Integrity from Algebraic Manipulation Detection in Trusted-Repeater QKD Networks

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

Quantum Key Distribution (QKD) allows secure communication without relying on computational assumptions, but can currently only be deployed over relatively short distances due to hardware constraints. To extend QKD over long distances, networks of trusted repeater nodes can be used, wherein QKD is executed between neighbouring nodes and messages between non-neighbouring nodes are forwarded using a relay protocol. Although these networks are being deployed worldwide, no protocol exists which provides provable guarantees of integrity against manipulation from both external adversaries and corrupted intermediates. In this work, we present the first protocol that provably provides both confidentiality and integrity. Our protocol combines an existing cryptographic technique, Algebraic Manipulation Detection (AMD) codes, with multi-path relaying over trusted repeater networks. This protocol achieves Information Theoretic Security (ITS) against the detection of manipulation, which we prove formally through a sequence of games.


💡 Research Summary

The paper addresses a critical gap in the security of trusted‑repeater quantum key distribution (QKD) networks: while QKD provides information‑theoretic confidentiality, existing relay protocols do not guarantee integrity when intermediate repeaters are malicious or compromised. The authors propose the first protocol that simultaneously achieves unconditional confidentiality and integrity in such networks, using algebraic manipulation detection (AMD) codes together with multi‑path secret sharing.

The setting is a graph‑based trusted‑repeater network where Alice and Bob are connected by n vertex‑disjoint paths. Each edge represents a QKD link that supplies a one‑time‑pad (OTP) key for encrypting messages hop‑by‑hop. Traditional single‑path relaying requires fully trusting every intermediate node, which sees the plaintext and is expected to delete it after forwarding; a single compromised node can silently alter the message without detection.

To overcome this, the protocol proceeds in four stages:

  1. AMD Encoding – Alice first encodes her secret m using a δ‑AMD code (Cramer‑Dodis‑Fehr‑Padró‑Wichs construction). The encoding produces a tuple (s, x, σ) where σ = f(x, s) is a polynomial‑type tag. The AMD property guarantees that any non‑zero algebraic shift Δ applied to the encoded value will be detected with probability at least 1‑δ.

  2. Linear Secret Sharing – The AMD‑encoded value is then fed into a linear secret‑sharing scheme (e.g., additive sharing). This splits the encoded secret into n shares s₁,…,sₙ such that any qualified set (the full set of n shares) can reconstruct the original, while any smaller set reveals no information.

  3. Multi‑Path OTP Transmission – Each share sᵢ is sent along a distinct, vertex‑disjoint path Pᵢ. On each hop the intermediate node decrypts the incoming OTP ciphertext using its QKD‑derived key, re‑encrypts with the key for the next hop, and forwards. Because the OTP is information‑theoretically secure, the confidentiality of each share is preserved even if a node is observed.

  4. Verification and Reconstruction – Bob receives the n ciphertexts, removes the OTP layers using the corresponding QKD keys, and obtains the raw shares. He then applies the secret‑sharing recovery function to obtain the AMD‑encoded value, finally feeding it to the AMD decoder. If any share has been tampered with, the decoder outputs ⊥ with probability at least 1‑δ, causing Bob to abort. Otherwise, the original secret m is recovered.

The security proof adapts the game‑based framework of Brakerski‑Rabin (BR07) to the trusted‑repeater model. The adversary is allowed to corrupt up to t < n paths (dynamic corruption). The proof shows:

  • Confidentiality – Since each share is protected by an OTP derived from QKD, the adversary learns nothing about the underlying secret unless it controls all n paths, which is prohibited by the t < n assumption.
  • Integrity – The AMD code ensures that any algebraic manipulation of a share leads to detection with probability ≥ 1‑δ. Because the secret‑sharing scheme is linear, a manipulation of any subset of shares translates into an algebraic shift on the encoded value, which the AMD decoder catches.
  • Information‑Theoretic Security – No computational assumptions are required; security holds against unbounded adversaries.
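The four stages above, and the integrity argument that a shift on any subset of shares becomes an additive shift on the reconstructed codeword, can be exercised end to end in a small simulation. The following is an added example written for this summary; it is not the paper's code and makes several assumptions: the field is F_P with P = 2^61 - 1 (a Mersenne prime), the AMD code is the CDFPW polynomial construction with d = 2 source symbols, the linear secret‑sharing scheme is n‑out‑of‑n additive sharing, the one‑time pad is realised as addition in F_P, and the per‑hop "QKD keys" are drawn from local randomness rather than from real QKD links. The path layout (three paths with two to four hops) and the message are constructed for the demo.

```python
"""Added example (not the paper's code): AMD encoding, additive secret sharing,
hop-by-hop one-time pads over vertex-disjoint paths, and tamper detection at Bob.
Assumptions: prime field F_P, d = 2 source symbols, n-out-of-n additive sharing,
OTP as addition in F_P, hop keys drawn locally instead of from QKD."""
import secrets

P = 2**61 - 1   # assumed field size: Mersenne prime, so pow(x, e, P) is cheap
D = 2           # assumed d = 2; CDFPW requires char(F) not dividing d + 2 = 4 (P is odd)


def amd_tag(x, s):
    """CDFPW tag f(x, s) = x^(d+2) + sum_{i=1..d} s_i * x^i over F_P."""
    return (pow(x, D + 2, P) + sum(si * pow(x, i, P) for i, si in enumerate(s, start=1))) % P


def amd_encode(s):
    """Encode source s in F_P^d as the flattened codeword [s_1..s_d, x, sigma], x fresh and random."""
    assert len(s) == D
    x = secrets.randbelow(P)
    return list(s) + [x, amd_tag(x, s)]


def amd_decode(codeword):
    """Return s if the tag verifies, else None (Bob aborts).
    A fixed non-zero additive shift of the codeword survives with probability at most (d+1)/P."""
    s, x, sigma = codeword[:D], codeword[D], codeword[D + 1]
    return s if amd_tag(x, s) == sigma else None


def amd_delta():
    """Detection-failure bound delta = (d+1)/|F| for the CDFPW construction."""
    return (D + 1) / P


def share(vector, n):
    """n-out-of-n additive secret sharing of each field element of `vector`."""
    assert n >= 2
    shares = [[secrets.randbelow(P) for _ in vector] for _ in range(n - 1)]
    last = [(v - sum(col)) % P for v, col in zip(vector, zip(*shares))]
    return shares + [last]


def reconstruct(shares):
    """Linear recovery: component-wise sum of all n shares. A shift on any share becomes
    the same shift on the reconstructed codeword, which is what the AMD decoder checks."""
    return [sum(col) % P for col in zip(*shares)]


def otp(vector, key, sign=1):
    """One-time pad in the additive group of F_P: sign=+1 encrypts, sign=-1 decrypts."""
    return [(v + sign * k) % P for v, k in zip(vector, key)]


def relay_path(share_vec, hop_keys, tamper=None):
    """Carry one share along a path whose edges hold the keys hop_keys[0..h-1].
    Each repeater strips the incoming pad and applies the outgoing one. `tamper`, if given,
    is an additive shift applied by a corrupted first repeater on this path."""
    ct = otp(share_vec, hop_keys[0])                       # Alice encrypts for hop 1
    for k_in, k_out in zip(hop_keys, hop_keys[1:]):       # each intermediate node
        plain = otp(ct, k_in, -1)
        if tamper is not None:                             # corrupted repeater shifts the share
            plain = [(v + t) % P for v, t in zip(plain, tamper)]
            tamper = None
        ct = otp(plain, k_out)
    return otp(ct, hop_keys[-1], -1)                       # Bob strips the final pad


def fresh_keys(hops, length=D + 2):
    """Constructed stand-in for QKD-derived keys: one pad per hop, one element per codeword slot."""
    return [[secrets.randbelow(P) for _ in range(length)] for _ in range(hops)]


def send(m, paths_keys, tamper_on=None):
    """Alice -> Bob over n vertex-disjoint paths; paths_keys[i] lists the hop keys of path i.
    tamper_on = {path_index: shift_vector} models corrupted repeaters. Returns m or None."""
    codeword = amd_encode(m)
    shares = share(codeword, len(paths_keys))
    received = [relay_path(sh, keys, (tamper_on or {}).get(i))
                for i, (sh, keys) in enumerate(zip(shares, paths_keys))]
    return amd_decode(reconstruct(received))


def demo():
    """Honest run recovers m; a shift injected on one path makes Bob abort (returns None)."""
    m = [42, 1337]                                         # constructed message in F_P^2
    honest = send(m, [fresh_keys(3), fresh_keys(2), fresh_keys(4)])
    tampered = send(m, [fresh_keys(3), fresh_keys(2), fresh_keys(4)], tamper_on={1: [5, 0, 0, 0]})
    return honest, tampered


if __name__ == "__main__":
    print(demo())
```

Fresh keys are generated for every `send`, since a pad reused across two transmissions would no longer be a one-time pad. The tamper model is deliberately additive only: with an OTP in place a corrupted repeater cannot read a share, so a constant shift is exactly the algebraic manipulation the AMD code is designed to catch, and the `tamper_on` dictionary can name any subset of paths to see that shifting several shares at once is detected just as well.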

The authors also analyze overhead. Each share requires the same number of OTP bits as the share length, so the total extra QKD consumption is O(n·|m|), which they prove to be optimal for the given security parameters. They provide a concrete implementation using realistic QKD key rates, demonstrating that δ can be set to 2⁻⁴⁰ with modest tag sizes, and that the detection probability matches theoretical predictions in simulation.

A thorough related‑work section critiques prior attempts (SECOQC, Strenger authentication, Rass‑König) for relying on pre‑shared MAC keys or circular reasoning, which prevents provable integrity. By contrast, the AMD‑based approach requires no prior shared secret beyond the QKD keys used for OTP, eliminating the circular dependency.

In conclusion, the paper delivers a practical, provably secure protocol for trusted‑repeater QKD networks that simultaneously guarantees confidentiality and integrity without additional trust assumptions on intermediate nodes. The combination of AMD codes with multi‑path secret sharing offers a clean, information‑theoretic solution that can be integrated into emerging quantum communication infrastructures.

