QKD, or Quantum Key Distribution: every now and then I read some suggestion about QKD and quantum resistant blockchain. Either as a buzzword or a serious suggestion to use for quantum proofing blockchain.

tldr; QKD is not feasible for achieving quantum resistance in blockchain. It is not a cryptography method that can solve the issues current non-quantum-resistant signature schemes have. To become quantum resistant, you need to implement a quantum resistant signature scheme. QKD has nothing to do with, and nothing to add to, signature schemes.

Here’s the sales pitch for QKD: one method of encrypted communication is to encrypt and decrypt information with a shared secret key. For this method, you obviously need a shared secret key to be able to decrypt the encrypted messages that are sent. Using QKD, you can send this shared secret key to your partner while knowing whether or not someone is listening somewhere on the communication line. Yes, you read it right: you can detect if someone has listened in on your line. So you would know that someone has attempted to read the shared secret key that you just tried to establish with your partner. Knowing that the key is compromised, you simply try another one instead of using the compromised key. When this succeeds, only the two of you have this specific shared secret key, and you know for a fact that no one has eavesdropped, so you can send an encrypted message that only the two of you can decrypt. Just to be totally clear: QKD exists today and doesn’t need quantum computers to function.

QKD isn’t a full cryptography method. It’s part of an encryption method. It’s only feasible for Key Distribution, for establishing shared secret keys. It’s a method of sending information in such a way that you can detect eavesdropping, by making use of quantum mechanics. So you can detect whether or not someone is listening to what you are sending. But what you are sending isn’t encrypted. Encrypting messages will be done with the shared key you sent by using a QKD method. So since it is not encrypted, you can’t use QKD to send all types of secret information. Why the fact that it is not encrypted is not an issue when you try to establish a shared secret key will be explained later. Bottom line is: QKD is not a full cryptography method, it’s a transmission method that is only useful for one very specific use case: Key Distribution.

QKD and blockchain. QKD solves a problem we don’t have in blockchain. QKD is a way of sending shared secret keys from A to B. This is only useful if you use a type of cryptography that uses shared secret keys to decrypt and encrypt messages. But blockchain doesn’t use shared secret keys. In blockchain we don’t encrypt transactions, and we use private keys that stay private and will not be shared. And we use public keys that need to be made public when you make a transaction. If public keys can be broken by quantum computers, you would need a quantum resistant signature scheme to solve that issue. QKD doesn’t add anything useful there. For a basic explanation of how blockchain uses public-private key cryptography, see here and here. The misconception that hashing public keys would make a blockchain quantum resistant, as often said about BTC, is discussed in part 6 of that series. Sneak peek: it doesn’t make BTC quantum resistant.

So QKD doesn’t add anything to blockchain as far as quantum resistance goes. It is, however, very cool tech, and if you’re interested, worth taking a closer look at.

Here’s how QKD works:

Alice and Bob want to talk. But they must be sure Eve can’t find out what they are saying. So they use messages that are encrypted and decrypted with a shared secret key. The key must be unique and secure. This secure key must be established and agreed on between Alice and Bob in such a way that Eve can’t get the key. The key consists of a number of random bits, each being either a 1 or a 0. (Don’t confuse this with private-public key cryptography. Private-public key cryptography is used to sign and authenticate messages. This is something totally different. Decrypting and encrypting messages with a shared secret key is to make sure no one can read what you are sending.)

So before Alice and Bob can start a secret conversation, they need to establish a secret key that only they have. To establish the secret key, Quantum Key Distribution is used. First the key is created by Bob. (Not by using QKD. QKD will only be used to send the secret key to Alice.) After the secret key is generated by Bob, he will send the key, that is the random sequence of 1’s and 0’s, to Alice using QKD. QKD is basically a method of sending and receiving information by making use of quantum superpositions or quantum entanglement and transmitting information in quantum states, usually by using photons. This abstract description should make this understandable:

4 different types of particles can be sent. The first set of particles can be imagined as 45 degree tilted particles: \ and /. (I will call these 45s) The second set of particles can be imagined as 90 degree tilted particles: | and — . (I will call these 90s)

The 45s can be translated to bits. Either a 1 or a 0. The 90s can also be translated to bits. Same here: either a 1 or a 0.

The 45s can be translated into bits by guiding them through a receiver, while that same receiver can’t translate the 90s into bits with a higher certainty than 50%. The 90s can be translated accurately to bits by a second type of receiver, which in turn can’t translate 45s with a higher certainty than 50%.

This can be visualized like so: The 45s receiver will send the particles through a “X shape”. The | or the — can’t fit through this unaltered, because the X won’t let them, so if you send a | or an — through the X shape, it will come out as a / or a \. The chance is 50% for either outcome, while the / or the \ fit through unaltered and will be registered as the intended bit. (Either a 0 or a 1.) While the — or the | are altered from an intended 0 to a 1 or vice versa with a 50% chance.

For the 90s receiver it’s the exact opposite. It will send the particles through a + shape, where the — or the | fit through unaltered, but the / and the \ can’t get through unaltered.

So the 4 kinds of particles are sent over a quantum channel from Bob to Alice. They are generated by the same principle as receiving the particles: by sending particles through an X or a +. This happens randomly though, so neither Bob nor Alice knows up front whether they need to translate with a 90s or a 45s receiver. So Bob can’t tell Alice which receiver she needs to use, and thus to receive, Alice makes a random choice for the translation of each particle: she either uses the 90s receiver or the 45s receiver. She uses this randomness to translate the whole sequence into bits. On average 50% of the sequence will be 45s and 50% will be 90s. Therefore half of the translated bits are correct, while the other half will be translated with a 50% accuracy. As a result, the total translation will be 75% correct. So she now has a sequence of bits that is 75% accurate. To complete the key generation, Alice now sends Bob information about which receiver she has used for each received particle. She can do this over an insecure network. Bob checks which bits Alice has translated with the right receiver, and knows which bits are correct. So now he sends her information on which bits are the correct ones. This can be done without revealing whether a bit is a 0 or a 1; it just indicates which positions in the sequence she has measured with the right receiver, and Alice knows whether that is a 0 or a 1. Now they both know which bits of Bob’s original sequence Alice has correct. They both discard the ones Alice has wrong, and they end up with an identical and unique key.

Now if Eve would be “listening” she would have to read all the particles the same way. Only when she reads this, she will (just like Bob and Alice) not know which receiver to use and she will randomly switch receivers. The result for Eve will be the same: she will have 75% correct. But (and this is where it goes wrong for Eve), after she has read the sequence, she has altered 25% of the sequence. (50% went through the correct receiver and are unchanged, and the other 50% went through the wrong receiver, and thus half of the output of that 50% is altered. So 50% of 50% = 25%.) This results in Eve sending the sequence through to Alice, but this sequence is only 75% the correct sequence as Bob has sent it. Now if Alice translates that sequence, she will have a 62.5% correct bit sequence.

If Alice and Bob compare bits, they will see that the percentage of bits Alice has right is around 62.5%, instead of 75%. Now they know someone has tried to listen, and they won’t use that key but try to generate a new key.
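The exchange described above, simulated as an added example that is not part of the original post. It uses the author's abstraction (a "+" receiver for the 90s, an "X" receiver for the 45s; the wrong receiver yields a coin flip) and an intercept-resend Eve, and reports the raw accuracy (75% vs 62.5%) as well as the error rate in the sifted key that Alice and Bob actually compare (0% vs 25%). The bit-basis encoding and the all-bits comparison are simplifications made here for illustration.

```python
import random

# Receiver bases: 0 = the "+" receiver (90s: | and —), 1 = the "X" receiver (45s: \ and /).

def measure(bit, send_basis, recv_basis, rng):
    """Read one particle. The matching receiver returns the intended bit;
    the wrong receiver alters the particle and returns a coin flip."""
    return bit if send_basis == recv_basis else rng.randrange(2)

def run_bb84(n, seed, eve=False):
    """Bob sends n random bits in random bases; Alice measures in random bases.
    If eve is True, an intercept-resend eavesdropper reads every particle and
    forwards it in the basis she used. Returns
    (raw_accuracy, sifted_error_rate, sifted_key_length)."""
    rng = random.Random(seed)               # seeded so the run is reproducible
    bob_bits = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    alice_bits = []
    for bit, basis, alice_basis in zip(bob_bits, bob_bases, alice_bases):
        if eve:
            eve_basis = rng.randrange(2)
            bit = measure(bit, basis, eve_basis, rng)   # Eve's own reading
            basis = eve_basis                           # particle now leaves in Eve's basis
        alice_bits.append(measure(bit, basis, alice_basis, rng))
    # Raw accuracy over the whole sequence: ~75% honest, ~62.5% with Eve.
    raw_accuracy = sum(a == b for a, b in zip(alice_bits, bob_bits)) / n
    # Sifting: Alice announces her receivers over the insecure network, Bob tells
    # her which positions used the right one, both discard the rest.
    kept = [i for i in range(n) if alice_bases[i] == bob_bases[i]]
    mismatches = sum(alice_bits[i] != bob_bits[i] for i in kept)
    sifted_error_rate = mismatches / len(kept) if kept else 0.0
    return raw_accuracy, sifted_error_rate, len(kept)

if __name__ == "__main__":
    for eve in (False, True):
        raw, err, key_len = run_bb84(20000, seed=1, eve=eve)
        print(f"eve={eve}: raw accuracy {raw:.3f}, "
              f"sifted error rate {err:.3f}, sifted key bits {key_len}")
```

A real protocol sacrifices only a sample of the sifted key to estimate the error rate and keeps the rest; here the whole sifted key is compared so the 25% figure is visible directly.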

Very cool tech. But here come the flaws:

- The first problem with QKD is that an attacker can prevent Alice and Bob from exchanging a 100% safe secret key simply by listening in on their channel. Alter-by-listening. The attacker doesn’t even have to register the secret key. Simply the fact that Alice and Bob know that someone is listening will make them discard the key and be unable to communicate securely.

- A second problem is the possibility of a Man In The Middle attack (MITM attack). The problem is this: after they have exchanged their info on the 75% accuracy, they have now agreed on the fact that they use the same key and start a conversation. Note that we stopped talking about Alice and Bob, and instead use “they”. The thing is: they can’t know for sure who they are talking to. Maybe there is someone literally in the middle of the communication channel. And maybe this is the person who is sending the 75% accurate answer back. So Bob would be talking to the attacker instead of Alice. Or maybe the one sending the bits to Alice is the attacker instead of Bob. So the listener could be performing an MITM attack. Alice and Bob just have no way of knowing for sure who they are talking to. So to prove to themselves that Alice and Bob are actually talking to each other, and not to an attacker, they need to have a shared secret that only the two of them know. So the first message they would exchange would be the shared secret to authenticate themselves to each other. Like in a movie it would be something like “It’s cold in November” “Yeah, but only when it rains”. They both know what the other is supposed to say, and thus they know they are talking to the right person. The obvious problem is: how will you let each other know in advance what the shared secret is without a secure communication channel? Wasn’t QKD supposed to be that secure channel? Apparently you need a secure communication channel before you can securely use QKD, which you wouldn’t need to use if you had a secure communication channel in the first place. See also here for a paper on this subject.

- The encrypted messages can be sent over any conventional insecure network. But the key distribution by QKD needs to be done over a special network. This creates the third problem, and this should maybe be the first problem, since it rules out practical use in the near future. QKD needs you to send your key exchange over a special network: a quantum communication channel which allows quantum states to be transmitted. So for this to work, this network needs to be there. Worldwide, preferably, if people around the world want to be able to use this system. Like a second internet. But that network doesn’t exist. (Yet, you could say, but there are no plans to create such a network either. And again here you could add “yet”.)

- Oh, and also, sending and receiving quantum states presents another problem: you would need a quantum key distribution box to send and receive keys. Which the average Joe isn’t going to buy, given the vulnerability to Alter-by-listening and MITM attacks. So yeah, publicly and widely used QKD? Not very likely.

Really cool and interesting on a scientific level though.

On a side note: A truly quantum resistant blockchain needs a quantum resistant signature scheme. Quantum Resistant Blockchain exists in full glory as we speak. QRL has used XMSS, a quantum resistant signature scheme, since launch. “NIST currently intends to approve both LMS and XMSS.”