JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617

HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 50

Applying Model Checking Technique for the

Analysis of B92 Security
Mohamed Elboukhari, Mostafa Azizi, and Abdelmalek Azizi

Abstract—Quantum Key Distribution (QKD) or Quantum Cryptography solves the key distribution problem by allowing the
exchange of a cryptographic key between two remote parties with absolute security, guaranteed by the laws of quantum
physics. Extensive studies have been undertaken on QKD when it was noted that quantum computers could break public key
cryptosystems based on number theory. Now, the progress of research in this field allows the anticipation of Quantum
Cryptography to be available outside of laboratories within the next few years. But despite this big progress of research, several
challenges remain. For example, the task of how to test the apparatuses of QKD did not yet receive enough attention. These
apparatuses become complex, heterogeneous and demand a big verification effort. We propose in this paper to study Quantum
Cryptography protocols by applying the technique of probabilistic model checking. We use the model checker PRISM to analyze
the security of B92 protocol and we are interested in the specific security property of eavesdropper's information gain on the key
derived from the implementation of this protocol. We show that this property is affected by the parameters of the quantum
channel and the eavesdropper’s power.

Index Terms— B92 Protocol, Cryptography, Quntum Cryptography, Quantum Key Distribution (QKD), Model Checking.

——————————  ——————————

1 INTRODUCTION

Q Quantum Cryptography or Quantum Key Distribu-

tion (QKD) offers new methods of secure communi-
cation. Unlike classical cryptography, which relies
on the computational difficulty of certain mathematical
functions and employs various mathematical techniques
to restrict eavesdroppers from learning the contents of
encrypted messages, QKD is focused on the physics of
information. The robustness of a given cryptosystem of
classical cryptography is based essentially on the secrecy
of its private key and the difficulty with which the inverse
of its one-way function(s) can be calculated. Unfortunate-
ly, there is no mathematical proof that will establish
whether it is not possible to find the inverse of a given
one-way function. So, traditional cryptography cannot
provide guarantee of key security. On the contrary, QKD
is a method for sharing secret keys, whose security can be
formally demonstrated. Also, traditional cryptography
cannot provide any indication of eavesdropping. QKD
has a unique and important properly; it is the ability of
the two communicating users (Alice and Bob) to detect
the presence of any third party (Eve) trying to gain know-
ledge of the key. How the eavesdropper can measure, and
what, depends exclusively on the laws of physics. Ex-
ploiting quantum phenomena, we can design and imple-
ment a communication system that can always detect ea-
vesdropping.
Quantum Cryptography was proposed first by Ste-
————————————————
 M.Elboukhari is with the dept. of Mathematics & Computer Science, Uni-
versity Mohamed First, Oujda, Morocco.
 M.Azizi is with the dept. Applied Engineering, ESTO, University Mo-
hamed First, Oujda, Morocco.
 A.Azizi with the Academy Hassan II of Sciences & Technology, Rabat,
Morocco.
phen Wiesner in the early 1970s. He introduced the con-
cept of quantum conjugate coding. His article titled "Con-
jugate Coding" was rejected by IEEE Information Theory
but was eventually published in 1983 in SIGACT News
(15:1 pp. 78-88, 1983). Through this paper he showed how
to store or transmit two messages by encoding them in
two “conjugate observables”, such as circular and linear
polarization of light, so that either, but not both, of which
may be received and decoded. After a decade and build-
ing upon this work, Charles H. Bennett, of the IBM Tho-
mas J. Watson Research Center, and Gilles Brassard, of
the University of Montreal, proposed a method for secure
communication based on Wiesner’s “conjugate obser-
vables”. In 1990, initially unaware of the earlier work,
Artur Ekert developed a different approach to Quantum
Cryptography based on quantum correlations known as
quantum entanglement.
The idea of Qunantum Cryptography did not attract
much attention at first. Research efforts have increased
since the 1990s when it was proved that quantum com-
puters could break the public-key cryptosystems com-
monly used in modern cryptography and when it is
proved that QKD is secure against quantum computer
attacks. Also a more interest has been generated after the
first practical demonstration over 30 cm of free space em-
ploying polarization coding [1]. Various theoretical and
experimental studies have been undertaken, and proto-
type products are now commercially available. Actually,
several QKD protocols have been developed, and some
that transmit keys through tens of kilometers in both fiber
and free space have been experimentally demonstrated
[2],[6].
Now, despite the huge progress over the recent years,
many open questions remain.
First, complete and realistic analyses of the security is-
sues are still missing. Next, the delicate question of how
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
to test and verify the apparatuses did not yet receive a lot
of research. Indeed, a potential customer of Quantum Key
Distribution buys confidence and secrecy, two qualities
hard to quantify.
In this context, we present in this article an approach to
analyze the security of one of the most known protocol of
Qunatum Cryptography named B92 [7] using the tech-
nique of model checking. The B92 protocol is elaborated
by Charles Bennett in 1992. A good proof of the uncondi-
tional security of B92 is the proof of Tamaki [8]. This
proof guaranteed the security of B92 protocol in the pres-
ence of any enemy who can perform any operation per-
mitted by the quantum physics; consequently the security
of the B92 protocol cannot be compromised by a future
development in quantum calculation. Other results re-
lated to the security of this protocol are shown in the ar-
ticles [9],[10].
In general, the mathematical proof of security of Quan-
tum Key Distribution protocols is not enough to assure
that the implementation of a system related to certain
Quantum Cryptography protocol is secure. As demon-
strated in traditional cryptography, during the progress
from an ideal protocol to an implementation, several
flaws of security can appear. So, even extensive research
has been initiated for sophisticated implementation of
Quantum Key Distribution in practical communication
networks, these systems are difficult to design; for that it
is very important to analyze and verify such systems with
more details related to their practical implementation.
In our paper, we present an analysis using PRISM [11];
a tool of the technique of probabilistic model checking.
Our work is done in the same approach as [12] and
[13],[14],[15], but our effort is focused on the property of
eavesdropper's information gain on the key derived from
the implementation of the B92 protocol. We also intro-
duce new parameters of the eavesdropper’s power and
the parameters of the quantum channel’s efficiency. We
show that these parameters affect the eavesdropper's in-
formation gain on the key.
Our paper is organized as follows. In section 2, the re-
lated works is described. In Section 3 we present a de-
tailed description of the B92 protocol. We introduce a
simple presentation of the technique of model checking in
Section 4 and we show also why this technique is desired
to analyze Quantum Cryptography protocols. In section 5
we present our analysis of B92’s security by introducing
parameters of the channel and the eavesdropper in order
to study the property of the information on the key
owned by the eavesdropper. We conclude our paper by
giving the main results in section 6.
2 DESCRIPTION OF RELATED WORKS
The issue of analyzing quantum protocols by model
checking is already introduced in the literature. More
specially, using the approach of model checking for stud-
ying Quantum Cryptography protocols has been also in-
troduced.
The authors Rajagopal Nagarajan and Simon Gay in
the article [16] propose to analyze quantum protocols by
51
the techniques of formal verification which was applied
and developed in classical computing for the analysis of
communicating concurrent systems. The first step in for-
mal verification is to define a model of the system to be
analyzed, in a well-founded mathematical notation and
based on the same underlying theory, an automated
analysis tool is used to reason about the system.
In their article [17], the authors Rajagopal Nagarajan,
Simon Gay and Nikolaos Papanikolaou introduce fun-
damental and general techniques for formal verification
of quantum protocols. Knowing that current analyses of
quantum protocols use a traditional mathematical ap-
proach and require considerable understanding of the
underlying physics, the authors argue that automated
verification techniques present an elegant alternative. To
show the feasibility of these techniques, they use PRISM,
a probabilistic model-checking tool. For the automated
analysis of quantum information protocols the authors
establish model-checking techniques in the articles [18]-
[19]. Precisely they have introduced QMC, a model-
checking tool for quantum protocols. As opposed to si-
mulation systems, QMC is proposed as the first dedicated
verification tool for quantum protocols. QMC enables the
verification and modeling of properties of quantum pro-
tocols expressible in the quantum formalism.
In the article [20] the authors Rajagopal Nagarajan, Ni-
kolaos Papanikolaou, Garry Bowen and Simon Gay in-
troduce the use of computer–aided verification as a prac-
tical means for analyzing the QKD protocol BB84. Using
the probabilistic model–checking approach, they have
used the model–checker PRISM to show that, the equivo-
cation of the eavesdropper with respect to the channel
decreases exponentially as the number of qubits transmit-
ted in BB84 is increased. They showed also that the prob-
ability of detecting the presence of an eavesdropper in-
creases exponentially as the number of qubits increases.
The authors Mohamed Elboukhari, Mostafa Azizi, and
Abdelmalek Azizi in the article [13] describe a methodol-
ogy based on model checking in order to analyze quan-
tum information systems. They are interested in the QKD
protocol B92. By using the PRISM tool as a probabilistic
model checker, they show that the protocol B92 fulfilled
specific security properties. The authors in the article [14]
use the same technique to analyze certain security’s prop-
erties of B92 protocol; they are interested in the specific
security property of eavesdropping detection. They have
demonstrated that this property is affected by the power
of the eavesdropper and the parameters of quantum
channel. The same study has been done by the authors to
the BB84 protocol [15].
3 PROTOCOL OF QUANTUM KEY DISTRIBUTION:
B92
The B92 is based on the on Heisenberg’s Uncertainty
Principle. Surely it is a famous and realized Quantum
Cryptography protocol. This protocole uses polarised
photons as information carriers. The polarizations of the
photons are two states, and are grouped together in two
different non orthogonal basis
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
Let H 2 be a Hilbert space with two basis  and  .
We suppose that the polarization of a photon can be
modelled by a state of this space.
The two basis  and  are defined as follows:
-The basis  is formed by the horizontal (0°) and the
vertical polarization (+90°). We represent the base states
with the intuitive notation: 0 and 1 . We have
 { 0 , 1 }.
-The basis  is constructed by the diagonal polarizations
(+45°) and (+135°). The two different base states are 
1 1
and  with   ( 0  1 ) and.  
2 2
We have   {  ,  } .
In B92 protocol, the association between the informa-
tion bit (taken from a random number generator) and the
basis are described in Table 1.
TABLE 1
Coding scheme f or the B92 protocol
Bit  
0 
0
1 1  cause 0 
B92 protocol considers that the two legitimate users,
Alice and Bob, communicate through two specific chan-
nels, which the enemy (Eve) also has access to:
-A classical channel which can be public; Eve can lis-
ten passively (without being detected);
-A quantum channel that Eve cannot listen passively.
The first phase of B92 protocol involves transmissions
over the quantum channel, while the second phase takes
place over the classical channel.
The B92 can be described as follows [13],[14]:
1) First phase (Quantum Transmissions)
a) Alice generates a random vector
bits A  {0,1} , n  N . If
n
Ai  0 Alice sends 0
Bob over the quantum channel and if Ai  1 , she
transmits  to him, for all i  {0,1,  , n} .
b) Bob randomly chooses in its turn a vector of
bits B  {0,1} n , n  N . Bob chooses the basis  if
Bi  0, and He chooses the basis  if Bi  1 , for all
i  {0 ,1,  , n } .
c) Bob measures each state sent by Alice ( 0 or  ) in
the selected basis (  or  ).
d) Bob constructs the vector test T  {0,1} n , n  N
by complying the following rule: if a measurement of
52
Bob produces 0 or  then, Ti  0 and if it pro-
duces 1 or  ), Ti  1 , for all i  {0,1,  , n} .
2) Second phase (Public Discussion)
a) Bob transmits the value of the vector T to Alice
over the classical channel.
b) Bob and Alice keep only the bits of the vectors A
and B for which Ti  1 . In such case and in absence
of the enemy Eve, we have the equation:
Ai  1  B i and the shared raw key is formed by Ai (or
1  B i ).
c) Alice chooses randomly a sample of the bits of the
( 0  1 ) raw key and reveals them to Bob over the classical
channel. If it exists i such as Ai  1  B i , then Eve is
certainly detected and the communication is aborted.
d) The common shared secret key K  {0,1} N is
formed by the raw key after elimination of the sam-
ples of the step 2c).
In this description of B92 protocol, measuring with the
incorrect basis yields a random result, as predicted by
quantum theory. Thus, if Bob chooses the basis  to
measure a photon in state 0 , the classical outcome will
be either the bit 0 or 1 with equal probability be-
1
(    ) ; if the basis  was chosen in-
2
stead, the classical outcome would be 0 with certainty
because 0  1 0  0 1 .
There are also three points to understand the B92 pro-
tocol perfectly. Firstly, if the test of Bob is equal to 0 for a
certain measure, then Bob does not know what Alice sent
to him. For example, if Bob chooses the basis 
(resp.  ), he can obtain as result of his measure
0 (resp.  ) for any quantum state sent by Alice ( 0
or  ). Secondly, if the test of Bob is equal to 1 then Bob
knows exactly what Alice sent to him, for example if Bob
of chooses the basis  (resp.  ), he will obtain after meas-
to ure the state  (resp. 1 ) and Alice surely sent to him
0 (resp.  ). Thirdly, in the step 2b), Bob and Alice test
the presence of Eve; the idea is that if it exists i such as
T i  1 then Ai  1  B i , if not an external disturbance is
produced or there is noise in the quantum channel, we
suppose all noise is caused by Eve.
4 MODEL CHECKING AND QUANTUM KEY
DISTRIBUTION PROTOCOLS
In design of complex systems in software and hardware
more time and effort are spent on verification than on
construction. The techniques are sought to ease and re-
duce the verification efforts while increasing their cover-
age. In this context, formal verification is the act of prov-
ing or disproving the correctness of intended algorithms
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
underlying a system with respect to a certain formal spe-
cification or property, using formal methods of mathe-
matics. Model checking is an approach of formal verifica-
tion. It is a verification method that explores all possible
system states in a brute-force manner. In the area of com-
puter science, model checking refers to the following
problem: Given a model of a system, test automatically
whether this model meets a given specification. Using a
specialized software tool (called a model–checker), a sys-
tem implementor can mechanically prove that the system
satisfies a certain set of requirements.
In the literature we meet several Proofs of uncondi-
tional security of the B92 protocol [8],[9],[10], but as Got-
tesman and Lo [21] point out that “the proof of security of
QKD is a fine theoretical result, but it does not mean that
a real QKD system would be secure”. So, more flexible
method to analyzing the security of quantum crypto-
graphic protocols is clearly desirable. Thus, a component
of a system in practice may be quantum, but others could
still be classical. So, manufacturers of commercial quan-
tum cryptographic systems [22], require rigorous and
efficient methods for design and testing.
In our paper we propose to analyze the security of B92
protocol by model checking. First we build an abstract
model, noted M and we express it in a description lan-
guage. Second, we describe the desired behavior of the
system in a set of temporal formulae p i . Both the model
and the formulae are the input of the model–checker.
If the systems have a probabilistic behavior, a variation
of this method is used; a probabilistic model–checker,
such as PRISM [11]. PRISM models are descibed by prob-
abilistic transition systems. The properties for PRISM
models are written in PCTL (Probabilistic Computation
Tree Logic).
Using PRISM we verify if the model M satisfy the
property defined by p i (i.e. whether for each proper-
ty p i M ‘ p i ), and PRISM computes the follownig prob-
ability:
Pr {M ‘ p i } (1)
We can parameterize also the model M by writing
M  M ( x 1 , x 2 , x 3 ,  , x n ) and the probability (1) can be
calculated for different value of x i , and this enables us
to have a meaningful plot of the variation of (1).
In PRISM, a model is formed by components called
modules. Each module has a sequence of actions to be
achieved and also its own local variables. The actions take
the following form:
action   a1 :  var1  value1   a2 :  var2  value 2  
  an : (varn  value n ) (2)
In this formula the variable vari in this equation is as-

i n
signed by value i with probability ai ( i 1
ai  1 ). If
n 1 we have the notation:
a1 :  var1  value1    var1  value 1  with a1  1 . PRISM
53
allows us to specify arbitrarily probabilities for actions,
for example in case n  2 we can model a tendency in
B92 protocol of Alice in the choice of the quantum states
by a module containing the following action:
 EtatOfAlice  true  0.1 : ( EtatAlice | 1 )
0.9 : ( EtatAlice  0 ); (3)
Alice in this equation is biased towards choosing the state
0 to encode the data 0 according to the Table 1.
5 ANALYSIS OF B92 USING THE MODEL CHECKER
PRISM
5.1 The Model B92 in PRISM Tool
Traditional model checkers input a description of a model,
represented as a state transition system, and a specification,
typically a formula in some temporal logic, and return “yes”
or “no”, indicating whether or not the model satisfies the
specification. In the case of using a probabilistic model
checking, the models are probabilistic, in the sense that they
encode the probability of making a transition between states
instead of simply the existence of such a transition, and
analysis normally entails calculation of the actual likelihoods
through appropriate numerical or analytical methods.
In our verification, we have elaborated a model of B92 in
PRISM noted M B 92 . It is done within a file including mod-
ules that descibe the components of the system. So,
in M B 92 , there is a module corresponding to each party in-
volved in the protocol (Alice, Bob and Eve), plus a module
representing the quantum channel.
we are interested in our work to the important security’s
property that the protocol must ensure: an enemy could
never be able to obtain the value of the key. Even if an ene-
my succeeds to gain a certain quantity of information by
trying to monitor the classical channel, this quantity has to
be minimal.
By using our model of B92, we can compute the probabil-
ity:
Pr {M B 92 ‘ p data } (4)
pdata represents a formula PCTL, its Boolean value is
TRUE if the enemy obtataind the information data on the
key. Let n is the number of photons transmitted by Alice to
Bob over the quantum channel. So, we can modify n and
in our PRISM model this probability is a function of n . We
write the probability that Eve obtain the knowledge of data
on the key as:
Pdata ( n )  Pr {M B 92 ‘ p data } (5)
In our article, we will analyse the correct measurements
that Eve does when she intercepts the photons transmitted
by Alice. Let  i represents the event in which Eve makes a
correct measurement to the i-th photons transmitted. If Eve
measures all photons correctly then Eve is able to obtain the
secret key, this event occurs with the following probability:
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 54


i n
Pall  i 1
Pr (  i ) (6) 5.3 Influence of Quantum Channel’s Efficiency on
the Eve’s Obtained Information on the Key
Our objecjtif is is to examine a variation of a probability pro-
In our model B92, the quantum channel is written in a mod-
portionel to Pall noted P 1 when Eve measures more than ule called Quantum Channel. Quantum channel in practice

2
can be an optical fiber or free air. In this section, we present a
half the photon transmitted. This PCTL property is noted simulation of the influence of the channel’s efficiency on the
as  1 . We want to study the variation of the probability: information gain of Eve on the key. This is done by obtain-

2 ing three curves: curve when the quantum channel is perfect
P 1 ( n )  Pr {M BB 84 ‘  1 } (7) and if it is noisy and if it produces a lot of noise. We expect

2

2
that if the channel becomes very noisy the amount of infor-
The model checher PRISM calculates exactly the probability mation obtained by Eve on the key decreases. We suppose in
that Eve measures correctly more than half the photons sent this paragraph that Eve is powerful; Eve intercepts all pho-
by Alice to Bob. We will precise in the next paragraph the tons sent by Alice.
In the perfect quantum channel there is no noise, we
definition of  according to our model of B92.

1 model this in the module Quantum Channel by the line:
2

5.2 The expression of  1

[ aliceput ]( ch _ state  0)  ( ch _ state '  1) & ( ch _ bas '  al _ bas ) &
(10)

2 ( ch _ bit '  al _ bit );

In the model M B 92 , we suppose that Eve applies the stan-

ch_state represets the state of the quantum channel and
dard attack of “man in the middle”. Thus, Eve receives each al_bas and al_bit denote base and bit of Alice. The lines (10)
photon sent by Alice over the quantum channel, she meas- show that the information transmitted by Alice (bit and
ures it with its basis (  or  ), and she obtains the result of base) remain unchanged before it will be received by Eve.
her test, noted Ti
eve
and then she transmits a new photon to For 1  n  60 , PRISM calculates the probability
Bob in the same measured state (the same state of polariza- P 1 (n) which described in 5.1), so PRISM performs the

tion). By the measurement of this photon, Bob obtains his 2

) as illustrated in Fig. 1.
Ch ( 2 )
own test Ti . curve of P 1 (noted P 1
 
In order to detect Eve, it is necessary to compare the bits 2 2
Ch (1)
of Alice and Bob (which are respectively Ai and Bi ) when To elaborate a curve of P 1 (noted P 1 ) where there is a
 
2 2
the test of Bob is Ti  1 ; if in a such case Ai  1  Bi then we bit noise in the channel; we change the lines (10) by the fol-
are sure that a disturbance take place and it be caused cer- lowing code lines:
tainly by the enemy, Eve. [ aliceput ]( ch _ state  0)  c 0 : ( ch _ state '  1) & ( ch _ bas '  al _ bas ) & ( ch _ bit '  al _ bit )

M B 92 has a module called Eve includes a variable  c1 : ( ch _ state '  1) & ( ch _ bas '  1  al _ bas ) & ( ch _ bit '  al _ bit )
 c 2 : ( ch _ state '  1) & ( ch _ bas '  al _ bas ) & ( ch _ bit '  1  al _ bit )
nc by which we calculate the number of time that Eve  c 3 : ( ch _ state '  1) & ( ch _ bas '  1  al _ bas ) & ( ch _ bit '  1  al _ bit ); (11)
makes a correct measurement. nc is shown in our
M B 92 by the code lines with LUCKY  0.5 : In this case, we give the values to the number c0, c1, c2 and
c3 as: c0=0.7, c1=c2=c3=0.1. From these lines we remark that
[evemeasure] (eve_state=1)&(eve_bas=ch_bas)&(nc<n)  (eve_state'=2)&
the information of Alice has been changed in a little way.
(eve_bit'=ch_bit)&(nc'=nc+1); Instead, if we modify these lines by giving new values like
c0=0.4, c1=c2=c3=0.2 we simulate a very noisy channel. This
[evemeasure] (eve_state=1)&(eve_bas!=ch_bas)&(nc<n)  LUCKY : (eve_state'=2)&
Ch (0)
(eve_bit'=ch_bit)&(nc'=nc+1) allows us to elaborate a curve of P 1 (noted P 1 ). All
 
2 2
+(1-LUCKY) : (eve_state'=2)&(eve_bit'= 1-ch_bit); (8) Ch ( i )
curves P 1 )
0 i  2 are shown in Fig. 1.

In the lines (8), eve_state, eve_bas and eve_bit 2
represent state, base and bit of Eve and ch_bas and
Firstly, from these curves we note that if we increase the
ch_bit denote base and bit of the quantum channel.
number of photons emitted by Alice (n), the probability that
The PCTL fomulae of  1 can be written in terms of Eve measures correctly more than half the photons decreases

2 and tends towards 0 and we have lim P 1
Ch ( i )
( n)  0
nc as the following expression: n  
2
n for 0  i  2 . Secondly, as the channel becomes noisy, the
 1
 {TRUE  ( nc  )} (9)
probability of the amount of information on the key owned
 2
2
by Eve becomes smaller as expected and we have the in-
equality for 5  n  60 :
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 55

P1
Ch  0  Ch 1
(n)  P 1 ( n)  P 1
Ch  2 
(n) (12) model a medium attack of Eve because for several pho-
   tons Eve doesn’t measure. By modifying n in the interval
2 2 2
Eve 1
0.8
[5, 60], we elaborate the curve P 1 ; we note it by P 1 .
Ch(2)  
P> 1 2 2
(n), i = 0, 1, 2}

0.7 2

Ch(1)
P> 1
2
When Eve does not measure a lot of photons, we si-
0.6
Ch(0)
P> 1 mulate a weak attack of Eve; this is done by changing the
number d1 and d2 in the lines (13) by d1  0.4 and
2

0.5
Ch(i)

d2  0.6 . So, the new form of lines (14) and the line (13)
The probabilities {P> 1
2

0.4
illustrate a weak attack.
0.3
In this last case PRISM provides a curve of P1

0.2 2
Eve (i)
. The curves  P 1
Eve (0)
0.1 noted P ) 0 i  2 are represented
1
 
2 2
0
0 10 20 30 40 50 60 in Fig. 2.
Number of photons sent by Alice, n
Ch ( i ) 0.8
Fig. 1. The probabilities {P 1 (n), i  0, 1, 2} that Eve measures correctly

(n), i = 0, 1, 2}
 Eve(2)
2 0.7 P> 1
2

more than half the photons transmitted by Alice when we change the canal’s 0.6 P> 1
Eve(1)
2

efficency.
Eve(0)
0.5 P> 1
Eve(i) 2

The probabilities {P> 1

2
0.4
5.4 Influence of Eve’s Power on the Information
Obtained on the Key 0.3

As in paragraph 5.3), we want to simulate the influence of 0.2

the power of Eve on its information obtained on the key.
We expect that if the power is lower, the information 0.1

gained by Eve on the key is lower too. We consider in this 0

0 10 20 30 40 50 60
paragraph that the quantum channel is perfect. Number of photons sent by Alice, n

Eve ( i )
Eve  2  Fig. 2. The probabilities {P 1 (n), i  0, 1, 2} that Eve measures correctly
The curve P 1 (noted also P 1 ) represents the func- 
  2
2 2
more than half the photons transmitted by Alice when we change the Eve’s
tion n  P 1 ( n ) in the case when Eve is powerful; Eve power.

2
performs the intercept-resend attack to all photons emit-
from this figure, we remark if we increase n , the
ted by Alice. Thus, Eve measures all photons. Firstly this
number of photons transmitted by Alice, the probability
appears in the previous lines (8) and in the following line
that Eve measures correctly more than half the photons
included in the module Quantum Channel: Eve  i 
correctly decreases too and we have lim P 1 (n )  0 ,
n  
[eveput] (ch_state=2) -> (ch_state'=3)&(ch_bas'=eve_bas)&(ch_bit'=eve_bit); (13) 2
i  0,1,
 2 . Also and more interesting, if the power of Eve
Now, we change the lines (8) by the following ones
become lower, the probability that Eve measures correctly
with d1  0.7 and d 2  0.3 : more than half the photons becomes smaller. This is clear-
[evemeasure] (eve_state=1)&(eve_bas=ch_bas)&(nc<n)  d1:(eve_state'=2)& ly showed by the inequality for 5  n  60 :
E ve 0  E v e 1  E ve 2 
(eve_bit'=ch_bit)&(nc'=nc+1)+ d2:(eve_state'=2)&(eve_bit'=ch_bit)&(nc'=nc) ; P 1
(n)  P 1
(n)  P 1
(n) (15)
  

[evemeasure] (eve_state=1)&(eve_bas!=ch_bas)&(nc<n)  LUCKY*d1 : (eve_state'=2) 2 2 2

&(eve_bit'=ch_bit)&(nc'=nc+1)+
6 CONCLUSION
 LUCKY*d2 : (eve_state'=2)&(eve_bas'=ch_bas)&(eve_bit'=ch_bit)&(nc'=nc)+
Quantum Cryptography cryptosystems are very promis-
(1-LUCKY)*d1 : (eve_state'=2)&(eve_bit'= 1-ch_bit)+ ing and the technology is improving more and more to
(1-LUCKY)*d2 : (eve_state'=2)&(eve_bas'=ch_bas)&(eve_bit'=ch_bit);(14)
fulfill requirements. But there is a huge need of testing
and analysis such systems due to their complexity. In this
Here, the lines (14) in which the number d2 appears, Eve spirit, we have applied the technique of model checking
doesn’t measure the photon intercepted, so she doesn’t to analyze the security of the B92 protocol. We have fo-
alter its state (base and bit). So the lines (14) and (13) cused our effort on studying the property of the amount
JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG
of information on the key gained by an eavesdropper. By
using the model checker PRISM we have obtained the
following results:
- To decrease the probability that Eve measures correctly
more than half the photons sent by Alice, it is clearly ne-
cessary to increase the number of the photons transmit-
ted,
- If the quantum channel is noisy than the probability that
Eve gained some information on the key decreases,
- If the power of Eve becomes biger, the probability that
Eve measures correctly more than half the photon sent
increases.
In the end, the automatic model checker PRISM allows
us to analyze B92 protocol and this approach is adaptable
to other protocol of Quantum Key Distribution. Also this
approach is adequate to analyze heterogonous crypto-
graphic systems containing classical and quantum com-
ponents.
REFERENCES
[1] Bennett, C.H., et al.: ‘Experimental quantum cryptography’, J.
Cryptol., 1992, 5, pp. 3–28
[2] C.-Z. Peng et al., “Experimental free-space distribution of en-
tangled photon pairs over 13 km: Towards satellite-based glob-
al quantum communication,” Phys. Rev. Lett., vol. 94, no. 15,
pp. 150501-1– 150501-4, Apr. 2005.
[3] D. Stucki, N. Gisin, O. Guinnard, G. Ribordy, and H. Zbinden,
“Quantum key distribution over 67 km with a plug & play sys-
tem,” New J. Phys., vol. 4, pp. 41.1–41.8, Mar. 2002.
[4] D. S. Naik, C. G. Peterson, A. G. White, A. J. Berglund, and P.
G. Kwiat, “Entangled state quantum cryptography: Eavesdrop-
ping on the Ekert protocol,” Phys. Rev. Lett., vol. 84, no. 20, pp.
4733–4736, May 2000.
[5] arXiv: Quant-ph/0403104, 2004.
[6] R.J. Hughes, J.E. Nordholt, D. Derkacs, and C.G. Peterson,
“Practical free space quantum key distribution over 10 km in
daylight and at night,” New JPhys. , vol. 4, pp. 43.1–43.14, May
2002.
[7] C. H. Bennett (1992). Phys. Rev. Lett, 68, 3121 (1992).
[8] Tamaki, K., M. Koashi, and N. Imoto.(2003) “Unconditionally
secure key distribution based on two non orthogonal states,”
Physical Review Letters 90, 167904 (2003), [preprint quant-
ph/0210162].
[9] Tamaki.K , Lütkenhaus.N.(2003) “Unconditional Security of the
Bennett 1992 quantum key-distribution over lossy and noisy
channel,“ Quantum Physics Archive: ar-
Xiv:quantph/0308048v2, 2003.
[10] Tamaki.K, Lütkenhaus.N, Koashi.M, and Batuwantu-
dawe.J.(2006) “Unconditional security of the Bennett 1992 quan-
tum key-distribution scheme with strong reference pulse , “
Quantum Physics Archive: arXiv:quant-ph/0607082v1, 2006.
[11] D. Parker, G. Norman, and M. Kwiatkowska (2008). “PRISM 2.0
users’ guide,”February 2008.
http://www.prismmodelchecker.org/doc/manual.pdf
[12] Nikolaos K. Papanikolaou.(2004) ”Techniques for Design and
Validation of Quantum Protocols”, Coventry, September 2004,
University of Warwick
[13] M. Elboukhari, M. Azizi, A. Azizi.(2008) “Security Oriented
Analysis of B92 by Model Checking”, in Proc. IEEE Int. Conf.
56
new technology, mobility and security (NTMS), page 454-458,
2008
[14] M. Elboukhari, M. Azizi, A. Azizi, “Analysis of Quantum Cryp-
tography Protocols by Model Checking”, IJUCS, Vol 1, pp. 34-
40, 2010. http://www.hypersciences.org/IJUCS/Iss.1-
2010/IJUCS- 4-1-2010.pdf
[15] M. Elboukhari, M. Azizi, A. Azizi, “Analysis of the security of
BB84 by Model Checking”, IJNSA International journal of Net-
work Security & Its Applications, Vol 2, Number 2, pp. 88-98,
april 2010. http://airccse.org/journal/nsa/0710ijnsa06.pdf
[16] R. Nagarajan and S. J. Gay. Formal Verification of Quantum
Protocols. arXiv:quant-ph/0203086, March 2002.
[17] S. J. Gay, R. Nagarajan and N. Papanikolaou. Probabilistic
Model-Checking of Quantum Protocols. arXiv:quant-
ph/0504007, April 2005.
[18] S. J. Gay, N. Papanikolaou and R. Nagarajan. Model-Checking
Quantum Protocols. August 2008.
[19] S. J. Gay, N. Papanikolaou and R. Nagarajan. QMC: a model
checker for quantum systems. In: Proceedings of the 20th Inter-
national Conference on Computer Aided Verification (CAV).
Springer LNCS series, volume 5123, pages 543-547, 2008.
[20] R. Nagarajan, N. Papanikolaou, G. Bowen and S. J. Gay. An
Automated Analysis of the Security of Quantum Key Distribu-
tion. arXiv:cs.CR/0502048, February 2005.
[21] D. Gottesman and H-K. Lo (2000). From Quantum Cheating to
Quantum Security. Physics Today, 53(11),November 2000.
quant-ph/0111100
[22] A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N.
Gisin. (1997) “‘Plug and Play’ systems for quantum cryptogra-
phy,” App. Phys. Lett., vol. 70, no. 7, 1997, see also
http://www.idquantique.com
Mohamed Elboukhari received the DESA (diploma of high study)
degree in numerical analysis, computer science and treatment of
signal in 2005 from the University of Science, Oujda, Morocco. He is
currently a PhD student in the University of Oujda in the field of
computer science. His research interests include cryptography,
quantum cryptography and wireless network security.
Mostafa Azizi received his diploma of State engineer in Automation
and Industrial Computing in 1993 from the Mohammadia’s School of
engineers at Rabat (Morocco) and obtained his PH.D in Computer
Science in 2001 from the Université de Montréal (DIRO-FAS) at
Montreal (Canada). He is currently professor at the University of
Oujda (Morocco). He teaches several courses in the domain of com-
puter science such as OOP, IA, RT-systems, Distributed Systems,
TCP/IP, WEB, and Computers Security. He also supervises a num-
ber of Master/PH.D students. His research interests include: Verifica-
tion/Coverification of real-time and embedded systems, Data com-
munication and security, and Computer-aided management of indus-
trial processes.
Abdelmalek Azizi obtained his first Doctorate in Number Theory in
1985 from the Mohammed Vth University at Rabat (Morocco). He
then obtained a Ph.D. in the same domain in 1993 from the Laval
University at Quebec (Canada). Since this date, he supervises the
organization of the Doctoral studies in the research area of class
field Theory and its Cryptography applications at the Mohammed
First University at Oujda (Morocco). Currently, he is the head of the
ACSA Research Laboratory (Arithmetic, Scientific Computation and
Applications) at the Mohammed First University at Oujda (Morocco).
His research interests are in several fields such as History of Ma-
thematics and Cryptography in Morocco, Class Field Theory and its
Applications to Cryptography and the Mathematical Didactics...