Abstract
The ability of an eavesdropper to compromise the security of a quantum communication system by changing the angle of the incoming light is well-known. Randomizing the role of the detectors has been proposed to be an efficient countermeasure to this type of attack. Here we show that the proposed countermeasure can be bypassed if the attack is generalized by including more attack variables. Using the experimental data from existing literature, we show how randomization effectively prevents the initial attack but fails to do so when Eve generalizes her attack strategy. Our result and methodology could be used to scrutinize a free-space quantum communication receiver against detector-efficiency-mismatch type attacks.
© 2021 Optical Society of America under the terms of the OSA Open Access Publishing Agreement
1. Introduction
Recent trends in quantum technologies suggest a future of quantum computers (QC) having superior computational power [1,2]. Such computational power can efficiently solve hard mathematical problems that are the foundations of security for certain public-key cryptosystems. QCs thus pose a serious threat to our current cryptographic infrastructure. One possible solution is post-quantum cryptography [3–5] – classical algorithms thought to be secure against quantum attacks – but there is no mathematical proof that these algorithms provide information-theoretic security. Thus, in an effort to fight quantum with quantum, the trend is towards quantum cryptography [6–8] – more popularly known as quantum key distribution (QKD).
QKD [7,8] uses the laws of quantum mechanics to generate a secret key between two distant parties, Alice and Bob. This key can then be used for one-time-pad encryption to guarantee secure communication. In theory, QKD provides mathematical proof of security by modeling the device behaviors and using the laws of quantum mechanics. However, in practice, devices often behave differently than the assumed model, leaving a gap between theory and practice that can be exploited by an eavesdropper. This gap can be anywhere in the system implementation, such as measurement devices [9,10], monitoring systems [11], assumptions in the security proofs [12], leakage of information [13–15], change of characteristics [16,17], imperfect sources [18,19], imperfect detector characteristics [20–23], etc. It is essential for QKD security to explore and identify these gaps and characterize them in order to assess the threat. In this work we consider one such gap – detector-efficiency mismatch [20,21,23,24] – and analyze its effects.
A fundamental assumption in QKD security proofs is that the measurement outcomes should be independent of the measurement bases and Eve should not have any control over them. In ideal QKD, it is impossible for Eve to control the measurement outcomes without introducing errors, quantified as the quantum bit error rate (QBER). However, in practice, there might be implementation vulnerabilities that allow Eve to have this control. For example, if there is a sensitivity mismatch among the detectors for a certain degree of freedom of the incoming photons, Eve can modify that degree of freedom so that one detector becomes more sensitive compared to another [20–22,24,25]. This can happen in the time degree of freedom: an implementation vulnerability may make one detector more sensitive in a particular time window than the others. In this case, Eve can shift the arrival time of certain pulses to coincide with that window. Thus, detection events occurring in that particular time window have a higher chance of occurring in the sensitive detector and a bias is achieved. Similarly, if the detector sensitivity varies with the spatial mode of the incoming light [20], Eve can send light at a certain angle ($\phi$, $\theta$) to create a bias among the detector sensitivities and achieve control. Exploitation of such spatial-mode-sensitivity mismatch was demonstrated in [21,22], while the security proofs against such attacks are reported in Refs. [26–29].
A countermeasure to the detector-efficiency-mismatch type attacks presented in [20,24,25] was proposed in Ref. [30]. It involves randomly changing the roles of the detectors to hash out any mismatch in the detection system and reduce efficiency mismatch. However, it is not clear how effective the countermeasure is when one considers that detectors operate on optical modes rather than on single-photon signals, as mentioned in [21]. In this paper, we scrutinize the effectiveness of this countermeasure. In Section 2, we introduce and review some necessary details of the spatial-mode-efficiency-mismatch attack reported in [21]. In Section 3, we simulate a detector scrambling countermeasure and show that the countermeasure blocks the side-channel. Then in Section 4, we show how the scrambling countermeasure can be bypassed by resorting to a more general attack strategy. We conclude in Section 5.
2. Review of detection efficiency mismatch
We shall assume a polarization-encoded Bennett-Brassard (BB84) QKD scheme with passive basis-choice implementation as shown in Fig. 1(a). The beam splitter (BS) is used for selecting the HV or DA bases and the polarization beam splitters (PBSs) followed by two detectors are used to measure the polarization in a basis. Detectors h and v are used for measuring the incoming H and V polarized light while detectors d and a are used for measuring D and A polarized light respectively.
The efficiency-mismatch side-channel is explained with the help of Fig. 1(b). Here we show how the sensitivity of the $h$ and $v$ detectors varies in response to the angle of the incoming light. The circle on the left (right) shows the sensitive area of detector $h (v)$. Outside the circle the sensitivity is zero (in practical detectors, sensitivity does not go to zero so abruptly, but this simple assumption serves the purpose of explaining the concept). In the overlapping (green) region, both detectors are equally sensitive. However, if the light is sent towards the red (blue) region, detector $v (h)$ has a higher sensitivity than the $h (v)$ detector. Eve can stage a faked-state attack to exploit this bias.
The faked-state attack considered in Ref. [21] is based on the following assumptions. Eve is present outside Alice’s lab. She intercepts and measures the signal going towards Bob. Then she reproduces another pulse with the same polarization as her measurement outcome but with different mean photon number, and sends it towards Bob at an angle where the target detector has a higher sensitivity compared to others. More specifically, if Eve’s measurement outcome is $j$, she reproduces $j$ polarized light with mean photon number $\mu _j$ and sends it at an angle where detector $j$ has a higher sensitivity than the other three detectors. This angle is referred to as the attack angle for detector $j$. She uses a lossless channel to overcome the channel loss and maximize her target detection probabilities. The sifted key rate and QBER in Eve’s presence become (derived in Section 5)
3. Detector scrambling countermeasure
In this section we discuss the general detector scrambling countermeasure outlined in [30] and investigate its effectiveness in preventing the attack. Let us assume that a half-wave plate (HWP) is placed in front of the BS in Fig. 1. By rotating the axis of the HWP, Bob can rotate the incoming polarization by $\theta _{B} = 0~^{\circ} , 45~^{\circ} , 90~^{\circ}$ and $135~^{\circ}$. When $\theta _{B} = 0~^{\circ}$, the detectors marked h, v, d and a are used to detect incoming horizontal (H), vertical (V), diagonal (D) and anti-diagonal (A) polarized light respectively. When $\theta _{B} = 90~^{\circ}$, the bases are unchanged but the roles of the detectors are inverted, i.e., the detector marked h measures V and vice versa. In the case of $\theta _{B} = 45~^{\circ}$, the roles of the bases are flipped, and finally for $\theta _{B} = 135~^{\circ}$ the roles of both the bases and the detectors are flipped, i.e., the detector marked h measures D and A when $\theta _{B} = 45~^{\circ}$ and $\theta _{B} = 135~^{\circ}$ respectively. Thus, by randomly changing the incoming polarization with a HWP, it is possible for Bob to scramble the roles of both his bases and detectors.
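The role mapping above, and what it does to an Eve who always sends $j$-polarized light toward attack angle $j$, can be checked numerically. The following is an added example, not code or data from the paper: the mismatch table `ETA`, the mean photon number 4.0, the Poisson click model without dark counts, the random assignment of double clicks, and all function names are assumptions chosen for illustration.

```python
import math

# Polarization angle (degrees) of states H, V, D, A; detector i projects onto ANGLE[i].
ANGLE = {"h": 0, "v": 90, "d": 45, "a": 135}
BASIS = {"h": "HV", "v": "HV", "d": "DA", "a": "DA"}
ORTHOGONAL = {"h": "v", "v": "h", "d": "a", "a": "d"}
THETAS = (0, 45, 90, 135)

# Constructed mismatch table (assumption, not measured data):
# ETA[k][i] = efficiency of detector i for light arriving at attack angle k.
ETA = {k: {i: 1.0 if i == k else 0.05 for i in ANGLE} for k in ANGLE}

def detector_for(state, theta_b):
    """Detector that measures polarization `state` when the HWP is set to theta_b."""
    target = (ANGLE[state] - theta_b) % 180
    return next(i for i, ang in ANGLE.items() if ang == target)

def click_prob(det, pol, attack_angle, mu, theta_b, eta):
    """Click probability at `det`: Poisson light, 50:50 BS, no dark counts (assumed)."""
    rotated = ANGLE[pol] - theta_b
    overlap = math.cos(math.radians(rotated - ANGLE[det])) ** 2
    return 1.0 - math.exp(-mu * 0.5 * overlap * eta[attack_angle][det])

def qber(eta, mu, thetas):
    """QBER in the sifted key when Eve resends state j toward attack angle j."""
    wrong = total = 0.0
    for alice in ANGLE:
        for eve in ANGLE:
            if eve == alice:
                weight = 0.5          # Eve measured in Alice's basis
            elif BASIS[eve] != BASIS[alice]:
                weight = 0.25         # wrong basis, either outcome
            else:
                continue              # orthogonal outcome in the right basis: never
            for theta_b in thetas:    # equal a-priori scrambling probability
                good = detector_for(alice, theta_b)
                bad = detector_for(ORTHOGONAL[alice], theta_b)
                p_good = click_prob(good, eve, eve, mu, theta_b, eta)
                p_bad = click_prob(bad, eve, eve, mu, theta_b, eta)
                # double clicks are assigned to a random bit (assumed squashing rule)
                p_right = p_good * (1 - p_bad / 2)
                p_wrong = p_bad * (1 - p_good / 2)
                wrong += weight * p_wrong
                total += weight * (p_right + p_wrong)
    return wrong / total

if __name__ == "__main__":
    print("QBER, fixed roles:     %.4f" % qber(ETA, 4.0, (0,)))
    print("QBER, scrambled roles: %.4f" % qber(ETA, 4.0, THETAS))
```

In this toy model the fixed-role receiver sees a QBER of about 5%, while scrambling pushes the same attack to about 28%, which is the sense in which the countermeasure blocks the original strategy.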
In the following, we assume Bob scrambles his detectors with equal a-priori probability. The sifted key rate $R_e(j|\theta _B)$ and error rate $E_{j|\theta _B }$ in the presence of Eve given she sends $j$ polarized light – towards attack angle $j$ with mean photon number $\mu _j$ – and Bob applies $\theta _B$ rotation, can be derived similar to Eqs. (7) to (9) as presented in Section 5. Thus, the total sifted key rate $R_e^s$ and $QBER_e^s$ with Eve’s attack and Bob applying scrambling countermeasure become:
4. Detector-scrambling-bypass strategy
So far, we have assumed that when Eve sends a $j$ polarized light, it is always sent towards attack angle $j$ with mean photon number $\mu _j$. In this section, we discard this assumption to generalize the attack. In particular, we assume, when Eve sends a $j$ polarized light, it can be directed towards any of the four attack angles $k \in \{ h,v,d,a\}$ with mean photon number $\mu _j^k$ and probability $f_j^k$ with $\sum _k f_j^k = 1$. Let $p_i^k(j|\theta _{B})$ be the raw click probability at Bob’s detector $i$, given Eve sent a $j$-polarized light towards attack angle $k$ with mean photon number $\mu _j^k$ that has been rotated by an angle $\theta _{B}$ during scrambling.
Let $R_e^k(j|\theta _{B})$ be the sifted key rate when Eve sends j polarized light at k attack angle with Bob rotating the polarization by angle $\theta _{B}$. By deriving $R_e^k(j|\theta _{B})$ using similar analysis as Eq. (17)–(20) we get,
Figure 4(a) and Fig. 4(b) show, respectively, the optimized probabilities $f_j^k$ and mean photon number per pulse chosen by Eve for a channel loss of 6 dB. For a certain channel loss, Eve has to follow a specific blueprint to attack the system. For example, the probability plot in Fig. 4(a) shows that Eve sends V polarized light at the V attack angle with higher probability than others. On the other hand, Eve has to send V polarized light with higher mean photon number than other polarizations, as shown in Fig. 4(b). For a different channel loss, the values of the optimized free parameters will be different. Moreover, these scenarios are entirely dependent on the specific mismatch present in the system.
In Section 2, we have reviewed a specific detector-efficiency-mismatch strategy: whenever Eve sent a $j$ polarized light, it was always sent towards attack angle $j$ with mean photon number $\mu _j$. The power of this strategy was limited as explained in Section 3: by simply changing the roles of the detectors and bases, Eve’s presence could be identified. In this section we attempt to generalize our attack strategy. In particular, we assume that Eve can send the $j$ polarized light towards any of the four attack angles $k \in \{ h,v,d,a\}$ with mean photon number $\mu _j^k$ and probability $f_j^k$ where $\sum _k f_j^k = 1$. The intuition behind this strategy is that it brings new free parameters into the optimization which Eve could adjust to her advantage as described next.
5. Conclusion
In this work, we have shown that randomizing the roles of the detectors cannot function as an efficient countermeasure against detector-efficiency-mismatch type attacks. Although it can prevent the original attack proposed in Ref. [21], it fails to do so when a more general strategy is followed. The general strategy works even when Bob uses any non-uniform a priori scrambling probabilities.
We note that no two practical setups will have exactly the same mismatch, and hence it would not be possible for Eve to acquire one prototype to learn the mismatch of the target system. However, according to Kerckhoffs’s principle [31], quantum cryptography assumes that, except for the key, Eve knows all the system’s imperfections. So, to guarantee unconditional security in theory, we need to assume that Eve knows the exact details of the mismatch and Bob’s scrambling countermeasure to optimize her attack. From a practical point of view, Eve can listen to Bob’s classical communication channel while sending a small fraction of faked states at different spatial angles to get an estimate of the efficiency mismatch [32]. Eve can pursue a similar strategy to estimate Bob’s detector scrambling statistics. Thus, unless new techniques are proposed to strengthen the existing detector-scrambling countermeasure strategies, they cannot guarantee security against detector-efficiency-mismatch based attacks. The result and methodology in this paper could be used to scrutinize a free-space quantum communication receiver against detector-efficiency-mismatch type attacks.
Appendix A: Sifted key rate and QBER during attack
To derive the key rate and QBER formula in Eve’s presence, Ref. [21] started with a system with only Eve and Bob. Let us consider that Eve is sending a $j$-polarized pulse to Bob with mean photon number $\mu _j$ towards the attack angle $j$. Let $p_i(j)$ be the raw click probability at detector $i$ while the incoming light is $j$ polarized. For Eve sending $H$ polarized light, these probabilities are:
The probabilities $P_{hv}(V),P_{da}(D),P_{da}(A)$ can be calculated similarly. Now we include Alice in the picture. We first assume the case where Alice sends $H$-polarized light. The possible scenarios are shown in Fig. 5. It is sufficient to consider only the cases when Bob measures in the same basis as Alice (HV in this case), as the other cases will be discarded during sifting. Here we assume Eve measures Alice’s outgoing signal in the $HV$ or $DA$ basis with equal a priori probability using a measurement setup having perfect detection efficiency and no dark counts. Thus, with $50\%$ probability she measures in the correct (incorrect) basis and sends the correct (incorrect) state to Bob. Let $R_e(j)$ be the sifted key rate in Eve’s presence given Alice sent $j$ polarized light. Following Fig. 5, $R_e(j)$ can be given by,
The error rate with Eve given Alice sends $H$ polarized light can also be calculated with the help of Fig. 5. When Eve measures in the same basis as Alice, she introduces no error (assuming perfect fidelity at Bob). However, when she measures in the wrong basis (in this case, $DA$) there is some probability of error. Let $\mathrm {P_i(j)}$ be the probability that, after squashing, Bob decides on outcome $i$ given the incoming light was $j$-polarized. Thus, $\mathrm {P_v(H)}$ would be,
According to Fig. 5, Bob can measure a $v$ only when Eve sends D or A polarized light (we disregard the case that Bob gets a $v$ when Eve sends $H$). The probability of each of these cases is shown in Fig. 5 to be $1/8$. Thus the error rate $E_H$ conditioned on Alice sending $H$-polarized light can be expressed as:
In deriving Eqs. (7) to (9), we have assumed simplified cases. In a more general scenario, we also need to consider $P_{hv}(V)$ since the setup may have imperfect fidelity and dark counts in the photodetectors. Let $P_c^e$ and $P_w^e$ be the probabilities that Eve measures Alice’s signal in the correct basis and gets a click in the correct and wrong photodetector respectively. Let $P_{nc}^e$ be the probability that Eve measures in the non-compatible or wrong basis. We can then modify Eq. (7) for the case of the sifted key rate when there is incoming $H$-polarized light. Thus, the sifted key rate can be written from [21] in the following form
Appendix B: Sifted key rate and QBER with scrambling countermeasure
For detector scrambling countermeasure, we assume Bob's measurement setup with a half-wave plate (HWP) as shown in Fig. 6. Let $p_i(j | \theta _B)$ be the raw click probability at Bob’s $i$-th detector given Eve sends $j$ polarized light with mean photon number $\mu _j$ directed towards attack angle $j$ which is rotated by Bob by an angle $\theta _{B}$. The probabilities for $\theta _B = 0^{\circ} , 45~^{\circ} , 90~^{\circ}$ and $135~^{\circ}$ can be derived similar to Eq. (5). When $\theta _B = 0~^{\circ}$:
Appendix C: Details on optimization
The objective of our optimization is to minimize the QBER during attack – for a given loss – while maintaining the rates expected by Alice and Bob so that Eve’s presence is not detected. The free parameters – that Eve can optimize – are the mean photon numbers $\mu _j^k$ and probabilities $f_j^k$. The optimization is performed using an ‘interior-point’ algorithm in MATLAB. The optimization can be expressed as:
Disclosures
The authors declare no conflicts of interest.
References
1. W. Knight, “IBM raises the bar with a 50-qubit quantum computer,” Tech. rep., MIT Technology Review (2017).
2. D. Castelvecchi, “Quantum computers ready to leap out of the lab in 2017,” Tech. rep., Nature News (2017).
3. R. C. Merkle, “Secrecy, authentication, and public key systems,” Ph.D. thesis, Stanford University (1979).
4. R. J. McEliece, “A public-key cryptosystem based on algebraic coding theory,” DSN Progress Report 42-44, 114–116 (1978).
5. J. Hoffstein, J. Pipher, and J. H. Silverman, “NTRU: A ring-based public key cryptosystem,” in International Algorithmic Number Theory Symposium, (Springer, 1998), pp. 267–288.
6. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, (IEEE Press, New York, Bangalore, India, 1984), pp. 175–179.
7. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74(1), 145–195 (2002).
8. V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301–1350 (2009).
9. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4(10), 686–689 (2010).
10. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” Nat. Commun. 2(1), 349 (2011).
11. S. Sajeed, I. Radchenko, S. Kaiser, J.-P. Bourgoin, A. Pappa, L. Monat, M. Legré, and V. Makarov, “Attacks exploiting deviation of mean photon number in quantum key distribution and coin tossing,” Phys. Rev. A 91(3), 032326 (2015).
12. S. Sajeed, A. Huang, S. Sun, F. Xu, V. Makarov, and M. Curty, “Insecurity of detector-device-independent quantum key distribution,” Phys. Rev. Lett. 117(25), 250505 (2016).
13. N. Jain, E. Anisimova, I. Khan, V. Makarov, C. Marquardt, and G. Leuchs, “Trojan-horse attacks threaten the security of practical quantum cryptography,” New J. Phys. 16(12), 123030 (2014).
14. S. Sajeed, C. Minshull, N. Jain, and V. Makarov, “Invisible trojan-horse attack,” Sci. Rep. 7(1), 8403 (2017).
15. P. V. P. Pinheiro, P. Chaiwongkhot, S. Sajeed, R. T. Horn, J.-P. Bourgoin, T. Jennewein, N. Lütkenhaus, and V. Makarov, “Eavesdropping and countermeasures for backflash side channel in quantum cryptography,” Opt. Express 26(16), 21020–21032 (2018).
16. V. Makarov, J.-P. Bourgoin, P. Chaiwongkhot, M. Gagné, T. Jennewein, S. Kaiser, R. Kashyap, M. Legré, C. Minshull, and S. Sajeed, “Creation of backdoors in quantum communications via laser damage,” Phys. Rev. A 94(3), 030302 (2016).
17. A. N. Bugge, S. Sauge, A. M. M. Ghazali, J. Skaar, L. Lydersen, and V. Makarov, “Laser damage helps the eavesdropper in quantum cryptography,” Phys. Rev. Lett. 112(7), 070503 (2014).
18. C. H. Bennett, F. Bessette, L. Salvail, G. Brassard, and J. Smolin, “Experimental quantum cryptography,” J. Cryptology 5(1), 3–28 (1992).
19. F. Xu, K. Wei, S. Sajeed, S. Kaiser, S. Sun, Z. Tang, L. Qian, V. Makarov, and H.-K. Lo, “Experimental quantum key distribution with source flaws,” Phys. Rev. A 92(3), 032305 (2015).
20. V. Makarov, A. Anisimov, and J. Skaar, “Effects of detector efficiency mismatch on security of quantum cryptosystems,” Phys. Rev. A 74(2), 022313 (2006).
21. S. Sajeed, P. Chaiwongkhot, J.-P. Bourgoin, T. Jennewein, N. Lütkenhaus, and V. Makarov, “Security loophole in free-space quantum key distribution due to spatial-mode detector-efficiency mismatch,” Phys. Rev. A 91(6), 062301 (2015).
22. M. Rau, T. Vogl, G. Corrielli, G. Vest, L. Fuchs, S. Nauerth, and H. Weinfurter, “Spatial mode side channels in free-space QKD implementations,” IEEE J. Sel. Top. Quantum Electron. 21(3), 187–191 (2015).
23. P. Chaiwongkhot, K. B. Kuntz, Y. Zhang, A. Huang, J.-P. Bourgoin, S. Sajeed, N. Lütkenhaus, T. Jennewein, and V. Makarov, “Eavesdropper’s ability to attack a free-space quantum-key-distribution receiver in atmospheric turbulence,” Phys. Rev. A 99(6), 062315 (2019).
24. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum cryptosystems,” Quant. Inf. Comp. 7, 73–82 (2007).
25. V. Makarov and J. Skaar, “Faked states attack using detector efficiency mismatch on SARG04, phase-time, DPSK, and Ekert protocols,” Quant. Inf. Comp. 8, 622–635 (2008).
26. C. F. Fung, K. Tamaki, B. Qi, H. Lo, and X. Ma, “Security proof of quantum key distribution with detection efficiency mismatch,” Quantum Inf. Comput. 9, 131–165 (2009).
27. Y. Zhang, P. J. Coles, A. Winick, J. Lin, and N. Lütkenhaus, “Security proof of practical quantum key distribution with detection-efficiency mismatch,” Phys. Rev. Res. 3(1), 013076 (2021).
28. A. Trushechkin, “Security of quantum key distribution with detection-efficiency mismatch in the multiphoton case,” arXiv preprint arXiv:2004.07809 (2020).
29. M. Bochkov and A. Trushechkin, “Security of quantum key distribution with detection-efficiency mismatch in the single-photon case: Tight bounds,” Phys. Rev. A 99(3), 032308 (2019).
30. T. F. da Silva, G. C. do Amaral, G. B. Xavier, G. P. Temporão, and J. P. von der Weid, “Safeguarding quantum key distribution through detection randomization,” IEEE J. Sel. Top. Quantum Electron. 21(3), 159–167 (2015).
31. A. Kerckhoffs, “La cryptographie militaire,” J. des sciences militaires IX, 5–83 (1883).
32. V. Makarov and D. R. Hjelme, “Faked states attack on quantum cryptosystems,” J. Mod. Opt. 52(5), 691–705 (2005).
33. N. J. Beaudry, T. Moroder, and N. Lütkenhaus, “Squashing models for optical measurements in quantum communication,” Phys. Rev. Lett. 101(9), 093601 (2008).
34. T. Tsurumaru and K. Tamaki, “Security proof for quantum-key-distribution systems with threshold detectors,” Phys. Rev. A 78(3), 032302 (2008).
35. O. Gittsovich, N. J. Beaudry, V. Narasimhachar, R. R. Alvarez, T. Moroder, and N. Lütkenhaus, “Squashing model for detectors and applications to quantum-key-distribution protocols,” Phys. Rev. A 89(1), 012325 (2014).