Faked states attack exploiting detector efficiency ... · PDF fileVadim Makarov1,2, Johannes...
1
Vadim Makarov 1,2 , Johannes Skaar 1 , and Andrey Anisimov 2 Faked states attack exploiting detector efficiency mismatch on BB84, phase-time, DPSK, and Ekert protocols 1 Department of Electronics and Telecommunications, Norwegian University of Science and Technology, NO-7491 Trondheim, Norway 2 Radiophysics Department, St. Petersburg State Polytechnic University, Politechnicheskaya street 29, 195251 St. Petersburg, Russia SPbSPU St. Petersburg State Polytechnic University Poster on XI International Conference on Quantum Optics in Minsk, Belarus, May 26–31, 2006 1. Conventional security; trusted equipment manufacturer 2. Security against quantum attacks 3. Loopholes in optical scheme – attacks that don’t deal with quantum states, but use loopholes and imperfections in implementation Quantum key distribution: components of security 2 3 1 1 Alice Bob Conventional intercept/resend: Faked states attack: B A FS B EVE A B B A EVE ALARM!!! (no alarm) Faked states attack Exploiting common imperfection: detector gate misalignment ”0" ”1" t BOB Laser pulse from Alice ”0" ”1" t BOB ”0" ”1" t BOB ”0" ”1" t Example: Eve measured with basis Z (90°), obtained bit “1” 0° BOB )n=0° ”0" ”1" t 90° BOB ü ü Eve’s Eve’s attack attack is not is not detected detected ü ü Eve Eve obtains obtains 100% 100% information of the key information of the key )n=0° Detector sensitivity t 0 t 0 t 1 h 0 (t 0 ) h 1 (t 0 ) h 0 (t 1 ) h 1 (t 1 ) Partial sensitivity mismatch A. Practical intercept-resend attack 1 h 0.11 QBER Not proven (assumed insecure) Insecure 0.066 0 Secure with reduced key rate Security state of QKD system -3 -2 -1 1 2 3 0 t, ns 0 Normalizeddetector sensitivity, arb. u. Detector model 1. Sensitivity curves 0 1 2 3 4 5 6 7 8 9 10 11 12 t, ns 0 10 20 Detector quantumefficiency, % t = 5.15 ns 1/9 t = 7.40 ns 1/30 0 1 ¾» ¾» h h h h 1 0 0 1 Detector model 2. Sensitivity curves at low photon number μ=0.5 0 1 2 3 4 5 6 7 8 9 t, ns 0 1 Detector clicking probability Sensitivity curves at photon number μ=500 == Detector output BPF ~1—2.5 Ghz G APD +V bias Circulator Sync trigger Phase-time coding: [Y. Nambu,T. Hatanaka, and K. Nakamura, “BB84 quantum key distribution system based on silica- based planar lightwave circuits,” Jap. J. Appl. Phys. 43, L1109–L1110 (2004) ] Also used in [W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, “Quantum cryptography using entangled photons in energy-time Bell states,” Phys. Rev. Lett. 84, 4737–4740 (2000) ] Eve’s setup Bob Eve Laser IM PM Att Faked state generator (one of possible schemes) from Alice to Bob [H. Takesue, E. Diamanti, T. Honjo, C. Langrock, M.M. Fejer, K. Inoue, andY.Yamamoto, “Differen- tial phase shift quantum key distribution experiment over 105 km fibre,” New J. Phys. 7, 232 (2005) ] DPSK: Long, overlapping faked states (assume total efficiency mismatch) 0 “1” p p p p p p p p 0 0 0 0 “1” 0 “0” “0” “1” – – – – – – – 0 0 0 0 0 0 p p “0” “0” 0 p p p – p p “1” “1” “1” Eve’s output (combined on a coupler) Alice’s output j: j: j: t 0 t 1 Causes detections: Causes detections: Eve’s detection results: Bob port 0 Bob port 1 p “0” “0” “0” “0” in limit: two continuous trains of pulses from Eve NB! In this DPSK scheme, the control parameter t Eve uses to select Bob’s detector may not be necessarily time, but e.g. wavelength (might be useful with upconversion detectors). (We don’t know yet if conditions exist under which such a continuous faked state is advantageous in the case of partial efficiency mismatch.) Faked states (assume use of gated detectors, total efficiency mismatch) Eve’s setup from Alice to Bob Bob Laser IM PM Att Laser IM PM Att Faked state generator no. 1 Faked state generator no. 2 Eve Coupler blocked by state ( ) 1 3 t a + - B. Sent with P B = 0.59 contributes E(a 1 ,b 3 )=1 (and three other correl. coeff. not used in the protocol) blocked by t +1 3 a - blocked by state ( ) 1 1 t b + - blocked by t +1 1 b - ( ) 1 t state random + A. Sent with P A = 0.41 contributes equally to all correl. coeff. = –1 ( ) 1 t state random - or or ( ) 1 3 t a - ( ) 1 1 t b - If only A is sent, If A and B are sent, a 1 b 3 2 1 1 1 1 - = - - + - = S ( ) 2 2 1 1 2 2 3 1 - = - - - + - = S ( ) 1 t r.st. - ( ) 1 t r.st. + Ekert protocol [A. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett. 67, 661–663 (1991) ] a 1 a 2 a 3 b 3 b 1 b 2 +1 –1 +1 –1 EPR Correlation coefficient Key obtained from two perfect anticorrelations Checking for eavesdropping via CHSH quantity ( ) ( ) ( ) ( ) ( ) j j j j j j j j j j P P P P E b a b a b a b a b a , , , , , + - - + - - + + - - + = ( ) ( ) 1 b a b a 2 3 1 2 - = = , , E E ( ) ( ) ( ) ( ) 2 2 b a b a b a b a 3 3 1 3 3 1 1 1 - = + + - = , , , , E E E E S Shown below are pairs of faked states to break Ekert protocol when there is total efficiency mismatch, and no additional consistency checks besides checking that . 2 2 - = S www.iet.ntnu.no/groups/optics/qcr Alice’s output Eve’s output ... ... ... ... quant-ph/0511032 New results For h£ 0.066 (~ 1:15), QBER £ 11%. Eve can compromise security if mismatch is larger than 1:15 (Eve resends opposite bit “0” in opposite basis (X), shifted in time) B. General security bound Secure key generation rate: Eve’s detection result. Faked state S1. Bob port 1 Bob port 0 Eve’s output Bob port 1 Bob port 0 Eve’s output S3. S1 S2 S3 S1 S2 S3 () normal t ll ( ) normal t ss ( ) 0 t ss s l ll + - - Bob port 1 Bob port 0 ( ) 1 t ss s l ll - - + Eve’s output Bob port 1 Bob port 0 Eve’s output (blocked by timing) (blocked by timing) S2 0 . S2 1 . . S1 S2 S3 S1 S2 S3 Note that in the case of partial efficiency mismatch, only Eve’s faked states for S2 0 and S2 1 contribute to QBER. The faked states for S1 and S3 remain error-free. DPSK with limited-length states [K. Inoue, E. Waks, andY.Yamamoto, “Differential phase shift quantum key distribution,” Phys. Rev. Lett. 89, 037902 (2002) ] Normal counting ratio ® 1:2:2:1 (used to check for eavesdropping) . can be eavesdropped on using the methods considered above Yet longer states in [W. Buttler, J.Torgerson, and S. Lamoreaux, “New, efficient and robust, fiber- based quantum key distribution schemes,” Phys. Lett. A 299, 38–42 (2002) ] Conclusion · Detector efficiency mismatch is a problem in many protocols and encodings: BB84, phase-time, DPSK; also in implementations with source of entangled pairs placed outside Alice and Bob (e.g. Ekert protocol). · The worst-case mismatch must be characterized and accounted for during privacy amplification. · Active protection measures are possible (monitoring of incoming pulses at Bob).
Transcript of Faked states attack exploiting detector efficiency ... · PDF fileVadim Makarov1,2, Johannes...
Vadim Makarov1,2, Johannes Skaar1, and Andrey Anisimov2
Faked states attack exploiting detector efficiency mismatchon BB84, phase-time, DPSK, and Ekert protocols
1Department of Electronics and Telecommunications, Norwegian University of Science and Technology, NO-7491 Trondheim, Norway2Radiophysics Department, St. Petersburg State Polytechnic University, Politechnicheskaya street 29, 195251 St. Petersburg, Russia
SPbSPUSt. Petersburg StatePolytechnic University
Poster on XI International Conference on Quantum Optics
in Minsk, Belarus, May 26–31, 2006
1. Conventional security; trusted equipment manufacturer
2. Security against quantum attacks
3. Loopholes in optical scheme
– attacks that don’t deal with quantum states, but use
loopholes and imperfections in implementation
Quantum key distribution:components of security
2 311
Alice Bob
Conventional intercept/resend:
Faked states attack:
BA FSB
EVE
A BB A
EVE
ALARM!!!
(no alarm)
Faked states attack
Exploiting common imperfection:detector gate misalignment
”0"
”1"
t
BOB
Laser pulse from Alice
”0"
”1"
t
BOB
”0"
”1"
t
BOB
”0"
”1"
t
Example: Eve measured with basis Z (90°), obtained bit “1”
0°BOB
��=0°
”0"
”1"
t
90°BOB
�� Eve’sEve’s attackattack is notis not detecteddetected
�� EveEve obtainsobtains 100%100% information of the keyinformation of the key
��=0°
De
tec
tor
se
ns
itiv
ity
t0
t0 t1
�0(t0)
�1(t0)�0(t1)�1(t1)
Partial sensitivity mismatch
A. Practical intercept-resend attack
1�
0.11
QB
ER
Not proven(assumed insecure)
Insecure
0.0660
Securewith reduced key rate
Security state of QKD system
-3 -2 -1 1 2 30t, ns
0
Nor
mal
ized
dete
ctor
sens
itivi
ty,a
rb.u
.Detector model 1.Sensitivity curves
0 1 2 3 4 5 6 7 8 9 10 11 12t, ns
0
10
20
Det
ecto
rqua
ntum
effic
ienc
y,% t = 5.15 ns
1/9
t = 7.40 ns
1/30
0 1
� �� ���
��
1
0
0
1
Detector model 2.Sensitivity curves at low photon number µ=0.5
0 1 2 3 4 5 6 7 8 9t, ns
0
1
Det
ecto
rclic
king
prob
abili
ty
Sensitivity curves at photon number µ=500
= = Detector
output
BPF
~1—2.5 Ghz
G
APD
+Vbias
Circulator
Sync
trigger
Phase-time coding:[Y. Nambu, T. Hatanaka, and K. Nakamura, “BB84 quantum key distribution system based on silica-
based planar lightwave circuits,” Jap. J. Appl. Phys. 43, L1109–L1110 (2004) ]
Also used in [W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, “Quantum cryptography using entangled
photons in energy-time Bell states,” Phys. Rev. Lett. 84, 4737–4740 (2000) ]
Eve’s setup
Bob
Eve
Laser IM PM Att
Faked state generator(one of possible schemes)from
Alice toBob
[H. Takesue, E. Diamanti, T. Honjo, C. Langrock, M.M. Fejer, K. Inoue, and Y. Yamamoto, “Differen-
tial phase shift quantum key distribution experiment over 105 km fibre,” New J. Phys. 7, 232 (2005) ]
DPSK:
Long, overlapping faked states(assume total efficiency mismatch)
0
“1”
� � � � � � � �0 0 0 0
“1”
0
“0” “0” “1”– –– – – – –
0
0 0 0
0 0
� �
“0” “0”
0 � � �
–
� �
“1” “1” “1”
Eve’s
output
(combinedon a coupler)
Alice’s output�:
�:
�:
t0
t1
Causes detections:
Causes detections:
Eve’s detection results:
Bob port 0
Bob port 1
�
“0” “0”
“0” “0”
in limit: two continuous trains of pulses from Eve
NB! In this DPSK scheme, the control parameter t Eve uses to select Bob’s detector may not be
necessarily time, but e.g. wavelength (might be useful with upconversion detectors).
(We don’t know yet if conditions exist under which such a continuous faked state
is advantageous in the case of partial efficiency mismatch.)
Faked states(assume use of gated detectors, total efficiency mismatch)
Eve’s setup
fromAlice to
Bob
Bob
Laser IM PM Att
Laser IM PM Att
Faked state generator no. 1
Faked state generator no. 2
Eve
Coupler
blocked by state� �1
3 ta
�
B. Sent with PB = 0.59
contributes E(a1,b3) = 1
(and three other correl.
coeff. not used in the
protocol)
blocked by t+1
3a
blocked by state� �1
1 tb
�
blocked by t+1
1b
� �1
tstaterandom�
A. Sent with PA = 0.41
contributes equally to
all correl. coeff. = –1
� �1
tstaterandom
or
or
� �1
3 ta
� �1
1 tb
If only A is sent,
If A and B are sent,
a1
b3
21111 �S
� � 22112231 �S
� �1
tr.st.
� �1
tr.st.�
Ekert protocol[A. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett. 67, 661–663 (1991) ]
a1
a2
a3
b3 b1
b2
+1–1
+1
–1
EPR
Correlation coefficient
Key obtained from two perfect anticorrelations
Checking for eavesdropping via CHSH quantity
� � � � � � � � � �jjjjjjjjjj PPPPE bababababa ,,,,, ���� �
� � � � 1baba 2312 ,, EE
� � � � � � � � 22babababa 33133111 �� ,,,, EEEES
Shown below are pairs of faked states to break Ekert protocol
when there is total efficiency mismatch, and no additional
consistency checks besides checking that .22S
www.iet.ntnu.no/groups/optics/qcr
Alice’s output
Eve’s output ... ...
... ...
quant-ph/0511032
New results
For � � 0.066 (~ 1:15), QBER � 11%.
Eve can compromise security if mismatch is larger than 1:15
(Eve resends opposite bit “0” in opposite basis (X), shifted in time)
B. General security bound
Secure key generation rate:
Eve’s detection result. F a k e d s t a t e
S1.
Bob port 1
Bob port 0
Eve’s output
Bob port 1
Bob port 0
Eve’s output
S3.
S1 S2 S3
S1 S2 S3
� �normal
tll
� �normalt
ss
� �0
tssslll �
Bob port 1
Bob port 0
� �1
tssslll �
Eve’s output
Bob port 1
Bob port 0
Eve’s output
(blocked by timing)
(blocked by timing)
S20.
S21.
.
S1 S2 S3
S1 S2 S3
Note that in the case of partial efficiency mismatch, only Eve’s faked states for S20 and S21
contribute to QBER. The faked states for S1 and S3 remain error-free.
DPSK with limited-length states
[K. Inoue, E. Waks, and Y. Yamamoto, “Differential phase shift quantum key distribution,” Phys. Rev.
Lett. 89, 037902 (2002) ]
Normal counting ratio � 1 : 2 : 2 : 1
(used to check for eavesdropping) .
can be eavesdropped on using the methods considered above
Yet longer states in [W. Buttler, J. Torgerson, and S. Lamoreaux, “New, efficient and robust, fiber-
based quantum key distribution schemes,” Phys. Lett. A 299, 38–42 (2002) ]
Conclusion
Detector efficiency mismatch is a problem in many
protocols and encodings: BB84, phase-time, DPSK;
also in implementations with source of entangled pairs
placed outside Alice and Bob (e.g. Ekert protocol).
The worst-case mismatch must be characterized and
accounted for during privacy amplification.
Active protection measures are possible
(monitoring of incoming pulses at Bob).
