Quantum hacking - experimental demonstration of time-shift attack against a practical quantum crypto-system Yi Zhao Dept. of Physics Center for Quantum.

Presentation transcript:

Quantum hacking - experimental demonstration of time-shift attack against a practical quantum crypto-system. Yi Zhao, Dept. of Physics, Center for Quantum Information and Quantum Control (CQIQC), University of Toronto. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253. QIP 2008, New Delhi, India, Wednesday, May 23, 2018

Eve strikes back! Eve lost the battle in security proofs, but came back via loopholes. (Stealing an idea from Claude Crepeau's slides in a CIAR meeting.)

List of questions: What is the attack (quantum hacking)? What are potential counter-measures? What are the lessons? What are the future directions?

Outline: Introduction; Detection efficiency mismatch; Our work: time-shift attack (theory, experiment); General lessons; Future directions. First experimental demonstration of a feasible attack against a commercial QKD system.


Commercial quantum crypto products are available on the market today: MAGIQ TECH. and ID QUANTIQUE. Distance over 100 km of commercial telecom fibers.

Are practical QKD systems really secure? QKD protocols have been proved to be unconditionally secure even with imperfect devices. Decoy states can substantially improve the performance of QKD with a coherent source. Is this the end of security investigation for QKD? Not really! Practical systems may contain imperfections not considered by standard proofs that may lead to loopholes. Side remark: assumptions in standard security proofs are often not enforced in actual QKD experiments!

Example: phase randomization. It is a standard assumption made in many security proofs, but it has never been strictly implemented. If the phase is not randomized, the existing security proof gives a lower key rate [Lo and Preskill, QIC 7, 431 (2007)]. We demonstrated the first experimental QKD with active phase randomization.

Lesson from history: “... unconditionally secure against any eavesdropper who happened to be deaf!” (Gilles Brassard, describing the first QKD experiment)


Efficiency mismatch: security loophole. The detectors’ efficiencies are similar during the expected signal arrival time. A large efficiency mismatch may occur if the signal arrives at an unexpected time. Current InGaAs detectors cannot resolve the exact arrival time. V. Makarov, A. Anisimov, and J. Skaar, Phys. Rev. A 74, 022313 (2006). B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, Quant. Info. Compu. 7, 73 (2007).


Our work on time-shift attack: Demonstrated over a commercial QKD system, the ID-500 manufactured by id Quantique. We use standard optical components and make simple modifications. Bottom line: first experimental demonstration of a technologically feasible attack against a commercial QKD system.

Time-Shift Attack: Strategy. Eve finds two shifts with large efficiency mismatches. Eve randomly shifts the arrival time of each signal to either of the two. The probability of choosing either shift is carefully chosen so that Bob will receive a similar number of “0”s and “1”s. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, Quant. Info. Compu. 7, 73 (2007). Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253.

Remarks on Time-Shift Attack: Surprise! The time-shift attack is particularly powerful against a perfect single-photon source. In fact, if Alice and Bob had a perfect single-photon source and detectors with negligible dark counts, etc., the time-shift attack would always be successful and would be very simple to demonstrate! Ironically, the fact that Alice and Bob have an imperfect source makes Eve’s life harder!

Time-Shift Attack: Experiment. Scan the time shifts manually. Exchange keys in each shift at μ=0.1. Calculate the counts of each detector and the error rate for each time shift. (OVDL: optical variable delay line.) Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253.

Our measurement results obtained with Id Quantique ID-500

Time-Shift Attack: Analysis. Probabilities of choosing the two shifts: 23:77. The two detectors receive the same counts. Upper bound (knowing the attack): 1131 bits, given the information obtained by Eve. Lower bound (ignoring the attack): 1297 bits, assuming Alice and Bob apply infinitely many decoy states and use 1-way communications.
Experimental parameters: dark count rate 2.26 × 10^-5; μ = 0.1.
Data averaged over two shifts: data size 20.97 Mbits; gain 3.32e-4; QBER 5.68%.

Time-Shift Attack: Analysis. Lower bound (ignoring time-shift attack, 1297 bits) > upper bound (considering time-shift attack, 1131 bits). The final key shared between Alice and Bob is compromised by Eve! Information is leaked to Eve without Alice and Bob noticing. The first experimental demonstration of a technologically feasible attack against a commercial QKD system. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253.


Time-shift attack and detection efficiency loophole: A device-independent security proof (cf. the talk this morning by S. Pironio et al.), e.g. based on violation of Bell inequalities (Ekert91 protocol), may not work when the efficiency is low! A local hidden variable model can be constructed when the efficiency is < 82.8% for maximally entangled states (gain in our experiment: 3.32e-4). [Diagram labels: fair sampling hypothesis; device-independent security proof; low detection efficiency.] The fair sampling hypothesis may come to the rescue. However, the fair sampling hypothesis is not reasonable for untrusted devices!

Lesson One: Even devices provided by trustworthy manufacturers may contain subtle flaws (e.g. detection efficiency mismatch), thus allowing Eve to break the system.

Countering attacks based on efficiency mismatch: Four-state measurement by Bob [M. J. LaGasse, US patent application]. Check the timing of incoming pulses at Bob. Activate Bob’s phase modulator in a narrow window centred at the normal pulse position. Randomly shift the gating window of the SPD to smooth out the efficiency. Security proof for detectors with different efficiencies: more privacy amplification.

Lesson Two: Counter-measures may lead to new security loopholes! The four-state measurement by Bob is a counter-measure for the time-shift attack, but it can also be broken by a large pulse attack by Eve. [Diagram labels: time-shift attack; counter-measure: 4-state setting {0, π/2, π, 3π/2}; large pulse attack + time-shift attack.]

Lesson Three: Unanticipated attacks can be fatal! Once Alice and Bob are aware of an attack, it may not be too difficult for them to devise counter-measures against it. Imperfections, once quantified, can be dealt with by additional privacy amplification. But unanticipated attacks can be fatal!

Future direction I: Battle-testing. It is imperative to study eavesdropping attacks and counter-measures more carefully and extensively. This involves both theory and experiment, and needs collaboration between theorists and experimentalists.

Future direction II: Security proofs with testable assumptions. All assumptions in security proofs should be explicitly stated and experimentally verified. Until experimental verification has been done, one can never be sure about the security of a real QKD system.

List of questions:
1. What is the attack? Time-shift attack against a commercial QKD system.
2. What are potential counter-measures? E.g. Bob uses the four-state setting.
3. What are the lessons? Practical QKD systems may have fatal flaws. Counter-measures may open up new loopholes. Unanticipated attacks can be fatal.
4. What are the future directions? Battle-testing. Security proofs with testable assumptions.


QIP 2008, New Delhi, India, Wednesday, May 23, 2018. Thank you! Yi Zhao. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, Quant. Info. Compu. 7, 73 (2007). Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253 (2007). Other related works: C.-H. F. Fung, B. Qi, K. Tamaki, H.-K. Lo, Phys. Rev. A 75, 032314 (2007). A. Lamas-Linares and C. Kurtsiefer, arXiv:0704.3297 (2007). Taehyun Kim et al., Phys. Rev. A 75, 042327 (2007).


Modifications on the Original System: The original laser pulses are too wide. Eve could compress the bright blank pulses in the channel when they are sent from Bob to Alice. We replaced the original laser diode, which is equivalent. The chromatic dispersion of telecom fiber broadens the pulses. Again, Eve could compress the pulses, or pre-chirp them. We installed a loop of dispersion compensation fiber to compensate for it. Various time delays have to be created. Eve could use high-speed optical switches and different paths. We used the optical variable delay line (OVDL) and shifted the pulses manually. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253.

Reference
R. Alleaume, et al. SECOQC white paper on quantum key distribution and cryptography. quant-ph/0701168 (2007).
C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing. In Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, 175-179 (IEEE, 1984).
M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, The universal composable security of quantum key distribution. In J. Kilian (ed.) Theory of Cryptography: Second Theory of Cryptography Conference, TCC 2005, Lecture Notes in Computer Science, vol. 3378, 386-406 (Springer-Verlag, 2005).
E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. Roychowdhury, A proof of the security of quantum key distribution. Journal of Cryptology 19, 381-439 (2006).
G. Brassard and L. Salvail, Lecture Notes in Computer Science, vol. 765, 410-423 (Springer, 1994).
D. Deutsch, et al. Quantum privacy amplification and the security of quantum cryptography over noisy channels. Phys. Rev. Lett. 77, 2818-2821 (1996).
A. K. Ekert, Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 661 (1991).
N. Gisin and B. Gisin, A local hidden variable model of quantum correlation exploiting the detection loophole. Phys. Lett. A 260, 323-327 (1999).
C. Gobby, Z. L. Yuan, and A. J. Shields, Quantum key distribution over 122 km of standard telecom fiber. Appl. Phys. Lett. 84, 3762 (2004).
D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, Security of quantum key distribution with imperfect devices. Quant. Info. Compu. 4, 325 (2004).
J. W. Harrington, J. M. Ettinger, R. J. Hughes, and J. E. Nordholt, Enhancing practical security of quantum key distribution with a few decoy states. quant-ph/0503002 (2005).
W. Y. Hwang, Quantum key distribution with high loss: Toward global secure communication. Phys. Rev. Lett. 91, 057901 (2003).
M. Koashi, Unconditional security proof of quantum key distribution and the uncertainty principle. J. Phys. Conf. Ser. 36, 98 (2006). arXiv:quant-ph/0505108.
G. R. Lin, Y. T. Lin, and C. K. Lee, Simultaneous pulse amplification and compression in all fiber-integrated pre-chirped large-mode-area Er-doped fiber amplifier. Opt. Expr. 15, 2993-2999 (2007).
H.-K. Lo, Getting something out of nothing. Quant. Info. Compu. 5, 413 (2005).
H.-K. Lo and H. F. Chau, Unconditional security of quantum key distribution over arbitrarily long distances. Science 283, 2050 (1999).
H.-K. Lo, X. Ma, K. Chen, Decoy state quantum key distribution. Phys. Rev. Lett. 94, 230504 (2005).
X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, Practical decoy state for quantum key distribution. Phys. Rev. A 72, 012326 (2005).
V. Makarov, A. Anisimov, and J. Skaar, Effects of detector efficiency mismatch on security of quantum cryptosystems. Phys. Rev. A 74, 022313 (2006).
V. Makarov and J. Skaar, Faked states attack using detector efficiency mismatch on SARG04, phase-time, DPSK, and Ekert protocols. quant-ph/0702262 (2007).
D. Mayers, Unconditional security in quantum cryptography. J. of ACM 48, 351 (2001).
B. Qi, C.-H. F. Fung, H.-K. Lo, X. Ma, Time-shift attack in practical quantum cryptosystems. Quant. Info. Compu. 7, 73 (2007).
R. Renner and R. König, Universally composable privacy amplification against quantum adversaries. In J. Kilian (ed.) Theory of Cryptography: Second Theory of Cryptography Conference, TCC 2005, Lecture Notes in Computer Science, vol. 3378, 407-425 (Springer-Verlag, 2005).
P. Shor and J. Preskill, Simple proof of security of the BB84 quantum key distribution protocol. Phys. Rev. Lett. 85, 441 (2000).
D. Stucki, N. Gisin, O. Guinnard, G. Robordy, and H. Zbinden, Quantum key distribution over 67 km with a plug&play system. New J. of Phys. 4, 41 (2002).
X.-B. Wang, Beating the photon-number-splitting attack in practical quantum cryptography. Phys. Rev. Lett. 94, 230503 (2005).
X.-B. Wang, Decoy-state protocol for quantum cryptography with four different intensities of coherent light. Phys. Rev. A 72, 012322 (2005).
Y. Zhao, B. Qi, X. Ma, H.-K. Lo, and L. Qian, Experimental quantum key distribution with decoy states. Phys. Rev. Lett. 96, 070502 (2006).


Decoy state QKD. Why decoy state? Imperfect single sources. Objective: find out good guys, i.e. estimate the amount of detection events that come from single photon states.
The original proposal: W.-Y. Hwang, Phys. Rev. Lett. 91, 057901 (2003).
Security proof: H.-K. Lo, X. Ma and K. Chen, Phys. Rev. Lett. 94, 230504 (2005).
Practical protocols: X. Ma, B. Qi, Y. Zhao and H.-K. Lo, Phys. Rev. A 72, 012326 (2005). X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005). J. W. Harrington, J. M. Ettinger, R. J. Hughes, and J. E. Nordholt, arXiv:quant-ph/0503002.
Experimental demonstrations: Y. Zhao, B. Qi, X. Ma, H.-K. Lo and L. Qian, Phys. Rev. Lett. 96, 070502 (2006). Y. Zhao, B. Qi, X. Ma, H.-K. Lo and L. Qian, Proc. of IEEE International Symposium on Info. Th., pp. 2094-2098 (2006). D. Rosenberg, et al., Phys. Rev. Lett. 98, 010503 (2007). T. Schmitt-Manderbach, et al., Phys. Rev. Lett. 98, 010504 (2007). C.-Z. Peng, et al., Phys. Rev. Lett. 98, 010505 (2007). Z. L. Yuan, A. W. Sharpe, and A. J. Shields, Appl. Phys. Lett. 90, 011118 (2007).

Many groups have followed our lead:
Phase encoding: Rosenberg et al., PRL; Los Alamos & NIST; 107 km fiber.
Polarization encoding: Peng et al., PRL; USTC, China; 102 km fiber.
Phase encoding: Yuan, Sharpe, and Shields, APL; Toshiba, UK; 25 km fiber.
Free space: Schmitt-Manderbach et al., PRL; Europe; 144 km free space.

Deriving Lower Bound: Alice sends Ñ signals (with matched basis) to Bob and Bob receives ÑQ signals. Alice sends Bob the error syndrome encrypted with one-time pad. Since the initial sifted key has length ÑQ, number of pre-shared secret bits needed for Error Correction is
E: QBER; H2(∙): Shannon binary entropy function; f(∙): inefficiency of practical Error Correction code (e.g., 1.22).
Gerd, Vollbrecht, and Verstraete, PRA 71, 062325 (2005). Ma, Fung, Dupuis, Chen, Tamaki, and Lo, PRA 74, 032330 (2006).

Deriving Lower Bound (Cont'd): Now that Alice and Bob share the same key of length ÑQ, they apply privacy amplification to get the final secret key of length
Q1: the probability of receiving single-photon states; e1: the QBER for single-photon states; Q0: the probability of getting a detection from vacuum states.
We assume Alice and Bob apply infinitely many decoy states. D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, QIC 4, 325 (2004). H.-K. Lo, QIC 5, 413 (2005). M. Koashi, arXiv:quant-ph/0609180.

Deriving Lower Bound (Cont'd): By taking into account the key bits consumed for EC, the net key length ignoring the time-shift attack is
By assuming infinite decoy states are applied and using experiment data, the lower bound ignoring the time-shift attack on the key length is 1297 bits.

Deriving Upper Bound: Since the final key is derivable from Alice’s initial bit string, Eve’s uncertainty about the final key is at most her uncertainty about Alice’s string. Thus, an upper bound on the privacy amplification part of the final key length is the conditional entropy
X: random variable for Alice’s bit; Z1: random variable for Eve’s choice of time shift; Z2: random variable for basis information; H(∙): entropy function.
R. Renner and R. König, LNCS 3378, 407 (2005). I. Csiszár and J. Körner, IEEE TIT 24, 339 (1978). U. M. Maurer, IEEE TIT 39, 733 (1993).

Deriving Upper Bound (Cont'd): By taking into account the key bits consumed for EC, the upper bound on the net key length considering the time-shift attack is
By using experimental data for the two time shifts chosen by Eve, the upper bound considering the time-shift attack on the key length is 1131 bits.
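The count-balancing step of the strategy slide and the conditional-entropy bound above can be worked through numerically to size the extra privacy amplification a characterised mismatch calls for. This is an added example, not code from the talk or the paper: it assumes a simplified model (single-photon signals, no dark counts, no channel errors, basis information Z2 ignored), and all efficiency values and function names are constructed for illustration.

```python
"""Sizing privacy amplification for a measured detector-efficiency mismatch.

Simplified model (an assumption, not the paper's full analysis): single-photon
signals, no dark counts, no channel errors, basis information ignored.
Each "shift" is a pair (eta0, eta1): the efficiencies of Bob's "0" and "1"
detectors at one arrival-time offset. All numbers here are constructed.
"""
from math import log2


def h2(p):
    """Shannon binary entropy in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * log2(p) - (1.0 - p) * log2(1.0 - p)


def balancing_probability(shift_a, shift_b):
    """Mixing probability of shift A for which Bob sees equal "0"/"1" counts.

    Returns None when the two shifts do not favour opposite detectors,
    i.e. no mixture of them can hide behind a count-balance check.
    """
    d_a = shift_a[0] - shift_a[1]   # how strongly shift A favours detector 0
    d_b = shift_b[1] - shift_b[0]   # how strongly shift B favours detector 1
    if d_a * d_b <= 0:
        return None
    return d_b / (d_a + d_b)


def detector_counts(p, shift_a, shift_b):
    """Relative click rates (count0, count1) at Bob for mixing probability p."""
    c0 = p * shift_a[0] + (1.0 - p) * shift_b[0]
    c1 = p * shift_a[1] + (1.0 - p) * shift_b[1]
    return c0, c1


def conditional_entropy(p, shift_a, shift_b):
    """H(X|Z1): uncertainty (bits per detected bit) once the shift is known."""
    norm = p * sum(shift_a) + (1.0 - p) * sum(shift_b)
    total = 0.0
    for weight, (e0, e1) in ((p, shift_a), (1.0 - p, shift_b)):
        clicks = weight * (e0 + e1)          # share of detections in this shift
        if clicks > 0.0:
            total += clicks / norm * h2(e0 / (e0 + e1))
    return total


def assess(shift_a, shift_b, tolerance=0.01):
    """Summarise what a count-balance check sees versus what is leaked."""
    p = balancing_probability(shift_a, shift_b)
    if p is None:
        return {"balanced_mix_exists": False}
    c0, c1 = detector_counts(p, shift_a, shift_b)
    entropy = conditional_entropy(p, shift_a, shift_b)
    return {
        "balanced_mix_exists": True,
        "p_shift_a": p,
        "count_check_passes": abs(c0 - c1) <= tolerance * (c0 + c1),
        "entropy_per_bit": entropy,
        # Fraction of the sifted key that must be removed on top of the
        # usual privacy amplification to cover the mismatch.
        "extra_privacy_amplification": 1.0 - entropy,
    }


if __name__ == "__main__":
    # Constructed characterisation data for two timing offsets.
    print(assess((0.08, 0.02), (0.03, 0.05)))
```

With the constructed values the two detectors register identical counts, yet about 11% of each sifted bit is predictable from the timing offset alone, which is why monitoring detector balance does not substitute for the timing checks and additional privacy amplification listed among the counter-measures.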

Generalization of time-shift attack: spatial/spectral attack. Mismatch in detection efficiencies may be caused by manipulations in domains other than the time domain [V. Makarov and J. Skaar, quant-ph/0702262], such as the space and frequency domains [B. Qi, et al. (unpublished manuscript)]. Spectral attack: Eve may shift the wavelength to cause different efficiencies. Spatial attack: Eve may change the incident angle of the incoming signal to Bob to induce an efficiency mismatch.

A hypothetical space-shift attack: Due to manufacturing imperfections, the distances of the two couplers may not be the same. Change in incident angle → different losses in couplers. B. Qi, et al. (unpublished manuscript).

Time-Shift Attack: Challenges. The pulse width needs to be narrowed: replace the original laser (~500ps) with a narrower (~100ps) pulsed laser diode, and install a loop (~2km) of chromatic dispersion compensating fiber to fight against dispersion broadening. The choice of “large mismatch”: may not be the shifts with the largest mismatch. Affecting factors: dark counts, efficiencies, etc. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253.

Time-Shift Attack: Basic Idea. Use an optical variable delay line to obtain the efficiency mismatch at different time shifts. Locate time shifts with large efficiency mismatches. Security analysis: upper bound and lower bound. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, Quant. Info. Compu. 7, 73 (2007). Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, arXiv:0704.3253.

Time-shift attack and detection efficiency loophole: Device-independent security proof, e.g. based on violation of Bell inequalities (Ekert91 protocol). QKD protocol built from data violating the CHSH Bell inequality Pr{a0=b0} + Pr{a0=b1} + Pr{a1=b0} + Pr{a1≠b1} ≤ 3, where “a0” is the random variable associated with measurement setting “0” and result “a”. [A. Acín, N. Gisin, and L. Masanes, PRL 97, 120405 (2006)] Detection efficiency loophole: the detection efficiency is too low in practice to make the proof work. Additional assumptions such as the fair sampling hypothesis are needed.