eve strikes back: attacks exploiting component imperfections€¦ · pc eve’s equipment –...
TRANSCRIPT
1
1
Eve strikes back:*
Seminar at AlbaNova University Center, Stockholm, October 23, 2008
Vadim Makarov
Eve strikes back:attacks exploiting component imperfections
*Title idea ©Claude Crépeau
2
ca. 1970 Concept (“money physically impossibleto counterfeit”)
Quantum cryptography timeline
1984 First key distribution protocol (BB84)
1989 Proof-of-the-principle experiment1993 Key transmission over fiber optic link
2004 First commercial offers (20~50 km fiber links)
...... Market? And, what’s the real level of security?
2007 200 km in fiber, 144 km free-space demonstrated
2
3
Our friend, Eve …
EVE
Alice Bob
key (X): 010110101 010110101
Classical Channel
initial secret key
Quantum Channel
Alice and Bob’s devices - shielded from Eve- work according to specification
Eve retired (Florida)
Slide courtesy Norbert Lütkenhaus
4
Not so friendly …
Alice BobChannel
EVE
key (X) keyChannel
What Vadim does:- find deviations of devices from model assumptions- actively intrude devices via optical fibers!- manipulate devices (blind, burn detectors)
Vadim’s complices: Hoi-Kwong Lo, Antia Lamas-Linares, Christian Kurtsiefer
3
5
Eve strikes back!Eve lost the battle in security proofs,
but came back via loopholes.
Stealing an idea from Claude Crepeau's slides in a CIAR meeting
Slide courtesy Hoi-Kwong Lo
6Loopholes
• Large pulse attack
• Detector efficiency mismatch
• Control of passively-quenched detectors
• Control of PerkinElmer actively-quenched detector
4
7Large pulse attack
AlicePhase
modulator
Line
AttenuatorAlice’s
PC
Eve’s equipment
– interrogating Alice’s phase modulator with powerfulexternal pulses (can give Eve bit values directly)
8Large pulse attack experiment
Laser
4% reflectionAlice
Phase modulator
Laser
Vmod
OutL1
Eve
OTDR
In
Fine length adjustment
to get L1 = L2
L2
Received OTDR pulse
Vmod, V4.1 8.20
Variable attenuator
J. Mod. Opt. 48, 2023 (2001)
5
99
Artem Vakhitov tunes up Eve’s setup
10Example: plug-and-play system
Alic
e
Bob
N. Gisin et al., Phys. Rev. A 73, 022320 (2006)
6
11
2. Passive (attenuator+isolator)
Protection against large pulse attack
1. Don’t use modulators
to BobBPF
Isolator
“Old” Alice
“New” Alice
Attenuator
Laser
3. Active (detector)
from Alice
“New” Bob
BPF
Alarmdetector
“Old” Bob
12
Conventional intercept-resend:
A BB AEVE
Faked states attack
Faked states attack:
EVE
A BB AALARM!!!
Please, makesame click as me
BA FSBEVE
(no alarm)J. Mod. Opt. 52, 691 (2005)
same click as me
7
13Detector efficiency mismatch
• Most quantum cryptosystems need at least two detectors.• Efficiency of detectors depends on external parameters and is
different for two detectors, due to finite manufacturing and alignment precision.
• External control parameters:
“0” “1”Detectorefficiency
“1”
• External control parameters:
Timing Spatial mode
t “0”
Wavelength Polarization
14
BOB
Possible attack
”0"
”1"
t
Phys. Rev. A 74, 022313 (2006)
8
15
BOB
Possible attack
”0"
”1"
tLaser pulse from Alice
Phys. Rev. A 74, 022313 (2006)
16
BOB
Possible attack
”0"
”1"
t
Phys. Rev. A 74, 022313 (2006)
9
17
BOB
Possible attack
”0"
”1"
t
Phys. Rev. A 74, 022313 (2006)
18
Example: Eve measured with basis Z (90°), obtained bit 1
BOB
Possible attack
”0"
”1"
0°=0°Δϕ
t
(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)
10
19
Example: Eve measured with basis Z (90°), obtained bit 1
BOB
Possible attack
”0"
”1"
90°
50%=0°Δϕ
(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)
tEve’s attack is not detectedEve obtains 100% information of the key
20
20
ncy,
% t = 5.15 ns
1/9
t = 7.40 ns
1/30
0 1
⎯ ≈≈η η1 0
Example: pair of detectors for QKD
η η
10
quan
tum
effi
cien
1/9 1/30⎯ ≈⎯ ≈η η0 1η η
0 1 2 3 4 5 6 7 8 9 10 11 12t, ns
0Det
ecto
r q
11
21
ty, a
rb. u
.
Example: time-multiplexed detector
dete
ctor
sen
sitiv
it
-3 -2 -1 1 2 30t, ns
0
Nor
mal
ized
d
22Example: 144 km free-space experiment
A. Lamas-Linares, C. Kurtsiefer, Opt. Express 15, 9388 (2007)
12
23Example: id Quantique ID-500 commercial QKD systemin worst 4% of automatic line length measurement cycles
η =1/7.1 η =1/3.3
Y. Zhao et al., arXiv:0704.3253
24Time-shift attack
–Δt
Eve
Available bit rate at QBER=0,in symmetric case:
1
+ΔtAlice Bob
Random switching
in symmetric case:
R = I(A : B|E) = h(η /(η +1))
0.0 0.2 0.4 0.6 0.8 1.0η
0
R
0
B. Qi et al., Quant. Inf. Comp. 7, 73 (2007)
13
25Solution: develop security proof for a quantified η
0.11[1] [3][2]
QB
ER
[5]
[3,4]
[3]
[1] V. Makarov et al., Phys. Rev. A 74, 022313 (2006)[2] L. Lydersen, private communication[3] L. Lydersen, J. Skaar, arXiv:0807.0767[4] C.-H. F. Fung et al., arXiv:0802.3788[5] B. Qi et al., Quant. Inf. Comp. 7, 73 (2007)Other protocols (DPSK, SARG04, Ekert): V. Makarov, J. Skaar, Quant. Inf. Comp. 8, 0622 (2008)
1η0.0660 0.25
[ ]
26Control of passively-quenched detector.Detector saturation curves
1E+5
1E+6
105
106
1E+1
1E+2
1E+3
1E+4
1E+5
unts
per
sec
ond 105
104
103
102
101
#2: EG&GSPCM-200-PQ
1E-16 1E-15 1E-14 1E-13 1E-12 1E-11 1E-10 1E-9 1E-8 Optical power at the APD, W
1E-2
1E-1
1E+0Cou
10−16 10−15 10−14 10−13 10−12 10−810−11 10−10 10−9
100
0
10−1#1: Do-it-yourself by
National Universityof Singapore
14
27Detector #1
V +208 V 360k
Si APD:..PerkinElmer C30902S
==+0 16 V
Output
10 μs
100+0.16 V
IAPD
~ 1 ns
Single-photon response:
VAPD, V+208
≈ +202
0Comparator threshold
t
τrecharge ~ 1 μs
28Control intensity diagrams (for detector #1):
Popt
400 pW
No click12.6 pW
t
7 pW
0
Popt
400 pW 2 μs
No click
400 pW
12.6 pW
t0
2 μs
Single “click”with probability ≥ 0.8
arXiv:0707.3987
15
29Proposed attack
Modulator D0
0° or 45°
PBSAlice BobBob FS
Eve
D1
45°0°Eve detects, obtains: 0°, D0.Eve resends faked state: 12.6 pW
7 pW12.6 pW
Modulator
D0
Bob:
12.6 pW
12.6 pW14 pW
12.6 pW7 pW
12.6 pW14 pW
D1⊕
No click No click
No click Click
30Example: ultrashort range QKD system
J. Duligall et al., “Quantum key distribution for consumer applications” (LPHYS08, July 2008)
16
31Example: 144 km free-space experiment
R. Ursin et al., Nature Physics 3, 481 (2007); Phys. Rev. Lett 98, 010504 (2007)
32Control of PerkinElmer actively-quenched detector
Oscilloscope
!*Pulsed laser source Detector
Output?????
17
33Control of PerkinElmer actively-quenched detector 33
34PerkinElmer detector reverse-engineered.Control method №4
Eve sends bright pulses(50 ns wide, >2 mW)
arXiv:0809.3408
18
35Bias voltage vs. parameters of bright pulses
(voltage at normal operation)
Filled symbols: full control over detector
36Control intensity diagrams
(a) Detector
output
Pcontrol = 8.5 mW2.0 mW
(always clicks)
illumination 10 ns
(b) output (never clicks)
Detector
Input
p
Input illumination
1.2 mW
19
37Proposed attack
PBSBSBobAlice
EveControl pulsesgenerator
↕↕↕↕
PBSBSBob
Side effect: simultaneous clicksfrom control pulses >70 kHz
HWPPBS
E.g., clicks ↕ ↕clicks
↕HWPPBS
100%
50%
0%
25%
25%
[1] C. Erven et al., arXiv:0807.2289 [2] V. Fernandez et al., IEEE J. Quantum Electron. 43, 130 (2007);
K. J. Gordon et al., Opt. Express 13, 3015 (2005); IEEE J. Quantum Electron. 40, 900 (2004)[3] X. Shan et al., Appl. Phys. Lett. 89, 191121 (2006)[4] K. J. Resch et al., Opt. Express 13, 202 (2005)[5] W. T. Buttler et al., Phys. Rev. Lett. 84, 5652 (2000); ibid. 81, 3283 (1998); Phys. Rev. A 57, 2379 (1998)
from control pulses, >70 kHz
38
20
39Loopholes, and their patching status
• Large pulse attack– not much yet done to protect in practice
• Detector efficiency mismatch– have proofs, but not yet detectors with guaranteed η
• Control of passively-quenched detectors– have vague ideas, not yet hack-proof detectors/Bob
• Control of PerkinElmer actively-quenched detector– just discovered
40
Is quantum cryptography secure?
Yes.Testing for loopholes is normal, necessary practice.