Eve strikes back:Eve strikes back: attacks exploiting ... · PC Line Eve’s equipment – interrogating Aliceinterrogating Alice s’s phase modulator with powerful phase modulator

1Seminar at AlbaNova University Center, Stockholm, October 23, 2008

Eve strikes back:*Eve strikes back:attacks exploiting component imperfectionsattacks exploiting component imperfections

Vadim Makarov

*Title idea ©Claude Crépeau

2Quantum cryptography timeline

ca. 1970 Concept (“money physically impossiblet t f it”)to counterfeit”)

1984 First key distribution protocol (BB84)1984 First key distribution protocol (BB84)

1989 Proof-of-the-principle experiment1993 Key transmission over fiber optic link

2004 First commercial offers (20~50 km fiber links)2004 First commercial offers (20 50 km fiber links)2007 200 km in fiber, 144 km free-space demonstrated

...... Market? And, what’s the real level of security?

3

O f i d EOur friend, Eve …

EVE

Alice BobClassical Channel

Aliceinitial secret key

key (X): 010110101 010110101Quantum Channel

Alice and Bob’s devices ce d ob s dev ces- shielded from Eve- work according to specification

Eve retired (Florida)

Slide courtesy Norbert Lütkenhaus

4

N t f i dlNot so friendly …EVE

Alice BobChannel

EVE

key (X) keyChannel

What Vadim does:What Vadim does:- find deviations of devices from model assumptions- actively intrude devices via optical fibers!

manipulate devices (blind burn detectors)- manipulate devices (blind, burn detectors)

Vadim’s complices: Hoi-Kwong Lo, Antia Lamas-Linares, Christian Kurtsiefer

5

Eve strikes back!Eve lost the battle in security proofs,

but came back via loopholes.

Stealing an idea from Claude Crepeau's slides in a CIAR meeting

Slide courtesy Hoi-Kwong Lo

6Loopholes

• Large pulse attack

• Detector efficiency mismatch

• C t l f i l h d d t t• Control of passively-quenched detectors

• Control of PerkinElmer actively-quenched detector

7Large pulse attack

AlicePhase

modulator

AttenuatorAlice’s

PC

Line

PC

Eve’s equipment

– interrogating Alice’s phase modulator with powerfulinterrogating Alice s phase modulator with powerfulexternal pulses (can give Eve bit values directly)

8Large pulse attack experiment

4% reflectionAlice

Laser

4% reflectionPhase

modulator

Laser

VVmod

E

OutL1

Eve

OTDRReceived OTDR pulse

Variable attenuator

In

Fine lengthL2

p

Fine length adjustment

to get L1 = L2 Vmod, V4.1 8.20J. Mod. Opt. 48, 2023 (2001)

99

Artem Vakhitov tunes up Eve’s setup

10Example: plug-and-play systemA

lice

Bob

N. Gisin et al., Phys. Rev. A 73, 022320 (2006)

11Protection against large pulse attack

1. Don’t use modulators

2. Passive (attenuator+isolator)

to BobBPF

Isolator

“Old” Alice

Attenuator

Laser

“New” Alice

3. Active (detector)

from AliceBPF “Old” BobBPF

Alarm

Old Bob

“New” Bobdetector

12Faked states attack

Conventional intercept-resend:

EVEA BB A

EVEA BB A

ALARM!!!ALARM!!!

Faked states attack:

EVEPlease, makesame click as me

BA FSBEVE same click as me

BA FSB( l )(no alarm)

J. Mod. Opt. 52, 691 (2005)

13Detector efficiency mismatch

• Most quantum cryptosystems need at least two detectors.• Efficiency of detectors depends on external parameters and is

ff f f fdifferent for two detectors, due to finite manufacturing and alignment precision.

• External control parameters:

“0” “1”D t t

• External control parameters:

Timing Spatial mode0 1Detector

efficiency“1”

t “0”

Wavelength Polarizationg

14Possible attack

BOB”0"

”1"

tt

Phys. Rev. A 74, 022313 (2006)

15Possible attack

BOB”0"

”1"

ttLaser pulse from Alice

Phys. Rev. A 74, 022313 (2006)

16Possible attack

BOB”0"

”1"

tt

Phys. Rev. A 74, 022313 (2006)

17Possible attack

BOB”0"

”1"

tt

Phys. Rev. A 74, 022313 (2006)

18Possible attack

Example: Eve measured with basis Z (90°), obtained bit 1p ( ),

BOB”0"0°

=0°Δϕ 0Δϕ

”1"

tt

(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)

19Possible attack

Example: Eve measured with basis Z (90°), obtained bit 1p ( ),

BOB”0"90°

=0°Δϕ

50%0Δϕ

”1"

ttEve’s attack is not detected

(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)Eve obtains 100% information of the key

20Example: pair of detectors for QKD

20% 20

ncy,

% t = 5.15 ns

1/9

t = 7.40 ns

1/30

0 1

⎯ ≈≈η η1 0η η

ffici

en

1/9 1/30⎯ ≈⎯ ≈η η0 1η η

10um e

f

10

quan

tuec

tor q

0 1 2 3 4 5 6 7 8 9 10 11 120D

ete

0 1 2 3 4 5 6 7 8 9 10 11 12t, ns

21Example: time-multiplexed detector

b. u

.ty

, arb

nsiti

vit

or s

ende

tect

oiz

ed d

-3 -2 -1 1 2 300

orm

al

-3 -2 -1 1 2 30t, nsN

o

22Example: 144 km free-space experiment

A. Lamas-Linares, C. Kurtsiefer, Opt. Express 15, 9388 (2007)

23Example: id Quantique ID-500 commercial QKD systemin worst 4% of automatic line length measurement cyclesin worst 4% of automatic line length measurement cycles

η =1/7.1 η =1/3.3

Y. Zhao et al., arXiv:0704.3253

24Time-shift attack

Eve

–Δt

+ΔtAlice Bob

Random switching

Available bit rate at QBER=0,in symmetric case:

1

in symmetric case:

R = I(A : B|E) = h(η /(η +1)) R

00.0 0.2 0.4 0.6 0.8 1.0

η00

B. Qi et al., Quant. Inf. Comp. 7, 73 (2007)

25Solution: develop security proof for a quantified η

0.11[1] [3][2]

BER

[3 4]

[3]

QB [3,4]

[5]1η0.0660 0.25

[ ]

[1] V. Makarov et al., Phys. Rev. A 74, 022313 (2006)[2] L. Lydersen, private communication[3] L. Lydersen, J. Skaar, arXiv:0807.0767[4] C H F F l Xi 0802 3788[4] C.-H. F. Fung et al., arXiv:0802.3788[5] B. Qi et al., Quant. Inf. Comp. 7, 73 (2007)Other protocols (DPSK, SARG04, Ekert): V. Makarov, J. Skaar, Quant. Inf. Comp. 8, 0622 (2008)

26Control of passively-quenched detector.Detector saturation curvesDetector saturation curves

1E+5

1E+6

105

106

1E+4

1E+5

econ

d 105

104

#2: EG&GSPCM-200-PQ

1E+2

1E+3

per s

e

103

102

1E+1

1E+2

unts

p 102

101

1E-1

1E+0Cou 100

10−1#1: Do-it-yourself by

National University

1E 16 1E 15 1E 14 1E 13 1E 12 1E 11 1E 10 1E 9 1E 81E-2

1E 1

10−16 10−15 10−14 10−13 10−12 10−810−11 10−10 10−90

10 of Singapore

1E-16 1E-15 1E-14 1E-13 1E-12 1E-11 1E-10 1E-9 1E-8 Optical power at the APD, W

10 16 10 15 10 14 10 13 10 12 10 810 11 10 10 10 9

27Detector #1

Si APD:..PerkinElmer C30902S

V +208 V 360k==

+0 16 VOutput

10 μs

100+0.16 V

Single-photon response:IAPD

~ 1 ns

VAPD, V0

Comparator threshold

APD,+208

202 τ h ~ 1 μs≈ +202

t

τrecharge 1 μs

28Control intensity diagrams (for detector #1):

Popt

400 pW400 pW

No click12.6 pW

7 pW

0

No click

t0

Popt

400 pW 2 μs400 pW 2 μs

Single “click”12.6 pW

0

with probability ≥ 0.8

t0

arXiv:0707.3987

29Proposed attack

0° or 45°

S EveModulator D0

PBSAlice BobBob FS

Eve

D1Bob:

45°0°Eve detects obtains: 0° D0

Modulator

Bob:

Eve detects, obtains: 0 , D0.Eve resends faked state: 12.6 pW

7 pW12.6 pWD0

12.6 pWNo click Click

14 pW12.6 pW

7 pW12.6 pW

14 pW

D1

⊕

12.6 pWp

No click No click

30Example: ultrashort range QKD system

J. Duligall et al., “Quantum key distribution for consumer applications” (LPHYS08, July 2008)

31Example: 144 km free-space experiment

R. Ursin et al., Nature Physics 3, 481 (2007); Phys. Rev. Lett 98, 010504 (2007)

32Control of PerkinElmer actively-quenched detector

!*Pulsed laser source Detector

Output?????Oscilloscope* ?????

33Control of PerkinElmer actively-quenched detector 33

34PerkinElmer detector reverse-engineered.Control method №4Control method №4

Eve sends bright pulses(50 ns wide, >2 mW)

arXiv:0809.3408

35Bias voltage vs. parameters of bright pulses

(voltage at normal operation)

Filled symbols: full control over detector

36Control intensity diagrams

(a) Detector

output

(always clicks)output

Pcontrol = 8.5 mW2.0 mW

( y )

illumination10 nsInput

illumination

(b) output (never clicks)

Detector p

1 2 WInput

illumination

1.2 mW

37Proposed attack

Eve

PBSBSBobAlice

EveControl pulsesgenerator

↕↕↕↕

PBSBSBob

HWPPBS

↕HWPPBS

100%

50%

0%

25%

E.g., clicks ↕ ↕clicks

↕ 100% 25%

25%

Side effect: simultaneous clicksfrom control pulses >70 kHzfrom control pulses, >70 kHz

[1] C. Erven et al., arXiv:0807.2289 [2] V. Fernandez et al., IEEE J. Quantum Electron. 43, 130 (2007);

K. J. Gordon et al., Opt. Express 13, 3015 (2005); IEEE J. Quantum Electron. 40, 900 (2004)[3] X Sh l A l Ph L 89 191121 (2006)[3] X. Shan et al., Appl. Phys. Lett. 89, 191121 (2006)[4] K. J. Resch et al., Opt. Express 13, 202 (2005)[5] W. T. Buttler et al., Phys. Rev. Lett. 84, 5652 (2000); ibid. 81, 3283 (1998); Phys. Rev. A 57, 2379 (1998)

38

39Loopholes, and their patching status

• Large pulse attack– not much yet done to protect in practice

• Detector efficiency mismatch– have proofs, but not yet detectors with guaranteed η

• C t l f i l h d d t t• Control of passively-quenched detectors– have vague ideas, not yet hack-proof detectors/Bob

• Control of PerkinElmer actively-quenched detector– just discovered– just discovered

40

Is quantum cryptography secure?Is quantum cryptography secure?

Yes.Testing for loopholes is normal, necessary practice.

41

Optional slides

42Key distribution

O (i ) BobAlice

Encoder Decoder

Open (insecure)channel

BobAliceMessageMessage

E d dEncoder DecoderEncoded message

Keyy

Secure channelSecure channel

• Secret key cryptography requires secure channelSecret key cryptography requires secure channel for key distribution.

• Quantum cryptography distributes the key• Quantum cryptography distributes the keyby transmitting quantum states in open channel.

43Quantum key distribution

B bAlice

BobDiagonalAlice Diagonal detector basis

Horizontal-Diagonal

polarization filters0

1 Horizontalvertical detector basis

p

Horizontal-vertical polarization filters

01

Alice’s bit sequence 1 0 1 1 0 0 1 1 0 0 1 1 1 0

Light source

Bob’s measurement 1 0 0 1 0 0 1 1 0 0 0 1 0 0Bob’s detection basis

q

Retained bit sequence 1 – – 1 0 0 – 1 0 0 – 1 – 0Image reprinted from article: W. Tittel, G. Ribordy, and N. Gisin, "Quantum cryptography," Physics World, March 1998

44Handling errors in raw key

1

R

R = 1 – 2 h(QBER)

0 00 0 11000.00 0.11

QBER0

45

Typical values of reflection coefficients for different fiber-optic components(courtesy Opto-Electronics, Inc.)

46Quality of control (detector #1)Control intensity diagram:

Popt. high 2 μs

PPopt. low

t0

nits

P 13 W nits Popt. high, pW:

400 ⇒ 5 ns FWHM

arbi

trar

y un Popt. high = 13 pW

Popt. low = 00.2 pW

arbi

trar

y un

Popt. low = 0400 ⇒ 5 ns FWHM

200

prob

abili

ty,

prob

abili

ty,

11580

0 0 0 5 1 0 1 5 2 0 2 5

Cou

nt p

2 10 2 15 2 20 2 250

Cou

nt p 80

2613

0.0 0.5 1.0 1.5 2.0 2.5

t, μs t, μs2.10 2.15 2.20 2.25

arXiv:0707.3987

47Quality of control (detector #2)rise time 3 ns

BAPopt

P+P++Pblind

rise time 3 nsControl intensity diagram:

200 ns20 ns

Pblind = 280 pW

t0

500 nsPopt. low (34 dB below Pblind)

Main peakFWHM = 0 92 ns base width = 4 ns 6

t

ary

units

FWHM = 0.92 ns, base width = 4 ns96.4% counts

Premature1 9% t

Delayed1 7% t

A+B, P+ = 784·Pblind5

6

k, n

s

bilit

y, a

rbitr

a 1.9% counts 1.7% counts

3

4

of m

ain

pea

only A

only B

ount

pro

bab

1

2

FWH

M o

A+B

0 92 ns

0 100 200 300 400 500 600

t, ns

C

1 10 100 10000

By how many times P+ exceeds Pblind

0.92 ns