STORY OF THE MONTH
Quantum-secure clock synchronization, but what is secure exactly?
Loïc Millet
Clock synchronization
Sharing an identical time across distinct clocks is an essential feature for connected societies. Indeed, different clocks, even if once calibrated to a common reference frequency, eventually drift away from the nominal setting and end up ticking at different rates, hence defining time differently. Clock synchronization aims at making clocks define the same time. In practice, synchronization implies correcting both the clocks frequency difference, such that clocks tick at the same rate, and their phase offset, such that any constant time difference is removed.
One-way vs two-way methods
A simple way to synchronize clocks is one-way time transfer. There, Alice sends a timestamp to Bob, , which represents the time seen by her local, reference clock. Upon reception, Bob produces a timestamp, , reflecting the time seen by his own clock. Knowing the propagation delay of Alice’s signal through prior measurement or modelling, , Bob can infer from an accumulation of these two timestamps both the clock drift (the relative frequency difference, ) and the phase offset, , to lock his clock to Alice’s.

Such a method, however, is fundamentally vulnerable. If an attacker simply delays Alice’s timestamps, Bob is unable to distinguish a real clock offset from a manipulated propagation delay. Indeed, let Eve be an adversary who adds both a constant delay between Alice and Bob , and a time dependent delay .

This vulnerability motivated two-way synchronization methods. Upon reception of , , Bob does not simply produce his own timestamp, but sends back a message to Alice, . Upon reception of , Alice produces a new timestamp . The difference between Alice’s sent and received timestamps estimates the Round-Trip Time (RTT), which is then used as an estimate of τAB in the one-way equation

Assuming the delay between Alice and Bob to be independent of the direction , we have, in the presence of Eve, and assuming for simplicity Eve to add only a constant delay,

such that the one-way equation using RTTE as an estimate of τAB gives

The difference between the actual one-way quantity and the one estimated using the RTT measurement is, in the presence of Eve,

This equation shows that the two-way method perfectly compensates for Eve’s delay only if Eve does not bias the delay asymmetrically. Indeed, if τABE ≠ τBAE, Bob’s correction remains biased.
Furthermore, a negative adversarial delay in one direction can bias the clock offset estimates while remaining perfectly hidden. Indeed, if τABE = -τBAE, the RTT would appear as expected with RTTE/2 = τAB , resulting in an error of τAB in Bob’s phase offset estimate. Note that a negative delay is not necessarily unphysical. In a fiber network, Eve could simply shorten an optical delay line that she introduced secretly.
Following these observations, the sufficient requirements for secure two-way clock synchronization were defined [1]. In short, these requirements are
- Unpredictable signals.
The signal carrying the timestamps must appear random. In practice, the timestamps can be encrypted to ensure their authenticity. Notably, this countermeasure forbids Eve from sending a synchronization timestamps to Bob in advance, hence preventing negative adversarial delays.
- Irreducible propagation delay.
The propagation time must not be reducible by Eve by more than a chosen threshold L. This condition means that in practice, no shortest path of propagation available to Eve should exist, and Eve should not be able to use a signal that propagates faster than Alice’s signal to arrive earlier by. This requirement also prohibits negative delays.
- Known and measurable RTT.
Alice must know and measure the expected round-trip time to within the limit L. Indeed, synchronization is considered compromised if the error is higher than L

while Eve’s remains hidden from the RTT check if

where RTTE is the measured round-trip time and RTT is the modeled one. Obviously, Eve cannot fulfill both conditions without introducing a negative delay, and she can only hide within the measurement uncertainty L using asymmetrical delays.
Quantum secure time transfer
Quantum technologies have enabled a wide range of devices and protocols for clock synchronization [2]. Importantly, however, quantum technologies do not remove the assumptions and requirements for secure synchronization. For example, implementations that estimate the RTT using entangled photon pairs shared between Alice and Bob remain sensitive to asymmetric delay attacks [3], such that bounding the adversarial asymmetry remains a requirement.
A promising demonstration of quantum-secure time transfer was performed with the Micius satellite [4]. In their paper, the authors directly address the 3 requirements of secure synchronization. Unpredictability comes from the use of random photons emitted by their quantum key distribution systems to estimate the RTT. Indeed, an adversary attempting to bias the RTT estimate by introducing photons could be interpreted as an intercept and resend attack, hence driving the QBER towards 25%, whereas channel irreducibility is supported by free-space propagation.
[1] L. Narula and T. E. Humphreys, “Requirements for Secure Clock Synchronization,” in IEEE Journal of Selected Topics in Signal Processing, vol. 12, no. 4, pp. 749-762, Aug. 2018, doi: 10.1109/JSTSP.2018.2835772.
[2]U. Khalid, et al., “Quantum Clock Synchronization Networks: A Survey”, arXiv:2604.04437
[3] Jianwei Lee, Lijiong Shen, Alessandro Cerè, James Troupe, Antia Lamas-Linares, Christian Kurtsiefer; Asymmetric delay attack on an entanglement-based bidirectional clock synchronization protocol. Appl. Phys. Lett. 30 September 2019; 115 (14): 141101. https://doi.org/10.1063/1.5121489
[4] Dai, H., Shen, Q., Wang, CZ. et al. Towards satellite-based quantum-secure time transfer. Nat. Phys. 16, 848–852 (2020). https://doi.org/10.1038/s41567-020-0892-y
OTHER STORIES




