QKD Device Evaluation—Why the Difference Between ITS Design and Secure Implementation Matters (A03c)
Quantum Key Distribution (QKD) aims at quantum-safe key agreement between two parties. In contrast to classical cryptographic key agreement, the two parties (Alice and Bob) exchange not only classical information but also quantum states over open channels, where a strong eavesdropping or manipulating attacker (Eve) can listen and interfere. Eve might have large storage and soon also quantum computing capabilities at her disposal, which put today’s efficient asymmetric cryptographic approaches in danger.
The theoretical security of QKD in the presence of Eve is based on fundamental principles of quantum mechanics as well as classical information-theoretically secure (ITS) message authentication, but not on complexity-theoretic assumptions. Further, classical local post-processing takes place.
Associated protocol security proofs must refer to a precise definition of security that includes not only cryptanalytic attacks on the designed QKD protocol but also captures all practical physical (quantum) attacks on the implementation during the expected lifetime. Proofs should give a security bound for comparison of an actual protocol run with an ideal protocol execution.
While the existence of a valid security proof with security parameter is important for the choice of a suitable QKD product for adequate protection of communication, it is not sufficient for passing a security evaluation.
The challenge is to consider high attack potential for all manufactured devices of the same type implementing the QKD protocol in question, which have tolerances and whose behavior varies over time and under different environmental conditions, i.e. to perform an exemplary security evaluation on a well-defined target of evaluation (TOE) using a worst-case scenario.