Study on the security of the authentication scheme with key recycling in QKD

Abstract

In quantum key distribution (QKD), the information theoretically secure authentication is necessary to guarantee the integrity and authenticity of the exchanged information over the classical channel. In order to reduce the key consumption, the authentication scheme with key recycling (KR), in which a secret but fixed hash function is used for multiple messages while each tag is encrypted with a one-time pad (OTP), is preferred in QKD. Based on the assumption that the OTP key is perfect, the security of the authentication scheme has be proved. However, the OTP key of authentication in a practical QKD system is not perfect. How the imperfect OTP affects the security of authentication scheme with KR is analyzed thoroughly in this paper. In a practical QKD, the information of the OTP key resulting from QKD is partially leaked to the adversary. Although the information leakage is usually so little to be neglected, it will lead to the increasing degraded security of the authentication scheme as the system runs continuously. Both our theoretical analysis and simulation results demonstrate that the security level of authentication scheme with KR, mainly indicated by its substitution probability, degrades exponentially in the number of rounds and gradually diminishes to zero.

Appendix: Estimation of the number of uncertain hash functions

Based on the information leakage of OTP key in the ith round of authentication, Eve can sift out a subset \({{\mathcal{H}_i}}\) of size \(n_0\) from \(\mathcal{H}\). After i rounds, the set of uncertain hash functions is decreased to \(S_i=\cap _{j = 1}^{i}{\mathcal{H}_j}\). Let \({X_i} = \left| S_i\right| - 1\), indicating the number of false hash functions. Suppose \({X_{i - 1}} = n_{i-1}\), the probability of \({X_i} = j\) satisfies the hypergeometrical distribution [15], i.e.,

$$\begin{aligned} {} P({X_i} = j|{X_{i - 1}} = {n_{i - 1}}) = \frac{{\left( {\begin{array}{ll} {{n_{i - 1}}}\\ j \end{array}} \right) \left( {\begin{array}{ll} {\left| \mathcal{H} \right| - 1 - {n_{i - 1}}}\\ {{n_0} - 1 - j} \end{array}} \right) }}{{\left( {\begin{array}{ll} {\left| \mathcal{H} \right| - 1}\\ {{n_0} - 1} \end{array}} \right) }} \end{aligned}$$

(11)

According to Eq. 11, the expected value of \(X_i\) on the condition that \(X_{i-1}=n_{i-1}\) can be deducted as Eq. 12.

$$\begin{aligned} {} \begin{aligned} E({X_i}|{X_{i - 1}}= {n_{i - 1}})&= \sum \limits _{j = 0} j \times P({X_i} = j|{X_{i - 1}} = {n_{i - 1}})\\&= \sum \limits _{j = 0} {j\frac{{\left( {\begin{array}{ll} {{n_{i - 1}}}\\ j \end{array}} \right) \left( {\begin{array}{ll} {\left| \mathcal{H} \right| - 1 - {n_{i - 1}}}\\ {{n_0} - 1 - j} \end{array}} \right) }}{{\left( {\begin{array}{ll} {\left| \mathcal{H} \right| - 1}\\ {{n_0} - 1} \end{array}} \right) }}}\\&= \frac{{{n_0} - 1}}{{\left| \mathcal{H} \right| - 1}} \times {n_{i - 1}}\;\sum \limits _{j = 1} {\frac{{\left( {\begin{array}{ll} {{n_{i - 1}} - 1}\\ {j - 1} \end{array}} \right) \left( {\begin{array}{ll} {\left| \mathcal{H} \right| - 1 - {n_{i - 1}}}\\ {{n_0} - 1 - j} \end{array}} \right) }}{{\left( {\begin{array}{ll} {\left( {\left| \mathcal{H} \right| - 1} \right) - 1}\\ {\left( {{n_0} - 1} \right) - 1} \end{array}} \right) }}} \\&= \frac{{{n_0} - 1}}{{\left| \mathcal{H} \right| - 1}} \times {n_{i - 1}}\;\frac{{\sum \limits _{j = 1} {\left( {\begin{array}{ll} {{n_{i - 1}} - 1}\\ {j - 1} \end{array}} \right) \left( {\begin{array}{ll} {\left| \mathcal{H} \right| - 1 - {n_{i - 1}}}\\ {{n_0} - 1 - j} \end{array}} \right) } }}{{\left( {\begin{array}{ll} {\left( {\left| \mathcal{H} \right| - 1} \right) - 1}\\ {\left( {{n_0} - 1} \right) - 1} \end{array}} \right) }}\\&= \frac{{{n_0} - 1}}{{\left| \mathcal{H} \right| - 1}} \times {n_{i - 1}}\frac{{\left( {\begin{array}{ll} {\left( {\left| \mathcal{H} \right| - 1} \right) - 1}\\ {\left( {{n_0} - 1} \right) - 1} \end{array}} \right) }}{{\left( {\begin{array}{ll} {\left( {\left| \mathcal{H} \right| - 1} \right) - 1}\\ {\left( {{n_0} - 1} \right) - 1} \end{array}} \right) }}\\&= \;\frac{{{n_0} - 1}}{{\left| \mathcal{H} \right| - 1}} \times {n_{i - 1}}\; \end{aligned} \end{aligned}$$

(12)

Let \(\frac{{{n_0} - 1}}{{\left| \mathcal{H} \right| - 1}} = \eta \), \(E({X_i}|{X_{i - 1}} = {n_{i - 1}}) = \eta \times {n_{i - 1}}\). Consequently, the value of \(X_i\) can be estimated as Eq. 13 according to the law of total probability.

$$\begin{aligned} \begin{aligned} {X_i}&\approx E\left[ {{X_i}} \right] \\&= \sum \limits _j {j \times P\left( {{X_i} = j} \right) } \\&= \sum \limits _j {j \times \sum \limits _k {P\left( {{X_i} = j} \right) \left| {P\left( {{X_{i - 1}} = k} \right) } \right. } } P\left( {{X_{i - 1}} = k} \right) \\&= \sum \limits _k {P\left( {{X_{i - 1}} = k} \right) \sum \limits _j {j \times P\left( {{X_i} = j} \right) \left| {P\left( {{X_{i - 1}} = k} \right) } \right. } } \\&= \sum \limits _k {P\left( {{X_{i - 1}} = k} \right) E\left( {{X_i}\left| {{X_{i - 1}} = k} \right. } \right) } \\&= \sum \limits _k {P\left( {{X_{i - 1}} = k} \right) \times \eta } \times k\\&= \eta \sum \limits _k {k \times P\left( {{X_{i - 1}} = k} \right) }\\&= \eta E\left( {{X_{i - 1}}} \right) \\&= {\eta ^2}E\left( {{X_{i - 2}}} \right) = \cdots = {\eta ^i}E\left( {{X_0}} \right) = {\eta ^i}{n_0} \end{aligned} \end{aligned}$$

(13)

Therefore, the value of \(Y_i\) can be estimated as Eq. 14

$$\begin{aligned} {Y_i} \approx E\left[ {{Y_i}} \right] = E\left[ {{X_i} + 1} \right] = {n_0}{\eta ^i} + 1. \end{aligned}$$

(14)