ETSI GS QKD 005 V1.1.1 (2010-12)
Quantum Key Distribution (QKD); Security Proofs
DGS/QKD-0005_SecProofs
Group Specification
Disclaimer
This document has been produced and approved by the Quantum Key Distribution (QKD) ETSI Industry Specification Group
(ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of
the entire ETSI membership.
Reference
DGS/QKD-0005_SecProofs
Keywords
protocol, Quantum Key Distribution, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2010.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 Security Definition
4.1 What QKD delivers
4.2 Structure of QKD protocols
4.3 Framework for Security Statements of QKD Implementations
4.4 Scientific Security proof framework
4.4.1 Security Assumptions on Devices
4.4.2 Assumptions on Adversary
4.5 Modelling, Assumptions and Side Channels
4.5.1 Source
4.5.2 Detection unit
4.6 Classical assumptions (shielding, electronic side-channels)
4.7 Classical protocol
4.7.1 Sifting
4.7.2 Error estimation
4.7.3 Error Correction (Reconciliation)
4.7.4 Confirmation
4.7.5 Privacy Amplification
4.7.6 Authentication
4.7.7 Common Sources of Mistakes in Classical Protocols
Annex A (informative): Authors & contributors
History
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Group Specification (GS) has been produced by the ETSI Industry Specification Group (ISG) Quantum Key
Distribution (QKD).
Introduction
The present document shall define the generic requirements for quantum information theoretic security proofs of
quantum cryptography. It shall serve as a reference for the construction of requirements and evaluation criteria for
practical security evaluation of quantum key distribution (QKD) systems.
In contrast to conventional cryptography which is often based on computational assumptions, quantum cryptography,
notably QKD, offers "unconditional security" based on the laws of physics. To deliver such promise, demonstrating
security by means of a security proof is an important aspect of quantum cryptography. Security proofs of quantum
cryptography and their applicability have to be addressed with extreme care and precision primarily for two reasons.
First, the security definition of a quantum cryptographic protocol is rather subtle. Second, it is often challenging to
enforce assumptions in a security proof of a quantum cryptographic protocol in a practical quantum cryptographic
system. Notice that any seemingly minor or innocent violation of an assumption in a security proof might be exploited
by an adversary with disastrous consequences on the security of a practical QKD system.
The above two points:
i) the subtlety in security definitions; and
ii) the challenges to enforce assumptions in a practical QKD system,
shall be the two main themes of the present document.
1 Scope
Quantum key distribution (QKD) comprises technologies that use quantum mechanical effects to distribute private keys
to distant partners. The goals of the present document are as follows:
• to make precise the nature of the security claim, including its statistical component;
• to list meaningful restrictions of adversarial action;
• to clarify the difference between security claim of a protocol (based on models) and the security claim of its
implementation;
• to carefully list all the usual components of a QKD protocol with their critical characterizations.
The present document is developed by the QKD ISG, in which experts of QKD theory and practice participate.
With the goals identified above, the present document shall help to:
• clarify the role QKD devices can play in a security infrastructure given the exact nature of their security claim;
• classify QKD devices regarding the security level they can achieve;
• clarify which parameters need to be monitored continuously or periodically to assure the generation of a secret
key for the different security levels.
On the other hand, the present document will not try to do the following:
• to give specific parameters for successful QKD as these numbers change with time;
• to endorse particular security proofs.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] ETSI GS QKD 008: "Quantum Key Distribution (QKD); QKD Module Security Specification".
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dusek, N. Lütkenhaus, M. Peev: "The
security of practical quantum key distribution", Reviews of Modern Physics, Vol. 81,
July-September 2009, pages 1301-1350, and references therein.
3 Definitions, symbols and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
advantage distillation: advantage distillation is a preprocessing of partially compromised data that involves two-way
communications between two users, Alice and Bob
adversary: malicious entity in cryptography whose aim is to prevent the users of the cryptosystem from achieving their
goals
Alice: legitimate entity who sends the data
ancilla: auxiliary (quantum mechanical) system
attacks: any action that aims at compromising the security of information
attenuation: reduction in intensity of the light beam (or signal)
authentication: used as short term for message authentication: Act of establishing or confirming that some message
indeed originated from the entity it is claimed to come from and was not modified during transmission
bit commitment: scenario where Alice commits some message to Bob without being able to change it at a later stage,
while Bob cannot read the message until authorized by Alice
bit error rate: percentage of bits with errors divided by the total number of bits that have been transmitted, received or
processed over a given time period
Bob: legitimate entity who wishes to communicate securely with Alice and receives data from her
classical public channel: insecure communication channel, for example broadcast radio or internet, where all messages
sent over this channel become available to all parties, including adversaries
clock rate: number of repetition events per time unit, e.g. number of signals sent per time unit
collective attack: attack where an adversary lets each individual signal interact with an ancilla each, but can perform
joint operation on all the ancillas to extract information
composability: property that the output of one cryptographic protocol can be used by another cryptographic protocol in
such a way that the security proof can be done for each protocol independently
conjugate variables: term in quantum mechanics characterizing mutually exclusive sets of properties, where the
perfect knowledge of one blurs completely the other set of properties
cryptography: art and science of keeping data or messages secure
cryptographic primitives: fundamental protocols from which cryptographic applications can be composed
dark count: false alarm of a detector
NOTE: A detector may falsely give a detection event when the input state contains no photon.
dead time: duration after a detection event when a detector is inactive
decoding: process by which a receiver extracts the secret message from the publicly transmitted data
decoy state: legitimate user intentionally and randomly replaces the usual protocol signals by different signals to test
the channel action
depolarization channel: quantum channel which has the same probability for each of the three types (X, Y and Z) of
errors
detection efficiency: probability that an incident light photon produces a detection event
detection time: time at which a corresponding detector detects a photon
detector saturation: limit of detection frequency at which a detector can detect photons
device model: physical model of a device to capture the essential behaviour
distillation: distillation of a key which means the extraction of a secure key from some partially compromised data
eavesdropping: act of attempting to listen to the private conversation of others without their consent
encoding: process of mapping a secret message into a publicly accessible set of data from which the rightful user can
decode the secret message again
entanglement: property of quantum mechanical systems that shows correlations between two physical systems that
cannot be explained by classical physics
error correction: process of correcting errors in data that may have been corrupted due to errors during transmission or
in storage
entropy: measure of uncertainty regarding information
eve: adversarial entity who eavesdrops the data in a quantum or classical link
gating mode: operation mode of photodetectors in which the detector can be triggered by a signal only during a
specified time interval
homodyne detection: method of detecting a weak frequency-modulated signal through mixing with a strong reference
frequency-modulated signal (so-called local oscillator)
individual attack: attack where Eve lets each signal interact separately with its own ancilla, and keeps the ancillas
apart at later times
NOTE: A slightly different definition is used in Scarani et al. [i.1].
key establishment: procedure, conducted by two or more participants, which culminates in the derivation of keying
material by all participants
NOTE: Key establishment can be based on pre-shared keys or on public key schemes.
key generation: process of generating secret keys for cryptography
key rate: rate of shared secret key generation resulting from a Quantum Key Distribution process
measurement: quantum mechanical process of reading out information from a quantum system
NOTE: The outcome of a measurement is always a classical event chosen from a set of mutually exclusive
events.
multi-photon signal: optical signal containing more than one photon
permutation: change in the order of elements of a sequence of data
phase encoding: method of encoding qubits using optical phase differences between optical pulses
photon number: number of photons in a pulse
photon number resolution: ability of a photo-detection process to distinguish not only between 'no photon' and 'one or
more photons', but being able to distinguish between 0,1,2,3,… photons
polarization: property of electromagnetic waves that describes the orientation of the oscillating electric field vector
privacy amplification: process of distilling secret keys from partially compromised data
private keys: keys known only to the rightful users
private states: quantum mechanical states from which private keys can be generated
protocol: list of steps to be performed by the participating entities to reach their goal
public announcement: messages sent over the public channel during a protocol
quantum channel: communication channel which can transmit quantum information, that is, it can transmit signal that
needs to be described by quantum mechanics
quantum error correction codes: coding procedures for quantum states to protect them against errors during
transmission or storage
quantum key distribution: procedure or method for generating and distributing symmetrical cryptographic keys with
information theoretical security based on quantum information theory
quantum mechanics: physical theory that describes natural phenomena
quantum mechanical state: complete description of a physical system in quantum mechanics
quantum memories: device that can store and retrieve quantum mechanical states
quantum signal: signal described by a quantum mechanical state
quantum storage: See quantum memories.
qubit: unit of quantum information, described by a state vector in a two-level quantum mechanical system, which is
formally equivalent to a two-dimensional vector space over the complex numbers
receiver: entity that receives signals
reconciliation: process of generating a set of data on which sender and receiver agree from a set of data which contains
differences
NOTE: The result of reconciliation is not necessarily either the sender's or receiver's version of the data.
secret keys: private keys
security claim: precise formulation in which sense a cryptographic protocol is secure
security infrastructure: hierarchy of devices and protocols that manage key, user privileges and controls the
cryptographic protocols
security level: level of protection against adversaries
security model: modeling of devices and protocols, and also of adversarial power
security parameters: parameters in a protocol that regulate the level of protection against adversaries
sender: entity sending signals
Shannon theory/information: Shannon's theory of communication defines the field of communication theory,
including for example the throughput of information through noisy channels
NOTE: The central notion of that theory is the Shannon information, which is a measure of information content
for signals based on entropy.
side channel: channels that are not included in the modeling of devices
security analysis: analysis of a cryptographic protocol to relate the security parameters with the exact security claim of
the protocol
threshold detector: photon detector that can tell the difference between i) having no photon and ii) having one or more
photons, but cannot tell the number of photons
time shift attack: specific attack aimed at a deviation between devices and their models, here the gating intervals of the
various photo-detectors
trojan horse attack: any attack that aims at intruding Alice's or Bob's device to read out internal settings
X-type error: bit-flip error
Y-type error: phase error
Z-type error: combination of bit-flip and phase error
3.2 Symbols
For the purposes of the present document, the following symbol applies:
Epsilon ε Security parameter, worst case probability that the adversary obtains a complete key produced in
one run of the QKD system
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
QKD Quantum Key Distribution
4 Security Definition
4.1 What QKD delivers
Security Statement: The security statement of a QKD protocol is of a probabilistic nature. The final key can be
claimed to be completely random and completely private, except with a probability ε. With that probability ε, one
pessimistically assumes that an adversary might know the complete key. Any QKD device therefore shall have to quote
not only the length of key that it creates in a given time over specified distances, but also the parameter ε associated
with this key.
Origin of Security Parameter ε: There are several sources of this probabilistic nature of the secret key. The most
obvious one comes from parameter estimation of the device and also the data, for example, the estimation of the error
rate. However, as one can see from a simple example, there are additional effects that are not connected to parameter
estimation.
EXAMPLE 1: Intercept/Resend attack: Consider a generic QKD protocol where an adversary intercepts all
signals and resends new signals to the receiver, where the choice of the signals is based on the best
guess from his measurement result. It is clear that with some (small) probability this attack
succeeds without leaving any detectable trace, namely whenever all resent signals are identical to
the original ones.
Reducing Security Parameter ε: A security proof shall specify for which systems parameters (loss, error rate) a secret
key can be obtained, and what the security parameter ε is. Whenever a positive secret key rate is achieved with a given
ε, then the value of ε can be decreased by increasing the number of exchanged quantum signals while maintaining the
same system parameters. To achieve this goal, the security proof shall specify the exact protocol parameters (amount of
privacy amplification) that achieve the target goal.
Interpretation: The security parameter ε has a clear interpretation as a probability of failure. It can therefore be
combined with a risk analysis, so that from a specific use case one can deduce the value of ε one should aim for.
EXAMPLE 2: One might imagine that a futuristic insurance company is willing to insure against a (highly
unlikely) failure event.
Aborting Protocols: In setting the value of ε, note that QKD protocols can abort, for example whenever the observed
error rate is too high. In these cases the output of the QKD protocol is a key of length zero, but the attempt to create a
key has to be taken into account in choosing ε.
EXAMPLE 3: Eve can simply cut a quantum channel and perform a denial-of-service attack. Note that the same
type of attack can also happen to a classical communication channel. So, this is not a particular
short-coming of QKD.
Composability: Under this property, a QKD protocol with a failure probability ε can be combined with any other
protocol with a failure probability ε' in which the key is used. The failure probability ε'' of the combined protocol is
then bounded by the sum of ε and ε'. This property of composability of failure probabilities is essential, as the secret
key is naturally to be used by other applications.
EXAMPLE 4: If during the lifetime of a QKD system, a QKD protocol with a failure probability ε is run N times,
then the total failure probability for the combined N runs shall be given by N ε. So, it is not
enough that ε is small. One needs to ensure that this total failure probability N ε remains small.
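The undetected-success probability of Example 1 and the N ε accounting of Example 4 (with aborted attempts counted, as required under "Aborting Protocols"), as an added Python example that is not part of the ETSI text. It assumes BB84 as the concrete protocol, an adversary who intercepts and resends every signal, and a toy acceptance rule that aborts on any error among the checked sifted bits; all function names are illustrative.

```python
import math
import random

# Assumption (BB84): a sifted bit that was intercepted and resent still
# agrees between sender and receiver with probability 3/4.
ERR_FREE = 0.75


def errors_in_run(n_sifted, rng):
    """Toy BB84 run with every signal intercepted and resent.
    Returns the number of errors among n_sifted sifted bits."""
    sifted = errors = 0
    while sifted < n_sifted:
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        e_basis, b_basis = rng.getrandbits(1), rng.getrandbits(1)
        # Measuring in the wrong basis yields a uniformly random bit.
        e_bit = a_bit if e_basis == a_basis else rng.getrandbits(1)
        b_bit = e_bit if b_basis == e_basis else rng.getrandbits(1)
        if b_basis == a_basis:  # sifting keeps matching-basis rounds only
            sifted += 1
            errors += b_bit != a_bit
    return errors


def undetected_fraction(n_sifted, trials, seed=1):
    """Fraction of simulated runs in which the attack leaves no error."""
    rng = random.Random(seed)  # constructed, reproducible sample
    clean = sum(errors_in_run(n_sifted, rng) == 0 for _ in range(trials))
    return clean / trials


def undetected_probability(n_sifted):
    """Closed form for the same event: every checked bit is error free."""
    return ERR_FREE ** n_sifted


def min_checked_bits(eps):
    """Smallest number of checked sifted bits pushing that event below eps."""
    n = math.ceil(math.log(eps) / math.log(ERR_FREE))
    while undetected_probability(n) > eps:  # guard against float rounding
        n += 1
    return n


def lifetime_failure_bound(eps_run, attempts, eps_other=()):
    """Sum bound over the device lifetime: N * eps plus the eps' of every
    protocol that consumes the key. 'attempts' includes aborted runs."""
    return attempts * eps_run + sum(eps_other)


def per_run_budget(target_total, attempts, eps_other=()):
    """Per-run eps that keeps the lifetime bound at or below target_total."""
    remaining = target_total - sum(eps_other)
    if remaining <= 0:
        raise ValueError("consuming protocols already exceed the target")
    return remaining / attempts


if __name__ == "__main__":
    print("simulated :", undetected_fraction(8, 20000))
    print("predicted :", undetected_probability(8))
    print("bits for 1e-10:", min_checked_bits(1e-10))
    print("lifetime bound:", lifetime_failure_bound(1e-10, 10**6))
    print("per-run budget:", per_run_budget(1e-6, 10**6, [5e-7]))
```

The simulated fraction tracks the closed form, which falls geometrically with the number of checked bits but never reaches zero; this is the residual that a quoted ε has to cover.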
4.2 Structure of QKD protocols
This clause outlines the general structure of QKD protocols together with its components.
QKD protocols utilize different resources:
• Quantum Channel: this is a channel that preserves quantum mechanical features.
EXAMPLE: Standard telecom fibers and free-space optics transmission.
• Authenticated Classical Channel: this is a public channel which is authenticated, meaning that all messages
on the channel are authenticated to come from the corresponding party. Information theoretically secure
methods of authentication do exist. To implement a meaningful authentication structure is one of the main
tasks in building up a QKD infrastructure.
• Source of Randomness: a physical random number generator (not a pseudo-random number generator).
A typical QKD protocol runs in two phases:
1) Quantum Phase: In this phase quantum mechanical signals are exchanged via the quantum channel and
measured by sender and receiver. At the end of this phase, both parties have a record of classical data. The
assumptions on the quantum mechanical devices used in this step shall be discussed in depth in clause 4.4.
Two distinct types of protocols exist:
- Prepare and Measure Protocols: in this type of protocol one party (the sender) prepares signals chosen
at random from a pre-defined set. The other party (the receiver) measures the signals in measurements of
quantum mechanical nature, e.g. by choosing at random between a predefined set of quantum
mechanically non-commuting measurements (active choice), or by having a single larger measurement
containing non-commuting elements (passive choice).
- Entanglement based protocols: in this type of protocol a third party provides bi-partite systems to both
parties. Each party measures them by active or passive choice (see before). No trust needs to be put into
the third party.
2) Classical Communication Phase: The quantum phase provides a record of classical data to both QKD
parties. In the classical communication phase they use the authenticated classical channel to run through
classical communication protocols (sifting, error correction, privacy amplification) to obtain a final secret key.
These protocols shall be discussed in more detail in clause 4.6.
4.3 Framework for Security Statements of QKD
Implementations
In this clause we clarify the interplay between scientific security proofs and tests performed on implementations in
order to obtain accepted levels of security. It is important to become clear about this interplay as we develop procedures
that will allow the certification of QKD implementations.
The security statement of a QKD implementation has two major contributions:
a) Scientific Security Proof:
A Scientific Security Proof takes:
1) a model of the physical devices;
2) a protocol executed with these model devices.
And proves conclusively the security of the protocol executed on the model devices. This proof gives the
relevant parameters of the protocol and results in the precise security statement. For example, in the
composable security definition, it gives the exact form of the security parameter ε as a function of protocol
parameters.
The Scientific Security Proof follows established accepted rules of scientific proofs and does not need further
specification.
b) Implementation Verification:
To complete the security statement on a QK
...







