On the optimality of individual entangling-probe attacks against BB84 quantum key distribution

I. M. Herbauts; S. Bettelli; H. Hübel; M. Peev

doi:10.1140/epjd/e2008-00002-x

2024 Impact factor 1.5

Atomic, Molecular, Optical and Plasma Physics

Highlight

Eur. Phys. J. D 46, 395-406 (2008)
https://doi.org/10.1140/epjd/e2008-00002-x

On the optimality of individual entangling-probe attacks against BB84 quantum key distribution

I. M. Herbauts¹^a, S. Bettelli², H. Hübel¹ and M. Peev²

¹ Quantum Optics, Quantum Nanophysics and Quantum Information, Faculty of Physics, University of Vienna, Boltzmanngasse 5, 1090 Vienna, Austria
² Austrian Research Centers GmbH - ARC, Donau-City-Straße 1, 1220 Vienna, Austria

Corresponding author: ^a isabelle.herbauts@univie.ac.at

Received: 12 November 2007
Published online: 9 January 2008

Abstract

Some MIT researchers [Phys. Rev. A 75, 042327 (2007)] have recently claimed that their implementation of the Slutsky-Brandt attack [Phys. Rev. A 57, 2383 (1998); Phys. Rev. A 71, 042312 (2005)] to the BB84 quantum-key-distribution (QKD) protocol puts the security of this protocol “to the test” by simulating “the most powerful individual-photon attack” [Phys. Rev. A 73, 012315 (2006)]. A related unfortunate news feature by a scientific journal [G. Brumfiel, Quantum cryptography is hacked, News @ Nature (april 2007); Nature 447, 372 (2007)] has spurred some concern in the QKD community and among the general public by misinterpreting the implications of this work. The present article proves the existence of a stronger individual attack on QKD protocols with encrypted error correction, for which tight bounds are shown, and clarifies why the claims of the news feature incorrectly suggest a contradiction with the established “old-style” theory of BB84 individual attacks. The full implementation of a quantum cryptographic protocol includes a reconciliation and a privacy-amplification stage, whose choice alters in general both the maximum extractable secret and the optimal eavesdropping attack. The authors of [Phys. Rev. A 75, 042327 (2007)] are concerned only with the error-free part of the so-called sifted string, and do not consider faulty bits, which, in the version of their protocol, are discarded. When using the provably superior reconciliation approach of encrypted error correction (instead of error discard), the Slutsky-Brandt attack is no more optimal and does not “threaten” the security bound derived by Lütkenhaus [Phys. Rev. A 59, 3301 (1999)]. It is shown that the method of Slutsky and collaborators [Phys. Rev. A 57, 2383 (1998)] can be adapted to reconciliation with error correction, and that the optimal entangling probe can be explicitly found. Moreover, this attack fills Lütkenhaus bound, proving that it is tight (a fact which was not previously known).