Security aspects of the Authentication used in Quantum Cryptography


Security aspects of the Authentication used in Quantum Cryptography

Jörgen Cederlöf and Jan-Åke Larsson
Matematiska Institutionen, Linköpings Universitet, SE Linköping, Sweden

arXiv:quant-ph/06009v2 6 Nov 2006

Abstract

Unconditionally secure message authentication is an important part of Quantum Cryptography (QC). We analyze security effects of using a key obtained from QC for authentication purposes in later rounds of QC. In particular, the eavesdropper gains partial knowledge on the key in QC that may have an effect on the security of the authentication in the later round. Our initial analysis indicates that this partial knowledge has little effect on the authentication part of the system, in agreement with previous results on the issue. However, when taking the full QC protocol into account, the picture is different. By accessing the quantum channel used in QC, the attacker can change the message to be authenticated. This together with partial knowledge of the key does incur a security weakness of the authentication. The underlying reason for this is that the authentication used, which is insensitive to such message changes when the key is unknown, becomes sensitive when used with a partially known key. We suggest a simple solution to this problem, and stress usage of this or an equivalent extra security measure in QC.

Index Terms: Quantum Cryptography, Quantum Key Distribution, Quantum Key Growing, Authentication.

I. INTRODUCTION

QUANTUM CRYPTOGRAPHY, or more accurately Quantum Key Growing (QKG), uses properties of quantum mechanical systems to share a secret key between two sites. QKG was first proposed in 1984 [] and there are several variations on the theme today [2] [4]. Since there are excellent descriptions of these systems elsewhere (e.g., [4]), we will only outline the generic steps of a QKG algorithm here, and then focus on the authentication used. The security of QKG is based on laws of nature [5] [7] rather than computational complexity as is usually the case for key-sharing systems [8], and therefore we will here not assume that there are any bounds to the computational capacity of the attacker.
We will use common-practice terminology and refer to the sender, receiver and eavesdropper as Alice, Bob, and Eve, respectively. To set up a QKG system Alice and Bob need a quantum channel between them where they can send and receive, or share, quantum systems, e.g., quantum bits (qubits). One example is an optical fibre carrying single photons with the qubit coded in the photon's polarization, but there are many other possibilities. In a perfect channel every qubit sent by Alice is received and correctly measured by Bob, and Bob receives no qubits which Alice has not sent. In practice, such channels don't exist. A real-world channel can lose almost all qubits in transit, make Bob think he received qubits never sent by Alice and modify some of the qubits that do go from Alice to Bob. But a perfect channel is not needed, as long as the errors are within some limits QKG will still produce a key that is both shared and secret [4], [9] [4].

They will also need a classical communication channel. The alternatives include but are not limited to the Internet, the same optical fibre used above, and a network cable parallel to the optical fibre. Often in this context a simplifying assumption is used: that the classical channel can be eavesdropped on, but not be modified by Eve. Unfortunately, unmodifiable channels don't exist in the real world, so message authentication must be used to allow Alice and Bob to detect Eve's modification attempts.

To be able to authenticate, Alice and Bob will need a (small) shared secret key to start with. The purpose of the QKG system is to use the two channels and a small portion of the already shared key to generate a new key portion, larger than the one just used. The initial key only needs to be large enough to allow for the first generation sequence, typically to authenticate two messages, one from Alice to Bob and one in the other direction. This will enable the key to grow somewhat (QKG), and will allow for further runs, in which the key will grow even more.
A round consists of a number of steps:

1) Raw key generation: Use the quantum channel to transmit/generate a bit sequence, shared between Alice and Bob but equal only in a portion of the positions. The size of this portion depends on the protocol used, properties of the channel, and whether Eve is listening on the quantum channel.

2) Sifting: Remove most of the bits that do not match by comparing parameters of each use of the quantum channel, the settings. This will discard noisy bits without sending any information about the value of the bits on the classical channel. A smaller sifted key is obtained which is equal at Alice and Bob in a considerably larger portion, the size of which depends on properties of the channel and whether Eve is listening.

3) Error correction, or key reconciliation [5]: Perform error correction on the sifted key and estimate the error rate to detect whether Eve was listening on the quantum channel, either with a few sacrificed bits from the sifted key, or with some of the sifted-out bits from the last step, depending on details of the protocol. If the error rate is above a pre-determined bound, Alice and Bob conclude that Eve has been listening and the round must be aborted.

4) Privacy amplification [6] [8]: If the noise is lower than the predetermined bound, Eve may still have been listening but in that case she has opted to only extract very little information. In this case, Alice and Bob can perform privacy amplification to lower Eve's information even further, sacrificing a few bits of their candidate key in the process.

5) Authentication [9] [2]: The final step of each round is to authenticate the messages sent from Alice to Bob and from Bob to Alice on the classical channel, to make sure Eve has not modified these messages. The sender uses key bits from the previously shared secret key to create an authentication tag from the message. The used key bits are then discarded. The tag is sent along with the message and the recipient uses his copy of the key to generate another tag from the received message. If the tags are identical, the message is accepted as authentic and the new key just generated is added to the remaining key from the last round. If the authentication fails, Eve is assumed to be trying to interfere and the round should be aborted. (A complication is the fact that the error correction is not perfect. An error can, with a small probability, sneak through. If that error is in the key used for authentication in a later round, the authentication will fail even without Eve being present.)

There are variations in the details but all QKG protocols contain these main steps. Eve's presence is detected via high error rate on the quantum channel in step 3 or failure of authentication on the classical channel in step 5. If the authentication step is not performed, all QKG protocols are susceptible to a man-in-the-middle attack, where Eve would impersonate Bob when communicating with Alice and vice versa. Even when performing authentication, one broken round will provide Eve with the authentication key for a subsequent round and can break that too, and so on for all future rounds. We will examine the authentication step of the protocols in some more detail here and show that it is also sensitive to choice of message to be authenticated.

II. AUTHENTICATION

In QKG, the standard is to use Wegman-Carter authentication [9] [2]. This is the authentication equivalent of the Vernam cipher (the one-time pad, see e.g. [22]), for which all messages are equally likely if the key is unknown. In Wegman-Carter authentication, all values of the tag are equally likely if the key is unknown, and even if one message-tag pair is known, all values of the tag corresponding to another message still are (almost) equally likely. A tag is shorter than a message, so in comparison, just guessing a tag will be more likely to succeed than the corresponding guess of a message in OTP. Nevertheless, given a sufficiently long tag length, the probability of correctly guessing the tag will be very low in Wegman-Carter authentication. That is, the probability of generating the correct tag for a forged message will be very low.

In the Vernam cipher, the required key needs to be at least as long as the message to be encrypted. Fortunately, in Wegman-Carter authentication, the required key grows only logarithmically with the message length. This is essential for QKG as it is then only a matter of making the rounds large enough to gain more key than is lost in the authentication.

Formally, the fundamental building block of Wegman-Carter authentication is called universal families of hash functions, a family H of functions that map a message in the set of possible messages M to a tag in the set of tags T. The following formal definition of the appropriate family of hash functions is taken from [2]:

Definition : ε-almost strongly-universal 2 (ε-ASU 2) hash functions. Let M and T be finite sets and call functions from M to T hash functions. Let ε be a positive real number. A set H of hash functions is ε-almost strongly-universal 2 if the following two conditions are satisfied:

a) The number of hash functions in H that takes an arbitrary m M to an arbitrary T is exactly /.

b) The fraction of those functions that also takes an arbitrary m 2 m in M to an arbitrary 2 T (possibly equal to ) is no more than ε.

The parameter ε controls a trade-off between the size of H and the probability to guess the correct tag.
The lower bound of ε = / can be achieved if a large family can be tolerated and Wegman and Carter included several such examples in [9]. Those families are too large to be usable in QKG, but Wegman and Carter later showed [20] that by just doubling the possibility of a correct guess, a much smaller 2/-ASU 2 family can be constructed. That family is small enough for QKG, and although there are many other similar families, the exact choice is not important and we will use their original example from [20] below.

Put in formal language, the authentication proceeds as follows. Alice and Bob share a secret key just large enough to select a hash function h H, 0 <. Alice wants Bob to have the message m A M and sends both m A and A = h m A ). Bob verifies that A really equals h m A ) and accepts the message as authentic if it does. The key is then discarded and never reused.

Let us now introduce Eve, who has control over the channel between Alice and Bob and wants Bob to accept a faked message m E M. To her the secret key is a random variable K uniform over its whole range 0 K <. If the key is a random variable, so is the tag for her message T E = h K m E ). The first condition of Def. says that if K is uniform over its whole range, so is T E (see Fig. ). Eve can take a guess, but any guess is correct only with the probability PT E = ) = /. )

A word of warning is perhaps appropriate regarding terminology, as these hash functions are quite different from cryptographically secure hash functions sometimes mentioned in connection with authentication. It is impossible to construct unbreakable cryptographically secure hash functions (see e.g. [23]). They have similarities and both deserve to be called hash functions, but the individual hash functions of Wegman-Carter are not, and need not be, cryptographically secure in the classical sense.

Fig. . In Wegman-Carter authentication, a given message m organizes the keys into subsets that each map the message to one value of the tag = h m), and these subsets are of equal size (for an ε-ASU 2 family of hash functions). That is, to Eve, the key K is completely unknown (uniformly distributed), and therefore so is the tag T E = h K m E ) for her message m E.

Eve may also wait until Alice tries to send an authenticated message to Bob, pick up the message and the tag, and make sure Bob never sees them. With both m A and A = h K m A ) at her disposal she can, given enough computing power, rule out all keys that do not match and be left with just / of the keys to guess from, see Fig. 2. However, the second condition of Def. says that even with this knowledge, any tag value guessed by Eve is correct (equal to the correct tag T E ) for her m E m A (with K uniform over its whole range) at best with the probability P T E = h K m A ) = A ) ε 2)

The parameter ε is clearly an upper limit on the probability that Eve makes the right guess and manages to fool Bob into accepting a fake message, at least if Eve knows nothing about the key beforehand. In fact, Wegman-Carter authentication is cryptographically secure in the following way: the probability of Eve guessing the tag value for her message m E does not depend on which message m A Alice sends, as long as it is not equal to Eve's message m E. The probability is always less than ε, independently of m A, or put in other words, there are no message-tag pairs from Alice that are significantly weaker than others. Even if Eve was allowed to choose m A (different from m E ) and was given the tag for that message, she would not be in an improved situation as regards the tag T E corresponding to her message m E. This may not seem important at this point, but will prove to be interesting later.

If Eve tries to break the authentication in the above scenario and fails, her presence will be detected and the QKG round will be aborted.
A complicating factor is that the authentication can fail from time to time without Eve because of channel noise, so Eve can try to break the authentication but to avoid raising suspicion she should only do this seldom. The parameter ε should be chosen so that even if Eve does this, the expected life of the system is long enough for Alice's and Bob's needs. For the 2/-ASU 2 family from [20], a 32-bit tag would give a probability of 2 3 to generate the correct tag after having seen a message-tag pair. On average, Eve would need attempts. If one extra failure of the authentication, e.g., every ten seconds is not detectable, it would take on average 680 years to guess the correct tag. This would be long enough for most uses.

Fig. 2. In Wegman-Carter authentication, a given message-tag pair corresponds to one subset of keys that map the message onto that tag value. A different message induces a different family of subsets, and will spread out the remaining keys so that all tag values have a probability less than or equal to ε (for an ε-ASU 2 family of hash functions, if the keys are equally probable).

III. PARTIALLY KNOWN KEY

Above, we have assumed that Eve has no information on the secret key used in the authentication, i.e., to Eve the key K was a random variable uniform over its whole range. This is an unrealistic requirement in QKG. Information leakage in the quantum transmission phase is unavoidable but the damage can be reduced by using privacy amplification, which will reduce Eve's knowledge of the key significantly, but not all the way to nothing. As soon as the whole pre-shared key is used Alice and Bob will have to start trusting authentication with a key that is not completely secret.

If Eve has some information on the key, but has not seen any message-tag pair (as depicted in Fig. 3), an upper bound for the chance that Eve's generated, or guessed, tag value is correct is the sum of probabilities for the / most probable keys. The min-entropy of the key, H K) = min log2 PK = ) ), 3) provides a somewhat looser but simpler bound given by PT E = ) 2 H K), 4) corresponding to the extreme case for which the / most probable keys have equal probability. If Eve knows nothing about the key her key (min-)entropy equals the size of the key and the probability is (bounded by) / as expected. If Eve has only little knowledge, there is only a little increase in her probability of guessing the correct tag for her message.

Fig. 3. Eve's information on the key will induce a nonuniform distribution on , and also on . a) A nonuniform distribution on induces a nonuniform distribution on . b) The distribution can be very skew, for instance if Eve holds information that allows her to rule out some keys entirely.

However, this changes radically in the case where Eve has a little knowledge on the key and picks up a message-tag pair (see Fig. 4). She again gains additional information that may increase her knowledge about the key, but this increase is not bounded. That is, she can guess (generate) the correct tag E for her m E m A with the probability P T E = h K m A ) = A ) 5) There is no longer any bound on this probability. This is because, with information about the key, K is no longer uniformly distributed (to Eve). In this situation, Eve has previous knowledge about which values of the key that are possible. Here, this knowledge is obtained from earlier rounds of the QKG protocol, in our example in Fig. 4 is in the form of a list of keys that she can rule out from the possible keys: H E = H \ {h,, h n }. 6)

Fig. 4. If Eve can rule out certain keys with her very limited information, it may happen that Alice's message-tag pair allows Eve to rule out all keys except for a few that all map her message to the same tag. She can now send her message and that tag, knowing that Bob will accept it. There is no risk whatsoever that Bob will detect her.

In addition, the message-tag pair m A + A that Eve receives from Alice identifies a subset of keys (hash functions) of size / from which the key must have been drawn: H A = {h H : hm A ) = A }. 7) Given that the set of possible keys is H E rather than H, the final set of possible keys is not H A but H AE = H A H E 8)

If only one key remains in this subset, Eve will know which key was drawn. In this case she can simply create a tag using the identified key. But it is also possible to use the result if more than one key is present in H AE. More specifically, when H AE ε/, 9) there may exist messages m that are such that h, h 2 H AE, h m) = h 2 m). 0) That is, for this message, all remaining keys map to the same tag. The maximum number ε/ is given in requirement b) in Def. . The number of messages with this property will increase as H AE decreases from ε/. If one of these messages coincides with m E, Eve can successfully break the authentication. She may not know exactly which key was drawn but she knows enough to create the correct tag E = h m E ) for her message.

Even when her preferred message m E does not coincide with one of the above messages, Eve has some freedom in choosing m E and may be able to adjust her message so that she can use the above technique. We will from here on assume that this is the case: that Eve can choose her message m E so that she can generate the correct tag E for it as soon as ineq. 9) holds. The net result is that Eve has information at hand that enables her to determine whether her attack will be successful.

In short: Eve can choose to tap the quantum channel in such a way that the disturbance is below the noise limit set by Alice and Bob. Her aim is not to use the information she gathers to decode messages sent with the generated key, but to break the authentication of the QKG system. She then intercepts each message-tag pair sent by Alice and uses the additional information provided by the pair to determine the tag for her forged message. She will only be successful occasionally, when 1) the message m A sent by Alice is such that at least one of the subsets depicted in Fig. 4 contain less than ε/ keys, and 2) the key, randomly drawn to Eve, ends up in such a subset.
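The key sets H A, H E and H AE described above can be enumerated for a toy family; the following is an added illustration, not code from the paper, showing that with a partially known key the number of keys for which the tag of m E becomes certain depends on which message Alice authenticates. It assumes the affine family h(m) = (a*m + b) mod 11, which is strongly universal but is not the family from [20], together with a constructed set of ruled-out keys; all function and variable names are hypothetical.

```python
"""Toy enumeration of the key sets H_A, H_E and H_AE (added example).

Assumption: the family is h_{a,b}(m) = (a*m + b) mod P, which is strongly
universal_2 and small enough to enumerate. It stands in for, and is not,
the family the paper takes from [20]. All names here are hypothetical.
"""
from itertools import product

P = 11                                     # constructed toy size: |M| = |T| = P
KEYS = set(product(range(P), repeat=2))    # H: all keys (a, b), |H| = P * P


def tag(key, m):
    """Authentication tag of message m under key (a, b)."""
    a, b = key
    return (a * m + b) % P


def consistent_keys(m_a, t_a, possible):
    """H_AE: keys in `possible` (H_E) that map m_a to the observed tag t_a."""
    return {k for k in possible if tag(k, m_a) == t_a}


def forced_tag(m_a, t_a, m_e, possible):
    """Tag of m_e if every key in H_AE agrees on it, otherwise None."""
    tags = {tag(k, m_e) for k in consistent_keys(m_a, t_a, possible)}
    return next(iter(tags)) if len(tags) == 1 else None


def weak_key_count(m_a, m_e, possible):
    """Count the keys in `possible` for which Alice's pair (m_a, h(m_a))
    leaves only one candidate tag for m_e. Dividing by len(possible) gives
    the chance that a round is forgeable without any guessing."""
    return sum(
        forced_tag(m_a, tag(k, m_a), m_e, possible) is not None
        for k in possible
    )


def skewed_knowledge(m_star, weak_tags):
    """Constructed H_E: in every subset {h : h(m_star) = t} with t in
    weak_tags, all keys except the one with a = 0 have been ruled out."""
    ruled_out = {k for k in KEYS if tag(k, m_star) in weak_tags and k[0] != 0}
    return KEYS - ruled_out


M_STAR, M_OTHER, M_E = 3, 5, 7             # constructed message values
H_E = skewed_knowledge(M_STAR, {0, 1, 2})  # 30 of the 121 keys ruled out

if __name__ == "__main__":
    cases = [
        ("no key knowledge, Alice sends 3", M_STAR, KEYS),
        ("partial knowledge, Alice sends 5", M_OTHER, H_E),
        ("partial knowledge, Alice sends 3", M_STAR, H_E),
    ]
    for label, m_a, possible in cases:
        n = weak_key_count(m_a, M_E, possible)
        print(f"{label}: {n} of {len(possible)} keys give a forced tag")
```

With this constructed H E, 3 of the 91 possible keys leave a single candidate tag when Alice authenticates message 3, and none do when she authenticates message 5 or when no keys have been ruled out.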
Because Eve can determine when the attack is successful, i.e., when the remaining keys all map her message to the same tag, she will only replace Alice's message-tag pair on the classical channel when she is certain of success. As long as Eve stays passive she does not risk detection, and she actively replaces the message-tag pair only when her tag is correct. This attack is possible to perform each round, instead of the sparse attempts that the previously mentioned guessing strategy allowed.

In what follows, to simplify the analysis, we will assume that Eve performs the active replacement only when she is certain of success, even though this is not strictly necessary. Eve can calculate the probability of success from similar considerations as used above, even when it is less than one. It would be possible to devise a more complicated guessing strategy to be used by Eve in this case, but that is beyond the scope of this paper.

IV. SECURITY?

Let us assess the severity of this threat by estimating the probability that Eve receives the right message-tag pair given only a little information on the key. We will assume that Eve uses all her information to eliminate r) keys (with r, see Fig. 3b)), and thus that the true key (to her) is drawn from the remaining r = H E keys with equal probability. This assumption simplifies our calculations but is not really essential. The question is now how many keys remain in H AE = H A H E after receiving a message-tag pair from Alice. First, we will also assume that Eve can do nothing more than remove keys essentially at random with her initial knowledge of the key.

The message-tag pair that Eve receives corresponds to drawing / keys from H without returning them. The true key will always be present in the drawn keys (and is of course one of the remaining, possible keys), while the other / keys are drawn from keys of which r are possible, i.e., belong to H E. The number of drawn possible keys X is a random variable, and removing the true key, the random variable X ) will be hypergeometrically distributed: X ) Hy, ) r,. ) In other words, P X = i) = ) r r ) i / i ). 2) / The interesting case is when the number of keys drawn is less than ε/, or ) ) r r P X ε ) ε/ i / i = ). i= / 3) This probability is complicated to evaluate but can be estimated using the Chebyshev inequality 2 P X µ cσ) /c 2, 4) which yields P X ε ) = P µ X µ ε ) P X µ µ ε ) = P X µ µ ε σ σ 2 ) σ 2. µ ε 5) In our case the mean value is ) r µ = + 6) and the standard deviation is ) r σ = r ) /. 2 7) This simplifies considerably in the asymptotic regime where we have and P µ = r X ε ) r r/, 8) and σ = r r) r ε r r). 9) ) 2 = r r) r ε) 2. 20) Further, when r ε this simplifies to P X ε ) r r, 2)

2 It can be noted that the Chebyshev inequality is rather loose, but it is generally valid and will be sufficient for our purposes here.

In practice, the right-hand constant is very small. The 2/-ASU 2 hash family from [20] is of size = 4 log log M, 22) e.g., for a 00 bit message and a 32 bit tag, this translates to = 2 276, 23) i.e., roughly 2 bit of key used. If Eve is allowed to have, e.g., /8 bit initial knowledge of the key (so that r 0.97), her chance to break the system without fearing detection is less than each round. At 000 rounds/s, Eve's expected time to break the system would be at least years, much longer than when just guessing once every ten seconds. Remember that using this approach, Eve does not guess the tag value but only tries to break the system when she is certain of success. This result is the same as in [24]; even if Eve has a little information on the key used for authentication, her chances at breaking the authentication does not increase substantially. However, Eve can do more than just wait for the right message-tag pair to arrive; she may have a cunning plan.

V. A POSSIBLE ATTACK

Eve's main obstacle above is the Chebyshev inequality. Viewed in another manner, the central limit theorem ensures that most of the subsets will, with high probability, contain a number of remaining keys very close to r/ ε/. Eve's chances of breaking the authentication would increase dramatically if the remaining keys were split into subsets of only two kinds: with either ε/ or / keys in each subset. This will change the probability distribution discussed above, so that the argument that used the Chebyshev inequality does not apply anymore. Eve would then be able to break the authentication if the correct key would happen to fall in a subset with ε/ remaining keys, since we assume that Eve has enough freedom to generate a message-tag pair of her own as soon as this happens.
There are a few methods that Eve could use to arrange the subsets to her liking, but the easiest method would be to change the message: the message from Alice to Bob contains a lot of data that describes what has happened on the quantum channel. And Eve can access and change what happens on the quantum channel. In essence, Eve has some influence on the content of the message that Alice sends, and as a consequence, Eve can change the subsets. Note that this attack would use a different type of changes on the quantum channel than those caused by Eve extracting information from it, and need not be detectable as an increased noise level in the reconciliation step of the protocol. The attack is different in its aim since it is not intended to increase Eve's information on the key, but rather to maximize the usefulness of the information she has obtained in a previous round. Assuming that Eve does this as best as she can, the subsets may well be such that there remains either ε/ or / keys in each subset (see Fig. 5).

Fig. 5. Eve may be able to influence the message from Alice to arrange for subsets of two kinds, either with ε/ remaining key values (on the left in the figure) or / remaining key values (on the right), to have as many subsets as possible with ε/ remaining key values.

In this situation, the probability of success is instead the probability that the correct key ends up in one of the subsets with ε/ remaining keys in it. The number of such subsets are eliminated keys n = eliminated keys in a good subset r) = ε)/ and the probability of ending up in such a subset is P X ε ) possible keys in good subsets = possible keys = nε/ = r ε r r ε. 24) 25) The change in probability distribution gives a dramatic increase in probability from the bound in ineq. 2) to the value in eqn. 25). The difference between / and ε/ ε) is immense for our 2/-ASU 2 hash family, since eqn. 22) gives = 2 4log log M = ε < ε ε. 26) In our example, using a 2/-ASU 2 hash family, a 32 bit tag and /8 bit initial knowledge of the key (so that r 0.970), the probability of success is Again, at 000 rounds/s, Eve's expected time to break the system would be just nine months.
Yes, read that again. Nine months to break a QKG system without risk of detection. The immense difference between the two expected times above suggests that this is a problem even when Eve is not able to obtain the ideal subsets.

The real theoretical reason for the existence of this attack is that Wegman-Carter authentication with a partially known key is not cryptographically secure in the way discussed in Section II, concerning Wegman-Carter authentication with a completely secret key. Here, the probability of Eve guessing the tag value for her message m E does depend on which message m A Alice sends (even when it is not equal to Eve's message m E ). Put in other words, there are message-tag pairs from Alice that are weaker than others. In QKG, Eve can influence m A via the quantum channel and is given the tag for that message, and this will improve her situation as regards the determination of the correct tag E corresponding to her message m E.

It is clear that simply sending the tag along with the message to prove authenticity does not work in the long run if Eve has a small but non-zero knowledge of the authentication key used and can influence the message Alice wants to send. The little information carried by the tag can be enough together with what Eve already has, to make Eve certain that her attack will be successful. The probability of this happening in a run is small but Eve can wait, not trying to break the authentication until she is sure of success.

VI. PREVENTION

To prevent Eve from breaking the QKG system, Alice and Bob may adjust the parameter choices of by using a larger tag, or r by requiring more privacy amplification. This to make the expected time-of-life of the system long enough to suit their taste, but this will use up more key in the authentication, and/or require them to sacrifice more key during privacy amplification. The key production rate of such a system will be lowered, and given the meager output of the systems used today, this is probably not desirable. Minimizing this effect would require a detailed analysis of each individual QKG protocol.
A simpler, more efficient and generic fix would be to delay the second transfer of information to Eve so that she has to make the decision to try to break the authentication before she knows if she will succeed, i.e., before she has received the tag. The most obvious way to do this is to force Eve to send the message (Alice's or her own) to Bob before she gets hold of the tag. One solution is using synchronized clocks and sending messages and tags at pre-agreed times, with a pause longer than the precisions of the clocks. Synchronized clocks are already recommended for other security purposes in present QKG systems [].

Another solution that does not need clocks is for Alice to send the message to Bob, who replies with a large random number never seen by Eve or used before, a salt. Alice calculates a tag based on the concatenation of the message and the salt and sends that tag to Bob. Before Eve has seen the tag she will not know if she will be able to forge a message/salt/tag triple, and she will not see the tag before she sends a salt to Alice. Eve can either send the real message to Bob and fail but stay undetected or send Alice a faked salt and/or Bob a faked message. In the latter case, with the above parameter choices, it is almost certain that the tag she receives from Alice won't give the appropriate additional information, which reduces this attack to the simple guessing strategy initially described above.

VII. CONCLUSIONS

To conclude, even though Wegman-Carter authentication seems secure when used with a partially known key [24], the usual implementation of a QKG system contains an additional subtlety. Eve can influence the message to be sent, and together with partial knowledge of the key, this opens up Eve's possibilities. Fortunately a simple remedy exists: force Eve to make her attack before she knows that it will succeed, by making sure Alice will not send the authentication tag until either Bob has received the message or Eve has attempted breaking the system.
A real-world implementation of a QKG system might already have similar properties since a) the messages in question are to a large extent composed of random bit sequences, and b) a round normally consists of a dialogue of several messages and an authentication tag for all of them at the very end of the round. Whether this is enough to keep the system secure depends on the details of the system, but implementing the solution proposed here is cheap and requires no deep analysis of the system. We would therefore recommend doing just that in future QKG systems.

REFERENCES

[] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, in Proc. of the IEEE Int. Conf. on Computers, Systems, and Signal Processing, Bangalore, India. New York: IEEE, 1984.
[2] A. K. Ekert, Quantum cryptography based on Bell's theorem, Phys. Rev. Lett., vol. 67, 99.
[3] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, Experimental quantum cryptography, J. Crypto., vol. 5, pp. 3 28, 1992.
[4] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Quantum cryptography, Rev. Mod. Phys., vol. 74.
[5] J. S. Bell, On the Einstein-Podolsky-Rosen paradox, Physics, vol., 1964.
[6] J. F. Clauser, Experimental distinction between the quantum and classical field-theoretic predictions for the photoelectric effect, Phys. Rev. D, vol. 9, 1974.
[7] W. K. Wootters and W. H. Zurek, A single quantum cannot be cloned, Nature (London), vol. 299, 1982.
[8] R. L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM, vol. 2, 1978.
[9] D. Mayers, Quantum key distribution and string oblivious transfer in noisy channels, in Advances in cryptology Proceedings of Crypto 96. Springer, 1996.
[0] D. Mayers and A. Yao, Quantum cryptography with imperfect apparatus, in Proceedings 39th Annual Symposium on Foundations of Computer Science. Los Alamitos, CA, USA: IEEE Comput. Soc, 1998.
[] N. Lütkenhaus, Estimates for practical quantum cryptography, Phys. Rev. A, vol. 59, 1999.
[2] P. W. Shor and J. Preskill, Simple proof of security of the BB84 quantum key distribution protocol, Phys. Rev. Lett., vol. 85.
[3] D. S. Naik, C. G. Peterson, A. G. White, A. J. Berglund, and P. G. Kwiat, Entangled state quantum cryptography: Eavesdropping on the Ekert protocol, Phys. Rev. Lett., vol. 84, 2000.
[4] G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, Limitations on practical quantum cryptography, Phys. Rev. Lett., vol. 85.
[5] G. Brassard and L. Salvail, Secret key reconciliation by public discussion, in Advances in Cryptology: EUROCRYPT 93, T. Helleseth, Ed., vol Springer, 1994.
[6] C. H. Bennett, G. Brassard, and J.-M. Robert, How to reduce your enemy's information, in Advances in Cryptology Proceedings of Crypto 85, ser. Lecture Notes in Computer Science, vol. 28. Springer (Berlin), 1986.
[7], Privacy amplification by public discussion, SIAM J. of Comp., vol. 7, 1988.
[8] C. H. Bennett, G. Brassard, C. Crepeau, and U. M. Maurer, Generalized privacy amplification, IEEE Transactions on Information Theory, vol. 4, pp. 95, 1995.
[9] M. N. Wegman and J. L. Carter, Universal classes of hash functions, J. of Comput. System Sci., vol. 8, 1979.
[20], New hash functions and their use in authentication and set equality, J. of Comput. System Sci., vol. 22, 98.
[2] D. R. Stinson, Universal hashing and authentication codes, in Advances in Cryptology: Proceedings of Crypto 9, J. Feigenbaum, Ed., vol Springer, 99.
[22] B. Schneier, Applied Cryptography. Wiley, 1993.
[23] N. Ferguson and B. Schneier, Practical Cryptography. Wiley.
[24] M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, The universal composable security of quantum key distribution, in Theory of Cryptography: Second Theory of Cryptography Conference, TCC 2005, ser. Lecture Notes in Computer Science, J. Kilian, Ed., vol Springer, 2005.


Attack-Resilient Time Synchronization for Wireless Sensor Networks ack-resilien Time Synchronizaion for Wireless Sensor Neworks Hui Song, Sencun Zhu, and Guohong Cao Deparmen of Compuer Science & Engineering The Pennsylvania Sae Universiy Universiy Park, P 1682 Email:

More information

ME 406 Assignment #1 Solutions

ME 406 Assignment #1 Solutions Assignmen#1Sol.nb 1 ME 406 Assignmen #1 Soluions PROBLEM 1 We define he funcion for Mahemaica. In[1]:= f@_d := Ep@D - 4 Sin@D (a) We use Plo o consruc he plo. In[2]:= Plo@f@D, 8, -5, 5

More information

Nonparametric CUSUM Charts for Process Variability

Nonparametric CUSUM Charts for Process Variability Journal of Academia and Indusrial Research (JAIR) Volume 3, Issue June 4 53 REEARCH ARTICLE IN: 78-53 Nonparameric CUUM Chars for Process Variabiliy D.M. Zombade and V.B. Ghue * Dep. of aisics, Walchand

More information

COMP26120: Algorithms and Imperative Programming

COMP26120: Algorithms and Imperative Programming COMP26120 ecure C3 1/48 COMP26120: Algorihms and Imperaive Programming ecure C3: C - Recursive Daa Srucures Pee Jinks School of Compuer Science, Universiy of Mancheser Auumn 2011 COMP26120 ecure C3 2/48

More information

LHP: An end-to-end reliable transport protocol over wireless data networks

LHP: An end-to-end reliable transport protocol over wireless data networks LHP: An end-o-end reliable ranspor proocol over wireless daa neworks Xia Gao, Suhas N. Diggavi, S. Muhukrishnan Absrac The nex generaion wireless neworks are posied o suppor large scale daa applicaions.

More information

Location. Electrical. Loads. 2-wire mains-rated. 0.5 mm² to 1.5 mm² Max. length 300 m (with 1.5 mm² cable). Example: Belden 8471

Location. Electrical. Loads. 2-wire mains-rated. 0.5 mm² to 1.5 mm² Max. length 300 m (with 1.5 mm² cable). Example: Belden 8471 Produc Descripion Insallaion and User Guide Transiser Dimmer (454) The DIN rail mouned 454 is a 4channel ransisor dimmer. I can operae in one of wo modes; leading edge or railing edge. All 4 channels operae

More information

Vulnerability Evaluation of Multimedia Subsystem Based on Complex Network

Vulnerability Evaluation of Multimedia Subsystem Based on Complex Network JOURAL OF MULTIMDIA, VOL. 8, O. 4, AUGUST 23 439 Vulnerabiliy valuaion of Mulimedia Subsysem Based on Complex ewor Xiaoling Tang Insiue of Higher ducaion Research, Jilin Business and Technology College,

More information