1.2.1 The idealized KLJN scheme and its security.

The working principle of the KLJN scheme [2], [26] is presented in Fig. 1, which shows an idealized configuration without any defense circuitry—such as current-voltage measurement/comparison, filters, etc—against invasive and non-ideality attacks. At the beginning of each bit exchange period (BEP), Alice and Bob connect their randomly chosen resistors and , respectively, to the wire line. These resistors are randomly selected by the switches from the set , , where the elements represent the low L and high H bit values 0 and 1, respectively.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Figure 1. Outline of the core KLJN key exchange system.

The communicator parties, Alice and Bob, randomly choose and connect either or to the wire. The (effective) temperature is publicly agreed and kept, and the (enhanced or standard) Johnson noises of the resistors , , , and are independent and Gaussian. The resulting channel voltage and current are also uncorrelated due to the Second Law of Thermodynamics. Parasitic elements leading to non-ideal features and defense circuitry against active (invasive) attacks and against attacks utilizing non-ideal features are not shown.

https://doi.org/10.1371/journal.pone.0081810.g001

The Gaussian voltage noise generators—delivering white noise with publicly agreed bandwidth—represent an enhanced thermal (Johnson) noise at a publicly agreed high effective noise-temperature at which their noises are statistically independent from each other, implying that , as well as from the noise during a former BEP. During the first practical implementation of the KLJN scheme, by Mingesz et al. [29], the noise-temperature range was used, which made the wire temperature insignificant even when the wire resistance was not zero.

Alice and Bob (as well as Eve) can use a measurement of the mean-square voltage and/or current to assess the bit status of the system, as shown in Fig. 2 for the case of voltage. The situations LH and HL represent secure bit exchange [2], [26], because Eve cannot distinguish between them through measurements, and whenever Alice and Bob see the HH/LH situation they know that the other party has the complementary bit value, which means that they infer the full bit arrangement. Eve cannot extract this information, because she does not know any of the bit values. In other words, a secure bit has been generated and shared. The bit situations LL and HH are insecure, which means that these bits (50% of the executed BEPs) are discarded by Alice and Bob.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Figure 2. Mean-square voltage (and current) versus time during operation.

There are three different levels (dotted lines) depending on the actual bit values; the intermediate value indicates a secure bit exchange period.

https://doi.org/10.1371/journal.pone.0081810.g002

According to the Fluctuation-Dissipation Theorem, the power density spectra and of the voltages and , supplied by the voltage generators in and , are given by(1)respectively. In the case of secure bit exchange (i.e., the LH or HL situation), the power density spectrum and the mean-square amplitude of the channel voltage , and the same measures of the channel current , are given by(2)and(3)respectively, where is the noise bandwidth.

1.2.2 The security of the KLJN scheme is based on the Second Law of Thermodynamics.

During the LH and HL cases, linear superposition makes the spectrum given by Eq. (2) represent the sum of the spectra at the two particular situations. Thus one obtains(4)when only the noise generator due to is running and(5)when the only the noise generator due to is running.

If Eve is to identify which end of the wire has or , it is necessary for her to measure and evaluate a physical quantity offering directional information. In the ideal case, the only information of this kind is the direction of the power flow from Alice to Bob (or vice versa, depending on the choice of positive current direction). In thermal equilibrium, however, this power must fulfill , as required by the Second Law of Thermodynamics. In other words, the ultimate security of the KLJN system against passive attacks is provided by the fact that the power , by which the noise generator due to resistor is heating resistor , is equal to the power by which the noise generator due to resistor is heating resistor [2], [26], [32]. Thus the fact that the net power flow is governed by can easily be shown from Eqs. (4) and (5) for the noise-bandwidth by(6a)and(6b)The equality is in accordance with the Second Law of Thermodynamics. In other words it is as difficult to crack the ideal KLJN scheme as to build a perpetual motion machine of the second kind [4].

This security proof against passive (listening) attacks holds only for Gaussian noise—i.e., the statistics of thermal noise—which has the well-known property that its power density spectrum or autocorrelation function already provides the maximum achievable information about the noise, and no higher-order distribution functions or other tools, such as higher-order statistics, are able to provide additional information.

The required duration of the BEP, at a given bit error probability [34] of the bit exchange between Alice and Bob, is determined by the following arguments: For the LL bit status of Alice and Bob, which is not a secure situation, the channel voltage and current satisfy(7)while, in the case of the other non-secure situation namely the HH bit status, the channel voltage and current satisfy(8)

During key exchange in this classical way, Alice and Bob must compare the predictions of Eqs. (7) and (8) with the actually measured mean-square channel voltage and current to decide whether the situation is secure (i.e., LH or HL prevails), while realizing that these mean-square values are different in each of these three situations (LL, LH or HL, and HH). If the situation is secure, Alice and Bob will know that the other party has the inverse of his/her bit, which implies that a secure key exchange takes place. Alice and Bob must use sufficiently large statistics to achieve low error probability. Fortunately, the bit error probability decays exponentially with the duration of the BEP [34]. Furthermore, a new “intelligent” KLJN protocol [31] can be used, which employs additional circuit calculations by Alice and Bob to reduce the BEP without increasing the error probability.

1.2.3 On active (invasive) attacks and attacks utilizing non-idealities.

It has been pointed out repeatedly [2], [26], [28], [29], [32] that deviations from the earlier shown circuitry and Johnson-like noise—including invasive attacks by Eve, parasitic elements, delay effects, inaccuracies, non-Gaussianity of the noise, etc—will cause a potential information leak toward Eve. However it is fortunate that the KLJN system is very simple, which implies that the number of such attacks is strongly limited. The defense methods against the attacks are straight-forward and are generally based on the comparison of instantaneous voltage and current data at the two wire ends via an authenticated communication between Alice and Bob, as indicated in Fig. 3. These attacks [2], [40], [43], [45] are not the subject of the present paper, and we refer to our relevant rebuttals where they have been analyzed [2], [32], [41], [42], [44] and where misconceptions and errors have been pointed out and corrected. Our earlier survey paper [2] reviewed various attacks on the KLJN scheme.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Figure 3. KLJN system minimally armed against invasive (active) attacks, including the man-in-the-middle-attack.

Alice and Bob measure the instantaneous channel voltage and current amplitudes and compare them via an authenticated public channel. In this way, they learn all the information Eve can have. Additions to prevent hacking—such as line filters, blinding detectors, etc—are not shown. The notation is the same as in Fig. 1.

https://doi.org/10.1371/journal.pone.0081810.g003

It is important to emphasize that Alice and Bob know Eve's best measurement information, because it is given by comparisons of voltage and current at the two ends of the wire. If Eve uses the best available protocol and the security of a certain bit is compromised, this is known also by Alice and Bob who therefore can decide to discard the bit in order to have a secure key. This is a new and unique situation in cryptography, which raises a number of research questions as mentioned in an earlier paper [32].

Finally, a secure type of privacy amplification [33]—XOR-ing the key bit pairs and producing a new key with this output, which results in half of the original length—is also feasible to enhance the security because of the low bit error probability of KLJN key exchange. The error probability decays exponentially with the increasing duration of the BEP [34]. At the experimental demonstration [29] the error probability was .

1.2.4 Foundations of the information-theoretic security in practical KLJN schemes.

Of course, perfect security of any physical key exchanger exists only under ideal (mathematical) conditions. For example, quantum encryption theoretically can offer perfect security only in the limit of a zero-photon-emission rate [5] (i.e., zero bit exchange rate) and zero detector and channel noise limits, which are unphysical and can never occur in a real system. The KLJN scheme is no exception to this rule [2], [26], [32]: it offers perfect security only at zero bandwidth or distance as a consequence of transients, cable resistance, capacitance, etc. However, just as for claims in favor of QKD, parameters of the KLJN building elements and protocol can be chosen so that the perfect security limit can be approached asymptotically. The general situation in the non-ideal case is that a miniscule DC signal component buried in a much larger Gaussian noise (of fixed variance) must be detected by Eve from small statistics limited by the BEP. This DC signal component is typically the mean value of a finite-time mean-square operation or that of the output component of a cross-correlation operation; further discussion on this issue is given in an earlier paper [31] and in Sec. 2.8. Eve must detect the sign of this small DC component in the large noise. When the parameters approach the ideal situation, the ratio of the DC signal amplitude and the root-mean-square (RMS) amplitude of the noise converges towards zero as a power law decay—typically with exponent −1 or −2 [2], [29], [42], [44]—with regard to the invested resources such as wire volume, current/voltage resolution, BEP duration , etc.

Here we summarize the foundation of the mathematical analyses below by explaining why and how Eve's information is limited compared to Alice and Bob's information, even though we have not imposed any limitation for Eve's measurement accuracy or her measurement speed anywhere in our analysis. This is a point of frequent misunderstanding and the additional explanation here was triggered by the referee report written by Dr. Bennett.

All our analyses and argumentations are based on a technically-unlimited eavesdropper (Eve). Accordingly, Eve's amplifiers and analyzers have infinite amplitude resolution and infinite measurement speed (infinite bandwidth), they are noise-free and absolutely linear. Otherwise, parameters describing characteristic time/frequency cut-off of Eve's measurement apparatus and of the amplitude resolution limit would enter into all of the equations describing Eve's information. Eve's only measurement-technology limitation is of fundamental physical nature: Eve can only very poorly separate the signals originating from the two directions as the result of the Rayleigh scattering at sizes much smaller than the signal wavelength; see Sections 2.1.4 and 2.3.2 below. This fundamental physical process is unavoidable, and Eve must live with the fact that the laws of physics prohibit using an efficient directional coupler. However, the same limitations concerning Rayleigh scattering also apply to Alice and Bob.

Then, the obvious question emerges: Why does Eve have significantly less information than Alice and Bob? One should note that this question is relevant only for passive attacks in practice (that is, non-ideal situations with finite distance, finite bandwidth, nonzero cable resistance and capacitance) and active attacks for arbitrary situations, because, for the ideal situation (with zero distance, finite bandwidth, zero cable resistance and capacitance) the Second Law guarantees perfect security. So, how can we summarize the main arguments behind our security proofs against the various attacks presented in this paper, and what is the fundamental mechanism behind the unconditional security shown by our mathematical security proofs?

Is it today's technological limitations of Eve's accuracy? No: it is a fundamental limit: the statistical uncertainty principle interrelating the finite measurement duration with statistical errors during noise analysis.

Eve can measure with infinite speed, which means infinite bandwidth, but she will not find anything beyond the noise bandwidth set by the noise generators and line filters of Alice and Bob (except negligible spurious, stochastic frequency components decaying in an exponential or power-law fashion versus frequency beyond the band limit). According to Shannon's sampling theorem, the maximum sampling frequency giving statistically independent data is thus during the duration of the BEP, Eve (just as Alice and Bob) can extract only independent samples of the channel noise even if Eve's measurement apparatus can collect samples with infinite sampling frequency. The quantity is determined by Alice and Bob because and are determined by them and chosen so that the error probability of exchanged bits is miniscule, thus no error correction algorithm is needed. Yuen [5] points out that error correction algorithms provides information to Alice and Bob in QKD, but KLJN can avoid using such. In practical applications one has , which is an extraordinarily small number for Eve to safely distinguish the minor differences, or less [41], in the noise statistics she can extract using non-idealities. For active attacks, Alice and Bob can easily enforce the same small differences in the statistics—for example 14 bits, used in the experimental demonstration, which is equivalent to a difference of less than . It is virtually impossible to distinguish such a small difference between stochastic signals with the available number of independent samples. As a result, the mathematical analyses shown in the subsequent sections indicate that Eve's successful guessing probability will be close to 0.5,—i.e., the limit representing zero information—and the accepted measure of security (statistical distance, see below) between Eve's extracted version of the key and a perfectly secure key is exponentially small.

But what about Alice and Bob? Alice and Bob know essential parameters that Eve does not have access to: they know their own resistance value and the exact amplitude of their noise fed into the line. Thus they do not need to utilize the non-ideality-based miniscule differences seen by Eve or the even smaller differences that Eve may generate by active (invasive) attack while staying hidden; they only need to monitor the channel voltage/current and identify which one of the three significantly different levels of the mean-square noise takes place. At , the achievable bit exchange has extremely small error probability, such as , see [34]. Further improvements are offered by the “intelligent” KLJN method, where can be significantly diminished by Alice and Bob via reducing when utilizing the knowledge of their own noise time function, combined with linear network calculations [31] allowed by the classical physical nature of the scheme.

1.2.5 Mathematical proof of the unconditional security of the exchanged key.

In order to mathematically analyze the security of the shared key, one must compare the probability distribution for successfully guessing each possible key sequence of an N-bit-long key, encompassing 2^N different sequences, with that of the perfect key having uniform distribution. A statistical distance measure, the variational distance [46] between the distributions representing the key guessed by Eve and the distribution representing the ideal (uniform) key is a useful concept. It defined by(9)where E and I represent Eve's extracted key and the perfect key, respectively, and and are the probabilities of correctly guessing the j^th version of Eve's key and of the perfect key, respectively. The key exchange has ε-security, as discussed by Hirota [6], if the statistical distance between the distributions representing the key guessed by Eve and the ideal (uniform) keys is less than , i.e.,(10)for .

The KLJN scheme provides identically and independently distributed sequences of random variables as key bit values, so that(11)where p is Eve's probability of successfully guessing bits. In non-ideal cases involving an information leak, and when the parameters are sufficiently close to the ideal limit, p can be given as(12)where ; here would mean a perfectly secure key. The reason for this behavior is easy to see if one realizes that Eve's small DC signal component offsets the center (mean value) of the probability density burying the large Gaussian noise. The first derivative at the center of the Gaussian density function is zero, implying that its Taylor approximation, to first order, results in a stable value for small changes around the center. In the idealized case (i.e., zero DC signal) Eve's estimation of the mean value of the Gaussian noise would yield (recording a positive sign at 50% of the exchanged key bits and negative sign also at 50% of the cases). In the non-ideal situation, the DC signal and the mean value of noise+signal are positive or negative; hence the flat amplitude distribution within this range makes Eve experience a non-zero (cf., Eq. 12) which is proportional to the DC signal [47].

As an example, we now consider the case of a non-zero wire resistance [29], [40]–[42] and assume that capacitive effects are compensated [29] or can be neglected due to the actual bandwidth. More examples will be shown in Chapter 2. For the case of fixed distance and bandwidth, q is proportional to the inverse of the square of wire diameter, i.e., with the inverse of the wire's volume V. In other words(13)where is a constant valid for a wire-resistance attack. Then, for the case of , one obtains(14)where the last approximation is valid for . Equation (14) indicates that decays exponentially with increasing value of N and inversely with wire volume V.

For the case of ε-security with , i.e., in the limit, the required q is given by(15)During the experimental demonstrations of the KJNL scheme, referred to above [29], it was found that Eve's equaled 0.025 for secure bit exchange during wire-resistance attacks with a wire resistance being 2% of the loop resistance. For a practical evaluation, let us suppose, that due to additional leaks (transients, cable capacitance, etc.) the actual is double of that, . Due to the assumption, in order to use the theory described above, we apply the a privacy amplification described in [33], which keeps the independently and identically distributed nature of the key by XOR-ing pairs of bits in the original key to have a new key with enhanced security and half of the length. Then, repeating this process a second time to obtain the final key with 25% of the original length, the resulting effective of Eve is [33] which allows key lengths N up to the order of 10⁴ bits. Equation (11) can then be evaluated with this effective value. For a 1000-bit-long shared key, it results in (i.e., an -security with ); for a 500-bit-long shared key it results in (i.e., an -security with ).

Finally, we observe that there are advanced protocols that can enhance the security or limit the required resources in efficient ways while the scaling of versus the utilized resource (wire volume, cf. Eq. 13) shown above in Eqs. (14) and (15) does not change. Below we give a short list of advanced protocols and associated basic security features proposed up to now:

1. Ideal KLJN schemes with passive attacks:
   • The Second Law of Thermodynamics and Kirchhoff's Loop Law [2], [26].
2. Non-ideal KLJN schemes with passive or active (invasive) attacks:
   • Transient protocols involving random-walk from equal resistances [31] and voltage ramping/timing [2], [29].
   • Selecting the noise bandwidth versus the value of wire resistance and wire capacitance [2], [29].
   • General defenses that work in any situation including hacking, encompassing comparison of instantaneous voltage and current amplitudes and discarding any bits where they differ or where they provide information to Eve (even it is erroneous). Note, however, that specific protocols apply for different hacking attacks.
   • Privacy amplification (XOR-ing key bit pairs [33]).
   • Enhanced KLJN protocols, for example the “intelligent” (iKLJN) and “keyed” (KKLJN) methods [31].

1.2.6 Optional security addition: cap imposed on q by Alice and Bob.

We briefly mention an additional security tool provided by the classical physical nature of the KLJN system; see its detailed description and security analysis elsewhere [48]. The fact that Alice and Bob have a public authenticated communication channel for comparing their instantaneous current and voltage data (together with the channel parameters known by them) allows them to access the measurement information of Eve. Thus they can discard those exchanged bits that give out too much information to Eve. In another word, Alice and Bob can impose a strict upper limit on q in Eqs. (12) and (15). This additional security tool is useful when the available resources of Alice and Bob are insufficient to diminish the q related to the exchanged raw bits and, for some other reasons, they want to avoid privacy amplification to reduce it. This ability of Alice and Bob is another indication that they are in full control of the maximum of statistical information Eve is able to access.

1.3.1 Bennett–Riedel's claim concerning no information transfer in a wire in the no-wave (quasi-static) limit.

BR write [4]: “We believe this no-wave limit is inappropriate and nonphysical for analyzing communication protocols (even as a mathematical idealization) because if propagating waves are excluded there is no way for information to get from Alice's side of the circuit to influence Bob's side, or vice versa.”

Based on this argument, they assert that Eve can separate and measure the “orthogonal” wave components that propagate from Alice to Bob and vice versa.

After surveying the relevant physics facts about waves, directional couplers for signal separation and the no-wave limit in Sec. 2.1, we refute the above argument in Sec. 2.2. Furthermore, we show what physics has to say about signal propagation in the no-wave (quasi-static) limit.

1.3.2 Bennett–Riedel's claim that the KLJN system does not offer security.

BR [4] set up three equations for the KLJN scheme, which invoke the deterministic nature of Maxwell's equations and neglect the stochastic nature of Johnson noise and the secret/random choice of the resistors. With this premise, it is not surprising that they concluded that KLJN does not offer any security. Here we discuss only the first and third of BR's equations—since the second one is redundant—and their main conclusion.

The conditional information represents the remaining uncertainty about the set of data F when the set of data G is known. Now if G completely determines F, whereas for the case when G does not provide any information about F. BR's first equation is(16)where X is a variable that fully describes the physical quantities on Alice's side of Eve's location during the BEP. These quantities include waves traveling toward Alice and away from her and all of her equipment, as well as noise and memory. The variable Y has the same meaning with regard to Bob. Furthermore, Z_A and Z_B are wave components propagating from Alice and Bob (as observed by Eve), respectively, and Z = (Z_A, Z_B) represents both wave components. We note that in BR's paper [4] either Z is incorrectly indexed or X and Y must be exchanged.

We first presume that Eq. (16) is valid, which assumes that Z_A and Z_B can be measured separately. This means that the uncertainty about Alice's “full description” X does not change if Eve expands her knowledge of wave Z_A coming from Alice by the knowledge of wave Z_B coming from Bob, and the same remains true even if knowledge of the total description of Bob's data Y is included.

It should be observed that the first equality in Eq. (16) contradicts BR's proposed passive correlation attack [4], which requires knowledge of both Z_A and Z_B and thus implies that .

We now introduce the mutual information of X and Y, which measures how much the knowledge of X or Y tells about the other variable. As a consequence of Eq. (16), and with further argumentation, BR deduce the following equation for the conditional mutual information between X and Y, conditional on Z:(17)This equation, if it is valid, would mean that after measuring the two waves Z = (Z_A, Z_B), Eve's information about X (i.e., Alice's full description) is not increased by learning Y (Bob's full description). Thus after measuring the two waves Z = (Z_A, Z_B), Bob's information about Alice would not be larger than Eve's information about her. The same argumentation would work also in the opposite direction, so that the KLJN system would not offer any security.

We will see below that BR's equations are invalid even in the wave limit; this is a result of multiple reflections as well as of Alice's and Bob's secure reflection coefficients and noises (known only by them) that always guarantee that they know more than Eve.

Most importantly, Eqs. (16) and (17) are entirely unfounded in the no-wave limit because the propagating relaxations Z_A and Z_B (which are not waves) cannot be measured separately; only their sum can be determined.

1.3.3 Bennett–Riedel's claim regarding a “thermodynamics-free” key exchange scheme.

One of the major claims of BR [4] is that thermodynamics and noise are not essential for security in the KLJN scheme. To prove this, they attempted to construct a deterministic key exchange method with two voltage generators and two switches, as illustrated in Fig. 4. This scheme is in fact already known; it is called the “Orlando system” and was conceived and patented by Davide Antilli in 2005 [49]. Despite its origin, we refer to it as the “BR system” below.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Figure 4. Outline of the (Antilli–) Bennett–Riedel system.

The two ends of the wire channel are connected to a three-stage switch with positions I (idle between two bit exchanges), L (low bit value) and H (high bit value). The two DC voltage generators have the voltage , and and are the voltage and current time-functions in the wire. Note that this figure is an improved version of BR's system because they mention the idle situation (necessarily grounded wire) only in the text but do not show it in their figure.

https://doi.org/10.1371/journal.pone.0081810.g004

In the idle mode between bit exchange periods, the switches are in position I; thus the wire channel is grounded. At the beginning of the BEP, Alice and Bob randomly choose between the switch positions L or H representing the corresponding bit values, and at the middle of the BEP they change their bit value. If the randomly chosen sequences of bit values happen to be identical, then the voltage on the wire will be zero for half of the BEP, and these events are disregarded. If the choices by Alice and Bob are complementary, then the voltage is U₀ for the whole BEP.

BR make three statements about the system in Fig. 4, which will be important later: They assert that (i) “The wires and voltage sources are taken to be ideal, with zero thermal noise” and, as a corollary, that (ii) “Thermodynamics and noise do not play a role.” Furthermore, they claim (iii) that the BR system is secure in the “no-wave” limit accomplished in a special way: that Eve waits with her measurements until transients have decayed.

We will see below that statements (i) to (iii) lead to an unphysical situation, namely that Eve must wait for infinite time before she may start listening. Furthermore, one should note that (iii) is an illegal assumption in unconditionally secure communications, because then Eve can only be limited by the laws of physics. Thus statement (iii), in itself, would imply only conditional security.

In Secs. 2.1 and 2.2 below we show why BR's scheme is unphysical, and we also crack it fully in a variety of ways while we demonstrate that the KLJN scheme stays unbroken as a consequence of the Second Law of Thermodynamics and of noise.

1.3.4 Bennett–Riedel's wave-transient-based attack before the steady state is reached.

BR write [4]: Thus, while the steady state mean square noise voltage in the original KLJN protocol does not allow Eve to distinguish between the LH and HL settings of Alice's and Bob's resistors she can distinguish them using (a) transient waves created by the switching action before the steady state is established.

For example Bob's resistor affects the phase and amplitude correlations between a right-traveling wave at time t and its left-traveling echo at time t+Δ, where is the transit time from Eve to Bob and back, with the echo vanishing only if the resistor is perfectly impedance matched to his end of the line.

Here it should be noted that BR have not put forward any concrete protocol with a quantitative and testable evaluation scheme. This is unfortunate because, by establishing such a protocol, one can see that, in the no-wave limit, such transients would represent minor information for Eve about Alice's and Bob's status. Even if propagating signal components (not waves) could be measured, the limited information about the noise within a small fraction of its correlation time (and the unknown additive noise and reflection at the other end of the wire) would make the information available to Eve very small. Moreover, even this minuscule information would converge towards zero upon a decrease of the noise bandwidth and/or a reduction of the wire length. The statistical distance between the key guessed by Eve and that of the perfectly secure key (of the same length) will vanish in a fashion similar to the one described by Eqs. (14) and (15). Sections 2.6 and 2.7 below discuss an efficient transient protocol and quantitative analysis.

1.3.5 Bennett–Riedel's passive time-correlation attack in the no-wave limit.

BR write [4]: Thus, while the steady state mean square noise voltage in the original KLJN protocol does not allow Eve to distinguish between the LH and HL settings of Alice's and Bob's resistors, she can distinguish them using (b) time correlations in the steady-state distribution of traveling waves resulting from the fluctuations that give rise to Johnson-Nyquist noise. For example Bob's resistor affects the phase and amplitude correlations between a right-traveling wave at time t and its left-traveling echo at time t+Δ, where Δ is the transit time from Eve to Bob and back, with the echo vanishing only if the resistor is perfectly impedance matched to his end of the line.

We will analyze this problem in Secs. 2.6 and 2.7 and give a security proof showing that the statistical distance between the key guessed by Eve and the perfectly secure key will vanish in an exponential fashion versus the length of the key.

1.3.6 Current extraction/injection based active (invasive) attack.

BR write [4]: …she (Eve) could still learn the key by an active steady-state attack in which she would place a very high-resistance shunt between her node and ground, and monitor the direction of current flow into it. Of course Alice and Bob could try to detect this weak leakage current also, and abort the protocol if they found it. The result would be an unstable arms race, won by whichever side had the more sensitive ammeter, not the sort of robustness reasonably expected of a practical cryptosystem.

We observe that this attack is valid only against the BR system because, in the KLJN scheme, the direction of the current flowing into the shunt resistor does not provide any information since its origin is a Gaussian noise process with zero mean and exhibiting perfect symmetry around zero. What BR might want to say for the KLJN scheme is that, by using the shunt resistor in the middle, the change of the RMS current in the wire will be greater in the direction of the lower resistance than in the directions of the higher resistance.

A very small difference in current, such as the one referred to above, results in an extremely poor statistics for Eve, and therefore one of the present authors (LK) has proposed a more efficient attack of the mentioned type in the original paper describing the KLJN scheme [26]: this attack entails a separate noise current generator instead of a shunt resistance as well as an evaluation of the cross-correlations between the injected current and the channel currents at the two sides of the injection. These cross-correlations determine which end of the wire has the low and which one has the high resistance. An attack of this type was disregarded as being inefficient already in the foundation paper for KLJN [26], because Eve would need a very long time to create sufficient statistics to reach a reasonable decision, whereas she only has the short duration of the BEP before the process ends. In Sec. 2.8, we analyze this attack mathematically and give a security proof against it.

2.1.1 The mathematical definition of a wave in physics.

In physics, a wave is defined as a propagating amplitude disturbance that is the solution of the wave equation(18)where c is the phase velocity, i.e., the propagation velocity when no dispersion is present. The dynamics of waves is governed by the oscillation of energy between two types, such as the electrical and magnetic field energies. If only one of these types of energy takes part in the propagation—or if the propagation is not based on the bouncing of energy between these two fields—then the propagating field disturbance is not a wave but merely a near-field oscillation with retardation effects.

We now consider a wire with finite size L. The wave equation in Eq. (18) has solutions only for frequencies(19)In other words, propagating field disturbances with frequency components below the minimum wave frequency do not satisfy the wave equation, and hence they are not waves. We concur with BR that propagation and corresponding time delays (i.e., retardation) are essential notions, but the propagating entities are not waves but field relaxations, and the consequences of this will be outlined below. Thus BR's statements about propagating “orthogonal” wave components that can be separated in the two directions is simply unphysical and leads to incorrect equations and conclusions. Furthermore, when the KLJN scheme operates in the “no-wave limit”, this means that the condition(20)applies [2], [26], and BR are correct in using the term “quasi-static” to describe this situation. However, in the limit of quasi-static electrodynamics [50] it is incorrect to classify the propagating disturbances as waves; these disturbances are neither the solution of the wave equation nor do their electrical and magnetic fields have wave energy bouncing back and forth between them during propagation.

2.1.2 The quasi-static limit of electrodynamics, and electrical circuitry symbols with lumped elements.

Quasi-static electrodynamics [50] and Eq. (20) constitute the bases for the operation and associated circuit drawings of any electrical circuit with lumped elements. The physical implication is that—along a line in a circuit drawing and the corresponding wire in the realized circuit, and at a given moment—the instantaneous current and the voltage amplitudes are virtually homogeneous, and retardation effects (including waves) can be neglected. In the absence of these implications, everyday electrical engineering design of circuits with lumped elements would be invalid and impossible.

2.1.3 Signal propagation in the no-wave (quasi-static) limit.

After the comments above it is obvious that BR's assertion, that without waves in the wire there is no information transfer, is not only unphysical but also in blatant contradiction with everyday experience. No landline phones, no computers or other electrical circuits with lumped elements would be able to function and process information if BR's claim were true! In conclusion, the quasi-static (no-wave) limit [50] is a physically valid working condition for the KLJN system, and it is not unphysical as BR claim.

2.1.4 Further implications of the quasi-static (no-wave) limit: Directional couplers, etc.

We now consider wave-based directional couplers for extracting and separating signal components in two directions. These couplers simply do not work in the quasi-static limit, and even in the wave limit the cancellation of the irrelevant signal component is strongly frequency dependent because it is determined by the successful destructive interference of wave components in the coupler [51]. Couplers with good directivity are of the size , where and is the frequency for optimal operation. For longer wavelengths (i.e., smaller frequencies), the system is subject to Rayleigh scattering and, accordingly, the separation of intensities decays with a power function scaling according to .

There are also non-wave-based directional couplers, which are able to separate signals coming from two directions in the wire. These couplers work with lumped elements, such as transformers or active devices, and can be efficient in a wide frequency range. Their working principle is to cancel the signal of the irrelevant direction by subtracting from the channel voltage another voltage that is induced by the channel current. However, all of these couplers fail with the KLJN key exchanger because, for a proper operation to reveal Alice's voltage spectrum, the designer must know the exact value of her resistor. If instead Bob's resistor value is used, then the resulting signal voltage will be different and signal's spectrum will match Bob's noise spectrum instead. This fact is again a consequence of the Second Law of Thermodynamics, which guarantees that the cross-correlation of the channel voltage and channel current is zero, which leads to statistically independent channel voltage and current as a result of their Gaussian nature. Similarly, measuring the channel voltage and current and creating and would not offer information as a consequence of the independence and the Gaussianity of and . According to basic noise calculus, the spectrum of and would be and , respectively, independently of the sign for the second terms in these sums. In conclusion, non-wave-based directional couplers do not provide useful information for Eve.

2.3.1 The wave limit and the Pao-Lo Liu key exchange system.

It is important to note that the default operation of BR's system (cf., Fig. 4) is within the wave limit, which is a consequence of the abrupt switching of the voltage (cf., Sec. 2.4) and the generated high-frequency products. Moreover, in the BR system, no noise unknown by Eve is fed by Alice and Bob into the system. Thus Eqs. (16) and (17) are indeed valid for the BR system (but not for KLJN). As a consequence, the BR system does not offer any security for Alice and Bob, as further discussed in Sec. 2.5.

The wave limit represents an illegal operational condition for the KLJN scheme, and therefore it is unimportant. However there is a software-based protocol working in the wave limit, known as the Pao-Lo Liu key exchange system [52]–[54], which was inspired by KLJN but does not utilize the Second Law of Thermodynamics. In the Liu protocol, random number samples of infinitesimally low noises (in the ideal situation) at Alice's and Bob's sites are sent and reflected with random sign of the reflection coefficient. Alice's reflection coefficient, and the noise intensity added by her, is chosen so that, in the steady-state mode of ideal conditions, BR's proposed correlation attack [4] between the incoming and outgoing waves does not yield any information for Eve. The relevant relation for the Liu protocol, in the ideal situation, is(21)instead of the zero-security situation, , implied by BR's considerations and Eq. (17) [4]. Furthermore and surprisingly, Liu's system seems to satisfy(22)in steady-state and at the ideal limit. Liu's system has other weaknesses, though, stemming from the wave limit, viz., the distinct possibility to observe and ; these flaws lead to problems with transients [53] and vulnerability to non-ideal filters [54]. Neither is Liu's system protected by the Second Law of Thermodynamics or other laws of physics.

Finally, returning to the KLJN scheme but lingering in the wave limit, we have the following comments: If only the waves coming from Alice's direction and denoted are known, this particular situation provides less information about Alice's total description than the situation when the waves coming from the direction of Bob are known as well. This is so because alone offers limited information about the reflection coefficient, and the resistance determining it, at Alice's side. On the other hand, in accordance with BR's passive correlation attack discussed in Sec. 1.2.5 (and also in Sec. 2.7 for the no-wave limit, where it does not work), the cross-correlation of and (requiring the wave limit) provides more information about the reflection coefficient at Alice than does, and thus . We note, in passing, that BR's attack and its justification contradict their own equation, given in Eq. (16), which claims that adding to the knowledge of does not help Eve. The duration of the BEP is limited in the KLJN protocol, and thus the relation applies in Eq. (21).

It should be observed that Liu's system [52]–[54], described above, is slightly different from the KLJN system in the wave limit (which is illegal for KLJN) because, in the Liu protocol, the added and reflected noises are combined at the two ends in such a way that, in the ideal case, the cross-correlation does not yield any information from Eve. Thus Liu's system implies that, in general, the correct relation for the wave limit is .

2.3.2 Bennett–Riedel's equations for the KLJN scheme in the no-wave (quasi-static) limit.

BR's relations in Eqs. (16) and (17) do not exist for the KLJN system in the quasi-static limit because and are not observable separately [51]. Directional couplers that are able to separate such waves would produce outputs corresponding to(23)and(24)with . The largest separation would be at the high cut-off frequency of the noise bandwidth. As already pointed out in Sec. 2.1.4, this will lead to unconditional ε-security , i.e., results of the same nature as in Eqs. (14) and (15). The resources invested by Alice and Bob are the duration of the BEP and the length of the key .

Finally, we set up the correct relations replacing Eqs. (16) and (17): The conditional information terms for the KLJN scheme satisfy(25)where are current and voltage amplitudes along the wire in the steady state, where the dependence on x is miniscule and approaches zero for , and is the initial transient disturbance (not wave) running from Alice toward Bob until Bob's end is reached and Bob's unknown noise is mixed into it. The last conditional information term expresses the fact that Bob, by knowing his own total description, is able to make an almost perfect guess of Alice's description X [31]. However this term is still larger than zero, because errors remain even in this case [31], [34], implying that a small uncertainty is left. Correspondingly, instead of Eq. (17), the correct relations for the conditional mutual information satisfy(26)

2.5.1 Six universal energy/current-flow-analysis attacks.

To circumvent the problem of waves, Alice and Bob use proper voltage envelopes to prevent wave-modes (high-frequency components belonging to the wave limit). In practice, the wave modes should be kept negligible. Another alternative is that Alice and Bob use filters. One should note that convergence requires some loss, which is unavoidable for any real physical system.

Six universal energy/current-flow-analysis attacks are based on the fact that any wire has a geometrical capacitance, and to charge the wire one needs a current flow, energy flow and power flow. Measurement of voltage and current, and determination their product, gives the power flow and its direction as shown in Fig. 5. This power flow is the quasi-static analogue of the Poynting vector in electromagnetics.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Figure 5. Universal energy-flow-analysis attack against BR's scheme in the no-wave limit.

The no-wave limit is provided by the specific time-function of the voltage . The capacitive current density toward the ground is spatially homogeneous along the wire, which leads to a maximum channel current amplitude power flow vector and energy flow vector at the closed end, and zero at the open end. The direction of these vectors during the charge-up period is pointing toward the open end.

https://doi.org/10.1371/journal.pone.0081810.g005

The power flow vector is given by(27)and the energy flow vector is its integral over the BEP according to(28)Eve's situation is fully characterized by the direction of the current vector , the mean power flow vector , and the energy flow vector . The magnitudes of the , and vectors with regard to location also fully inform Eve and compromise security. The further away from the connected voltage source these location-dependent quantities are evaluated, the less are their values, and they are zero at the open end. The directions of these vectors during the charge-up period are toward the open end.

In conclusion, the direction and the location-dependence of the three measurable quantities offer six ways to fully crack the key in the BR system.

2.5.2 Three transient-damping resistor attacks.

To make the system physical and stop the transient after one return, Alice and Bob may use damping resistors to match the wave resistance of the wire, as shown in Fig. 6. These resistors will cause a continuous noise current flowing into the geometrical capacitance of the wire. There are then three more ways to utilize thermodynamics to crack this system during the steady state.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Figure 6. Transient-damping-resistor version of BR's scheme, and capacitive noise current attack.

The direction and the location-dependent value of the cross-correlation vector for the time-derivative of the channel voltage and the current vector provide two ways to crack the key, while the location-dependence of the RMS channel current offers a third way.

https://doi.org/10.1371/journal.pone.0081810.g006

The noise current is correlated with the time derivative of the channel voltage and can be written(29)Both the sign of the cross-correlation vector and its value with regard to location fully inform Eve about the situation; their absolute values are zero at the free end of the wire and maximum at the closed end.

A third way to crack the key is given by the location-dependence of the RMS channel current, which is zero at the open end and maximum at the closed end.

2.5.3 Wire-resistance Johnson-noise attack.

Any wire will have non-zero resistance, and thus it produces Johnson noise. Eve can simply measure the voltage noise between the wire and the ground at the two ends of the wire, as indicated in Fig. 7.

Download:

• PPT
  PowerPoint slide
• PNG
  larger image
• TIFF
  original image

Figure 7. BR's scheme with finite wire resistance and Johnson noise attack.

With a wire resistance of and in the steady-state mode, Eve will measure a zero-power density spectrum at the closed end of the wire and at the open end.

https://doi.org/10.1371/journal.pone.0081810.g007

The free end of the wire will have a voltage noise spectrum given by(30)while the connected end shows zero noise. Consequently Eve can fully crack the system. One may note that this attack can be avoided if the connected end of the wire has a large additive noise to conceal the noise given by Eq. (30), but then the former attacks utilizing the current, power flow and energy flow vectors will still crack the system even in the steady state.

2.5.4 The above attacks are inefficient against the KLJN system as a result of thermodynamics.

It is easy to understand how thermodynamics and noise, fed by the two communicating parties, protect the KLJN scheme against the above attacks. The resistors used by Alice and Bob make the system thermodynamic and produce Johnson noise. The noise voltages are much larger than the parasitic Johnson noise of the wire, because the wire resistance must be small (maximum 1 to 2% of ). Similarly the noise bandwidth is chosen so that the capacitive currents are negligible compared to the channel current.

The implication of the considerations above is that, when the above described attacks are used against the KLJN scheme, Eve's measurement will be a small DC signal buried in a large noise. This leads to relations similar to those shown for the wire resistance voltage drop in Eqs. (12) to (15), and the information theoretic security will be almost perfect. In the case of analogous attacks against the BR case, on the other hand, there is no other type of noise to bury Eve's signal. The rectified noise voltages and currents, and the cross-correlation results, are all uni-polar noises for which either the polarity of this quantity provides the result or, when its size matters, the size compared to zero. For example, the Johnson noise of the wire should be evaluated only at its two ends and should be zero at one end and non-zero at the other. Neither statistics nor averaging is needed to crack the BR system with these attacks; the result is virtually instantaneous and within the correlation time of the noise.