# How Secure Are Two-Way Ping-Pong and LM05 QKD Protocols under a Man-in-the-Middle Attack?


## Abstract


## 1. Introduction

## 2. Protocols and Attacks on Them

**0**, or by applying $i\mathit{Y}=\mathit{Z}\mathit{X}$, which flips the qubit state and encodes the logical **1**. ($i\mathit{Y}|0\rangle =-|1\rangle$, $i\mathit{Y}|1\rangle =|0\rangle$, $i\mathit{Y}|+\rangle =|-\rangle$, $i\mathit{Y}|-\rangle =-|+\rangle$.) Alice now sends the qubit back to Bob, who measures it in the same basis in which he prepared it and deterministically infers Alice’s operations, i.e., her messages, without a basis reconciliation procedure.

**0**, or via $i\mathit{Y}$, if she read **1**, and sends it back to Bob.

## 3. Security of the Protocols

**Sifting:** Alice and Bob broadcast their basis choices over the classical channel...

**Error correction:** (EC) A reconciliation scheme that broadcasts [chosen] bits of classical error correction data is applied. Bob compute[s] an estimate $\widehat{\mathbf{Y}}$ of the raw key string $\mathbf{Y}$. Alice computes universal$_{2}$ hash function of $\mathbf{Y}$ [and] sends [it] to Bob. If the hash[es] of $\widehat{\mathbf{Y}}$ and $\mathbf{Y}$ disagree, the protocol aborts.

**Privacy amplification:** (PA) Alice extracts $l$ bits of secret key $\mathbf{S}$ from $\mathbf{Y}$ using a random universal$_{2}$ hash function. The choice of function is communicated to Bob, who uses it to calculate $\mathbf{S}$.” ([25], p. 3) There are other similar definitions of aBB84 in the literature [26,27,28,29,30].

- **[20]**, p. 2, 2nd paragraph from the top: “Alice announces partial of her key bits in the encoding mode [MM]. They compute the error rate e in the Alice–Bob channel.”
- **MITM:** ${I}_{AB}=1$ and Eve does not induce any error in the MM, ever.
- **[20]**, p. 2, Sec. III.A: “Eve cannot gain any information about Alice’s key bits if she only attacks the qubits after Alice’s encoding operation.”
- **MITM:** Since Eve in her MITM sends her own photons to Alice and then reads off $\mathit{I}$ or $i\mathit{Y}$ from Alice’s encoding of those qubits, Eve gains all information from Alice’s qubits, more precisely, from Eve’s qubits encoded by Alice. Note that neither Alice nor Eve knows which states the qubits Bob sends are in. They only control $\mathit{I}$ and $i\mathit{Y}$.
- **[20]:** Eve’s most general quantum operation can be described by a unitary operation together with an ancilla. In the Bob–Alice channel, when Bob sends a qubit in state $|0\rangle$ and Alice measures in the basis $|0\rangle$, $|1\rangle$, she will get the measurement outcomes $|0\rangle$ with probability ${c}_{00}^{2}$ or $|1\rangle$ with probability ${c}_{01}^{2}$.
- **MITM:** Alice does not measure qubits. She just applies $\mathit{I}$ and $i\mathit{Y}$.
- **[20]:** Eve’s most general attack (with ancillas) is

  $${U}_{BE}{|0\rangle}_{B}|E\rangle ={c}_{00}{|0\rangle}_{B}|{E}_{00}\rangle +{c}_{01}{|1\rangle}_{B}|{E}_{01}\rangle ,\quad {U}_{BE}{|1\rangle}_{B}|E\rangle ={c}_{11}{|1\rangle}_{B}|{E}_{11}\rangle +{c}_{10}{|0\rangle}_{B}|{E}_{10}\rangle ,$$

  $${U}_{BE}{|+\rangle}_{B}|E\rangle ={c}_{++}{|+\rangle}_{B}|{E}_{++}\rangle +{c}_{+-}{|-\rangle}_{B}|{E}_{+-}\rangle ,\quad {U}_{BE}{|-\rangle}_{B}|E\rangle ={c}_{--}{|-\rangle}_{B}|{E}_{-+}\rangle +{c}_{-+}{|+\rangle}_{B}|{E}_{-+}\rangle .$$

  Fidelities are ${f}_{0}={c}_{00}^{2}$, ${f}_{1}={c}_{11}^{2}$, ${f}_{+}={c}_{++}^{2}$, and ${f}_{-}={c}_{--}^{2}$. ${f}_{0}={f}_{1}$ and ${f}_{-}={f}_{+}$ are assumed... Bob’s qubit is in a mixed state ${\rho}^{B}=(|0\rangle \langle 0|+|1\rangle \langle 1|)/2$. The joint state of the forward qubit and Eve’s ancilla becomes ${\rho}_{BA}^{BE}={U}_{BE}({\rho}^{B}\otimes |E\rangle \langle E|){U}_{BE}$. Alice’s encoded qubit together with Eve’s ancillas is: ${\rho}^{ABE}=\frac{1}{2}{|0\rangle \langle 0|}^{A}\otimes {\rho}_{BA}^{BE}+\frac{1}{2}{|1\rangle \langle 1|}^{A}\otimes {\mathit{Y}}_{B}{\rho}_{BA}^{BE}{\mathit{Y}}_{B}$... The asymptotic key generation rate is $r=\lim_{m\to \infty}\frac{k(m)}{m}$, where $m$ is the size of the raw key and $k(m)$ is the number of the final key bits. Alice sends Bob EC information over a classical channel so that he can correct his raw key to match Alice’s.
- **MITM:** Eve does not induce any disturbance, so there is no EC.
- **[20]:** The final key is then derived by applying two-universal hashing to their common raw key as PA. The secure key rate ${r}_{\mathrm{PA}}$ for secret key generation is bounded by the conditional entropy of Alice and Bob’s key bits given the quantum information of Eve about the key bits ${r}_{\mathrm{PA}}=S({\rho}^{A}|{\rho}^{BE})=-\mathrm{tr}\,{\rho}^{ABE}\log_{2}{\rho}^{ABE}+\mathrm{tr}\,{\rho}^{BE}\log_{2}{\rho}^{BE}=1-h(\xi)$, where $\xi ={c}_{++}^{2}-{c}_{1}^{2}$, ${c}_{1}={c}_{01}={c}_{10}$, and $h(x)=-x\log_{2}x-(1-x)\log_{2}(1-x)$ is the binary Shannon entropy. In particular, if Eve does not attack the forward qubits in the Bob–Alice channel, i.e., ${f}_{0}={f}_{1}={f}_{+}={f}_{-}=1$, one can find that ${r}_{\mathrm{PA}}(\xi)=1$. This states that Eve cannot gain any information about Alice’s key bits if she does not attack the travel qubit in the Bob–Alice channel first. Consider the case that Eve measures each forward qubit in the Bob–Alice channel in the basis $|0\rangle ,|1\rangle$. Alice and Bob can verify that ${f}_{0}={f}_{1}=1$, and ${f}_{+}={f}_{-}=\frac{1}{2}$. In this case, we have ${r}_{\mathrm{PA}}(\xi)=0$. On the other hand, Eve can also measure each forward qubit in the Bob–Alice channel in the basis $|+\rangle ,|-\rangle$, which gives ${f}_{+}={f}_{-}=1$ and ${f}_{0}={f}_{1}=\frac{1}{2}$, and thus ${r}_{\mathrm{PA}}(\xi)=0$. That is, Eve can gain full information of Alice’s key bits if she has exactly known the forward states before Alice’s encoding operations.
- **MITM:** Eve does not measure qubits (or ancillas). When she is in the line all the time, she just reads off the $\mathit{I}$ and $i\mathit{Y}$ operations Alice executed on her qubits and applies them to Bob’s qubits she stored, i.e., she copies the whole key, so both sides have the whole key. There is no privacy which can be amplified. That means we have ${r}_{\mathrm{PA}}=1$, not 0. This deserves a clarification. ${r}_{\mathrm{PA}}=\lim_{m\to \infty}\frac{k(m)}{m}=1$ states that the secret key is equivalent to the raw key in the infinite limit for Alice and Bob as well as for Eve, which corresponds to ${I}_{AB}={I}_{AE}({D}_{Max-\mathrm{CM}})=1$, for ${D}_{Max-\mathrm{CM}}=0.5$. So, ${k}_{\mathrm{PA}}(m)$ should not be used as a secret key, but that does not mean that we can infer ${k}_{\mathrm{PA}}(m)=0$. After PA both parties have the same ${r}_{\mathrm{PA}}=1$, and discarding ${k}_{\mathrm{PA}}(m)$ does not turn ${r}_{\mathrm{PA}}$ to zero. Discarding the key is based on Alice and Bob’s estimation from the CM, i.e., from outside of the MM space of calculation. The way of calculating ${k}_{\mathrm{PA}}(m)$ so as to include discarding of estimated bits both parties might possess should follow from an adequately elaborated PA procedure and its algorithms. A starting step should be a predefined ${D}_{Max-\mathrm{CM}}<0.5$ and its inclusion in the protocol via ${I}_{MaxAE}={I}_{AE}({D}_{Max-\mathrm{CM}})$. That would give us a conditional security of the protocol.
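
The MITM rows above can be checked numerically. The following classical simulation is an added example, not code from the paper or from [20]: it tracks LM05 qubits as (basis, bit) pairs and reports the MM error rate, the CM disturbance, and the fraction of key bits Eve holds. The function names, the `control_fraction` parameter, and the CM model (Alice measures in a random basis and only rounds where her basis matches Bob's are compared) are assumptions made for the illustration.

```python
import random

def flip(state):
    """iY on a BB84-type state: flips the bit in either basis (global phase dropped)."""
    basis, bit = state
    return (basis, bit ^ 1)

def measure(state, basis, rng):
    """Deterministic in the preparation basis, a fair coin toss in the other basis."""
    return state[1] if state[0] == basis else rng.randint(0, 1)

def run_lm05(n, eve_fraction, control_fraction=0.2, seed=1):
    """Simulate n LM05 rounds with Eve in the line for a fraction of them."""
    rng = random.Random(seed)
    mm = mm_err = eve_hits = cm = cm_err = 0
    for _ in range(n):
        bob_state = (rng.choice("ZX"), rng.randint(0, 1))  # Bob's forward qubit
        eve_on = rng.random() < eve_fraction
        # Eve stores Bob's qubit and forwards a decoy whose state she knows.
        decoy = (rng.choice("ZX"), rng.randint(0, 1))
        at_alice = decoy if eve_on else bob_state
        if rng.random() < control_fraction:
            # CM (assumed model): Alice measures in a random basis; rounds
            # where it matches Bob's preparation basis are compared.
            a_basis = rng.choice("ZX")
            if a_basis == bob_state[0]:
                cm += 1
                cm_err += measure(at_alice, a_basis, rng) != bob_state[1]
            continue
        # MM: Alice encodes 0 with I and 1 with iY; she never measures.
        key_bit = rng.randint(0, 1)
        returned = flip(at_alice) if key_bit else at_alice
        if eve_on:
            # Eve reads I or iY off her own decoy and replays it on Bob's qubit.
            eve_bit = measure(returned, decoy[0], rng) ^ decoy[1]
            to_bob = flip(bob_state) if eve_bit else bob_state
            eve_hits += eve_bit == key_bit
        else:
            to_bob = returned
        bob_bit = measure(to_bob, bob_state[0], rng) ^ bob_state[1]
        mm += 1
        mm_err += bob_bit != key_bit
    return {"D_MM": mm_err / mm, "D_CM": cm_err / cm,
            "eve_key_fraction": eve_hits / mm}

if __name__ == "__main__":
    for f in (0.0, 0.4, 1.0):
        print(f, run_lm05(20000, f))
```

The MM error rate stays at zero for every `eve_fraction`, so only the CM disturbance, which grows as half the fraction of rounds Eve is in the line, tells Alice and Bob how much of the key Eve holds.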

## 4. Conclusions

- the photons must cover double the distance they cover in an equivalent one-way BB84-like protocol (mcasBB84), which also has analogous MM and CM modes;
- while the BB84 protocol is unconditionally secure and its recently proposed revised version, the mcasBB84 protocol, is only conditionally secure, the proof of unconditional security of the LM05 protocol given in [20] is not valid, as shown in detail in Section 3; the mcasBB84 protocol has a predetermined threshold value of the CM disturbance (${D}_{pd-\mathrm{CM}}$) at which Bob and Alice must abort the protocol, whereas the considered two-way protocols have no such critical CM disturbance at which to abort;
- since there are no errors in the MM, privacy amplification (PA) is the only way to establish the security of the protocols and, again in contrast to mcasBB84, no PA procedures for the two-way protocols have been provided in the literature;

## Funding

## Conflicts of Interest

## References

1. Elliott, C.; Colvin, A.; Pearson, D.; Pikalo, O.; Schlafer, J.; Yeh, H. Current Status of the DARPA Quantum Network. In SPIE Quantum Information and Computation III; Donkor, E.J., Pirich, A.R., Brandt, H.E., Eds.; Proceedings of SPIE; SPIE: Bellingham, WA, USA, 2005; Volume 5815, pp. 138–149.
2. Sasaki, M.; Fujiwara, M.; Ishizuka, H.; Klaus, W.; Wakui, K.; Takeoka, M.; Tanaka, A.; Yoshino, K.; Nambu, Y.; Takahashi, S.; et al. Field test of quantum key distribution in the Tokyo QKD Network. Opt. Express **2011**, 19, 10387–10409.
3. Peev, M.; Pacher, C.; Alléaume, R.; Barreiro, C.; Bouda, J.; Boxleitner, W.; Debuisschert, T.; Diamanti, E.; Dianati, M.; Dynes, J.F. The SECOQC Quantum Key Distribution Network in Vienna. New J. Phys. **2009**, 11, 075001.
4. Bennett, C.H.; Brassard, G. Quantum Cryptography, Public Key Distribution and Coin Tossing. In International Conference on Computers, Systems & Signal Processing, Bangalore, India, 10–12 December 1984; IEEE: New York, NY, USA, 1984; pp. 175–179.
5. Scarani, V.; Bechmann-Pasquinucci, H.; Cerf, N.J.; Dušek, M.; Lütkenhaus, N.; Peev, M. The Security of Practical Quantum Key Distribution. Rev. Mod. Phys. **2009**, 81, 1301–1350.
6. Bruß, D. Optimal Eavesdropping in Quantum Cryptography with Six States. Phys. Rev. Lett. **1998**, 81, 3018–3021.
7. Boström, K.; Felbinger, T. Deterministic Secure Direct Communication Using Entanglement. Phys. Rev. Lett. **2002**, 89, 187902.
8. Cai, Q.; Li, B. Improving the Capacity of the Boström-Felbinger Protocol. Phys. Rev. A **2004**, 69, 054301.
9. Lucamarini, M.; Mancini, S. Secure Deterministic Communication without Entanglement. Phys. Rev. Lett. **2005**, 94, 140501.
10. Beaudry, N.J.; Lucamarini, M.; Mancini, S.; Renner, R. Security of Two-Way Quantum Key Distribution. Phys. Rev. A **2013**, 88, 062302.
11. Henao, C.I.; Serra, R.M. Practical Security Analysis of Two-Way Quantum-Key-Distribution Protocols Based on Nonorthogonal States. Phys. Rev. A **2015**, 92, 052317.
12. Khir, M.A.; Zain, M.M.; Bahari, I.; Suryadi; Shaari, S. Implementation of Two Way Quantum Key Distribution Protocol with Decoy State. Opt. Commun. **2012**, 285, 842–845.
13. Shaari, J.S.; Mancini, S. Finite Key Size Analysis of Two-Way Quantum Cryptography. Entropy **2015**, 17, 2723–2740.
14. Pirandola, S.; Mancini, S.; Lloyd, S.; Braunstein, S.L. Continuous-Variable Quantum Cryptography Using Two-Way Quantum Communication. Nat. Phys. **2008**, 4, 726–730.
15. Cerè, A.; Lucamarini, M.; Di Giuseppe, G.; Tombesi, P. Experimental Test of Two-Way Quantum Key Distribution in the Presence of Controlled Noise. Phys. Rev. Lett. **2006**, 96, 200501.
16. Kumar, R.; Lucamarini, M.; Giuseppe, G.D.; Natali, R.; Mancini, G.; Tombesi, P. Two-Way Quantum Key Distribution at Telecommunication Wavelength. Phys. Rev. A **2008**, 77, 022304.
17. Ostermeyer, M.; Walenta, N. On the Implementation of a Deterministic Secure Coding Protocol Using Polarization Entangled Photons. Opt. Commun. **2008**, 281, 4540–4544.
18. Lütkenhaus, N.; Calsamiglia, J.; Suominen, K.A. Bell Measurements for Teleportation. Phys. Rev. A **1999**, 59, 3295–3300.
19. Vaidman, L.; Yoran, N. Methods for Reliable Teleportation. Phys. Rev. A **1999**, 59, 116–125.
20. Lu, H.; Fung, C.H.F.; Ma, X.; Cai, Q.Y. Unconditional Security Proof of a Deterministic Quantum Key Distribution with a Two-Way Quantum Channel. Phys. Rev. A **2011**, 84, 042344.
21. Han, Y.G.; Yin, Z.Q.; Li, H.W.; Chen, W.; Wang, S.; Guo, G.C.; Han, Z.F. Security of Modified Ping-Pong Protocol in Noisy and Lossy Channel. Sci. Rep. **2007**, 4, 4936.
22. Bunandar, D.; Lentine, A.; Lee, C.; Cai, H.; Long, C.M.; Boynton, N.; Martinez, N.; DeRose, C.; Chen, C.; Grein, M.; et al. Metropolitan Quantum Key Distribution with Silicon Photonics. Phys. Rev. X **2018**, 8, 021009.
23. Nguyen, B.A. Quantum Dialogue. Phys. Lett. A **2004**, 328, 6–10.
24. Lucamarini, M. Quantum Decoherence and Quantum Cryptography. Ph.D. Thesis, University of Rome La Sapienza, Rome, Italy, 2003.
25. Tomamichel, M.; Lim, C.C.W.; Gisin, N.; Renner, R. Tight finite-key analysis for quantum cryptography. Nat. Commun. **2012**, 3, 1–6.
26. Lo, H.; Chau, H.F.; Ardehali, M. Efficient Quantum Key Distribution Scheme and a Proof of Its Unconditional Security. J. Cryptol. **2005**, 82, 133–166.
27. Scarani, V.; Renner, R. Quantum Cryptography with Finite Resources: Unconditional Security Bound for Discrete-Variable Protocols with One-Way Postprocessing. Phys. Rev. Lett. **2008**, 100, 200501.
28. Cai, R.Y.Q.; Scarani, V. Finite-Key Analysis for Practical Implementations of Quantum Key Distribution. New J. Phys. **2009**, 11, 045024.
29. Zhou, C.; Bao, W.S.; Li, H.W.; Wang, Y.; Fu, X.Q. Key-Leakage Evaluation of Authentication in Quantum Key Distribution with Finite Resources. Quantum Inf. Process. **2014**, 13, 935–955.
30. Mizutani, A.; Curty, M.; Ci, C.; Lim, W.; Imoto, N.; Tamaki, K. Finite-Key Security Analysis of Quantum Key Distribution with Imperfect Light Sources. New J. Phys. **2015**, 17, 093011.
31. Fuchs, C.A.; Gisin, N.; Griffiths, R.B.; Niu, C.S.; Peres, A. Optimal Eavesdropping in Quantum Cryptography. I. Information Bound and Optimal Strategy. Phys. Rev. A **1997**, 56, 1163–1172.
32. Gisin, N.; Ribordy, G.; Tittel, W.; Zbinden, H. Quantum Cryptography. Rev. Mod. Phys. **2002**, 74, 145–195.
33. Molotkov, S.N.; Timofeev, A.V. Explicit Attack on the Key in Quantum Cryptography (BB84 Protocol) Reaching the Theoretical Error Limit $Q_{c}$ ≈ 11%. JETP Lett. **2007**, 85, 524–525.
34. Bennett, C.H.; Brassard, G.; Crépeau, C.; Maurer, U.M. Generalized Privacy Amplification. IEEE Trans. Inf. Theory **1995**, 41, 1915–1923.
35. Renner, R.; König, R. Universally Composable Privacy Amplification Against Quantum Adversaries. In Theory of Cryptography; 2nd Theory of Cryptography Conference (TCC 2005), Cambridge, MA, USA, 10–12 February 2005; Kilian, J., Ed.; Chapter Quantum Cryptography and Universal Composability; Springer: Berlin/Heidelberg, Germany, 2005; Volume 3378, pp. 407–425.
36. Lim, C.C.W.; Curty, M.; Walenta, N.; Xu, F.; Zbinden, H. Concise Security Bounds for Practical Decoy-State Quantum Key Distribution. Phys. Rev. A **2014**, 89, 022307.
37. Wang, X.B. Beating the Photon-Number-Splitting Attack in Practical Quantum Cryptography. Phys. Rev. Lett. **2005**, 94, 230503.

**Figure 1.** (**a**) Nguyen’s attack [23] by which Eve is able to deterministically (and undetectably in the message mode (MM)) copy every one of the Bell-state messages in the ping-pong (pp) protocol [7]; (**b**) Lucamarini’s attack ([24], p. 61, Figure 5.5) by which Eve is able to deterministically (and undetectably in the MM) copy every message in the LM05 protocol; (**c**) common schematics of both attacks; the green dashed line shows the path of photons when Eve is not in the line.

**Figure 2.** Mutual information plots for (**a**) one-way protocol BB84; (**b**) two-way protocols with either pp entangled Bell states or with LM05-like single photon states under a MITM attack; (**c**) one-way asymmetric BB84-like protocol, in which one basis serves as MM and the other as CM, under a MITM attack (mcasBB84-MITM); ${I}_{AEc}$ stands for ${I}_{AE}\left({D}_{pd-\mathrm{CM}}\right)$.

**Table 1.** Properties of a symmetric BB84-like protocol under an arbitrary attack compared with properties of pp, LM05, and asymmetric mcasBB84 protocols under MITM. For the pp and LM05 protocols $D<0.5$ means that Eve is in the line only a portion of the time and $D=0.5$ that she is in the line all the time. ${D}_{pd-\mathrm{CM}}$ is a predetermined threshold value of $D<0.5$ for the mcasBB84-MITM [22] protocol.

| | BB84 | pp | LM05 | mcasBB84-MITM |
|---|---|---|---|---|
| mode(s) | MM | MM + CM | MM + CM | MM + CM |
| disturbance | $0\le {D}_{\mathrm{MM}}\le 0.5$ | ${D}_{\mathrm{MM}}=0$; $0\le {D}_{\mathrm{CM}}\le 0.5$ | ${D}_{\mathrm{MM}}=0$; $0\le {D}_{\mathrm{CM}}\le 0.5$ | ${D}_{\mathrm{MM}}=0$; $0\le {D}_{\mathrm{CM}}\le {D}_{pd-\mathrm{CM}}$ |
| maximal disturbance | ${D}_{critical-\mathrm{MM}}=0.11$ | ? | ? | ${D}_{pd-\mathrm{CM}}$ |
| secure | for ${D}_{\mathrm{MM}}<0.11$ | for ${D}_{\mathrm{CM}}<\ ?$ | for ${D}_{\mathrm{CM}}<\ ?$ | for ${D}_{\mathrm{CM}}<{D}_{pd-\mathrm{CM}}$ |
| mutual information | ${I}_{AB}\left({D}_{\mathrm{MM}}\right)$, ${I}_{AE}\left({D}_{\mathrm{MM}}\right)$ | ${I}_{AB}=1$; $0\le {I}_{AE}\left({D}_{\mathrm{CM}}\right)<1$ | ${I}_{AB}=1$; $0\le {I}_{AE}\left({D}_{\mathrm{CM}}\right)<1$ | ${I}_{AB}=1$; $0\le {I}_{AE}\left({D}_{\mathrm{CM}}\right)<{I}_{AE}\left({D}_{pd-\mathrm{CM}}\right)$ |
| photon distance | L | 4L | 2L | L |
| transmittance | $\mathcal{T}$ | ${\mathcal{T}}^{4}$ | ${\mathcal{T}}^{2}$ | $\mathcal{T}$ |


© 2021 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Pavičić, M. How Secure Are Two-Way Ping-Pong and LM05 QKD Protocols under a Man-in-the-Middle Attack? *Entropy* **2021**, *23*, 163.
https://doi.org/10.3390/e23020163
