ETSI GS QKD 005 V1.1.1 (2010-12)

Group Specification

Quantum Key Distribution (QKD); Security Proofs

Disclaimer

This document has been produced and approved by the Quantum Key Distribution (QKD) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

Reference: DGS/QKD-0005_SecProofs

Keywords: protocol, Quantum Key Distribution, security

Important notice

Individual copies of the present document can be downloaded from: http://www.etsi.org

The present document may be made available in more than one electronic version or in print. In any case of existing or perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF). In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced except as authorized by written permission. The copyright and the foregoing restriction extend to reproduction in all media.

European Telecommunications Standards Institute 2010. All rights reserved.

Contents

Intellectual Property Rights
Foreword
Introduction
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions, symbols and abbreviations
3.1 Definitions
3.2 Symbols
3.3 Abbreviations
4 Security Definition
4.1 What QKD delivers
4.2 Structure of QKD protocols
4.3 Framework for Security Statements of QKD Implementations
4.4 Scientific Security proof framework
4.4.1 Security Assumptions on Devices
4.4.2 Assumptions on Adversary
4.5 Modelling, Assumptions and Side Channels
4.5.1 Source
4.5.2 Detection unit
4.6 Classical assumptions (shielding, electronic side-channels)
4.7 Classical protocol
4.7.1 Sifting
4.7.2 Error estimation
4.7.3 Error Correction (Reconciliation)
4.7.4 Confirmation
4.7.5 Privacy Amplification
4.7.6 Authentication
4.7.7 Common Sources of Mistakes in Classical Protocols
Annex A (informative): Authors

Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards”, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://webapp.etsi.org/IPR/home.asp).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Specification (GS) has been produced by ETSI Industry Specification (ISG) Group Quantum Key Distribution (QKD).

Introduction

The present document shall define the generic requirements for quantum information theoretic security proofs of quantum cryptography. It shall serve as a reference for the construction of requirements and evaluation criteria for practical security evaluation of quantum key distribution (QKD) systems. In contrast to conventional cryptography which is often based on computational assumptions, quantum cryptography, notably QKD, offers “unconditional
security” based on the laws of physics. To deliver such promise, demonstrating security by means of a security proof is an important aspect of quantum cryptography. Security proofs of quantum cryptography and their applicability have to be addressed with extreme care and precision primarily for two reasons. First, the security definition of a quantum cryptographic protocol is rather subtle. Second, it is often challenging to enforce assumptions in a security proof of a quantum cryptographic protocol in a practical quantum cryptographic system. Notice that any seemingly minor or innocent violation of an assumption in a security proof might be exploited by an adversary with disastrous consequences on the security of a practical QKD system. The above two points: i) the subtlety in security definitions; and ii) the challenges to enforce assumptions in a practical QKD system, shall be the two main themes of the present document.

1 Scope

Quantum key distribution (QKD) comprises technologies that use quantum mechanical effects to distribute private keys to distant partners.

The goals of the present document are as follows:

- to make precise the nature of the security claim, including its statistical component;
- to list meaningful restrictions of adversarial action;
- to clarify the difference between security claim of a protocol (based on models) and the security claim of its implementation;
- to carefully list all the usual components of a QKD protocol with their critical characterizations.

The present document is developed by the QKD ISG group, in which experts of QKD theory and practice participate.

With the goals identified above, the present document shall help to:

- clarify the role QKD devices can play in a security infrastructure given the exact nature of their security claim;
- classify QKD devices regarding the security level they can achieve;
- clarify which parameters need to be monitored continuously or periodically to assure the generation of a secret key for the different security levels.

On the other hand, the present document will not try to do the following:

- to give specific parameters for successful QKD as these numbers change with time;
- to endorse particular security proofs.

2 References

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the reference document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee their long term validity.

2.1 Normative references

The following referenced documents are necessary for the application of the present document.

[1] ETSI GS QKD 008: “Quantum Key Distribution (QKD); QKD Module Security Specification”.

2.2 Informative references

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dusek, N. Lütkenhaus, M. Peev: “The security of practical quantum key distribution”, Reviews of Modern Physics, Vol. 81, July-September 2009, pages 1301-1350. And references therein.

3 Definitions, symbols and abbreviations

3.1 Definitions

For the purposes of the present
document, the following terms and definitions apply:

advantage distillation: preprocessing of partially compromised data that involves two-way communications between two users, Alice and Bob

adversary: malicious entity in cryptography whose aim is to prevent the users of the cryptosystem from achieving their goals

Alice: legitimate entity who sends the data

ancilla: auxiliary (quantum mechanical) system

attacks: any action that aims at compromising the security of information

attenuation: reduction in intensity of the light beam (or signal)

authentication: used as short term for message authentication: act of establishing or confirming that some message indeed originated from the entity it is claimed to come from and was not modified during transmission

bit commitment: scenario where Alice commits some message to Bob without being able to change it at a later stage, while Bob cannot read the message until authorized by Alice

bit error rate: percentage of bits with errors divided by the total number of bits that have been transmitted, received or processed over a given time period

Bob: legitimate entity who wishes to communicate securely with Alice and receives data from her

classical public channel: insecure communication channel, for example broadcast radio or internet, where all messages sent over this channel become available to all parties, including adversaries

clock rate: number of repetition events per time unit, e.g. number of signals sent per time unit

collective attack: attack where an adversary lets each individual signal interact with an ancilla each, but can perform joint operation on all the ancillas to extract information

composability: property that the output of one cryptographic protocol can be used by another cryptographic protocol in such a way that the security proof can be done for each protocol independently

conjugate variables: term in quantum mechanics characterizing mutually exclusive sets of properties, where the perfect knowledge of one blurs completely the other set of properties

cryptography: art and science of keeping data or messages secure

cryptographic primitives: fundamental protocols from which cryptographic applications can be composed

dark count: false alarm of a detector
NOTE: A detector may falsely give a detection event when the input state contains no photon.

dead time: duration after a detection event when a detector is inactive

decoding: process by which a receiver extracts the secret message from the publicly transmitted data

decoy state: legitimate user intentionally and randomly replaces the usual protocol signals by different signals to test the channel action

depolarization channel: quantum channel which has the same probability for each of the three types (X, Y and Z) of errors

detection efficiency: probability that an incident light photon produces a detection event

detection time: time at which a corresponding detector detects a photon

detector saturation: limit of detection frequency at which a detector can detect photons

device model: physical model of a device to capture the essential behaviour

distillation: distillation of a key which means the extraction of a secure key from some partially compromised data

eavesdropping: act of attempting to listen to the private conversation of others without their consent

encoding: process of mapping a secret message into a publicly accessible set of data from which the rightful user can decode the secret message again

entanglement: property of quantum mechanical systems that shows correlations between two physical systems that cannot be explained by classical physics

error correction: process of correcting errors in data that may have been corrupted due to errors during transmission or in storage

entropy: measure of uncertainty regarding information

Eve: adversarial entity who eavesdrops on the data in a quantum or classical link

gating mode: operation mode of photodetectors in which the detector can be triggered by a signal only during a specified time interval

homodyne detection: method of detecting a weak frequency-modulated signal through mixing with a strong reference frequency-modulated signal (so-called local oscillator)

individual attack: attack where Eve lets each signal interact separately with its own ancilla, and keeps the ancillas apart at later times
NOTE: A slightly different definition is used in Scarani et al. [i.1].

key establishment: procedure, conducted by two or more participants, which culminates in the derivation of keying material by all participants
NOTE: Key establishment can be based on pre-shared keys or on public key schemes.

key generation: process of generating secret keys for cryptography

key rate: rate of shared secret key generation resulting from a Quantum Key Distribution process

measurement: quantum mechanical process of reading out information from a quantum system
NOTE: The outcome of a measurement is always a classical event chosen from a set of mutually exclusive events.

multi-photon signal: optical signal containing more than one photon

permutation: change in the order of elements of a sequence of data

phase encoding: method of encoding qubits using optical phase differences between optical pulses

photon number: number of photons in a pulse

photon number resolution: ability of a photo-detection process to distinguish not only between no photon and one or more photons, but being able to distinguish between 0, 1, 2, 3, ... photons

polarization: property of electromagnetic waves that describes the orientation of the oscillating electric field vector

privacy amplification: process of distilling secret keys from partially compromised data

private keys: keys known only to the rightful users

private states: quantum mechanical states from which private keys can be generated

protocol: list of steps to be performed by the participating entities to reach their goal

public announcement: messages sent over the public channel during a protocol

quantum channel: communication channel which can transmit quantum information, that is, it can transmit signals that need to be described by quantum mechanics

quantum error correction codes: coding procedures for quantum states to protect them against errors during transmission or storage

quantum key distribution: procedure or method for generating and distributing symmetrical cryptographic keys with information theoretical security based on quantum information theory

quantum mechanics: physical theory that describes natural phenomena

quantum mechanical state: complete description of a physical system in quantum mechanics

quantum memories: device that can store and retrieve quantum mechanical states

quantum signal: signal described by a quantum mechanical state

quantum st