Time-shift attack in practical quantum cryptosystems
Related papers
After-gate attack on a quantum cryptosystem
New Journal of Physics, 2011
We present a method to control the detection events in quantum key distribution systems that use gated single-photon detectors. We employ bright pulses as faked states, timed to arrive at the avalanche photodiodes outside the activation time. The attack can remain unnoticed, since the faked states do not increase the error rate per se. This allows for an intercept-resend attack, where an eavesdropper transfers her detection events to the legitimate receiver without causing any errors. As a side effect, afterpulses, originating from accumulated charge carriers in the detectors, increase the error rate. We have experimentally tested detectors of the system id3110 (Clavis2) from ID Quantique. We identify the parameter regime in which the attack is feasible despite the side effect. Furthermore, we outline how simple modifications in the implementation can make the device immune to this attack.
Safeguarding Quantum Key Distribution Through Detection Randomization
IEEE Journal of Selected Topics in Quantum Electronics, 2015
We propose and experimentally demonstrate a scheme to render the detection apparatus of a Quantum Key Distribution system immune to the main classes of hacking attacks in which the eavesdropper explores the back-door opened by the single-photon detectors. The countermeasure is based on the creation of modes that are not deterministically accessible to the eavesdropper. We experimentally show that the use of beamsplitters and extra single-photon detectors at the receiver station passively creates randomized spatial modes that erase any knowledge the eavesdropper might have gained when using bright-light faked states. Additionally, we experimentally show a detector-scrambling approach where the random selection of the detector used for each measurement (equivalent to an active spatial mode randomization) hashes out the side-channel open by the detection efficiency mismatch-based attacks. The proposed combined countermeasure represents a practical and readily implementable solution against the main classes of quantum hacking attacks aimed on the single-photon detector so far, without intervening on the inner working of the devices.
Phase-Remapping Attack in Practical Quantum Key Distribution Systems
Computing Research Repository, 2006
Quantum key distribution (QKD) can be used to generate secret keys between two distant parties. Even though QKD has been proven unconditionally secure against eavesdroppers with unlimited computation power, practical implementations of QKD may contain loopholes that may lead to the generated secret keys being compromised. In this paper, we propose a phase-remapping attack targeting two practical bidirectional QKD systems (the "plug & play" system and the Sagnac system). We showed that if the users of the systems are unaware of our attack, the final key shared between them can be compromised in some situations. Specifically, we showed that, in the case of the Bennett-Brassard 1984 (BB84) protocol with ideal single-photon sources, when the quantum bit error rate (QBER) is between 14.6% and 20%, our attack renders the final key insecure, whereas the same range of QBER values has been proved secure if the two users are unaware of our attack; also, we demonstrated three situations with realistic devices where positive key rates are obtained without the consideration of Trojan horse attacks but in fact no key can be distilled. We remark that our attack is feasible with only current technology. Therefore, it is very important to be aware of our attack in order to ensure absolute security. In finding our attack, we minimize the QBER over individual measurements described by a general POVM, which has some similarity with the standard quantum state discrimination problem.
Securing two-way quantum communication: the monitoring detector and its flaws
2014
Monitoring incoming pulse energy is obligatory for any two-way system that sends bright pulses from Bob to Alice, such as plug-and-play and relativistic quantum cryptography schemes. Implementation of this monitoring detector has largely been ignored in experimental realizations so far. However, ID Quantique has implemented the hardware and associated software routines in their commercial system Clavis2. We scrutinize this implementation for security problems, and show that designing a hack-proof pulse-energy-measuring detector is far from trivial. Indeed the first implementation has three serious flaws (confirmed experimentally), each of which may be exploited in a cleverly constructed Trojan-horse attack. We model attack performance. We also discuss requirements for a loophole-free monitoring detector.
Towards practical and fast Quantum Cryptography
2004
We present a new protocol for practical quantum cryptography, tailored for an implementation with weak coherent pulses. The key is obtained by a very simple time-of-arrival measurement on the data line; an interferometer is built on an additional monitoring line, allowing to monitor the presence of a spy (who would break coherence by her intervention). Against zero-error attacks (the analog of photon-number-splitting attacks), this protocol performs as well as standard protocols with strong reference pulses: the key rate decreases only as the transmission t of the quantum channel. We present also two attacks that introduce errors on the monitoring line: the intercept-resend, and a coherent attack on two subsequent pulses. Finally, we sketch several possible variations of this protocol.
Physical Review A
Quantum key distribution protocols are known to be vulnerable against a side channel attack that exploits the time difference in detector responses used to obtain key bits. The recommended solution against this timing side channel attack is to use a large time bin width instead of high resolution timing information. Common notion is that using a large bin width reduces the resolution of detector responses, hence supposedly minimizes the information leakage to an eavesdropper. We challenge this conventional wisdom, and demonstrate that increasing the bin width does not monotonically reduce the mutual information between the key bits and the eavesdropper's observation of detector responses. Instead of randomly increasing the bin width, it should be carefully chosen because the mutual information fluctuates with respect to the bin width. We also examined the effect of full width half maximums (FWHMs) of the detectors' responses on the mutual information and showed that decreasing the FWHM increases the mutual information. Lastly, the start time of binning is also shown to be important in binning process and the mutual information fluctuates periodically with respect to it.
Attacks exploiting deviation of mean photon number in quantum key distribution and coin-tossing
The security of quantum communication using a weak coherent source requires an accurate knowledge of the source's mean photon number. Finite calibration precision or an active manipulation by an attacker may cause the actual emitted photon number to deviate from the known value. We model effects of this deviation on the security of three quantum communication protocols: the Bennett-Brassard 1984 (BB84) quantum key distribution (QKD) protocol without decoy states, Scarani-Acin-Ribordy-Gisin 2004 (SARG04) QKD protocol, and a coin-tossing protocol. For QKD, we model both a strong attack using technology possible in principle, and a realistic attack bounded by today's technology. To maintain the mean photon number in two-way systems, such as plug-and-play and relativistic quantum cryptography schemes, bright pulse energy incoming from the communication channel must be monitored. Implementation of a monitoring detector has largely been ignored so far, except for ID Quantique's commercial QKD system Clavis2. We scrutinize this implementation for security problems, and show that designing a hack-proof pulse-energy-measuring detector is far from trivial. Indeed the first implementation has three serious flaws confirmed experimentally, each of which may be exploited in a cleverly constructed Trojan-horse attack. We discuss requirements for a loophole-free implementation of the monitoring detector.
Quantum Flows for Secret Key Distribution in the Presence of the Photon Number Splitting Attack
Entropy, 2014
Physical implementations of quantum key distribution (QKD) protocols, like the Bennett-Brassard (BB84), are forced to use attenuated coherent quantum states, because the sources of single photon states are not functional yet for QKD applications. However, when using attenuated coherent states, the relatively high rate of multi-photonic pulses introduces vulnerabilities that can be exploited by the photon number splitting (PNS) attack to break the quantum key. Some QKD protocols have been developed to be resistant to the PNS attack, like the decoy method, but those define a single photonic gain in the quantum channel. To overcome this limitation, we have developed a new QKD protocol, called ack-QKD, which is resistant to the PNS attack. Even more, it uses attenuated quantum states, but defines two interleaved photonic quantum flows to detect the eavesdropper activity by means of the quantum photonic error gain (QPEG) or the quantum bit error rate (QBER). The physical implementation of the ack-QKD is similar to the well-known BB84 protocol.
Improved Eavesdropping Detection in Quantum Key Distribution
arXiv (Cornell University), 2011
Employing the fundamental laws of quantum physics, Quantum Key Distribution (QKD) promises the unconditionally secure distribution of cryptographic keys. However, in practical realisations, a QKD protocol is only secure, when the quantum bit error rate introduced by an eavesdropper unavoidably exceeds the system error rate. This condition guarantees that an eavesdropper cannot disguise his presence by simply replacing the original transmission line with a less faulty one. Unfortunately, this condition also limits the possible distance between the communicating parties, Alice and Bob, to a few hundred kilometers. To overcome this problem, we design a QKD protocol which allows Alice and Bob to distinguish system errors from eavesdropping errors. If they are able to identify the origin of their errors, they can detect eavesdropping even when the system error rate exceeds the eavesdropping error rate. To achieve this, the proposed protocol employs an alternative encoding of information in two-dimensional photon states. Errors manifest themselves as quantum bit and as index transmission errors with a distinct correlation between them in case of intercept-resend eavesdropping. As a result, Alice and Bob can tolerate lower eavesdropping and higher system error rates without compromising their privacy.
Trojan-horse attacks threaten the security of practical quantum cryptography
A quantum key distribution system may be probed by an eavesdropper Eve by sending in bright light from the quantum channel and analyzing the backreflections. We propose and experimentally demonstrate a setup for mounting such a Trojan-horse attack. We show it in operation against the quantum cryptosystem Clavis2 from ID Quantique, as a proof-of-principle. With just a few back-reflected photons, Eve discerns Bob's secret basis choice, and thus the raw key bit in the Scarani-Acín-Ribordy-Gisin 2004 protocol, with higher than 90% probability. This would clearly breach the security of the cryptosystem. Unfortunately in Clavis2 Eve's bright pulses have a side effect of causing high level of afterpulsing in Bob's single-photon detectors, resulting in a high quantum bit error rate that effectively protects this system from our attack. However, in a Clavis2-like system equipped with detectors with less-noisy but realistic characteristics, an attack strategy with positive leakage of the key would exist. We confirm this by a numerical simulation. Both the eavesdropping setup and strategy can be generalized to attack most of the current QKD systems, especially if they lack proper safeguards. We also propose countermeasures to prevent such attacks.