Vadim Makarov - vad1.com · 1 candidate: Vadim Makarov and Defence for the degree doktor ingeniør at the Norwegian University of Science and Technology, April 30, 2007 SPbSPU

1

candidate: Vadim Makarov

and

Defence for the degree doktor ingeniør

at the Norwegian University of Science and Technology, April 30, 2007

SPbSPUSt. Petersburg StatePolytechnic University

2

ca. 1970

2004 First commercial offers

Concept (“money physically impossible

to counterfeit”)

...... Market?

1984 Key distribution protocol (BB84)

1989 Proof-of-the-principle experiment

1993 Key transmission over fiber optic link

Quantum cryptography timeline

3

Encoder Decoder

Open (insecure)channel

BobAlice

Key

Secure channel

MessageMessage

Encoded message

• Secret key cryptography requires secure channel

for key distribution.

• Quantum cryptography distributes the key

by transmitting quantum states in open channel.

Key distribution

4

Retained bit sequence 1 – – 1 0 0 – 1 0 0 – 1 – 0

Bob’s measurement 1 0 0 1 0 0 1 1 0 0 0 1 0 0

Bob’s detection basis

Alice’s bit sequence 1 0 1 1 0 0 1 1 0 0 1 1 1 0

Light source

Alice

Bob

Diagonaldetector basis

Horizontal-verticaldetector basis

Diagonalpolarization filters

Horizontal-verticalpolarization filters

Image reprinted from article: W. Tittel, G. Ribordy, and N. Gisin, "Quantum cryptography," Physics World, March 1998

Quantum key distribution

0

0

1

1

5

ϕA = – 45° or + 45° : 0

Detector bases:

ϕB = – 45° : X

ϕB = + 45° : Zϕ

A = +135° or – 135° : 1

ϕA

Lightsource

D0ϕB

Alice Bob

LA

SA

Transmission

lineSB

LB

D1

Interferometric QKD channel

6

Quantum cryptography at NTNU

Fiber optic QKD setup

1. Optimal tracking of phase drift

2. Single photon detector

with afterpulse blocking

Security against practical attacks

3. Large pulse attack: experiment

4. Faked states attack

5. Detector efficiency mismatch ”0"

”1"

t

BOB

7

QKD setup

Bob

Laser

APD

1310 nm

Pulse rate = 10 MHz

Line

Polarizationсontroller

Attenuator

Alice’sPC

Publiccommunication(TCP/IP)

Bob’sPC

Polarizationcombiner

Polarizationсombiner

Phasemodulator 2

Polarizingsplitter

Phasemodulator 1

PM coupler50/50

Variabledelay linePolarizer

Variable ratioPM coupler

“1”

“0”

Alice

PM fiberstandard SM fiber

8

Photo 1. Alice (uncovered, no thermoisolation installed)

9

Photo 2. Bob (uncovered, no thermoisolation installed)

10

Tracking phase drift

To get phase accuracy ∆φ within ±10° (QBERopt ∆ϕ < 1%),

no more than Na = ~ 200 detector counts per adjustment

are required.

Optimally counted at ±90° points from the extreme of the

interference curves. Exact required number of counts

where k is the number of standard deviations of not exceeding ∆φ.

( ) ,

2

2

2

QBER21

12

−ϕ∆= k

Na

J. Appl. Opt. 43, 4385 (2004)

11

Tracking phase drift

+π

–π

0

0 60 minTime

J. Appl. Opt. 43, 4385 (2004)

To get phase accuracy ∆φ within ±10° (QBERopt ∆ϕ < 1%),

no more than Na = ~ 200 detector counts per adjustment

are required.

Experiment: adjustment every 3 s, Na = 230:

12

Test of QKD in laboratory conditions

Test run No. 2

QBER =

.5.7% average

QB

ER

, %

50

11

00 5 min

Time

Test run No. 1

best QBER

~ 4%

QB

ER

, %

50

11

00 5 min

Time

13

tgate down to 1ns

Gate pulse rate = 20 MHz

VE

Vbias

VB

t

T=1/(Gate pulse rate)

tgate–VAPD

Single photon detector:avalanche photodiode in Geiger mode

APD: Ge FD312L

T=77K, QE=16%, DC=5·10

–5

APD inside cryostatC = CAPD

Differential

amplifier

50 Ω coaxial cables

Gate pulse

generator Bias

14

Afterpulse blocking

• In QKD systems, probability of detecting a photon per pulse is always

much lower than 1 (e.g., ~ 1/1000). This makes afterpulse blocking

efficient, allowing without much loss in detection probability:

• In our QKD system: 20 MHz gate pulse rate

• In principle: a few orders of magnitude faster gate pulse rate

–VAPD

Detector

output

Hold-off time: N pulses are blocked

after detecting avalanche

t

VB

t

15

Hardware implementation ofafterpulse blocking

APD

Differential

amplifier

Gate pulse

generator BiasRF switch

= =

Set

Reset

Trigger

ComparatorIntegrator

Digital

output

0 0

N set

by switch

CLK

Load

Counter

Overflow

16

Test of afterpulse blocking

APD: Ge FD312L

Gate pulse rate = 12 MHz

QE = 7%

T = 77K

Number of gate pulses blocked

0.00

0.05

0.10

0.15

0.20

Co

un

t p

rob

ab

ilit

y,

%

Dark counts

Counts at 0.005 photon per pulse

0 2 5 12 18 34

N

17

1. Conventional security; trusted equipment manufacturer

2. Security against quantum attacks – security proofs for idealized model of equipment

3. Loopholes in optical scheme – imperfections not yet accounted in the proof

Quantum key distribution:components of security

2 311

Alice Bob

18

Large pulse attackAlice

Line

Attenuator

Alice’sPC

Eve’s equipment

Phasemodulator

– interrogating Alice’s phase modulator with powerful

external pulses (can give Eve bit values directly)

19

Large pulse attack: experiment

Laser

4% reflection

Vmod

OTDR

Out

In

Fine lengthadjustment

to get L1 = L2

L2

L1

ReceivedOTDRpulse

Vmod, V4.1 8.20

Variableattenuator

Alice

Phasemodulator

Eve

J. Mod. Opt. 48, 2023 (2001)

20

Photo 3. Artem Vakhitov tunes up Eve’s setup

21

Conventional intercept -resend:

Faked states attack:

(no alarm)

Faked states attack

J. Mod. Opt. 52, 691 (2005)

22

”0"

”1"

t

BOB

Exploiting common imperfection:detector gate misalignment

Phys. Rev. A 74, 022313 (2006)

23

”0"

”1"

t

BOB

Laser pulse from Alice

Detector gate misalignment

Phys. Rev. A 74, 022313 (2006)

24

”0"

”1"

t

BOB

Detector gate misalignment

Phys. Rev. A 74, 022313 (2006)

25

”0"

”1"

t

BOB

Detector gate misalignment

Phys. Rev. A 74, 022313 (2006)

26

”0"

”1"

t

Example: Eve measured with basis Z (90°), obtained bit 1

0°

BOB

=0°

Detector gate misalignment

(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)

27

(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)

”0"

”1"

t

Example: Eve measured with basis Z (90°), obtained bit 1

90°

BOB

=0°

Detector gate misalignment

28

De

tec

tor

eff

icie

nc

y

t

0

t0

t1

η0(t0)

η1(t0) η

0(t1)

η1(t1)

Partial efficiency mismatch

29

Partial efficiency mismatch

In the symmetric case (when η1(t0)/η

0(t0) = η

0(t1)/η

1(t1) ),

Eve causes less than 11% QBER if mismatch is larger than 1:15

A. Practical faked states attack:

B. General security bound (incomplete):

where

30

-3 -2 -1 1 2 30

t, ns

0

No

rma

lize

d d

ete

cto

r s

en

sit

ivit

y,

arb

. u

.

Detector model 1.Sensitivity curves

31

0 1 2 3 4 5 6 7 8 9 10 11 12

t, ns

0

10

20

De

tec

tor

qu

an

tum

eff

icie

nc

y,

% t = 5.15 ns

1/9

t = 7.40 ns

1/30

0 1

≈ ≈ηη

ηη

1

0

0

1

Detector model 2.Sensitivity curves at low photon number µ=0.5

32

Detector efficiency mismatch

• Detector efficiency mismatch is a problem for many

protocols and encodings: BB84 (considered above),

SARG04, phase-time, DPSK and Ekert protocols.

• Control parameter t that changes detector efficiencies

shall not be necessarily timing; it can be, e.g., wavelength

or polarization.

• The worst-case mismatch, no matter how small,

must be characterized and accounted for during

privacy amplification.

[quant-ph/0702262]

33

Conclusion

• A phase tracking technique and detector with afterpulse

blocking were successfully developed.

(QKD was demonstrated with a very limited success.)

• Our group has built unique expertise in quantum

cryptanalysis of attacks via optical loopholes.

Several attacks have been proposed, studied in detail,

and protection measures suggested.

34

Possible future research

• Continuing security studies beyond those presented in the

thesis; we have experimented with passively-quenched

Si APD; we are trying to incorporate detector efficiency

mismatch into general proof... With sufficient financing,

a study of high-power damage can be attempted.

• Improving the QKD experiment, demonstrating it over

at least ~ 20 km distance. Performance of detector

and phase tracking can be more accurately characterized.

• The QKD field is abound with novel ideas that can be tried...

35

Optional slides

36

0.00 0.11

QBER

0

1

R

0

Handling errors in raw key

R = 1 – 2 h(QBER)

37

• MagiQ Tecnologies

USA

• id Quantique

Switzerland

Standard VPN router + QKD equipment for frequent key changes

Several other companies also have the QKD technology, but are not selling yet

Commercial offers (as of late 2006)

38

Photo 4. Bob (left) and Alice (right), thermoisolation partially installed

39

Typical values of reflection coefficients for different fiber-optic components

(courtesy Opto-Electronics, Inc.)

40

( Eve’s basis = Bob’s basis )is sufficient for eavesdropping

Alice

Eve’s basis det. result

Bob

Incompatible basis –discarded by Alice and Bob during sifting

41

0 1η0.00

0.11

QBER

Not proven(assumed insecure)

Insecure

0.0660

Securewith reduced key rate

Security state of QKD system

( reduced rate at QBER=0 line, too )

42

Trondheim

St. Petersburg