HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 50
Abstract—Quantum Key Distribution (QKD) or Quantum Cryptography solves the key distribution problem by allowing the
exchange of a cryptographic key between two remote parties with absolute security, guaranteed by the laws of quantum
physics. Extensive studies have been undertaken on QKD when it was noted that quantum computers could break public key
cryptosystems based on number theory. Now, the progress of research in this field allows the anticipation of Quantum
Cryptography to be available outside of laboratories within the next few years. But despite this big progress of research, several
challenges remain. For example, the task of how to test the apparatuses of QKD did not yet receive enough attention. These
apparatuses become complex, heterogeneous and demand a big verification effort. We propose in this paper to study Quantum
Cryptography protocols by applying the technique of probabilistic model checking. We use the model checker PRISM to analyze
the security of B92 protocol and we are interested in the specific security property of eavesdropper's information gain on the key
derived from the implementation of this protocol. We show that this property is affected by the parameters of the quantum
channel and the eavesdropper’s power.
Index Terms— B92 Protocol, Cryptography, Quantum Cryptography, Quantum Key Distribution (QKD), Model Checking.
1 INTRODUCTION
to test and verify the apparatuses did not yet receive a lot of research. Indeed, a potential customer of Quantum Key Distribution buys confidence and secrecy, two qualities hard to quantify.

In this context, we present in this article an approach to analyze the security of one of the best-known protocols of Quantum Cryptography, named B92 [7], using the technique of model checking. The B92 protocol was elaborated by Charles Bennett in 1992. A good proof of the unconditional security of B92 is the proof of Tamaki [8]. This proof guarantees the security of the B92 protocol in the presence of any enemy who can perform any operation permitted by quantum physics; consequently the security of the B92 protocol cannot be compromised by a future development in quantum computation. Other results related to the security of this protocol are shown in the articles [9],[10].

In general, the mathematical proof of security of Quantum Key Distribution protocols is not enough to assure that the implementation of a system related to a certain Quantum Cryptography protocol is secure. As demonstrated in traditional cryptography, during the progress from an ideal protocol to an implementation, several security flaws can appear. So, even though extensive research has been initiated for sophisticated implementation of Quantum Key Distribution in practical communication networks, these systems are difficult to design; for that reason it is very important to analyze and verify such systems in more detail with respect to their practical implementation.

In our paper, we present an analysis using PRISM [11], a tool for probabilistic model checking. Our work follows the same approach as [12] and [13],[14],[15], but our effort is focused on the property of the eavesdropper's information gain on the key derived from the implementation of the B92 protocol. We also introduce new parameters for the eavesdropper's power and for the quantum channel's efficiency. We show that these parameters affect the eavesdropper's information gain on the key.

Our paper is organized as follows. In Section 2, the related work is described. In Section 3 we present a detailed description of the B92 protocol. We introduce a simple presentation of the technique of model checking in Section 4 and we also show why this technique is desirable for analyzing Quantum Cryptography protocols. In Section 5 we present our analysis of B92's security by introducing parameters of the channel and the eavesdropper in order to study the property of the information on the key owned by the eavesdropper. We conclude our paper by giving the main results in Section 6.

the techniques of formal verification which were applied and developed in classical computing for the analysis of communicating concurrent systems. The first step in formal verification is to define a model of the system to be analyzed, in a well-founded mathematical notation; based on the same underlying theory, an automated analysis tool is then used to reason about the system.

In their article [17], the authors Rajagopal Nagarajan, Simon Gay and Nikolaos Papanikolaou introduce fundamental and general techniques for formal verification of quantum protocols. Knowing that current analyses of quantum protocols use a traditional mathematical approach and require considerable understanding of the underlying physics, the authors argue that automated verification techniques present an elegant alternative. To show the feasibility of these techniques, they use PRISM, a probabilistic model-checking tool. For the automated analysis of quantum information protocols the authors establish model-checking techniques in the articles [18]-[19]. Precisely, they have introduced QMC, a model-checking tool for quantum protocols. As opposed to simulation systems, QMC is proposed as the first dedicated verification tool for quantum protocols. QMC enables the verification and modeling of properties of quantum protocols expressible in the quantum formalism.

In the article [20] the authors Rajagopal Nagarajan, Nikolaos Papanikolaou, Garry Bowen and Simon Gay introduce the use of computer-aided verification as a practical means for analyzing the QKD protocol BB84. Using the probabilistic model-checking approach, they have used the model checker PRISM to show that the equivocation of the eavesdropper with respect to the channel decreases exponentially as the number of qubits transmitted in BB84 is increased. They showed also that the probability of detecting the presence of an eavesdropper increases exponentially as the number of qubits increases.

The authors Mohamed Elboukhari, Mostafa Azizi, and Abdelmalek Azizi in the article [13] describe a methodology based on model checking in order to analyze quantum information systems. They are interested in the QKD protocol B92. By using the PRISM tool as a probabilistic model checker, they show that the protocol B92 fulfilled specific security properties. The authors in the article [14] use the same technique to analyze certain security properties of the B92 protocol; they are interested in the specific security property of eavesdropping detection. They have demonstrated that this property is affected by the power of the eavesdropper and the parameters of the quantum channel. The same study has been done by the authors for the BB84 protocol [15].
Let H 2 be a Hilbert space with two basis and . We suppose that the polarization of a photon can be modelled by a state of this space.

The two basis and are defined as follows:
- The basis is formed by the horizontal (0°) and the vertical polarization (+90°). We represent the base states with the intuitive notation: 0 and 1 . We have { 0 , 1 }.
- The basis is constructed by the diagonal polarizations (+45°) and (+135°). The two different base states are
1 1
and with ( 0 1 ) and. ( 0 1 )
2 2
We have { , } .

In B92 protocol, the association between the information bit (taken from a random number generator) and the basis is described in Table 1.

TABLE 1
Coding scheme for the B92 protocol
Bit

1) First phase (Quantum Transmissions)
a) Alice generates a random vector of bits $A \in \{0,1\}^n$, $n \in \mathbb{N}$. If $A_i = 0$ Alice sends 0 to Bob over the quantum channel and if $A_i = 1$, she transmits to him, for all $i \in \{0, 1, \ldots, n\}$.
b) Bob in his turn randomly chooses a vector of bits $B \in \{0,1\}^n$, $n \in \mathbb{N}$. Bob chooses the basis if $B_i = 0$, and he chooses the basis if $B_i = 1$, for all $i \in \{0, 1, \ldots, n\}$.
c) Bob measures each state sent by Alice ( 0 or ) in the selected basis ( or ).
d) Bob constructs the test vector $T \in \{0,1\}^n$, $n \in \mathbb{N}$, by complying with the following rule: if a measurement of Bob produces 0 or then, $T_i = 0$ and if it produces 1 or ), $T_i = 1$, for all $i \in \{0, 1, \ldots, n\}$.

2) Second phase (Public Discussion)
a) Bob transmits the value of the vector T to Alice over the classical channel.
b) Bob and Alice keep only the bits of the vectors A and B for which $T_i = 1$. In such a case, and in the absence of the enemy Eve, we have the equation $A_i = 1 - B_i$, and the shared raw key is formed by $A_i$ (or $1 - B_i$).
c) Alice randomly chooses a sample of the bits of the raw key and reveals them to Bob over the classical channel. If there exists i such that $A_i \neq 1 - B_i$, then Eve is certainly detected and the communication is aborted.
d) The common shared secret key $K \in \{0,1\}^N$ is formed by the raw key after elimination of the samples of step 2c).

In this description of B92 protocol, measuring with the incorrect basis yields a random result, as predicted by quantum theory. Thus, if Bob chooses the basis to measure a photon in state 0 , the classical outcome will

knows exactly what Alice sent to him, for example if Bob chooses the basis (resp. ), he will obtain after measurement the state (resp. 1 ) and Alice surely sent to him 0 (resp. ). Thirdly, in step 2b), Bob and Alice test for the presence of Eve; the idea is that if there exists i such that $T_i = 1$ then $A_i = 1 - B_i$; if not, an external disturbance is produced or there is noise in the quantum channel; we suppose all noise is caused by Eve.

4 MODEL CHECKING AND QUANTUM KEY DISTRIBUTION PROTOCOLS
In the design of complex systems in software and hardware, more time and effort are spent on verification than on construction. Techniques are sought to ease and reduce the verification efforts while increasing their coverage. In this context, formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics. Model checking is an approach of formal verification. It is a verification method that explores all possible system states in a brute-force manner. In the area of computer science, model checking refers to the following

JOURNAL OF COMPUTING, VOLUME 2, ISSUE 9, SEPTEMBER 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 53

allows us to specify arbitrarily probabilities for actions, for example in case n 2 we can model a tendency in B92 protocol of Alice in the choice of the quantum states by a module containing the following action:

EtatOfAlice true 0.1 : ( EtatAlice | 1 )
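
An added example, not code from the paper or its PRISM model: a Python enumeration of one B92 photon under the Section 3 rules, with two adjustable action probabilities of the kind the analysis relies on (a bias in Alice's choice, and the fraction of photons Eve intercepts and resends). The 0/1 encoding of bases and states, Bob using the diagonal basis when his bit is 1, and Eve choosing her basis uniformly are assumptions of this example.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)
RECT, DIAG = 0, 1   # assumed labels: rectilinear (0/90 deg) and diagonal (45/135 deg)
# A state is (basis, value): (RECT,0)=|0>, (RECT,1)=|1>, (DIAG,0)=|+>, (DIAG,1)=|->


def measure(state, basis):
    """Projective measurement; returns [(probability, resulting_state), ...]."""
    s_basis, s_val = state
    if s_basis == basis:                      # matching basis: outcome is certain
        return [(Fraction(1), (basis, s_val))]
    return [(HALF, (basis, 0)), (HALF, (basis, 1))]   # wrong basis: random result


def round_distribution(intercept, alice_bias=HALF):
    """Exact joint distribution of (A, B, T) for a single photon.

    intercept  -- probability that Eve measures and resends the photon
    alice_bias -- probability that Alice's bit is 1
    """
    intercept, alice_bias = Fraction(intercept), Fraction(alice_bias)
    dist = {}
    for a, p_a in ((0, 1 - alice_bias), (1, alice_bias)):
        sent = (RECT, 0) if a == 0 else (DIAG, 0)     # A=0 -> |0>, A=1 -> |+>
        # Photon reaching Bob: untouched, or re-emitted in Eve's random basis.
        in_flight = [(1 - intercept, sent)]
        for e_basis in (RECT, DIAG):
            for p_e, e_state in measure(sent, e_basis):
                in_flight.append((intercept * HALF * p_e, e_state))
        for (p_ch, state), b in product(in_flight, (0, 1)):
            bob_basis = RECT if b == 0 else DIAG      # assumed mapping for Bob
            for p_m, (_, val) in measure(state, bob_basis):
                key = (a, b, val)                     # T=1 iff Bob sees |1> or |->
                dist[key] = dist.get(key, 0) + p_a * p_ch * HALF * p_m
    return dist


def sifted_error_rate(intercept, alice_bias=HALF):
    """Return (P[T=1], P[A != 1-B | T=1]) for one photon."""
    dist = round_distribution(intercept, alice_bias)
    kept = sum(p for (a, b, t), p in dist.items() if t == 1)
    bad = sum(p for (a, b, t), p in dist.items() if t == 1 and a != 1 - b)
    return kept, bad / kept


def detection_probability(intercept, sample_size):
    """Probability that a revealed sample (step 2c) contains a mismatch."""
    _, err = sifted_error_rate(intercept)
    return 1 - (1 - err) ** sample_size
```

Without Eve a quarter of the photons survive sifting and all of them satisfy $A_i = 1 - B_i$; with every photon intercepted, one sifted bit in three violates it, so a 10-bit sample in step 2c) exposes her with probability $1 - (2/3)^{10}$.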
i n
Pall i 1
Pr ( i ) (6)

Our objective is to examine a variation of a probability proportional to Pall, noted $P_{>1/2}$, when Eve measures more than half the photons transmitted. This PCTL property is noted as 1/2 . We want to study the variation of the probability:

P 1/2 ( n ) Pr {M BB 84 ‘ 1/2 } (7)

The model checker PRISM calculates exactly the probability that Eve measures correctly more than half the photons sent by Alice to Bob. We will specify in the next paragraph the definition of 1/2 according to our model of B92.

own test $T_i$.

In order to detect Eve, it is necessary to compare the bits of Alice and Bob (which are respectively $A_i$ and $B_i$) when the test of Bob is $T_i = 1$; if in such a case $A_i \neq 1 - B_i$ then we are sure that a disturbance has taken place and that it is certainly caused by the enemy, Eve.

$M_{B92}$ has a module called Eve which includes a variable nc, by which we count the number of times that Eve makes a correct measurement. nc appears in our $M_{B92}$ in the following code lines, with LUCKY = 0.5:

    [evemeasure] (eve_state=1)&(eve_bas=ch_bas)&(nc<n) ->
        (eve_state'=2)&(eve_bit'=ch_bit)&(nc'=nc+1);
    [evemeasure] (eve_state=1)&(eve_bas!=ch_bas)&(nc<n) ->
        LUCKY : (eve_state'=2)&(eve_bit'=ch_bit)&(nc'=nc+1)
        + (1-LUCKY) : (eve_state'=2)&(eve_bit'=1-ch_bit);        (8)

In the lines (8), eve_state, eve_bas and eve_bit represent the state, base and bit of Eve, and ch_bas and ch_bit denote the base and bit of the quantum channel.

The PCTL formula of 1/2 can be written in terms of nc as the following expression:

1/2 {TRUE ( nc n/2 )} (9)

5.3 Influence of Quantum Channel’s Efficiency on the Eve’s Obtained Information on the Key

In our model of B92, the quantum channel is written in a module called Quantum Channel. A quantum channel in practice can be an optical fiber or free air. In this section, we present a simulation of the influence of the channel's efficiency on the information gain of Eve on the key. This is done by obtaining three curves: one when the quantum channel is perfect, one when it is noisy, and one when it produces a lot of noise. We expect that if the channel becomes very noisy the amount of information obtained by Eve on the key decreases. We suppose in this paragraph that Eve is powerful; Eve intercepts all photons sent by Alice.

In the perfect quantum channel there is no noise; we model this in the module Quantum Channel by the line:

curve of $P_{>1/2}$ (noted $P^{Ch(2)}_{>1/2}$) as illustrated in Fig. 1.

To elaborate a curve of $P_{>1/2}$ (noted $P^{Ch(1)}_{>1/2}$) where there is a bit of noise in the channel, we change the lines (10) by the following code lines:

    [aliceput] (ch_state=0) ->
        c0 : (ch_state'=1)&(ch_bas'=al_bas)&(ch_bit'=al_bit)
        + c1 : (ch_state'=1)&(ch_bas'=1-al_bas)&(ch_bit'=al_bit)
        + c2 : (ch_state'=1)&(ch_bas'=al_bas)&(ch_bit'=1-al_bit)
        + c3 : (ch_state'=1)&(ch_bas'=1-al_bas)&(ch_bit'=1-al_bit);        (11)

In this case, we give the numbers c0, c1, c2 and c3 the values c0=0.7, c1=c2=c3=0.1. From these lines we remark that the information of Alice has been changed only a little. Instead, if we modify these lines by giving new values like c0=0.4, c1=c2=c3=0.2 we simulate a very noisy channel. This allows us to elaborate a curve of $P_{>1/2}$ (noted $P^{Ch(0)}_{>1/2}$). All curves $P^{Ch(i)}_{>1/2}$, $0 \le i \le 2$, are shown in Fig. 1.

Firstly, from these curves we note that if we increase the number of photons emitted by Alice (n), the probability that Eve measures correctly more than half the photons decreases and tends towards 0, and we have $\lim_{n \to \infty} P^{Ch(i)}_{>1/2}(n) = 0$ for $0 \le i \le 2$. Secondly, as the channel becomes noisy, the probability of the amount of information on the key owned by Eve becomes smaller as expected and we have the inequality for $5 \le n \le 60$:
$P^{Ch(0)}_{>1/2}(n) \le P^{Ch(1)}_{>1/2}(n) \le P^{Ch(2)}_{>1/2}(n)$ (12)

[Figure 1: curves $P^{Ch(2)}_{>1/2}$, $P^{Ch(1)}_{>1/2}$ and $P^{Ch(0)}_{>1/2}$; horizontal axis: number of photons sent by Alice, n (0 to 60); vertical axis: the probabilities $\{P^{Ch(i)}_{>1/2}(n),\ i = 0, 1, 2\}$]
Fig. 1. The probabilities $\{P^{Ch(i)}_{>1/2}(n),\ i = 0, 1, 2\}$ that Eve measures correctly more than half the photons transmitted by Alice when we change the channel's efficiency.

The curve $P_{>1/2}$ (noted also $P^{Eve(2)}_{>1/2}$) represents the function $n \mapsto P_{>1/2}(n)$ in the case when Eve is powerful; Eve performs the intercept-resend attack on all photons emitted by Alice. Thus, Eve measures all photons. Firstly this appears in the previous lines (8) and in the following line included in the module Quantum Channel:

    [eveput] (ch_state=2) -> (ch_state'=3)&(ch_bas'=eve_bas)&(ch_bit'=eve_bit);        (13)

Now, we change the lines (8) by the following ones with d1 = 0.7 and d2 = 0.3:

    [evemeasure] (eve_state=1)&(eve_bas=ch_bas)&(nc<n) ->
        d1 : (eve_state'=2)&(eve_bit'=ch_bit)&(nc'=nc+1)
        + d2 : (eve_state'=2)&(eve_bit'=ch_bit)&(nc'=nc);
    // guard and head of the first branch below are missing on the page;
    // restored here by analogy with the second command of lines (8)
    [evemeasure] (eve_state=1)&(eve_bas!=ch_bas)&(nc<n) ->
        LUCKY*d1 : (eve_state'=2)&(eve_bit'=ch_bit)&(nc'=nc+1)
        + LUCKY*d2 : (eve_state'=2)&(eve_bas'=ch_bas)&(eve_bit'=ch_bit)&(nc'=nc)
        + (1-LUCKY)*d1 : (eve_state'=2)&(eve_bit'=1-ch_bit)
        + (1-LUCKY)*d2 : (eve_state'=2)&(eve_bas'=ch_bas)&(eve_bit'=ch_bit);        (14)

Here, in the lines (14) in which the number d2 appears, Eve doesn't measure the photon intercepted, so she doesn't alter its state (base and bit). So the lines (14) and (13) model a medium attack of Eve because for several photons Eve doesn't measure. By modifying n in the interval [5, 60], we elaborate the curve $P_{>1/2}$; we note it by $P^{Eve(1)}_{>1/2}$.

When Eve does not measure a lot of photons, we simulate a weak attack of Eve; this is done by changing the numbers d1 and d2 in the lines (13) to d1 = 0.4 and d2 = 0.6. So, the new form of lines (14) and the line (13) illustrate a weak attack.

In this last case PRISM provides a curve of $P_{>1/2}$ noted $P^{Eve(0)}_{>1/2}$. The curves $P^{Eve(i)}_{>1/2}$, $0 \le i \le 2$, are represented in Fig. 2.

[Figure 2: curves $P^{Eve(2)}_{>1/2}$, $P^{Eve(1)}_{>1/2}$ and $P^{Eve(0)}_{>1/2}$; vertical axis: the probabilities $\{P^{Eve(i)}_{>1/2}(n),\ i = 0, 1, 2\}$]
Fig. 2. The probabilities $\{P^{Eve(i)}_{>1/2}(n),\ i = 0, 1, 2\}$ that Eve measures correctly more than half the photons transmitted by Alice when we change the Eve’s power.

From this figure, we remark that if we increase n, the number of photons transmitted by Alice, the probability that Eve measures correctly more than half the photons decreases too, and we have $\lim_{n \to \infty} P^{Eve(i)}_{>1/2}(n) = 0$, i = 0, 1, 2. Also, and more interesting, if the power of Eve becomes lower, the probability that Eve measures correctly more than half the photons becomes smaller. This is clearly shown by the inequality for $5 \le n \le 60$:

$P^{Eve(0)}_{>1/2}(n) \le P^{Eve(1)}_{>1/2}(n) \le P^{Eve(2)}_{>1/2}(n)$ (15)

6 CONCLUSION
Quantum Cryptography cryptosystems are very promising and the technology is improving more and more to fulfill requirements. But there is a huge need for testing and analysis of such systems due to their complexity. In this spirit, we have applied the technique of model checking to analyze the security of the B92 protocol. We have focused our effort on studying the property of the amount
of information on the key gained by an eavesdropper. By using the model checker PRISM we have obtained the following results:
- To decrease the probability that Eve measures correctly more than half the photons sent by Alice, it is clearly necessary to increase the number of the photons transmitted,
- If the quantum channel is noisy then the probability that Eve gained some information on the key decreases,
- If the power of Eve becomes bigger, the probability that Eve measures correctly more than half the photons sent increases.
In the end, the automatic model checker PRISM allows us to analyze the B92 protocol and this approach is adaptable to other protocols of Quantum Key Distribution. Also this approach is adequate to analyze heterogeneous cryptographic systems containing classical and quantum components.

REFERENCES
[1] Bennett, C.H., et al.: ‘Experimental quantum cryptography’, J. Cryptol., 1992, 5, pp. 3–28
[2] C.-Z. Peng et al., “Experimental free-space distribution of entangled photon pairs over 13 km: Towards satellite-based global quantum communication,” Phys. Rev. Lett., vol. 94, no. 15, pp. 150501-1–150501-4, Apr. 2005.
[3] D. Stucki, N. Gisin, O. Guinnard, G. Ribordy, and H. Zbinden, “Quantum key distribution over 67 km with a plug & play system,” New J. Phys., vol. 4, pp. 41.1–41.8, Mar. 2002.
[4] D. S. Naik, C. G. Peterson, A. G. White, A. J. Berglund, and P. G. Kwiat, “Entangled state quantum cryptography: Eavesdropping on the Ekert protocol,” Phys. Rev. Lett., vol. 84, no. 20, pp. 4733–4736, May 2000.
[5] arXiv: Quant-ph/0403104, 2004.
[6] R.J. Hughes, J.E. Nordholt, D. Derkacs, and C.G. Peterson, “Practical free space quantum key distribution over 10 km in daylight and at night,” New J. Phys., vol. 4, pp. 43.1–43.14, May 2002.
[7] C. H. Bennett (1992). Phys. Rev. Lett, 68, 3121 (1992).
[8] Tamaki, K., M. Koashi, and N. Imoto (2003). “Unconditionally secure key distribution based on two non orthogonal states,” Physical Review Letters 90, 167904 (2003), [preprint quant-ph/0210162].
[9] Tamaki, K., Lütkenhaus, N. (2003). “Unconditional Security of the Bennett 1992 quantum key-distribution over lossy and noisy channel,” Quantum Physics Archive: arXiv:quantph/0308048v2, 2003.
[10] Tamaki, K., Lütkenhaus, N., Koashi, M., and Batuwantudawe, J. (2006). “Unconditional security of the Bennett 1992 quantum key-distribution scheme with strong reference pulse,” Quantum Physics Archive: arXiv:quant-ph/0607082v1, 2006.
[11] D. Parker, G. Norman, and M. Kwiatkowska (2008). “PRISM 2.0 users’ guide,” February 2008. http://www.prismmodelchecker.org/doc/manual.pdf
[12] Nikolaos K. Papanikolaou (2004). “Techniques for Design and Validation of Quantum Protocols”, Coventry, September 2004, University of Warwick
[13] M. Elboukhari, M. Azizi, A. Azizi (2008). “Security Oriented Analysis of B92 by Model Checking”, in Proc. IEEE Int. Conf. new technology, mobility and security (NTMS), page 454-458, 2008
[14] M. Elboukhari, M. Azizi, A. Azizi, “Analysis of Quantum Cryptography Protocols by Model Checking”, IJUCS, Vol 1, pp. 34-40, 2010. http://www.hypersciences.org/IJUCS/Iss.1-2010/IJUCS-4-1-2010.pdf
[15] M. Elboukhari, M. Azizi, A. Azizi, “Analysis of the security of BB84 by Model Checking”, IJNSA International journal of Network Security & Its Applications, Vol 2, Number 2, pp. 88-98, april 2010. http://airccse.org/journal/nsa/0710ijnsa06.pdf
[16] R. Nagarajan and S. J. Gay. Formal Verification of Quantum Protocols. arXiv:quant-ph/0203086, March 2002.
[17] S. J. Gay, R. Nagarajan and N. Papanikolaou. Probabilistic Model-Checking of Quantum Protocols. arXiv:quant-ph/0504007, April 2005.
[18] S. J. Gay, N. Papanikolaou and R. Nagarajan. Model-Checking Quantum Protocols. August 2008.
[19] S. J. Gay, N. Papanikolaou and R. Nagarajan. QMC: a model checker for quantum systems. In: Proceedings of the 20th International Conference on Computer Aided Verification (CAV). Springer LNCS series, volume 5123, pages 543-547, 2008.
[20] R. Nagarajan, N. Papanikolaou, G. Bowen and S. J. Gay. An Automated Analysis of the Security of Quantum Key Distribution. arXiv:cs.CR/0502048, February 2005.
[21] D. Gottesman and H-K. Lo (2000). From Quantum Cheating to Quantum Security. Physics Today, 53(11), November 2000. quant-ph/0111100
[22] A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden, and N. Gisin (1997). “‘Plug and Play’ systems for quantum cryptography,” App. Phys. Lett., vol. 70, no. 7, 1997, see also http://www.idquantique.com

Mohamed Elboukhari received the DESA (diploma of high study) degree in numerical analysis, computer science and treatment of signal in 2005 from the University of Science, Oujda, Morocco. He is currently a PhD student in the University of Oujda in the field of computer science. His research interests include cryptography, quantum cryptography and wireless network security.

Mostafa Azizi received his diploma of State engineer in Automation and Industrial Computing in 1993 from the Mohammadia’s School of engineers at Rabat (Morocco) and obtained his PH.D in Computer Science in 2001 from the Université de Montréal (DIRO-FAS) at Montreal (Canada). He is currently professor at the University of Oujda (Morocco). He teaches several courses in the domain of computer science such as OOP, IA, RT-systems, Distributed Systems, TCP/IP, WEB, and Computers Security. He also supervises a number of Master/PH.D students. His research interests include: Verification/Coverification of real-time and embedded systems, Data communication and security, and Computer-aided management of industrial processes.

Abdelmalek Azizi obtained his first Doctorate in Number Theory in 1985 from the Mohammed Vth University at Rabat (Morocco). He then obtained a Ph.D. in the same domain in 1993 from the Laval University at Quebec (Canada). Since this date, he supervises the organization of the Doctoral studies in the research area of class field Theory and its Cryptography applications at the Mohammed First University at Oujda (Morocco). Currently, he is the head of the ACSA Research Laboratory (Arithmetic, Scientific Computation and Applications) at the Mohammed First University at Oujda (Morocco). His research interests are in several fields such as History of Mathematics and Cryptography in Morocco, Class Field Theory and its Applications to Cryptography and the Mathematical Didactics...