eve strikes back:eve strikes back: attacks exploiting ... · pc line eve’s equipment –...
TRANSCRIPT
1Seminar at AlbaNova University Center, Stockholm, October 23, 2008
Eve strikes back:*Eve strikes back:attacks exploiting component imperfectionsattacks exploiting component imperfections
Vadim Makarov
*Title idea ©Claude Crépeau
2Quantum cryptography timeline
ca. 1970 Concept (“money physically impossiblet t f it”)to counterfeit”)
1984 First key distribution protocol (BB84)1984 First key distribution protocol (BB84)
1989 Proof-of-the-principle experiment1993 Key transmission over fiber optic link
2004 First commercial offers (20~50 km fiber links)2004 First commercial offers (20 50 km fiber links)2007 200 km in fiber, 144 km free-space demonstrated
...... Market? And, what’s the real level of security?
3
O f i d EOur friend, Eve …
EVE
Alice BobClassical Channel
Aliceinitial secret key
key (X): 010110101 010110101Quantum Channel
Alice and Bob’s devices ce d ob s dev ces- shielded from Eve- work according to specification
Eve retired (Florida)
Slide courtesy Norbert Lütkenhaus
4
N t f i dlNot so friendly …EVE
Alice BobChannel
EVE
key (X) keyChannel
What Vadim does:What Vadim does:- find deviations of devices from model assumptions- actively intrude devices via optical fibers!
manipulate devices (blind burn detectors)- manipulate devices (blind, burn detectors)
Vadim’s complices: Hoi-Kwong Lo, Antia Lamas-Linares, Christian Kurtsiefer
5
Eve strikes back!Eve lost the battle in security proofs,
but came back via loopholes.
Stealing an idea from Claude Crepeau's slides in a CIAR meeting
Slide courtesy Hoi-Kwong Lo
6Loopholes
• Large pulse attack
• Detector efficiency mismatch
• C t l f i l h d d t t• Control of passively-quenched detectors
• Control of PerkinElmer actively-quenched detector
7Large pulse attack
AlicePhase
modulator
AttenuatorAlice’s
PC
Line
PC
Eve’s equipment
– interrogating Alice’s phase modulator with powerfulinterrogating Alice s phase modulator with powerfulexternal pulses (can give Eve bit values directly)
8Large pulse attack experiment
4% reflectionAlice
Laser
4% reflectionPhase
modulator
Laser
VVmod
E
OutL1
Eve
OTDRReceived OTDR pulse
Variable attenuator
In
Fine lengthL2
p
Fine length adjustment
to get L1 = L2 Vmod, V4.1 8.20J. Mod. Opt. 48, 2023 (2001)
99
Artem Vakhitov tunes up Eve’s setup
10Example: plug-and-play systemA
lice
Bob
N. Gisin et al., Phys. Rev. A 73, 022320 (2006)
11Protection against large pulse attack
1. Don’t use modulators
2. Passive (attenuator+isolator)
to BobBPF
Isolator
“Old” Alice
Attenuator
Laser
“New” Alice
3. Active (detector)
from AliceBPF “Old” BobBPF
Alarm
Old Bob
“New” Bobdetector
12Faked states attack
Conventional intercept-resend:
EVEA BB A
EVEA BB A
ALARM!!!ALARM!!!
Faked states attack:
EVEPlease, makesame click as me
BA FSBEVE same click as me
BA FSB( l )(no alarm)
J. Mod. Opt. 52, 691 (2005)
13Detector efficiency mismatch
• Most quantum cryptosystems need at least two detectors.• Efficiency of detectors depends on external parameters and is
ff f f fdifferent for two detectors, due to finite manufacturing and alignment precision.
• External control parameters:
“0” “1”D t t
• External control parameters:
Timing Spatial mode0 1Detector
efficiency“1”
t “0”
Wavelength Polarizationg
14Possible attack
BOB”0"
”1"
tt
Phys. Rev. A 74, 022313 (2006)
15Possible attack
BOB”0"
”1"
ttLaser pulse from Alice
Phys. Rev. A 74, 022313 (2006)
16Possible attack
BOB”0"
”1"
tt
Phys. Rev. A 74, 022313 (2006)
17Possible attack
BOB”0"
”1"
tt
Phys. Rev. A 74, 022313 (2006)
18Possible attack
Example: Eve measured with basis Z (90°), obtained bit 1p ( ),
BOB”0"0°
=0°Δϕ 0Δϕ
”1"
tt
(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)
19Possible attack
Example: Eve measured with basis Z (90°), obtained bit 1p ( ),
BOB”0"90°
=0°Δϕ
50%0Δϕ
”1"
ttEve’s attack is not detected
(Eve resends the opposite bit 0 in the opposite basis X, shifted in time)Eve obtains 100% information of the key
20Example: pair of detectors for QKD
20% 20
ncy,
% t = 5.15 ns
1/9
t = 7.40 ns
1/30
0 1
⎯ ≈≈η η1 0η η
ffici
en
1/9 1/30⎯ ≈⎯ ≈η η0 1η η
10um e
f
10
quan
tuec
tor q
0 1 2 3 4 5 6 7 8 9 10 11 120D
ete
0 1 2 3 4 5 6 7 8 9 10 11 12t, ns
21Example: time-multiplexed detector
b. u
.ty
, arb
nsiti
vit
or s
ende
tect
oiz
ed d
-3 -2 -1 1 2 300
orm
al
-3 -2 -1 1 2 30t, nsN
o
22Example: 144 km free-space experiment
A. Lamas-Linares, C. Kurtsiefer, Opt. Express 15, 9388 (2007)
23Example: id Quantique ID-500 commercial QKD systemin worst 4% of automatic line length measurement cyclesin worst 4% of automatic line length measurement cycles
η =1/7.1 η =1/3.3
Y. Zhao et al., arXiv:0704.3253
24Time-shift attack
Eve
–Δt
+ΔtAlice Bob
Random switching
Available bit rate at QBER=0,in symmetric case:
1
in symmetric case:
R = I(A : B|E) = h(η /(η +1)) R
00.0 0.2 0.4 0.6 0.8 1.0
η00
B. Qi et al., Quant. Inf. Comp. 7, 73 (2007)
25Solution: develop security proof for a quantified η
0.11[1] [3][2]
BER
[3 4]
[3]
QB [3,4]
[5]1η0.0660 0.25
[ ]
[1] V. Makarov et al., Phys. Rev. A 74, 022313 (2006)[2] L. Lydersen, private communication[3] L. Lydersen, J. Skaar, arXiv:0807.0767[4] C H F F l Xi 0802 3788[4] C.-H. F. Fung et al., arXiv:0802.3788[5] B. Qi et al., Quant. Inf. Comp. 7, 73 (2007)Other protocols (DPSK, SARG04, Ekert): V. Makarov, J. Skaar, Quant. Inf. Comp. 8, 0622 (2008)
26Control of passively-quenched detector.Detector saturation curvesDetector saturation curves
1E+5
1E+6
105
106
1E+4
1E+5
econ
d 105
104
#2: EG&GSPCM-200-PQ
1E+2
1E+3
per s
e
103
102
1E+1
1E+2
unts
p 102
101
1E-1
1E+0Cou 100
10−1#1: Do-it-yourself by
National University
1E 16 1E 15 1E 14 1E 13 1E 12 1E 11 1E 10 1E 9 1E 81E-2
1E 1
10−16 10−15 10−14 10−13 10−12 10−810−11 10−10 10−90
10 of Singapore
1E-16 1E-15 1E-14 1E-13 1E-12 1E-11 1E-10 1E-9 1E-8 Optical power at the APD, W
10 16 10 15 10 14 10 13 10 12 10 810 11 10 10 10 9
27Detector #1
Si APD:..PerkinElmer C30902S
V +208 V 360k==
+0 16 VOutput
10 μs
100+0.16 V
Single-photon response:IAPD
~ 1 ns
VAPD, V0
Comparator threshold
APD,+208
202 τ h ~ 1 μs≈ +202
t
τrecharge 1 μs
28Control intensity diagrams (for detector #1):
Popt
400 pW400 pW
No click12.6 pW
7 pW
0
No click
t0
Popt
400 pW 2 μs400 pW 2 μs
Single “click”12.6 pW
0
with probability ≥ 0.8
t0
arXiv:0707.3987
29Proposed attack
0° or 45°
S EveModulator D0
PBSAlice BobBob FS
Eve
D1Bob:
45°0°Eve detects obtains: 0° D0
Modulator
Bob:
Eve detects, obtains: 0 , D0.Eve resends faked state: 12.6 pW
7 pW12.6 pWD0
12.6 pWNo click Click
14 pW12.6 pW
7 pW12.6 pW
14 pW
D1
⊕
12.6 pWp
No click No click
30Example: ultrashort range QKD system
J. Duligall et al., “Quantum key distribution for consumer applications” (LPHYS08, July 2008)
31Example: 144 km free-space experiment
R. Ursin et al., Nature Physics 3, 481 (2007); Phys. Rev. Lett 98, 010504 (2007)
32Control of PerkinElmer actively-quenched detector
!*Pulsed laser source Detector
Output?????Oscilloscope* ?????
33Control of PerkinElmer actively-quenched detector 33
34PerkinElmer detector reverse-engineered.Control method №4Control method №4
Eve sends bright pulses(50 ns wide, >2 mW)
arXiv:0809.3408
35Bias voltage vs. parameters of bright pulses
(voltage at normal operation)
Filled symbols: full control over detector
36Control intensity diagrams
(a) Detector
output
(always clicks)output
Pcontrol = 8.5 mW2.0 mW
( y )
illumination10 nsInput
illumination
(b) output (never clicks)
Detector p
1 2 WInput
illumination
1.2 mW
37Proposed attack
Eve
PBSBSBobAlice
EveControl pulsesgenerator
↕↕↕↕
PBSBSBob
HWPPBS
↕HWPPBS
100%
50%
0%
25%
E.g., clicks ↕ ↕clicks
↕ 100% 25%
25%
Side effect: simultaneous clicksfrom control pulses >70 kHzfrom control pulses, >70 kHz
[1] C. Erven et al., arXiv:0807.2289 [2] V. Fernandez et al., IEEE J. Quantum Electron. 43, 130 (2007);
K. J. Gordon et al., Opt. Express 13, 3015 (2005); IEEE J. Quantum Electron. 40, 900 (2004)[3] X Sh l A l Ph L 89 191121 (2006)[3] X. Shan et al., Appl. Phys. Lett. 89, 191121 (2006)[4] K. J. Resch et al., Opt. Express 13, 202 (2005)[5] W. T. Buttler et al., Phys. Rev. Lett. 84, 5652 (2000); ibid. 81, 3283 (1998); Phys. Rev. A 57, 2379 (1998)
38
39Loopholes, and their patching status
• Large pulse attack– not much yet done to protect in practice
• Detector efficiency mismatch– have proofs, but not yet detectors with guaranteed η
• C t l f i l h d d t t• Control of passively-quenched detectors– have vague ideas, not yet hack-proof detectors/Bob
• Control of PerkinElmer actively-quenched detector– just discovered– just discovered
40
Is quantum cryptography secure?Is quantum cryptography secure?
Yes.Testing for loopholes is normal, necessary practice.
41
Optional slides
42Key distribution
O (i ) BobAlice
Encoder Decoder
Open (insecure)channel
BobAliceMessageMessage
E d dEncoder DecoderEncoded message
Keyy
Secure channelSecure channel
• Secret key cryptography requires secure channelSecret key cryptography requires secure channel for key distribution.
• Quantum cryptography distributes the key• Quantum cryptography distributes the keyby transmitting quantum states in open channel.
43Quantum key distribution
B bAlice
BobDiagonalAlice Diagonal detector basis
Horizontal-Diagonal
polarization filters0
1 Horizontalvertical detector basis
p
Horizontal-vertical polarization filters
01
Alice’s bit sequence 1 0 1 1 0 0 1 1 0 0 1 1 1 0
Light source
Bob’s measurement 1 0 0 1 0 0 1 1 0 0 0 1 0 0Bob’s detection basis
q
Retained bit sequence 1 – – 1 0 0 – 1 0 0 – 1 – 0Image reprinted from article: W. Tittel, G. Ribordy, and N. Gisin, "Quantum cryptography," Physics World, March 1998
44Handling errors in raw key
1
R
R = 1 – 2 h(QBER)
0 00 0 11000.00 0.11
QBER0
45
Typical values of reflection coefficients for different fiber-optic components(courtesy Opto-Electronics, Inc.)
46Quality of control (detector #1)Control intensity diagram:
Popt. high 2 μs
PPopt. low
t0
nits
P 13 W nits Popt. high, pW:
400 ⇒ 5 ns FWHM
arbi
trar
y un Popt. high = 13 pW
Popt. low = 00.2 pW
arbi
trar
y un
Popt. low = 0400 ⇒ 5 ns FWHM
200
prob
abili
ty,
prob
abili
ty,
11580
0 0 0 5 1 0 1 5 2 0 2 5
Cou
nt p
2 10 2 15 2 20 2 250
Cou
nt p 80
2613
0.0 0.5 1.0 1.5 2.0 2.5
t, μs t, μs2.10 2.15 2.20 2.25
arXiv:0707.3987
47Quality of control (detector #2)rise time 3 ns
BAPopt
P+P++Pblind
rise time 3 nsControl intensity diagram:
200 ns20 ns
Pblind = 280 pW
t0
500 nsPopt. low (34 dB below Pblind)
Main peakFWHM = 0 92 ns base width = 4 ns 6
t
ary
units
FWHM = 0.92 ns, base width = 4 ns96.4% counts
Premature1 9% t
Delayed1 7% t
A+B, P+ = 784·Pblind5
6
k, n
s
bilit
y, a
rbitr
a 1.9% counts 1.7% counts
3
4
of m
ain
pea
only A
only B
ount
pro
bab
1
2
FWH
M o
A+B
0 92 ns
0 100 200 300 400 500 600
t, ns
C
1 10 100 10000
By how many times P+ exceeds Pblind
0.92 ns