Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol

A semiquantum key distribution (SQKD) protocol makes it possible for a quantum party and a classical party to generate a secret shared key. However, many existing SQKD protocols are not experimentally feasible in a secure way using current technology. An experimentally feasible SQKD protocol, “classical Alice with a controllable mirror” (the “Mirror protocol”), has recently been presented and proved completely robust, but it is more complicated than other SQKD protocols. Here we prove a simpler variant of the Mirror protocol (the “simplified Mirror protocol”) to be completely non-robust by presenting two possible attacks against it. Our results show that the complexity of the Mirror protocol is at least partly necessary for achieving robustness.


Introduction
Quantum key distribution (QKD) protocols allow two parties, Alice and Bob, to share a secret random key that is secure even against the most powerful adversaries. Semiquantum key distribution (SQKD) protocols achieve the same goal even if one of the two parties (Alice or Bob) is limited to use only classical operations: the classical party can use only the computational basis $\{|0\rangle, |1\rangle\}$, while the quantum party can use any basis (for example, both the computational basis and the Hadamard basis $\{|+\rangle = \frac{|0\rangle+|1\rangle}{\sqrt{2}}, |-\rangle = \frac{|0\rangle-|1\rangle}{\sqrt{2}}\}$). As explained in [1,2], the importance of SQKD protocols is both conceptual and practical: they make it possible to investigate the amount of "quantumness" needed for QKD, and they may, in some cases, be easier to implement than standard QKD protocols.
The first SQKD protocol was "QKD with classical Bob" [1]. Later, other SQKD protocols have been suggested, including "QKD with classical Alice" [3,4] and many others (e.g., [2,5–9]). Most SQKD protocols have been proven "robust": namely [1], if the adversary Eve succeeds in getting some secret information, she must cause some errors that may be noticed by Alice and Bob. A few SQKD protocols also have a security analysis [10–13]. Proving robustness is a step towards proving security; proving the security of SQKD protocols is difficult because those protocols are usually two-way: for example, Alice sends a quantum state to Bob, and Bob performs a specific classical operation and sends the resulting quantum state back to Alice.
However, many SQKD protocols, including [1,3], are vulnerable to practical attacks and cannot be experimentally constructed in a secure way using current technology. An important classical operation of those protocols is named SIFT. The definition of a SIFT operation performed by Alice (assuming that Alice is the classical party) is as follows: Alice measures the incoming quantum state in the computational basis $\{|0\rangle, |1\rangle\}$ and then generates the state she measured and resends it towards Bob. Security of those SQKD protocols relies on the assumption that during the SIFT operation, Alice's measurement devices can measure the precise states $\{|0\rangle, |1\rangle\}$ and distinguish those precise states from any imperfect similar state, and Alice's photon generation devices can generate the precise states $\{|0\rangle, |1\rangle\}$ and not any other (imperfect) state. In particular, the generated states $\{|0\rangle, |1\rangle\}$ must be indistinguishable from states that Alice reflects towards Bob. Using current photonic technology, Alice's devices are imperfect, which makes this assumption incorrect and makes possible attacks by the eavesdropper Eve: for example, Eve may send a slightly modified state towards Alice (a "tagging attack") or may distinguish between the states sent by Alice. Full details about those practical attacks are available in [14–16].
An experimentally feasible SQKD protocol named "classical Alice with a controllable mirror" (the "Mirror protocol") has recently been presented [16]. This protocol is safe against the "tagging" attack presented by [14]. Moreover, the protocol was proved by [16] to be completely robust against any attacker Eve, even if Eve is all-powerful and limited only by the laws of physics, and even if Eve can send multi-photon pulses. The robustness proof is still correct even if the detectors of Alice and Bob cannot count how many photons arrive in each mode: namely, when either Alice or Bob looks at a detector, which detects a specific mode, they can only notice whether it "clicks" (detects one photon or more in that mode) or not (finds the mode to be empty). This is the standard situation when using current technology.
In this paper, we present a simpler variant of the Mirror protocol (the "simplified Mirror protocol"), which is easier to implement. Our variant allows the classical party, Alice, to choose one of three operations, while the Mirror protocol allows Alice to choose one of four operations. We present two attacks against this variant, proving it to be non-robust. Our results show that the four classical operations allowed by the Mirror protocol are probably necessary for robustness.
In Section 2 we present the Mirror protocol described by [16]. In Section 3 we present the simplified Mirror protocol and its motivation. In Section 4 we prove the simplified Mirror protocol to be non-robust by presenting two attacks against it: a full attack and a weaker attack. In Section 5 we discuss potential implications of our results.

The Mirror Protocol
For describing the Mirror protocol (presented by [16]), we assume a photonic implementation consisting of two modes: the mode of the qubit state $|0\rangle$ and the mode of the qubit state $|1\rangle$ (below we call them "the $|0\rangle$ mode" and "the $|1\rangle$ mode", respectively). For example, the $|0\rangle$ mode and the $|1\rangle$ mode can represent two different polarizations or two different time bins. We use the Fock space notations: if there is exactly one photon (and, thus, our Hilbert space is the qubit space), the Fock state $|0,1\rangle$ (equivalent to $|0\rangle$) represents one photon in the $|0\rangle$ mode, and the Fock state $|1,0\rangle$ (equivalent to $|1\rangle$) represents one photon in the $|1\rangle$ mode. We can extend the qubit space to a 3-dimensional Hilbert space by adding the Fock "vacuum state" $|0,0\rangle$, which represents an absence of photons. Most generally, the Fock state $|m_1, m_0\rangle$ represents $m_1$ indistinguishable photons in the $|1\rangle$ mode and $m_0$ indistinguishable photons in the $|0\rangle$ mode. Similarly (in the Hadamard basis), the Fock state $|m_-, m_+\rangle_x$ represents $m_-$ indistinguishable photons in the $|-\rangle$ mode and $m_+$ indistinguishable photons in the $|+\rangle$ mode. More details about the Fock space notations are given in [16]; it is vital to use those mathematical notations for describing and analyzing all practical attacks on a QKD protocol (see [17] for details).
In the Mirror protocol, in each round, Bob sends to Alice the $|+\rangle_B$ state (namely, the $|0,1\rangle_{x,B}$ state). Then, Alice prepares an ancillary state in the initial vacuum state $|0,0\rangle_A$ and chooses at random one of the following four classical operations:
• $I$ (CTRL) Reflect all the photons towards Bob, without measuring any photon. The mathematical description is:
• $S_1$ (SWAP-10) Reflect all photons in the $|0\rangle$ mode towards Bob, and measure all photons in the $|1\rangle$ mode. The mathematical description is:
• $S_0$ (SWAP-01) Reflect all photons in the $|1\rangle$ mode towards Bob, and measure all photons in the $|0\rangle$ mode. The mathematical description is:
• $S$ (SWAP-ALL) Measure all the photons, without reflecting any photon towards Bob. The mathematical description is:
(We note that in the above mathematical description, Alice measures her ancillary state $|\cdot\rangle_A$ in the computational basis and sends back to Bob the $|\cdot\rangle_B$ state.) The states sent from Alice to Bob (without any error, loss, or eavesdropping) are detailed in Table 1.
After completing all rounds, Alice sends over the classical channel her operation choices (CTRL, SWAP-x, or SWAP-ALL; she keeps x ∈ {01, 10} in secret), Bob sends over the classical channel his basis choices, and both of them reveal some non-secret information on their measurement results (as elaborated in [16]). Then, Alice and Bob reveal and compute the error rate on test bits for which Alice used SWAP-10 or SWAP-01 and Bob measured in the computational basis, and the error rate on test bits for which Alice used CTRL and Bob measured in the Hadamard basis. They also check whether other errors exist (for example, they verify Bob detects no photons in case Alice uses SWAP-ALL). Alice and Bob also discard mismatched rounds, such as rounds in which Alice used SWAP-10 and Bob used the Hadamard basis.
Alice and Bob share the secret bit 0 if Alice uses SWAP-10 and detects no photon while Bob measures in the computational basis and detects a photon in the $|0\rangle$ mode; similarly, they share the secret bit 1 if Alice uses SWAP-01 and detects no photon while Bob measures in the computational basis and detects a photon in the $|1\rangle$ mode.
Finally, Alice and Bob verify that the error rates are below some thresholds, and they perform error correction and privacy amplification in the standard way for QKD protocols. At the end of the protocol, Alice and Bob hold an identical final key that is completely secure against any eavesdropper.
A full description of the protocol and a proof of its complete robustness are both available in [16]. The experimental implementation of the protocol can use two time bins (namely, two pulses), one for the $|0\rangle$ mode and one for the $|1\rangle$ mode. In this case, Alice's possible operations can be described as possible ways for operating a controllable mirror, so that Alice can choose whether to reflect or measure the photon(s) in each time bin. The mirror can be experimentally implemented in various ways; for example:
• It can be implemented as a mechanically moved mirror. Such a mirror is trivial to implement, but it is very slow.
• It can be implemented by using optical elements: an electronically-triggered Pockels cell, which changes the polarization of the photon(s) in one of the pulses, and a polarizing beam splitter, which can split the two different pulses (that now have different polarizations) into two paths. This implementation is feasible and gives much higher bit rates than the mechanical implementation.
More details about the experimental implementations are available in [16].

The "Simplified Mirror Protocol": A Simpler and Non-Robust Variant of the Mirror Protocol
In this paper, we discuss a simpler variant of the Mirror protocol, which we name the "simplified Mirror protocol". The simplified Mirror protocol is identical to the Mirror protocol described in Section 2, except that it does not include the SWAP-ALL operation. In other words, in the simplified protocol, Alice chooses at random one of the three classical operations CTRL, SWAP-10, and SWAP-01.
The simplified protocol is easier to implement, because the SWAP-ALL operation poses some experimental challenges to the electronic implementation discussed in Section 2: for implementing SWAP-ALL, the Pockels cell should either remain working for a long time (changing polarization for both time bins) or be operated twice (changing polarization for each time bin separately). In more detail, for the two pulses representing the $|0\rangle$ mode and the $|1\rangle$ mode: if we assume the duration of each pulse is t and the time difference between the two pulses is T (where t T), the first solution means keeping the Pockels cell operating during the time period [0, T + 2t], and the second solution means operating the Pockels cell during the two time periods [0, t] and [T + t, T + 2t]. The first solution may be problematic for some models of the Pockels cell, and the second solution may be problematic because of the recovery time needed for the Pockels cell. Therefore, at least in some implementations, the simplified Mirror protocol is much easier to implement than the standard Mirror protocol.
Moreover, analyzing the simplified protocol gives a better understanding of the properties required for an SQKD protocol to be robust. In particular, this analysis explains why the structure and complexity of the Mirror protocol are necessary for robustness.
For completeness, we provide below the full description of the simplified Mirror protocol. We note that this description is almost the same as the description of the Mirror protocol in Section 2.
In the simplified Mirror protocol, in each round, Bob sends to Alice the $|+\rangle_B$ state (namely, the $|0,1\rangle_{x,B}$ state). Then, Alice prepares an ancillary state in the initial vacuum state $|0,0\rangle_A$ and chooses at random one of the following three classical operations:
• $I$ (CTRL) Reflect all the photons towards Bob, without measuring any photon. The mathematical description is:
• $S_1$ (SWAP-10) Reflect all photons in the $|0\rangle$ mode towards Bob, and measure all photons in the $|1\rangle$ mode. The mathematical description is:
• $S_0$ (SWAP-01) Reflect all photons in the $|1\rangle$ mode towards Bob, and measure all photons in the $|0\rangle$ mode. The mathematical description is:
(We note that in the above mathematical description, Alice measures her ancillary state $|\cdot\rangle_A$ in the computational basis and sends back to Bob the $|\cdot\rangle_B$ state.) The states sent from Alice to Bob (without any error, loss, or eavesdropping) are detailed in Table 2.
After completing all rounds, Alice sends over the classical channel her operation choices (CTRL or SWAP-x; she keeps x ∈ {01, 10} in secret), Bob sends over the classical channel his basis choices, and both of them reveal some non-secret information on their measurement results (as elaborated in [16]). Then, Alice and Bob reveal and compute the error rate on test bits for which Alice used SWAP-10 or SWAP-01 and Bob measured in the computational basis, and the error rate on test bits for which Alice used CTRL and Bob measured in the Hadamard basis. They also check whether other errors exist (for example, it must never happen that both Alice and Bob detect a photon). Alice and Bob also discard mismatched rounds, such as rounds in which Alice used SWAP-10 and Bob used the Hadamard basis.
Alice and Bob share the secret bit 0 if Alice uses SWAP-10 and detects no photon while Bob measures in the computational basis and detects a photon in the $|0\rangle$ mode; similarly, they share the secret bit 1 if Alice uses SWAP-01 and detects no photon while Bob measures in the computational basis and detects a photon in the $|1\rangle$ mode.
Finally, Alice and Bob verify that the error rates are below some thresholds, and they perform error correction and privacy amplification in the standard way for QKD protocols. At the end of the protocol, Alice and Bob hold an identical final key that is completely secure against any eavesdropper.

Attacks against the Simplified Mirror Protocol
We prove the simplified protocol to be non-robust by presenting two attacks: a "full attack" described in Section 4.1, which gives Eve full information but causes full loss of the CTRL bits, and a "weaker attack" described in Section 4.2, which gives Eve less information but causes fewer losses of CTRL bits.

A Full Attack on the Simplified Protocol that Gives Eve Full Information
In this attack, Eve gets full information of all the information bits. Namely, she gets full information on the SWAP-10 and SWAP-01 bits that were measured by Bob in the computational basis.
Eve applies her attack in two stages: the first stage is on the way from Bob to Alice, and the second stage is on the way from Alice to Bob. In both stages she uses her own probe space (namely, ancillary space) $H_E = H_3$ spanned by the orthonormal basis $\{|0\rangle_E, |1\rangle_E, |2\rangle_E\}$. We assume that Eve fully controls the environment, the errors, and the losses (this is a standard assumption when analyzing the security of QKD): namely, no losses and no errors exist between Bob and Eve or between Alice and Eve.
In the first stage of the attack (on the way from Bob to Alice), Eve intercepts the state $|+\rangle_B$ (namely, $|0,1\rangle_{x,B}$) sent by Bob, generates instead the state and sends to Alice the B part of the state. This state causes Alice to get no photons with probability $\frac{1}{3}$ and get the expected $|+\rangle_B$ state with probability $\frac{2}{3}$. Alice then performs at random one of the three classical operations CTRL, SWAP-10, or SWAP-01. The resulting possible states of Bob+Eve are described in Table 3.
In the second stage of the attack (on the way from Alice to Bob), Eve applies the unitary operator V on the joint Bob+Eve state, where V is defined as follows: V is indeed a unitary operator, because we can prove the right-hand sides to be orthonormal: all the right-hand sides are normalized vectors; the first two vectors are clearly orthogonal; the third vector is orthogonal to the first two, because $\langle 0|+\rangle_E = \langle 1|+\rangle_E = \frac{1}{\sqrt{2}}$; and the fourth vector is orthogonal to the three others. Thus, V defines (or, more precisely, can be extended to) a unitary operator on Applying the unitary operator V on Table 3 gives the states listed in Table 4. Comparing it with Table 2, we conclude that this attack never causes Alice and Bob to detect an error. Moreover, Eve detects the whole secret key: Eve measures "0" in her probe if Alice and Bob agree on the bit 0, and she measures "1" in her probe if Alice and Bob agree on the bit 1. However, Eve causes several kinds of losses; in particular, all the CTRL bits are lost.
Therefore, this attack makes it possible for Eve to get full information without inducing any error. However, Eve causes many losses, including full loss of the CTRL bits.

A Weaker Attack on the Simplified Protocol Causing Fewer Losses of the CTRL Bits
The full attack described in Section 4.1 makes it impossible for Bob to ever detect a CTRL bit, which may look suspicious. We now present a weaker attack that lets Bob detect some CTRL bits but gives Eve less information.
The first stage of the attack (on the way from Bob to Alice) remains the same: that is, the state Eve sends to Alice is still given by Equation (8), and the resulting Bob+Eve state after Alice's classical operation is still shown in Table 3. Eve's probe space is, too, the same as before: This attack is characterized by the parameter 0 ≤ ≤ 1. We will see that = 0 gives the full attack described in Section 4.1, while = 1 gives Eve no information at all.
Another important parameter used by the attack is We notice that for small values of , the value of κ is close to 1 3 . Moreover, for all 0 ≤ ≤ 1, it holds that 0 < 2 + κ 2 ≤ 1 and 2κ 2 < 1.
In the second stage of the attack (on the way from Alice to Bob), Eve applies the unitary operator V on the joint Bob+Eve state, where V is defined as follows: V is indeed a unitary operator, because we can prove the right-hand sides to be orthonormal: all the right-hand sides are clearly normalized; the first two vectors are orthogonal; the fourth vector is orthogonal to the three others; and the third vector is orthogonal to the first and to the second, because and thus = $\kappa^2$. Therefore, V extends to a unitary operator on $H_B \otimes H_E$.
The final global state after Eve's attack is described in Table 5 (calculated by applying the operator V on Table 3), given the following definitions:
SWAP-10 yes (happens with probability $\frac{1}{3}$) SWAP-01 yes (happens with probability $\frac{1}{3}$)
We notice that for = 0, the attack is the same as in Section 4.1. If = 1, the loss rate of CTRL bits is $\frac{1}{3}$, and Eve gets no information at all on the information bits (because κ = 0). In general, if Alice and Bob share a "secret" bit b ∈ {0, 1}, Eve's probe state is in the When Eve measures her probe state in the computational basis $\{|0\rangle_E, |1\rangle_E, |2\rangle_E\}$, she gets the information bit b with probability and the loss rates of CTRL and SWAP-x bits (where x ∈ {01, 10}) are respectively. Table 6 shows the probabilities p and the loss rates $R_{\mathrm{CTRL}}$, $R_{\mathrm{SWAP\text{-}x}}$ for various values of . For example, for = 0.5, Eve still gets the information bit with probability p ≈ 0.55, Bob's loss rate for the CTRL bits is $R_{\mathrm{CTRL}}$ ≈ 0.83, and his loss rate for the SWAP-x bits is $R_{\mathrm{SWAP\text{-}x}}$ ≈ 0.73.
Table 6. The probability p of Eve obtaining an information bit, and the loss rates $R_{\mathrm{CTRL}}$ and $R_{\mathrm{SWAP\text{-}x}}$ of CTRL and SWAP-x bits (where x ∈ {01, 10}), respectively, for several values of the attack's parameter .
For all values of , the attack causes no errors. However, in principle, it can be detected because it causes different loss rates to different types of bits: the loss rate experienced by Bob in the CTRL bits, $R_{\mathrm{CTRL}}$, is usually different from the loss rate in the SWAP-x bits, $R_{\mathrm{SWAP\text{-}x}}$ (see Table 6 for details). Therefore, in principle, the attack can be detected by a statistical test for most values of .
The loss rates become equal only for the value = 0 $\sqrt{\frac{3-\sqrt{3}}{2}}$ ≈ 0.796 (which gives κ 2 = 2 3 ). It seems that this specific attack cannot be detected, even in principle: it causes no errors, and it causes the same loss rate for all qubits. For this attack, Eve gets the information bit with probability p = $\frac{1}{4}$, and the loss rates are $R_{\mathrm{CTRL}} = R_{\mathrm{SWAP\text{-}x}} = \frac{1}{\sqrt{3}}$ ≈ 0.577. Therefore, this attack gives Eve a reasonable amount of information, and it is not detectable by looking at errors or comparing loss rates. (We can slightly modify the attack to make the loss rate the same in both directions of the quantum channel, too.) We conclude that this weaker attack gives Eve partial information, causes no errors, and causes several loss rates. We also conclude that since the loss rates caused by the attack are usually different for different types of bits, the attack can be detected, in principle, for any value of except 0 . However, for = 0 , the attack seems undetectable.
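The loss-rate comparison described above can be run as a two-proportion z-test over the rounds Alice and Bob tally after the classical exchange. This is an added example, not code from the paper: the function names, the significance level, the power target and the round counts are assumptions, and the counts are constructed from the loss rates quoted in the text (0.83 against 0.73, and the equal-rate case near 0.577).

```python
import math
from statistics import NormalDist

_STD_NORMAL = NormalDist()  # standard normal, used for p-values and quantiles


def loss_rate_test(lost_ctrl, n_ctrl, lost_swap, n_swap, alpha=0.01):
    """Two-sided two-proportion z-test: do Bob's CTRL rounds and SWAP-x rounds
    lose photons at the same rate? Returns both rates, z, p-value and a flag."""
    if min(n_ctrl, n_swap) <= 0:
        raise ValueError("each round type needs at least one round")
    if not (0 <= lost_ctrl <= n_ctrl and 0 <= lost_swap <= n_swap):
        raise ValueError("lost counts must lie between 0 and the round count")
    r_ctrl = lost_ctrl / n_ctrl
    r_swap = lost_swap / n_swap
    # Under the null hypothesis both round types share one loss rate.
    pooled = (lost_ctrl + lost_swap) / (n_ctrl + n_swap)
    variance = pooled * (1 - pooled) * (1 / n_ctrl + 1 / n_swap)
    # variance is 0 only if every round (or no round) was lost in both groups.
    z = 0.0 if variance == 0 else (r_ctrl - r_swap) / math.sqrt(variance)
    p_value = 2 * (1 - _STD_NORMAL.cdf(abs(z)))
    return {"r_ctrl": r_ctrl, "r_swap": r_swap, "z": z,
            "p_value": p_value, "flagged": p_value < alpha}


def rounds_needed(r_ctrl, r_swap, alpha=0.01, power=0.9):
    """Approximate number of rounds of EACH type needed to detect the gap
    between two true loss rates (equal group sizes, normal approximation)."""
    gap = abs(r_ctrl - r_swap)
    if gap == 0:
        return math.inf  # equal loss rates: no sample size separates them
    z_alpha = _STD_NORMAL.inv_cdf(1 - alpha / 2)
    z_power = _STD_NORMAL.inv_cdf(power)
    mean = (r_ctrl + r_swap) / 2
    null_sd = math.sqrt(2 * mean * (1 - mean))
    alt_sd = math.sqrt(r_ctrl * (1 - r_ctrl) + r_swap * (1 - r_swap))
    return math.ceil(((z_alpha * null_sd + z_power * alt_sd) / gap) ** 2)


if __name__ == "__main__":
    # Constructed tallies: 2000 rounds per type, lost counts chosen to match
    # the loss rates quoted in the text (0.83 vs 0.73).
    print(loss_rate_test(1660, 2000, 1460, 2000))
    # Constructed tallies near the equal-rate case (about 0.577 for both
    # types), with a small difference standing in for sampling noise.
    print(loss_rate_test(1154, 2000, 1170, 2000))
    print(rounds_needed(0.83, 0.73), rounds_needed(0.577, 0.577))
```

A result that is not flagged does not rule out eavesdropping: as the text states, the equal-loss-rate attack leaves nothing for this comparison to find.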

Discussion
We have discussed a simpler and natural variant of the Mirror protocol (the "simplified Mirror protocol") which is easier to implement. We have found the simplified Mirror protocol to be completely non-robust; therefore, this protocol is actually an "over-simplified" Mirror protocol. We have presented in Section 4.1 an attack giving Eve full information without causing any error; in addition, since this attack also causes full loss of the CTRL bits, we have presented in Section 4.2 weaker attacks giving Eve partial information, causing no errors, and causing fewer losses. In particular, we have presented a specific attack (characterized by the parameter = 0 $\sqrt{\frac{3-\sqrt{3}}{2}}$ ≈ 0.796) that seems undetectable and gives Eve one quarter ($\frac{1}{4}$) of all information bits. Those attacks prove that the simplified Mirror protocol, which allows Alice to use only three classical operations (CTRL, SWAP-10, and SWAP-01), is completely non-robust. On the other hand, the Mirror protocol is proved completely robust (see Section 2 and [16]). As explained in Section 3, the only difference between the simplified Mirror protocol and the Mirror protocol is that the Mirror protocol allows a fourth classical operation, SWAP-ALL; therefore, allowing the SWAP-ALL operation is necessary for robustness. More generally, the Mirror protocol probably cannot be made much simpler while remaining robust: its complexity is crucial for robustness. Therefore, we have seen that if we want to use an SQKD protocol that is experimentally feasible in a secure way, we may have to use a relatively complicated protocol.
In this paper, we have not checked the experimental feasibility of Eve's attacks, because Eve is usually assumed to be all-powerful. Nonetheless, it can be interesting to check in the future the experimental feasibility of those attacks and discover whether the simplified Mirror protocol is flawed also in practice and not "only" in theory. Other interesting directions for future research include trying to find experimentally feasible SQKD protocols that are simpler than the Mirror protocol, and trying to find similar attacks against other QKD and SQKD protocols that have no complete robustness proof.

Acknowledgments: The authors thank Natan Tamari and Pavel Gurevich for useful discussions about the experimental implementation of SWAP-ALL.

Conflicts of Interest:
The authors declare no conflict of interest.