Modelling and Analysis of Quantum Key Distribution Protocols, BB84

Modelling and Analysis of Quantum Key Distribution Protocols, BB84 and B92, in Communicating Quantum Processes (CQP) language and Analysing in PRISM

Satya Kuppam
Dhirubhai Ambani Institute of Information and Communication Technology, Gandhinagar, India

arXiv:1612.03706v2 [cs.CR] 1 Apr 2018

This is a pre-print version of a journal submission, calling for comments from the audience.

Abstract—Proof of security of cryptography protocols theoretically establishes the strength of a protocol and the constraints under which it can perform, but it does not take into account the overall design of the protocol. In the past, model checking has been successfully applied to classical cryptography protocols to weed out design flaws which would have otherwise gone unnoticed. Quantum key distribution protocols differ from their classical counterparts in their ability to detect the presence of an eavesdropper while exchanging the key. Although unconditional security has been proven for both BB84 [3] and B92 [4] key distribution protocols, in this paper we show that identifying an eavesdropper's presence is constrained on the number of qubits exchanged. We first model the protocols in Communicating Quantum Processes (CQP) [10] [8] and then explain the mechanism by which we have translated this into a PRISM model and how we analysed the protocols' capabilities. We mainly focus on the protocols' ability to detect an active eavesdropper and the extent to which an eavesdropper can retrieve the shared key without being detected by either party. We then conclude by comparing the performance of the protocols.

I. Introduction

Quantum cryptographic protocols have garnered much acclaim in the last two decades for their ability to provide unconditional security, which is not practically assured by their classical counterparts. Commercial availability of quantum infrastructure in the last decade has placed even more emphasis on developing methodologies to ascertain the reliability of protocols in practice. Even though protocols are theoretically secure, our experience with classical protocols has shown that security can be compromised during implementation. Since modelling, analysing and verifying classical protocols have worked so well, developing techniques along these lines seems prudent for quantum cryptographic protocols as well.

The cornerstone of quantum cryptographic protocols is the inherent probabilistic nature. Unlike classical protocols, which accommodate a passive eavesdropper, wherein the eavesdropper can copy the bits and analyse them later, quantum protocols mandate an active eavesdropper. This constraint is promulgated by the no-cloning [11] theorem, which handicaps the eavesdropper from copying qubits. To extract information from the qubits an eavesdropper will inevitably resort to measuring them in a basis which might be different from the encoding basis, and thereby alters the state of the qubit. This action is probabilistic in nature. Moreover, quantum protocols also involve both classical and quantum channels. Therefore we need a language that is capable of modelling probabilistic phenomena and also takes into account both classical and quantum communications.

Communicating Quantum Processes (CQP) [10] is a language developed with the express purpose of modelling quantum protocols. CQP uses the communication primitives of pi-calculus [9] and has capabilities for applying unitary operators, performing measurements, and a static type system that differentiates between classical and quantum communications. Hence CQP seems an obvious choice for modelling quantum protocols. Reasoning along the same lines, PRISM allows us to model probabilistic transitions; as we show later, this allows us to seamlessly translate a CQP model into a PRISM model.

Previous work on analysis of BB84 by Papanikolaou [5] has reasoned about the probability of detecting an eavesdropper and corroborates the claim made by Mayers in his proof of unconditional security of BB84. However, this work does not model BB84 in CQP. We first model BB84 in CQP, convert the CQP model into PRISM and check the validity of the observations made by Papanikolaou [5]. We then proceed to show that B92's eavesdropping detection capabilities can be reasoned along the same lines.

To ensure brevity we have refrained from explaining quantum mechanical primitives like unitary operators, measurements and the no-cloning theorem. One good resource is Nielsen and Chuang's work [7]. Also, we have only provided an elementary introduction to CQP, only to the extent to which we use it in this paper. A better and complete resource would be Timothy Davidson's [8] doctoral thesis.

II. Preliminaries

We are going to briefly explain quantum measurement and the working of the BB84 and B92 protocols.

A. Quantum Measurement

It is inherent with any quantum mechanical system that any measurement done on the system will induce some irreversible disturbances. We are going to rely on this property of qubits heavily in any quantum cryptographic protocol.

Any quantum system can be represented as a vector in an n-dimensional complex Hilbert space. Measuring this quantum system can only give a set of privileged results, namely those associated with the basis vectors of the state space.

For example, consider a 2-dimensional complex Hilbert space with $|0\rangle$ and $|1\rangle$ as basis vectors. Let's say the vector $|\psi\rangle = \alpha|0\rangle + \beta|1\rangle$ describes the system. If we try to measure the system in the basis $\{0, 1\}$, then the system changes to a new state, either $|\psi'\rangle = |0\rangle$ or $|\psi'\rangle = |1\rangle$, permanently. It has a probability $|\alpha|^2$ of changing into $|\psi'\rangle = |0\rangle$ and a probability $|\beta|^2$ of changing into $|\psi'\rangle = |1\rangle$. Also, $|\alpha|^2 + |\beta|^2 = 1$.

We can also measure the system in whichever basis we choose. Let's measure the system in another basis $\{+, -\}$, where $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$; then the quantum state can be represented as $|\psi\rangle = \frac{(\alpha+\beta)}{\sqrt{2}}|+\rangle + \frac{(\alpha-\beta)}{\sqrt{2}}|-\rangle$.

Measuring this system in the basis $\{+, -\}$ will yield $|+\rangle$ and $|-\rangle$ with probability $\frac{(\alpha+\beta)^2}{2}$ and $\frac{(\alpha-\beta)^2}{2}$ respectively.

B. BB84 QKD protocol

A and B want to establish a secret for secure communication. A sends the encoding of some bits in the +, × basis to B on the quantum channel. B then chooses a random sequence of bases and measures the qubit sent by A in that basis. If the bases of Alice and Bob are equal then B obtains the classical bit chosen by Alice, otherwise he randomly gets {0, 1}. A and B then use the classical channel to exchange the basis and the corresponding measurements of qubits to decide upon a shared key or to detect the presence of an eavesdropper.

C. Understanding B92

Unlike BB84, where each classical bit has two different encodings depending on the basis used, B92 has only one. In other words there is a one-to-one correspondence between the classical bits and qubits exchanged. If Alice wants to send a classical bit 0 to Bob she sends → and if she wants to send 1 she sends ↗. The rest of the steps involved are the same as in BB84.

D. Eavesdropping Attacker

As mentioned earlier, whenever Eve measures the qubits that are in transit to Bob from Alice, she makes a permanent change to the state of the qubits if she doesn't use the same basis as that of Alice. In the BB84 protocol, if on some qubits both Alice and Bob use the same basis to encode and measure but Bob decodes a classical bit different from what Alice encoded, this suggests the presence of Eve. In B92 as well, if Alice and Bob obtain opposite results when the encoding basis is the same, then an attacker is present. We are assuming the qubit channel shared by all the participants is noiseless.

III. Formalising in CQP

A brief overview of CQP calculus is provided and then we proceed to formalise both the protocols in CQP. An example of the BB84-Bit Commitment Protocol in CQP [10] was given by Simon and Gay and our formalisation uses the same techniques.

A protocol at any given point of time has multiple participants, like Alice and Bob, which are the legitimate entities involved, and also adversaries like Eve. These entities are collectively known as agents. Agents communicate with each other via communication channels to exchange information. The working of the agents is encapsulated by processes. Every agent has more than one process, and at any given time it's possible that more than one process is in action. These processes can be reasonably thought of as states in finite state automatons, and every process transitions to another or terminates. CQP allows us to impose a probabilistic distribution across these transitions. Also, processes in CQP can be parametrised.

1) Channels are declared by the new keyword. For example, to declare a new qubit channel, we write (new qubitChannel:^[Qbit]), where Qbit is the data type qubitChannel is constrained to and "^" identifies it as a channel.
2) Variables can be declared within a process like so: (qbit q).
3) Process Output: c![x].P_{i+1} to send the data stored by variable x along channel c and then proceed with process P_{i+1}.
4) Process Input: c?[x].P_{i+1} to receive along channel c and then proceed with process P_{i+1}.
5) Process action: e.P_{i+1} evaluates expression e and then proceeds with process P_{i+1}.
6) Process decision: if e then P_{i+1} else P_{i+2}; if the expression e evaluates to true then proceed with process P_{i+1}, else P_{i+2}.
7) Terminate: P_i.0 the process terminates after P_i.

A. Formalising BB84

We identify that Alice, Bob are the primary agents of the protocol and to analyse the effects of an eavesdropper Eve becomes an agent of the system as well.

channels without any noise, if the measurement Bob made does not match, Alice straight away confirms the presence of an attacker and sends an eveDetect
