Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol

06/16/2018 ∙ by Michel Boyer, et al. ∙ Technion 0

A semiquantum key distribution (SQKD) protocol makes it possible for a quantum party and a classical party to generate a secret shared key. However, many existing SQKD protocols are not experimentally feasible in a secure way using current technology. An experimentally feasible SQKD protocol, "classical Alice with a controllable mirror" (the "Mirror protocol"), has recently been presented and proved completely robust, but it is more complicated than other SQKD protocols. Here we prove a simpler variant of the Mirror protocol (the "simplified Mirror protocol") to be completely non-robust by presenting two possible attacks against it. Our results show that the complexity of the Mirror protocol is at least partly necessary for achieving robustness.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Quantum key distribution (QKD) protocols allow two parties, Alice and Bob, to share a secret random key that is secure even against the most powerful adversaries. Semiquantum key distribution (SQKD) protocols achieve the same goal even if one of the two parties (Alice or Bob) is limited to use only classical operations: the classical party can use only the computational basis , while the quantum party can use any basis – for example, both the computational basis and the Hadamard basis . As explained in Boyer et al. (2007, 2009), the importance of SQKD protocols is both conceptual and practical: they make it possible to investigate the amount of “quantumness” needed for QKD, and they may, in some cases, be easier to implement than standard QKD protocols.

The first SQKD protocol was “QKD with classical Bob” Boyer et al. (2007). Later, other SQKD protocols have been suggested, including “QKD with classical Alice” Zou et al. (2009); Boyer and Mor (2011) and many others (e.g., Boyer et al. (2009); Lu and Cai (2008); Sun et al. (2013); Yu et al. (2014); Krawec (2015); Zou et al. (2015)). Most SQKD protocols have been proven “robust”: namely Boyer et al. (2007), if the adversary Eve succeeds in getting some secret information, she must cause some errors that may be noticed by Alice and Bob. A few SQKD protocols also have a security analysis Krawec (2015, 2016); Zhang et al. (2018); Krawec (2018). Proving robustness is a step towards proving security; proving the security of SQKD protocols is difficult because those protocols are usually two-way: for example, Alice sends a quantum state to Bob, and Bob performs a specific classical operation and sends the resulting quantum state back to Alice.

However, many SQKD protocols, including Boyer et al. (2007); Zou et al. (2009), are vulnerable to practical attacks and cannot be experimentally constructed in a secure way using current technology. An important classical operation of those protocols is named SIFT. The definition of a SIFT operation performed by Alice (assuming that Alice is the classical party) is as follows: Alice measures the incoming quantum state in the computational basis and then generates the state she measured and resends it towards Bob. Security of those SQKD protocols relies on the assumption that during the SIFT operation, Alice’s measurement devices can measure the precise states and distinguish those precise states from any imperfect similar state, and Alice’s photon generation devices can generate the precise states and not any other (imperfect) state. In particular, the generated states must be indistinguishable from states that Alice reflects towards Bob. Using current photonic technology, Alice’s devices are imperfect, which makes this assumption incorrect and makes possible attacks by the eavesdropper Eve: for example, Eve may send a slightly modified state towards Alice (a “tagging attack”) or may distinguish between the states sent by Alice. Full details about those practical attacks are available in Tan et al. (2009); Boyer et al. (2009, 2017).

An experimentally feasible SQKD protocol named “classical Alice with a controllable mirror” (the “Mirror protocol”) has recently been presented Boyer et al. (2017). This protocol is safe against the “tagging” attack presented by Tan et al. (2009). Moreover, the protocol was proved by Boyer et al. (2017) to be completely robust against any attacker Eve, even if Eve is all-powerful and limited only by the laws of physics, and even if Eve can send multi-photon pulses. The robustness proof is still correct even if the detectors of Alice and Bob cannot count how many photons arrive in each mode: namely, when either Alice or Bob looks at a detector which detects a specific mode, they can only notice whether it “clicks” (detects one photon or more in that mode) or not (finds the mode to be empty). This is the standard situation when using current technology.

In this paper, we present a simpler variant of the Mirror protocol (the “simplified Mirror protocol”) which is easier to implement. Our variant allows the classical party, Alice, to choose one of three operations, while the Mirror protocol allows Alice to choose one of four operations. We present two attacks against this variant, proving it to be non-robust. Our results show that the four classical operations allowed by the Mirror protocol are probably necessary for robustness.

In Section 2 we present the Mirror protocol described by Boyer et al. (2017). In Section 3 we present the simplified Mirror protocol and its motivation. In Section 4 we prove the simplified Mirror protocol to be non-robust by presenting two attacks against it: a full attack and a weaker attack. In Section 5 we discuss potential implications of our results.

2 The Mirror Protocol

For describing the Mirror protocol (presented by Boyer et al. (2017)

), we assume a photonic implementation consisting of two modes: the mode of the qubit state

and the mode of the qubit state (below we call them “the mode” and “the mode”, respectively). For example, the mode and the mode can represent two different polarizations or two different time bins. We use the Fock space notations: if there is exactly one photon (and, thus, our Hilbert space is the qubit space), the Fock state (equivalent to ) represents one photon in the mode, and the Fock state (equivalent to ) represents one photon in the mode. We can extend the qubit space to a -dimensional Hilbert space by adding the Fock “vacuum state” , which represents an absence of photons. Most generally, the Fock state represents indistinguishable photons in the mode and indistinguishable photons in the mode. Similarly (in the Hadamard basis), the Fock state represents indistinguishable photons in the mode and indistinguishable photons in the mode. More details about the Fock space notations are given in Boyer et al. (2017); it is vital to use those mathematical notations for describing and analyzing all practical attacks on a QKD protocol (see Brassard et al. (2000) for details).

In the Mirror protocol, in each round, Bob sends to Alice the state – namely, the state. Then, Alice prepares an ancillary state in the initial vacuum state and chooses at random one of the following four classical operations:

(CTRL)

Reflect all the photons towards Bob, without measuring any photon. The mathematical description is:

(1)
(SWAP-10)

Reflect all photons in the mode towards Bob, and measure all photons in the mode. The mathematical description is:

(2)
(SWAP-01)

Reflect all photons in the mode towards Bob, and measure all photons in the mode. The mathematical description is:

(3)
(SWAP-ALL)

Measure all the photons, without reflecting any photon towards Bob. The mathematical description is:

(4)

(We note that in the above mathematical description, Alice measures her ancillary state in the computational basis and sends back to Bob the state.)

The states sent from Alice to Bob (without any error, loss, or eavesdropping) are detailed in Table 1.

Alice’s Classical Operation Did Alice Detect a Photon? State Sent from Alice to Bob
CTRL no (happens with certainty)
SWAP-10 no (happens with probability )
SWAP-10 yes (happens with probability )
SWAP-01 no (happens with probability )
SWAP-01 yes (happens with probability )
SWAP-ALL yes (happens with certainty)
Table 1: The state sent from Alice to Bob in the Mirror protocol without errors or losses, depending on Alice’s classical operation and on whether Alice detected a photon or not.

Then, Bob measures the incoming state in a random basis (either the computational basis or the Hadamard basis ). After completing all rounds, Alice sends over the classical channel her operation choices (CTRL, SWAP-, or SWAP-ALL; she keeps in secret), Bob sends over the classical channel his basis choices, and both of them reveal some non-secret information on their measurement results (as elaborated in Boyer et al. (2017)). Then, Alice and Bob reveal and compute the error rate on test bits for which Alice used SWAP-10 or SWAP-01 and Bob measured in the computational basis, and the error rate on test bits for which Alice used CTRL and Bob measured in the Hadamard basis. They also check whether other errors exist (for example, they verify Bob detects no photons in case Alice uses SWAP-ALL). Alice and Bob also discard mismatched rounds, such as rounds in which Alice used SWAP-10 and Bob used the Hadamard basis. Alice and Bob share the secret bit 0 if Alice uses SWAP-10 and detects no photon while Bob measures in the computational basis and detects a photon in the mode; similarly, they share the secret bit 1 if Alice uses SWAP-01 and detects no photon while Bob measures in the computational basis and detects a photon in the mode.

Finally, Alice and Bob verify that the error rates are below some thresholds, and they perform error correction and privacy amplification in the standard way for QKD protocols. At the end of the protocol, Alice and Bob hold an identical final key that is completely secure against any eavesdropper.

A full description of the protocol and a proof of its complete robustness are both available in Boyer et al. (2017).

The experimental implementation of the protocol can use two time bins (namely, two pulses), one for the mode and one for the mode. In this case, Alice’s possible operations can be described as possible ways for operating a controllable mirror, so that Alice can choose whether to reflect or measure the photon(s) in each time bin. The mirror can be experimentally implemented in various ways; for example:

  • It can be implemented as a mechanically moved mirror. Such mirror is trivial to implement, but it is very slow.

  • It can be implemented by using optical elements: an electronically-triggered Pockels cell, which changes the polarization of the photon(s) in one of the pulses, and a polarizing beam splitter, which can split the two different pulses (that now have different polarizations) into two paths. This implementation is feasible and gives much higher bit rates than the mechanical implementation.

More details about the experimental implementations are available in Boyer et al. (2017).

3 The “Simplified Mirror Protocol”: a Simpler and Non-Robust Variant of the Mirror Protocol

In this paper, we discuss a simpler variant of the Mirror protocol, which we name the “simplified Mirror protocol”. The simplified Mirror protocol is identical to the Mirror protocol described in Section 2, except that it does not include the SWAP-ALL operation. In other words, in the simplified protocol, Alice chooses at random one of the three classical operations CTRL, SWAP-10, and SWAP-01.

The simplified protocol is easier to implement, because the SWAP-ALL operation poses some experimental challenges to the electronic implementation discussed in Section 2: for implementing SWAP-ALL, the Pockels cell should either remain working for a long time (changing polarization for both time bins) or be operated twice (changing polarization for each time bin separately). In more details, for the two pulses representing the mode and the mode: if we assume the duration of each pulse is and the time difference between the two pulses is (where ), the first solution means keeping the Pockels cell operating during the time period , and the second solution means operating the Pockels cell during the two time periods and . The first solution may be problematic for some models of the Pockels cell, and the second solution may be problematic because of the recovery time needed for the Pockels cell. Therefore, at least in some implementations, the simplified Mirror protocol is much easier to implement than the standard Mirror protocol.

Moreover, analyzing the simplified protocol gives a better understanding of the properties required for an SQKD protocol to be robust. In particular, this analysis explains why the structure and complexity of the Mirror protocol are necessary for robustness.

For completeness, we provide below the full description of the simplified Mirror protocol. We note that this description is almost the same as the description of the Mirror protocol in Section 2.

In the simplified Mirror protocol, in each round, Bob sends to Alice the state – namely, the state. Then, Alice prepares an ancillary state in the initial vacuum state and chooses at random one of the following three classical operations:

(CTRL)

Reflect all the photons towards Bob, without measuring any photon. The mathematical description is:

(5)
(SWAP-10)

Reflect all photons in the mode towards Bob, and measure all photons in the mode. The mathematical description is:

(6)
(SWAP-01)

Reflect all photons in the mode towards Bob, and measure all photons in the mode. The mathematical description is:

(7)

(We note that in the above mathematical description, Alice measures her ancillary state in the computational basis and sends back to Bob the state.)

The states sent from Alice to Bob (without any error, loss, or eavesdropping) are detailed in Table 2.

Alice’s Classical Operation Did Alice Detect a Photon? State Sent from Alice to Bob
CTRL no (happens with certainty)
SWAP-10 no (happens with probability )
SWAP-10 yes (happens with probability )
SWAP-01 no (happens with probability )
SWAP-01 yes (happens with probability )
Table 2: The state sent from Alice to Bob in the simplified Mirror protocol without errors or losses, depending on Alice’s classical operation and on whether Alice detected a photon or not.

Then, Bob measures the incoming state in a random basis (either the computational basis or the Hadamard basis ). After completing all rounds, Alice sends over the classical channel her operation choices (CTRL or SWAP-; she keeps in secret), Bob sends over the classical channel his basis choices, and both of them reveal some non-secret information on their measurement results (as elaborated in Boyer et al. (2017)). Then, Alice and Bob reveal and compute the error rate on test bits for which Alice used SWAP-10 or SWAP-01 and Bob measured in the computational basis, and the error rate on test bits for which Alice used CTRL and Bob measured in the Hadamard basis. They also check whether other errors exist (for example, it must never happen that both Alice and Bob detect a photon). Alice and Bob also discard mismatched rounds, such as rounds in which Alice used SWAP-10 and Bob used the Hadamard basis. Alice and Bob share the secret bit 0 if Alice uses SWAP-10 and detects no photon while Bob measures in the computational basis and detects a photon in the mode; similarly, they share the secret bit 1 if Alice uses SWAP-01 and detects no photon while Bob measures in the computational basis and detects a photon in the mode.

Finally, Alice and Bob verify that the error rates are below some thresholds, and they perform error correction and privacy amplification in the standard way for QKD protocols. At the end of the protocol, Alice and Bob hold an identical final key that is completely secure against any eavesdropper.

4 Attacks against the Simplified Mirror Protocol

We prove the simplified protocol to be non-robust by presenting two attacks: a “full attack” described in Subsection 4.1, which gives Eve full information but causes full loss of the CTRL bits, and a “weaker attack” described in Subsection 4.2, which gives Eve less information but causes fewer losses of CTRL bits.

4.1 A Full Attack on the Simplified Protocol that Gives Eve Full Information

In this attack, Eve gets full information of all the information bits. Namely, she gets full information on the SWAP-10 and SWAP-01 bits that were measured by Bob in the computational basis.

Eve applies her attack in two stages: the first stage is on the way from Bob to Alice, and the second stage is on the way from Alice to Bob. In both stages she uses her own probe space (namely, ancillary space) spanned by the orthonormal basis . We assume that Eve fully controls the environment, the errors, and the losses (this is a standard assumption when analyzing the security of QKD): namely, no losses and no errors exist between Bob and Eve or between Alice and Eve.

In the first stage of the attack (on the way from Bob to Alice), Eve intercepts the state (namely, ) sent by Bob, generates instead the state

(8)

and sends to Alice the part of the state. This state causes Alice to get no photons with probability and get the expected state with probability . Alice then performs at random one of the three classical operations CTRL, SWAP-10, or SWAP-01. The resulting possible states of Bob+Eve are described in Table 3.

Alice’s Classical Operation Did Alice Detect a Photon? Bob+Eve State
CTRL no (happens with certainty)
SWAP-10 no (happens with probability )
SWAP-10 yes (happens with probability )
SWAP-01 no (happens with probability )
SWAP-01 yes (happens with probability )
Table 3: The state of Bob+Eve after Alice’s classical operation for the attacks described in Subsections 4.1 and 4.2, depending on Alice’s classical operation and on whether Alice detected a photon or not.

In the second stage of the attack (on the way from Alice to Bob), Eve applies the unitary operator on the joint Bob+Eve state, where is defined as follows:

(9)
(10)
(11)
(12)

is indeed a unitary operator, because we can prove the right-hand sides to be orthonormal: all the right-hand sides are normalized vectors; the first two vectors are clearly orthogonal; the third vector is orthogonal to the first two, because

; and the fourth vector is orthogonal to the three others. Thus, defines (or, more precisely, can be extended to) a unitary operator on .

Applying the unitary operator on Table 3 gives the states listed in Table 4. Comparing it with Table 2, we conclude that this attack never causes Alice and Bob to detect an error. Moreover, Eve detects the whole secret key: Eve measures “” in her probe if Alice and Bob agree on the bit , and she measures “” in her probe if Alice and Bob agree on the bit . However, Eve causes several kinds of losses; in particular, all the CTRL bits are lost.

Alice’s Classical Operation Did Alice Detect a Photon? Bob+Eve State
CTRL no (happens with certainty)
SWAP-10 no (happens with probability )
SWAP-10 yes (happens with probability )
SWAP-01 no (happens with probability )
SWAP-01 yes (happens with probability )
Table 4: The state of Bob+Eve after completing Eve’s attack described in Subsection 4.1, depending on Alice’s classical operation and on whether Alice detected a photon or not.

Therefore, this attack makes it possible for Eve to get full information without inducing any error. However, Eve causes many losses, including full loss of the CTRL bits.

4.2 A Weaker Attack on the Simplified Protocol Causing Fewer Losses of the CTRL Bits

The full attack described in Subsection 4.1 makes it impossible for Bob to ever detect a CTRL bit, which may look suspicious. We now present a weaker attack that lets Bob detect some CTRL bits but gives Eve less information.

The first stage of the attack (on the way from Bob to Alice) remains the same: that is, the state Eve sends to Alice is still given by Equation (8), and the resulting Bob+Eve state after Alice’s classical operation is still shown in Table 3. Eve’s probe space is, too, the same as before: .

This attack is characterized by the parameter . We will see that gives the full attack described in Subsection 4.1, while gives Eve no information at all.

Another important parameter used by the attack is

(13)

We notice that for small values of , the value of is close to . Moreover, for all , it holds that and .

In the second stage of the attack (on the way from Alice to Bob), Eve applies the unitary operator on the joint Bob+Eve state, where is defined as follows:

(14)
(15)
(16)
(17)

is indeed a unitary operator, because we can prove the right-hand sides to be orthonormal: all the right-hand sides are clearly normalized; the first two vectors are orthogonal; the fourth vector is orthogonal to the three others; and the third vector is orthogonal to the first and to the second, because

(18)
(19)

and thus . Therefore, extends to a unitary operator on .

The final global state after Eve’s attack is described in Table 5 (calculated by applying the operator on Table 3), given the following definitions:

(20)
(21)
Alice’s Classical Operation Did Alice Detect a Photon? Bob+Eve State
CTRL no (happens with certainty)
SWAP-10 no (happens with probability )
SWAP-10 yes (happens with probability )
SWAP-01 no (happens with probability )
SWAP-01 yes (happens with probability )
Table 5: The state of Bob+Eve after completing Eve’s attack described in Subsection 4.2, depending on Alice’s classical operation and on whether Alice detected a photon or not. The parameters and are defined in Equations (20) and (21).

We notice that for , the attack is the same as in Subsection 4.1. If , the loss rate of CTRL bits is , and Eve gets no information at all on the information bits (because ).

In general, if Alice and Bob share a “secret” bit , Eve’s probe state is in the (normalized) state

(22)

When Eve measures her probe state in the computational basis , she gets the information bit with probability

(23)

and the loss rates of CTRL and SWAP- bits (where ) are

(24)
(25)

respectively.

Table 6 shows the probabilities and the loss rates for various values of . For example, for , Eve still gets the information bit with probability , Bob’s loss rate for the CTRL bits is , and his loss rate for the SWAP- bits is .

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
1 0.97 0.89 0.78 0.66 0.55 0.44 0.34 0.25 0.15 0
1 0.99 0.97 0.94 0.89 0.83 0.76 0.67 0.57 0.46 0.33
0.83 0.83 0.82 0.79 0.76 0.73 0.68 0.63 0.58 0.53 0.5
Table 6: The probability of Eve obtaining an information bit, and the loss rates and of CTRL and SWAP- bits (where ), respectively, for several values of the attack’s parameter .

For all values of , the attack causes no errors. However, in principle, it can be detected because it causes different loss rates to different types of bits: the loss rate experienced by Bob in the CTRL bits, , is usually different from the loss rate in the SWAP- bits, (see Table 6 for details). Therefore, in principle, the attack can be detected by a statistical test for most values of .

The loss rates become equal only for the value (which gives ). It seems that this specific attack cannot be detected, even in principle: it causes no errors, and it causes the same loss rate for all qubits. For this attack, Eve gets the information bit with probability , and the loss rates are . Therefore, this attack gives Eve a reasonable amount of information, and it is not detectable by looking at errors or comparing loss rates. (We can slightly modify the attack to make the loss rate the same in both directions of the quantum channel, too.)

We conclude that this weaker attack gives Eve partial information, causes no errors, and causes several loss rates. We also conclude that since the loss rates caused by the attack are usually different for different types of bits, the attack can be detected, in principle, for any value of except . However, for , the attack seems undetectable.

5 Discussion

We have discussed a simpler and natural variant of the Mirror protocol (the “simplified Mirror protocol”) which is easier to implement. We have found the simplified Mirror protocol to be completely non-robust; therefore, this protocol is actually an “over-simplified” Mirror protocol. We have presented in Subsection 4.1 an attack giving Eve full information without causing any error; in addition, since this attack also causes full loss of the CTRL bits, we have presented in Subsection 4.2 weaker attacks giving Eve partial information, causing no errors, and causing fewer losses. In particular, we have presented a specific attack (characterized by the parameter ) that seems undetectable and gives Eve one quarter () of all information bits.

Those attacks prove that the simplified Mirror protocol, which allows Alice to use only three classical operations (CTRL, SWAP-10, and SWAP-01), is completely non-robust. On the other hand, the Mirror protocol is proved completely robust (see Section 2 and Boyer et al. (2017)). As explained in Section 3, the only difference between the simplified Mirror protocol and the Mirror protocol is that the Mirror protocol allows a fourth classical operation, SWAP-ALL; therefore, allowing the SWAP-ALL operation is necessary for robustness. More generally, the Mirror protocol probably cannot be made much simpler while remaining robust: its complexity is crucial for robustness. Therefore, we have seen that if we want to use an SQKD protocol that is experimentally feasible in a secure way, we may have to use a relatively complicated protocol.

In this paper, we have not checked the experimental feasibility of Eve’s attacks, because Eve is usually assumed to be all-powerful. Nonetheless, it can be interesting to check in the future the experimental feasibility of those attacks and discover whether the simplified Mirror protocol is flawed also in practice and not “only” in theory. Other interesting directions for future research include trying to find experimentally feasible SQKD protocols that are simpler than the Mirror protocol, and trying to find similar attacks against other QKD and SQKD protocols that have no complete robustness proof.

T.M. suggested to investigate the robustness of the simplified protocol. M.B. suggested and designed the two attacks. All authors performed the careful analysis of the attacks, wrote the manuscript, and reviewed and commented on the final manuscript.

The work of Tal Mor and Rotem Liss was partly supported by the Israeli MOD Research and Technology Unit.

Acknowledgements.
The authors thank Natan Tamari and Pavel Gurevich for useful discussions about the experimental implementation of SWAP-ALL. The authors declare no conflict of interest. The following abbreviations are used in this manuscript:
QKD Quantum Key Distribution
SQKD Semiquantum Key Distribution
References yes

References

  • Boyer et al. (2007) Boyer, M.; Kenigsberg, D.; Mor, T. Quantum Key Distribution with Classical Bob. Phys. Rev. Lett. 2007, 99, 140501. doi:black10.1103/PhysRevLett.99.140501.
  • Boyer et al. (2009) Boyer, M.; Gelles, R.; Kenigsberg, D.; Mor, T. Semiquantum key distribution. Phys. Rev. A 2009, 79, 032341. doi:black10.1103/PhysRevA.79.032341.
  • Zou et al. (2009) Zou, X.; Qiu, D.; Li, L.; Wu, L.; Li, L. Semiquantum-key distribution using less than four quantum states. Phys. Rev. A 2009, 79, 052312. doi:black10.1103/PhysRevA.79.052312.
  • Boyer and Mor (2011) Boyer, M.; Mor, T. Comment on “Semiquantum-key distribution using less than four quantum states”. Phys. Rev. A 2011, 83, 046301. doi:black10.1103/PhysRevA.83.046301.
  • Lu and Cai (2008) Lu, H.; Cai, Q.Y. Quantum key distribution with classical Alice. Int. J. Quantum Inf. 2008, 06, 1195–1202. doi:black10.1142/S0219749908004353.
  • Sun et al. (2013) Sun, Z.W.; Du, R.G.; Long, D.Y. Quantum key distribution with limited classical Bob. Int. J. Quantum Inf. 2013, 11, 1350005. doi:black10.1142/S0219749913500056.
  • Yu et al. (2014) Yu, K.F.; Yang, C.W.; Liao, C.H.; Hwang, T. Authenticated semi-quantum key distribution protocol using Bell states. Quantum Inf. Process. 2014, 13, 1457–1465. doi:black10.1007/s11128-014-0740-z.
  • Krawec (2015) Krawec, W.O. Mediated semiquantum key distribution. Phys. Rev. A 2015, 91, 032323. doi:black10.1103/PhysRevA.91.032323.
  • Zou et al. (2015) Zou, X.; Qiu, D.; Zhang, S.; Mateus, P. Semiquantum key distribution without invoking the classical party’s measurement capability. Quantum Inf. Process. 2015, 14, 2981–2996. doi:black10.1007/s11128-015-1015-z.
  • Krawec (2015) Krawec, W.O. Security proof of a semi-quantum key distribution protocol. 2015 IEEE International Symposium on Information Theory (ISIT). IEEE, 2015, pp. 686–690. doi:black10.1109/ISIT.2015.7282542.
  • Krawec (2016) Krawec, W.O. Security of a semi-quantum protocol where reflections contribute to the secret key. Quantum Inf. Process. 2016, 15, 2067–2090. doi:black10.1007/s11128-016-1266-3.
  • Zhang et al. (2018) Zhang, W.; Qiu, D.; Mateus, P. Security of a single-state semi-quantum key distribution protocol. Quantum Inf. Process. 2018, 17, 135. doi:black10.1007/s11128-018-1904-z.
  • Krawec (2018) Krawec, W.O. Practical security of semi-quantum key distribution. Proceedings of SPIE, Quantum Information Science, Sensing, and Computation X; Donkor, E., Ed., 2018, Vol. 10660, p. 1066009. doi:black10.1117/12.2303759.
  • Tan et al. (2009) Tan, Y.G.; Lu, H.; Cai, Q.Y. Comment on “Quantum Key Distribution with Classical Bob”. Phys. Rev. Lett. 2009, 102, 098901. doi:black10.1103/PhysRevLett.102.098901.
  • Boyer et al. (2009) Boyer, M.; Kenigsberg, D.; Mor, T. Boyer, Kenigsberg, and Mor Reply:. Phys. Rev. Lett. 2009, 102, 098902. doi:black10.1103/PhysRevLett.102.098902.
  • Boyer et al. (2017) Boyer, M.; Katz, M.; Liss, R.; Mor, T. Experimentally feasible protocol for semiquantum key distribution. Phys. Rev. A 2017, 96, 062335. doi:black10.1103/PhysRevA.96.062335.
  • Brassard et al. (2000) Brassard, G.; Lütkenhaus, N.; Mor, T.; Sanders, B.C. Limitations on Practical Quantum Cryptography. Phys. Rev. Lett. 2000, 85, 1330–1333. doi:black10.1103/PhysRevLett.85.1330.