Kish Cypher - The Kish Cypher Scheme

The Kish Cypher Scheme

The key-exchange channel is a wire. At the beginning of each clock cycle, Alice and Bob, who have identical pairs of resistors R₀ and R₁ (representing the 0 and 1 bit situations) randomly select and connect one of the resistors to their end of the wire. No conventional signal is sent along the line but in this conceptual scheme, the Johnson noise of the resistor results in a noise voltage between the wire and the ground and a noise current in the wire. Low-pass filters are used because the bandwidth of the noise must be so small that the time-dependence of the channel noise amplitude must be so slow that the voltage and current amplitudes are virtually homogenous all along the wire, which means wave and propagation/delay effects are negligible. This is essential for the security and it strictly requires that the bandwidth is much smaller than the ratio of the propagation velocity and the length of the cable. Alice and Bob use a spectrum analyzer (or just an AC voltmeter to measure mean-square amplitudes) to passively measure the Johnson noise voltage and current of the line. From these data, the total resistance of the Kirchhoff loop can be calculated by the Johnson formula. Alice and Bob know their own resistor value thus, from the loop resistance, they can deduce the resistor value of the other party. In the ideal situation, the cases R₀/R₁ and R₁/R₀ represent a secure bit exchange because they cannot be distinguished in the noise spectra or mean-square values. Eve can do the very same measurements but she has no knowledge of the actually connected resistance values at Alice and Bob.

The use of the Johnson noise formula to securely evaluate the resistor values in the way described above requires thermal equilibrium. In the practical Kish cypher devices this is far from the case. For example, it cannot be guaranteed that the receiver and sender are at the same temperature. This is addressed by using artificial noise sources with Johnson-like characteristics. Thus the use of the Johnson noise of resistors is only a visualization of the security of the ideal scheme against passive attacks and, in practice, electronic noise generators are used to emulate a strongly enhanced Johnson noise at a publicly agreed very high temperature (around 1 billion Kelvin at the experiments ). This removes the restriction of operation within thermal equilibrium and replaces that with the requirement of calibrated noise generators. It also has the added advantage that noise can be ramped down to zero before switching and can be ramped up back to the nominal value after switching, in order to prevent practical problems involving unwanted transients.

To protect the Kish cypher against invasive attacks, including man-in-the-middle attacks, the sender and receiver continuously monitor the current and voltage amplitudes and broadcast them via independent public channels. In this way they are thought to have full knowledge of the eavesdropper's information, although existing security analyses have covered only specific attacks.

One possible attack against the Kish cypher is to evaluate a resistor value at one end of the wire, in the time window where the resistor at the other end is being switched out. The response to this claim is that this attack is completely avoidable by the simple trick of doing the switching when both the voltage and the current are zero in the line. In the hardware demonstration of the cypher, the voltage (and current) was ramped down to zero before the switching took place in order to create this situation in an easy way. A simpler method to eliminate this problem utilizes the fact that accurate noise measurement is slow, as it requires an averaging process. The resistors are switched faster than the noise measurement time. Thus the heart of the Kish cypher scheme is based on exploiting classical time-amplitude measurement uncertainty, in contrast to quantum uncertainty that is central to quantum cryptography.