SIMULATION AND ANALYSIS OF BB84 PROTOCOL BY MODEL CHECKING

(1)

SIMULATION AND ANALYSIS OF

BB84 PROTOCOL BY MODEL

CHECKING

J.R. SAHOO1

Department of Computer Science and Engineering, Institute of Technical Education and Research,

Bhubaneswar, Orissa, India

[email protected]

S. SATAPATHY2

Department of Computer Science and Engineering, Institute of Technical Education and Research,

Bhubaneswar, Orissa, India

[email protected]

Abstract:

Quantum Cryptography or Quantum key distribution (QKD) is a technique to securely distribute a bit string, among two parties by using laws of quantum mechanics. Its security relies on foundations of quantum mechanics, where as classical cryptography relies on difficulty of certain mathematical problems that can not able to provide unconditional security. Progress of research in this field indicates that QKD will be available outside the laboratory within next few years. These devices have now become complex and more effort is needed for their verification. In this paper, we will use the PRISM tool to analyze the security of BB84 protocol and more specifically the property of eavesdropping detection by combining the parameters of quantum channel and power of eavesdropper.

Keywords: BB84 protocol; Quantum Cryptography; Quantum Key Distribution; Model Checking.

1. Introduction

The security has become a big issue in both wired and wireless networks. Since conventional cryptosystems are based on a mixture of guess work and mathematics, it can not provide unconditional security. So, quantum cryptography has become an alternative solution which assumes only the laws of quantum physics should hold.

The first quantum key distribution protocol was proposed by Benett and Brassard in 1984 named after them as BB84 protocol [Bennett and Brassard, (1984)]. After that, so many quantum key distribution protocols have been proposed. But, BB84 protocol is the most widely used protocol till date.

As the mathematical proof of security of QKD protocols is not enough, computer scientists have developed a range of techniques and tools for analysis of these protocols. A logical model-checker such as SPIN [Holzmann, (1997)], states a system model satisfies a temporal formula or not. But, a tool such as PRISM, a probabilistic symbolic model checker, computes the probability with which such a formula is satisfied. The application of probabilistic model checking to QKD protocols is entirely appropriate, since quantum phenomena are inherently described by random processes.

(2)

The rest of our paper is organized as follows. In section 2 we provide a detailed description of BB84 protocol. In section 3 we give a simple presentation of the technique of model checking and we show why this technique is desired to analyze protocols of QKD. In section 4 we present our analysis of security of BB84 by combining the parameter of quantum channel’s efficiency and rate of attack in order to study the property of eavesdropping detection. Finally, we conclude the paper in section 5.

2. BB84 Protocol

Quantum Key Distribution (QKD) uses quantum mechanics to guarantee secure communication. It is only used to produce and distribute a key K = {0, 1} n, not to transmit any message data. This key can then be used with any chosen encryption algorithm to encrypt (and decrypt) a message, which can then be transmitted over a standard communication channel.

The protocol BB84 [Bennett and Brassard, (1984)], named after its inventors and year of publication, uses four photon polarization states grouped together in two different non-orthogonal bases. It is based on the assumption that only one photon can be transmitted at a time.

In general the two non-orthogonal bases are:

 Base + having horizontal polarization (00) and vertical polarization (900), and we represent the base states with intuitive notation: |0> and |1>. So, we have+ = {|0 >, |1 >}.

 Base × having diagonal polarizations (450) and (1350). The two different base states are |+> and |-> with |+> = 1/√2(|0 > + |1 >) and|−> = 1/√2(|0 > − |1 >). So, we have × = {|+>, |−>}.

The association between the information bit and basis are described in the Table 1.

Table 1. Coding scheme for the BB84 protocol.

Bit + ×

0 |0> = a00 |+> = a10

1 |1> = a01 |-> = a11

The protocol can be described as follows [Elboukhari et al., (2009)].

1) Quantum Transmissions (First Phase)

a) Alice chooses a random string of bits d Є {0, 1} n, and a random string of bases b Є {+, ×} n, where n > N.

b) Alice prepares a photon in quantum state aijfor each bit diin d and biin b as in Table 1, and sends it to Bob over the quantum channel.

c) With respect to either + or ×, chosen at random, Bob measures each aij received. Bob’s measurements produce a string d' Є {0, 1} n, while his choices of bases form b’ Є {0, 1} n.

2) Public Discussion (Second Phase) a) For each bit diin d

i) Alice over the classical channel sends the value of bi to Bob.

ii) Bob responds to Alice by stating whether he used the same basis for the measurement. Both di and di' are discarded if bi ≠ bi'.

(3)

c) The string of bits remaining in d once the bits disclosed in step 2b) are removed is the common secret key, K = {0, 1} N.

Measuring with the incorrect basis yields a random result, as predicted by quantum theory. Thus, if Bob chooses the × basis to measure a photon in state 1, the classical outcome will be either 0 or 1 with equal probability because|1 > = 1 /√ 2(|+> −|−>); if the + basis was chosen instead, the classical outcome would be 1 with certainty because|1 > = 1|1 > + 0|0 >.

To detect Eve, Alice and Bob perform a test for eavesdropping in step 2b) of the protocol. The idea is that, wherever Alice and Bob’s bases are identical (i.e. bi = bi’), the corresponding bits should match (i.e. di= di'). If not, an external disturbance is produced or there is noise in the quantum channel, we suppose all that is caused by Eve. In our article we are interested in analyzing this important property assured by quantum mechanics: the enemy’s presence is always made manifest to the legitimate users.

3. The Method of Model Checking

More time and effort are spent on verification than on construction in software and hardware design of complex systems. Techniques are sought to reduce and ease the verification efforts while increasing their coverage. In this context, formal verification is the act of proving or disproving the correctness of intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics. Formal verification includes the method of Model checking.

Model checking is a verification technique that explores all possible system states in a brute-force manner. In the field of logic in computer science, model checking refers to the following problem: Given a model of a system, test automatically whether this model meets a given specification. Using a specialized software tool (called a model–checker), a system implementer can mechanically prove that the system satisfies a certain set of requirements.

Using the model-checker PRISM, we verify if the model M satisfies the property defined by pi (i.e. whether M ⊨ Pi for each property Pi), and with PRISM we compute the value of the probability:

Pr {M | = Pi} (1)

By writing M = M (x1, x2, x3… xn), we can parameterize the model M and the probability (1) can be calculated for different value of xi, this enable us to have meaningful plot of the variation of (1).

A model is described in PRISM by components called modules. Each module has a sequence of actions to be achieved and it has its own local variables. The actions take the following expression:

[action]a ∶ (var = value ) + a ∶ (var = value ) + … + a ∶ (var = value ); (2)

In (2), the variable vari is assigned by valuei with probability a1 = 1. In case where n = 1 we have the notation: a : (var = value ) = (var = value )with 1 a = 1. The model checker PRISM permits us to specify arbitrarily probabilities for actions, for example in case n = 2 we can model a tendency in BB84 protocol of Alice in the choice of the quantum states by a module containing the action:

[StateOfAlice]true  0.7 ∶ (EtatAlice = |1 >) + 0.3 ∶ (EtatAlice = |0 >); (3)

(4)

4. Analysis of BB84 Protocol using the Model Checker PRISM

4.1. Description of the model BB84 in PRISM tool

PRISM is a probabilistic model checking tool being developed at the University of Birmingham. Conventional model checkers input a description of a model, represented as a state transition system, and a specification, typically a formula in some temporal logic, and return “yes” or “no”, indicating whether or not the model satisfies the specification. In the case of probabilistic model checking, the models are probabilistic, in the sense that they encode the probability of making a transition between states instead of simply the existence of such a transition, and analysis normally entails calculation of the actual likelihoods through appropriate numerical or analytical methods.

We have elaborated a model of BB84 in PRISM noted MBB84. It is done within a file containing modules that represent the components of the system. In our model of BB84, there is a module corresponding to each party involved in the protocol (Alice, Bob and Eve), plus a module representing the quantum channel.

As mentioned before, we are interested to studying by PRISM the specific security property that BB84 protocol must offer: an enemy who tries to eavesdrop must be detected. So, as mentioned in [Bennett and Brassard, (1984)], if Alice and Bob know that Eve is trying to eavesdrop, they can be in agreement to use the technique of purification and/or temporarily to stop the key establishment process.

By using our model of BB84, we can calculate the probability:

Pr {MBB84 |= Pdet}

Where Pdet represents a formula PCTL, its Boolean value is TRUEif the enemy is detected. We can vary n, the number of photons transmitted involved in the communication between Alice and Bob, and so in our PRISM model this probability is a function of n. Let us write the probability of detecting the enemy like:

Pdet(n) = Pr{MBB84 |= Pdet}

As we see, PRISM calculates exactly the probability of detecting an enemy, Eve. But we must give the definition of Pdet. For that we must precise the random event φ occurs when Eve is detected, this will enable us to write Pdet(n) like a conventional probability Pr(φ).

4.2. The Expression of Pdet

In the model MBB84, we suppose that Eve applies the standard attack of “man in the middle”. Thus, Eve receives each photon sent by Alice over the quantum channel, she measures it with its basis (+ or ×), and she obtains the result of its test, noted Tieveand then she transmits a new photon to Bob in the same measured state (the same state of polarization). By the measurement of this photon, Bob obtains its own test Ti.

In order to detect Eve, it is necessary to compare the bits of Alice and Bob (which are respectively Ai and Bi) when the test of Bob is Ti = 1; if in such case Ai ≠ 1-Bi then we are sure that a disturbance take place and it be caused certainly by the enemy, Eve. Let us note here that we suppose that the quantum channel is perfect; an imperfect channel can cause additional disturbances. In such case, for the need of the security we suppose all noise is due to Eve.

So, Eve’s presence is made manifest as soon as the following event φ occurs:

φ = (Ti = 1) ^ (Ai ≠ 1 − Bi) for some i ≤ n (4)

φ = (Ti = 1) ^ (Ai = Bi) for some i ≤ n (5)

(5)

P (n) = P {(Ti = 1) ^ (Ai = Bi) for some i ≤ n} (6)

Finally, the PCTL formula Pdet corresponding to this formula is:

P = {TRUE U (Ti = 1) ^ (Ai = Bi)} (7)

4.3. Probability of detecting an eavesdropper as a function of security parameter N (Intercept- Resend)

Here it is based on the assumption that the channel can store only one photon at a time and the quantum channel is ideal. We model this in the quantum channel module by the line:

[aliceput ](ch = 0)  (ch′ _{= 1) & (ch}′ _{= al} _{) & (ch}′ _{= al );} ₍₈₎

But, the eavesdropper intercepts all the photons passing through the channel. We model this in the quantum channel module by the line:

[eveput ](ch = 3)  (ch′ _{= 4) & (ch}′ _{= eve} _{) & (ch}′ _{= eve );} ₍₉₎

We use chstate, chbas, chbit , albas , albitfor respectively state, base and bit of the channel and base and bit of Alice. This line shows that the information sent by Alice (base and bit) remain unchanged before it received by Eve.

For 1 ≤ N ≤ 30, PRISM calculates Pdet (N), this produces the curve of Pdet (noted as Pdet(N)) as in fig. 1.

Fig. 1. The probabilities { Pdet(N), where N = No of photons } to detect Eve where the no of photons transmitted by Alice is between 1 and 30.

We note from the above curve, if we increase the number of photons emitted by Alice over the quantum channel, the probability of Eve’s detection increases and tends towards 1.

4.4. Influence of Quantum Channel’s efficiency and Rate of Attack

In our model MBB84, the quantum channel is represented by a module called Quantum Channel which can be in reality optical fiber or free air. We expect that the probability of detecting Eve increases when the quantum channel becomes noisy and also the probability of detecting Eve increases when the rate of attack increases. To achieve this we have consider 3 cases.

(6)

4.4.1. Ideal channel (no noise) and weak attack

As the channel is ideal channel we can model this in module quantum channel as equation (8). When Eve doesn’t intercept most of the photons, we simulate a weak attack. We can write this line as:

[eveput](ch = 3) 0.2 ∶ (ch′ _{= 4) & ch}′ _{= eve} _{& ch}′ _{= eve}

+ 0.8 ∶ (ch′ _{= 4) & ch}′ _{= al} _{& ch}′ _{= al} _{; (10)}

4.4.2. Little noisy channel and medium attack

When there is little noise in the channel we can model this in the module quantum channel as:

[aliceput ](ch = 0) 0.7: (ch′ _{= 1) & ch}′ _{= al} _{& ch}′ _{= al}

+ 0.1: (ch′ _{= 1) & ch}′ _{= 1 – al} _{& ch}′ _{= al}

+ 0.1: (ch′ _{= 1) & ch}′ _{= al} _{& ch}′ _{= 1 – al}

+ 0.1: (ch′ _{= 1)& ch}′ _{= 1 – al} _{& (ch}′ _{= 1 − al ); (11)}

As Eve performs a medium attack here we can model this line as:

[eveput](ch = 3) 0.5: (ch′ _{= 4)& ch}′ _{= eve} _{& ch}′ _{= eve}

+ 0.5: (ch′ _{= 4) & (ch}′ _{= al} _{) & (ch}′ _{= al );} ₍₁₂₎

4.4.3. Much noisy channel and strong attack

When there are very much noise in the channel we can model this in the quantum channel as:

[aliceput ](ch = 0) 0.4: (ch′ _{= 1)& ch}′ _{= al} _{& ch}′ _{= al}

+ 0.2: (ch′ _{= 1)& ch}′ _{= 1 – al} _{& ch}′ _{= al}

+ 0.2: (ch′ _{= 1)& ch}′ _{= al} _{& ch}′ _{= 1 – al}

+ 0.2: (ch′ _{= 1) & (ch}′ _{= 1 − al} _{) & (ch}′ _{= 1 − al ); (13)}

As Eve intercepts all the photons passing through the channel we can model this in quantum channel as equation (9).

(7)

Fig. 2. The probabilities {Pdet ch(i)Eve(i), i = 0,1,2} to detect the no of photons transmitted by Alice is between 1 and 15

In the above figure we mark that

 When the quantum channel is ideal and the rate of attack is weak the probability of detection of eavesdropper increases as we increase the number of photons,

 When the quantum channel is little noisy and the rate of attack is medium the probability of detection of eavesdropper increases more rapidly as we increase the number of photons,

 When the quantum channel is very noisy and the rate of attack is strong the probability of detection of eavesdropper increases even more rapidly as we increase the number of photons.

5. Conclusion

As the need of Quantum cryptography is raising, it is very much necessary to test and analyze such systems with more effort. In this article we chose a model-based technique for security analysis of the most widely used protocol BB84.

We are interested in studying the property of eavesdropper. By using the PRISM tool, we get the following three results.

 First, if we want to increase the probability of the detection of eavesdropper, it is necessary to increase the number of transmitted photons.

 Second, in the case when the quantum channel becomes noisy then the probability of detecting the eavesdropper increases too.

 Third, when the power of Eve becomes much stronger, the probability of her detection is higher.

6. References

[1] Bennett, C. H.; Brassard, G.(1984): Quantum cryptography: Public key distribution and coin tossing, in Proc. IEEE Int. Conf. Computers, Systems and Signal Processing, New York, Bangalore, India, pp. 175–179.

[2] Elboukhari, M.; Azizi, M.; Azizi, A. (2009): Implementation of secure key distribution based on quantum cryptography, in Proc. IEEE Int. Conf Multimedia Computing and Systems (ICMCS’09), page 361 – 365.

[3] Elboukhari, M.; Azizi, M.; Azizi, A. (2010 a): Analysis of Quantum Cryptography Protocols by Model checking, IJUCS, Vol 1, pp. 34-40.

[4] Elboukhari, M.; Azizi, M.; Azizi, A. (2010 b): Analysis of the security of BB84 by model checking, International Journal of Network Security & Its Applications (IJNSA), Volume 2, Number 2.

[5] Holzmann, G.J. (1997): The Model Checker SPIN, IEEE transactions on software engineering, vol. 23, no. 5. [6] http://www.prismmodelchecker.org/manual/Main/AllOnOnePage.