Description
Modern cryptography fundamentally relies on mathematical and computational hardness assumptions that remain unproven. Public-key cryptosystems such as RSA [1] and Diffie-Hellman key exchange [2] base their security on the presumed difficulty of inverting one-way and trapdoor one-way functions [3, 4], in particular on integer factorization, discrete logarithms, and related number-theoretic problems [4, 5]. While no efficient classical algorithms for these problems are known, the assumption that none exists has no formal mathematical proof [3]. Moreover, Shor's algorithm shows that a sufficiently large, fault-tolerant quantum computer could solve both factoring and discrete logarithms in polynomial time, breaking most currently deployed public-key schemes [6, 3]. Post-quantum cryptography mitigates this risk by moving to new hardness assumptions, for example lattice-based constructions, but it still offers only computational, not information-theoretic, security [7].
Quantum key distribution (QKD) addresses the key-distribution problem from a fundamentally different angle. Instead of relying on unproven complexity assumptions, QKD leverages physical principles, namely the no-cloning theorem [8] and measurement-induced disturbance [9], to guarantee that any eavesdropping attempt leaves detectable traces in the form of errors between the legitimate parties' data. This idea traces back to Wiesner's conjugate coding [10] and was first formulated as a cryptographic protocol in the prepare-and-measure BB84 scheme by Bennett and Brassard [11], in which the sender encodes each bit in one of two mutually unbiased bases and the receiver measures in a randomly chosen basis, keeping only the rounds in which both bases agree. Shortly thereafter, Ekert demonstrated that entanglement and Bell inequalities can be used to establish secret keys in the E91 protocol [12], highlighting that non-classical correlations themselves can certify security. Building on these foundations, Bruß proposed the Six-State protocol, which extends BB84 to three mutually unbiased bases (the eigenbases of the three Pauli operators) and offers stronger security against optimal individual attacks at the cost of reduced efficiency: only one third of the transmitted qubits survive sifting instead of one half [13].
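To make the efficiency-versus-disturbance trade-off between BB84 and the Six-State protocol concrete, the following Python simulation is an added example and not code from this work. It runs the prepare-and-measure exchange with explicit single-qubit state vectors, an optional intercept-resend eavesdropper who guesses a basis from the protocol's own basis set and forwards the collapsed state, and computes the sift rate and the quantum bit error rate (QBER) on the sifted key. The names `BASES`, `PROTOCOLS`, `measure` and `run` are the example's own. It models only the simple intercept-resend attack, not the cloning or learning-based attacks discussed further below.

```python
import math
import random
from typing import Dict, List, Tuple

Vec = Tuple[complex, complex]
S = 1 / math.sqrt(2)

# Three mutually unbiased single-qubit bases (eigenbases of Pauli Z, X and Y).
# Each basis lists the state encoding bit 0 and the state encoding bit 1.
BASES: Dict[str, Tuple[Vec, Vec]] = {
    "Z": ((1, 0), (0, 1)),
    "X": ((S, S), (S, -S)),
    "Y": ((S, 1j * S), (S, -1j * S)),
}

# BB84 uses two of the bases, the Six-State protocol all three.
PROTOCOLS: Dict[str, List[str]] = {"BB84": ["Z", "X"], "six-state": ["Z", "X", "Y"]}


def amplitude(bra: Vec, ket: Vec) -> complex:
    """Inner product <bra|ket> of two single-qubit state vectors."""
    return bra[0].conjugate() * ket[0] + bra[1].conjugate() * ket[1]


def measure(state: Vec, basis: str, rng: random.Random) -> Tuple[int, Vec]:
    """Projective measurement of `state` in `basis`.

    Returns the observed bit and the post-measurement state: the qubit
    collapses onto the observed eigenstate, so measuring in the wrong basis
    both randomises the outcome and disturbs the state that is passed on.
    """
    e0, e1 = BASES[basis]
    p0 = abs(amplitude(e0, state)) ** 2
    bit = 0 if rng.random() < p0 else 1
    return bit, (e0, e1)[bit]


def run(protocol: str, n: int, eve: bool, rng: random.Random) -> Dict[str, float]:
    """Simulate n prepare-and-measure rounds; return sift rate and QBER.

    Alice encodes a random bit in a random basis; an optional intercept-resend
    Eve measures in a basis drawn from the same set and forwards the collapsed
    state; Bob measures in a random basis. Only rounds in which Alice and Bob
    used the same basis survive sifting; the QBER is the error fraction there.
    """
    bases = PROTOCOLS[protocol]
    sifted = errors = 0
    for _ in range(n):
        a_bit, a_basis = rng.randrange(2), rng.choice(bases)
        state = BASES[a_basis][a_bit]
        if eve:
            _, state = measure(state, rng.choice(bases), rng)  # resend collapsed state
        b_basis = rng.choice(bases)
        b_bit, _ = measure(state, b_basis, rng)
        if a_basis == b_basis:
            sifted += 1
            errors += int(a_bit != b_bit)
    return {
        "sift_rate": sifted / n,
        "qber": errors / sifted if sifted else 0.0,
    }


if __name__ == "__main__":
    # Analytical values the simulation should approach: BB84 sifts 1/2 of the
    # rounds and intercept-resend causes a QBER of 1/4; Six-State sifts 1/3 of
    # the rounds, but the same attack now causes a QBER of 1/3 because Eve
    # guesses the wrong basis in 2/3 of the rounds and each wrong guess flips
    # Bob's sifted bit with probability 1/2.
    for name in PROTOCOLS:
        for with_eve in (False, True):
            print(name, "eve" if with_eve else "no eve",
                  run(name, 20000, with_eve, random.Random(42)))
```

Without Eve the QBER is zero for both protocols, since an eigenstate measured in its own basis is reproduced exactly; real hardware adds the noise floor discussed in the next paragraph, which is why a fixed abort threshold rather than "any error" is used in practice. The numbers with Eve show the trade-off in the abstract above: the Six-State protocol makes the same attack one third more visible (QBER 1/3 versus 1/4) at the price of a third fewer sifted bits.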
Despite these strong theoretical guarantees, practical QKD implementations operate in a non-ideal world. Optical losses, detector imperfections such as dark counts and afterpulsing, and environmental noise introduce quantum bit errors even in the absence of an adversary [5, 14], so a non-zero QBER cannot by itself be attributed to eavesdropping. At the same time, realistic eavesdroppers are not limited to simple intercept-resend attacks: they may use quantum memories, approximate cloning, or even quantum machine-learning (QML) techniques to adapt their strategies to specific hardware imperfections and channel asymmetries [7, 15]. Recent industrial systems, such as ID Quantique's Clavis XG or Toshiba's decoy-state BB84 platforms, demonstrate that QKD is leaving the laboratory and entering carrier-grade networks, but they also expose a complex interplay between protocol choice (BB84 vs. Six-State), physical noise, and implementation details.
In this work, BB84 and the Six-State protocol are studied under realistic noise models and advanced adversarial scenarios, with the goal of quantifying their robustness against QML-based individual attacks in a finite-key setting. The analysis is deliberately conservative: Eve is assumed to possess a fault-tolerant quantum computer capable of implementing arbitrary two-qubit unitaries and variational circuits, but not a long-lived quantum memory capable of storing photonic qubits until sifting and parameter estimation have taken place. This assumption reflects the state of current quantum memory technology and the fact that practical QKD implementations can delay sifting and parameter estimation, rendering stored quantum states unusable due to decoherence. Within this threat model, an important question is whether a learning-based eavesdropper can in practice approach or surpass known optimal individual attacks such as phase-covariant cloning, and whether the Six-State protocol, motivated by Bruß's and Abruzzo's entanglement-based security analyses [13, 16], provides a tangible security margin over BB84 once realistic noise and post-processing are taken into account.