Satellite Quantum Communications When Man-in-the-Middle Attacks Are Excluded

Cryptographic key distribution is a major application of quantum communication. Such schemes typically use measurements of quantum states of photons shared between two remote parties to allow both sides to derive shared entropy that can be quantitatively assessed to be private. This shared entropy may be used as keying material for use as one time pads [1] or as seed keys for symmetric encryption [2]. Quantum key distribution relies on the transmission of single photons so many photons must be distributed to generate a key over lossy channels. For shorter distances and metropolitan regions photons can be distributed between parties using optical fibres, but for global distances satellite-based nodes become more practical [3]. For quantum communication from satellites, and other moving platforms, photons are distributed using free space optics (FSO).

Quantum key distribution schemes [4,5] have extremely strong security guarantees due to minimal assumptions on the capabilities of the technology available to potential eavesdroppers—essentially any attack permitted by the laws of physics is deemed possible. Although typically the two communicating parties must trust the quantum key distribution (QKD) hardware within their control, they need not trust the optical channel between them because they can detect any attempt at eavesdropping and any man-in-the-middle attacks on the channel using statistical tests that are inherent to the QKD process. These tests require a fraction of the received photons to be discarded such that they cannot be used in the final keying material. This discarding arises in processes such as basis reconciliation, parameter estimation and privacy amplification. In many situations these discarded photons and slower key rates are a necessity for security e.g., in a metropolitan environment where QKD is performed over optical fibres which pass through many ducts and underground passages where, in principle, eavesdropping can take place.

For the case of satellite QKD (and other FSO delivery methods), where there is a direct line of sight, these measures seem to be harder to justify. To compromise the security of the link, other than disrupting it through denial-of-service attacks, an adversary would have to act as a man-in-the-middle. We argue that performing this attack for an optical link between a low earth orbit (LEO) satellite and ground station would be physically possible, but technically not feasible for most adversaries. It requires intercepting and re-sending a beam that is only a few metres across and rapidly tracking across the sky without being detected. Practical satellite-ground links employ dual tracking beacons to establish the required high accuracy pointing link, effectively providing a channel monitoring system. Additional hardware may be deployed to monitor the channel in other wavelengths, e.g., radar systems or thermal imaging cameras. Furthermore, space-situational awareness has led to publicly accessible catalogues that provide ephemeris data of orbiting space objects which are frequently updated, making it possible to assess if any (publicly known) satellites can threaten the link in space. If users fear that their adversaries could have technologies which can covertly intercept the link they could of course use QKD; other users can relax their threat assumptions. In light of the above we thus focus only on passive eavesdroppers, attackers which cannot be detected by channel monitoring techniques. As we will show, using this updated threat model simplifies the key delivery protocol.

In this paper we term the simplified quantum communication schemes that address this scenario as ‘photon key distribution’ (PKD) so as to separate them from conventional QKD protocols. Some more recent QKD schemes, where the security proofs may not yet be completely agreed, may also prove to be somewhere on the PKD to QKD spectrum depending on the security assumptions they require. While most QKD schemes use two bases for encoding, in our PKD schemes only a single encoding basis is used since mixed bases are primarily a mechanism to detect man-in-the-middle attacks. This avoids the basis reconciliation sifting stage and so is more efficient in its use of photons.

Sasaki et al. have previously discussed the opportunity for simplified cryptography schemes that fall between QKD and laser communications [6]. As they explain QKD (and PKD) fit within the wider field of physical layer security methods. These encompass such techniques as wiretap channels [7] and radio frequency equivalents [8], to laser-based methods that actively quantify the amount of information an eavesdropper can receive [9]. Our exploration of PKD here builds on the ideas put forward by Sasaki et al.

In this paper we look at the asymptotic secret key rates at high losses (i.e., long distance free space links) for three QKD schemes using three different kinds of transmitter hardware, and compare this to three simplified PKD schemes that use similar hardware. The simplified schemes are primarily targeted at satellite applications and all assume that a covert man-in-the-middle attack has been assessed to be non-existent. As expected, they are all found to remain effective at higher losses than their QKD counterparts.

Table 1 shows a summary of the hardware types and corresponding QKD and PKD methods considered. Figure 1 shows a comparison of the quantum bit error rate (QBER) and bits per pulse achieved with these methods at increasing distances (losses). In this way the results can be presented independently of the pulse rate of any particular hardware setup. Although we use the term ‘pulse’ here for straightforwardness of comparison, the spontaneous parametric down conversion (SPDC) sources we consider are operated by a continuous-wave pump, i.e., not pulsed, and produce photon pairs on a stochastic basis, so ‘detection events’ would be the more appropriate term. Figure 1a,b show that for QKD protocols (BB84, BBM92) there is a sharp drop off in key rate as losses increase. At high losses more key has to be discarded in privacy amplification than is available so the secure key rate drops to zero. This does not happen in the PKD equivalents as it is assumed that there are no active man-in-the-middle attacks, and so privacy amplification is only required for multi-photon pulses.

The results are discussed in the sections below based on the different hardware types. General assumptions were that space-based detectors have 15,000 dark counts per second while ground-based detectors have 2500 dark counts per second. This was based on pessimistic cases for single photon detectors before and after radiation damage [10]. Furthermore, ground-based detectors were assumed to have an additional 1000 background counts per second due to scattered light entering the receiver. This was slightly more conservative than noise counts estimated in recent literature [11]. All sources were assumed to have perfect visibility, e.g., for a SPDC source this means it was assumed to produce perfectly entangled states.

The decoy state BB84 equations used are those published in reference [14], and the BBM92 equations are those from reference [26].

The equation for PPM PKD is derived from the Devetak–Winter bound for collective attack for a simplified coherent one way (COW) PPM scheme with decoys from Appendix B of reference [27]. All parts due to decoy are set to neutral, and an error correction term is added to the equation. The final key rate is thus

where g(ζ) is a privacy amplification term corresponding to the optimized mean photon number μopt=ζ1−t. η is the detection efficiency, fsource is the source frequency and t is the transmissivity.

The approach presented in this paper can be applied to key distribution, not only when using satellites, but also in other types of FSO-based systems. For example, in ad-hoc networks where the transmitter and receiver can visually identify each other, it may be straightforward to assess the absence of a man-in-the-middle and use PKD type protocols to establish a secret key. If the possibility of man-in-the-middle attacks can be excluded or monitored by conventional means, then PKD protocols can allow for secure key distribution using quantum communication methods at increased losses using similar or simplified hardware. In a practical key distribution scenario, it is worthwhile to have a better specification of the threat model and to devote efforts in closing physical side-channels, rather than attempting to defeat a hypothetical quantum adversary. Finally, we remark that using QKD hardware it may be possible to switch to a PKD protocol when the channel is assessed to be free of active attacks, and thus increase key distribution rates.

A patent has been filed for the heralded source key distribution method.

We thank Charles Lim and Ignatius William Primaatmaja for their valuable feedback and suggestions.

The following abbreviations are used in this manuscript:

Conceptualization: R.B., J.A.G. and A.L.; Data curation: T.V.; formal analysis: T.V.; funding acquisition: A.L.; Investigation: T.V.; methodology: T.V.; project administration: R.B. and A.L.; resources: A.L.; software: T.V.; supervision: R.B. and A.L.; validation: T.V.; visualization: T.V.; writing—original draft: T.V. and R.B.; writing—review and editing: T.V., R.B., J.A.G. and A.L.

This work is partially supported by the National Research Foundation, Prime Minister’s Office, Singapore (under the Research Centres of Excellence programme and through Award No. NRF-CRP12-2013-02).

The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript, or in the decision to publish the results.