how we eavesdropped 100% percent of a quantum crypto key

8/14/2019 How We Eavesdropped 100% Percent of a Quantum Crypto Key

1/36

Vadim Makarov, Qin Liu,

Ilja Gerhardt, Anta Lamas-Linares, Christian Kurtsiefer

How we eavesdropped

100% of a quantum cryptographic

key

Lecture atHacking at Random, August 14, 2009

Centre for

Quantum

Technologies, Singapore


2/36

Outline

Introduction to quantum cryptography

The quantum cryptosystem at CQT

Problems with photon detectors

Attack on the real system

What was a photon? Perspectives


3/36

ca. 1970

2004 First commercial offers (20~50 km fiber links)

Concept (money physically impossible

to counterfeit)

1984 First key distribution protocol (BB84)

1989 Proof-of-the-principle experiment

1993 Key transmission over fiber optic link

2007 200 km in fiber, 144 km free-space demonstrated

Quantum cryptography timeline

2009

A quantum cryptosystem fully hacked :)


4/36

Encoder Decoder

Public (insecure)channel BobAlice

Key

Secure channel

MessageMessage

Encoded message

Secret key cryptography requires secure channel for keydistribution

Quantum cryptography distributes the key

by transmitting quantum states in an open channel

Key distribution


5/36

Quantum key distribution

Retained bit sequence 1 1 0 0 1 0 0 1 0

Bobs measurement 1 0 0 1 0 0 1 1 0 0 0 1 0 0

Bobs detection basis

Alices bit sequence 1 0 1 1 0 0 1 1 0 0 1 1 1 0Light source

AliceBob

Diagonaldetector basis

Horizontal-

vertical detectorbasis

Diagonalpolarization filters

Horizontal-verticalpolarization filters

Image reprinted from article: W. Tittel, G. Ribordy, and N. Gisin, "Quantum cryptography," Physics World, March 1998


6/36

id Quantique

(Switzerland)

MagiQ

Technologies

(USA)

SmartQuantum

(France)

Commercial offers (as of August 2009)

Picture6

VPN encryptor (AES)

+quantum key

generator

VPN &

quantum key

generator

VPN &

quantum key

generator

SALE

100,000(*maybe cheaper)


7/36

How secure is quantum key distribution (QKD) practically?

Eve lost the battle against security proofsbut

she can exploit component imperfections

(e.g., saturation and blinding behavior of passively-quenched APDs)

To build the first complete

working eavesdropping

.experiment in the world!

Motivation for attack


8/36

The system under attack

QKD system from CQT in Singapore

Basically all systems vulnerable

Entanglement based QKD

What is entanglement?

How can it be used for QKD?

What is Bells inequality?


9/36


10/36

Entanglement

Spooky action at a distance

Einstein, Podolsky and Rosen, 1935

John Bell, 1964: How to measure whats going on


11/36

Bell state measurement

So u t p u t p o r t

1

o u t p u t p o r t2




12/36

Entanglement-based QKD

No need for random numbers

Different photons, different colors?Dimensionality of Hilbert space needs to be known for

security, measuring Bells inequality


13/36


New J. Phys. 11, 045007 (2009)

E t l t b d QKD


14/36


Pair source:

Blue photon in, two red photons out

Strong temporally correlated Spectrally broader than dimmed lasers

50 cm25 cm


15/36

D t t


16/36

Detector response

Ideal and real detector response:

Light in [# of photons]

Detector should seelight, but is blind

Ideal detector

Real detector

csout

Pblind


17/36

Control intensity diagrams


18/36

Control intensity diagrams

No click

Single click

Pbackground

Pbackground

Popt

Popt

threshold

Faked state

Pbackground Pblind

Intercept resend (faked state) attack


19/36

Intercept-resend (faked-state) attack

Eve forces her detection result onto Bob by sending

- Background light to keep all detectors blinded (circular polarization)- Faked-state above intensity threshold to make target detectorclick

(linear polarization)

In conjugate basis, faked-state is split in half, below threshold (no click)

2I0

I0

I0/2

I0/2

0

arXiv:0809.3408

Normal QKD

QKD under attack


20/36

Normal QKDQKD under attack

Eavesdropping on installed QKD line


21/36

S12

Eavesdropping on installed QKD lineon campus of the National University of Singapore

290 m of fiber

AliceBob

Eve

S15

S14

S13

Satellite image Google

Eve installed and running


22/36

Eve, installed and running

+recording all classicalcommunication AliceBob

(Wireshark)

Does Eve really have 100% key information?


23/36

Does Eve really have 100% key information?

Clicks in Bob:

Clicks in Eve:Clicks in Eve and Bob:

Eve forcing a click in Bob: 97% probability

Eve has 100% information of the wiretappedline, because Bob has to reveal which clicks

were received

Good correlationMore clicks in Eve

doesnt matter

What about a workaround?


24/36

What about a workaround ?

Sure... there will be a workaround

BUT:

No universal security measure, like a quantum state!

Generating arbitrary quantum states


25/36

Generating arbitrary quantum states

Eve is able to fake an EPR source

Also interesting for other experiments

The laws of physics:

Quantum correlations:

No eavesdropper??

Applicable to schemes which expect single photons

Questions and perspectives:


26/36

Questions and perspectives:

What is a photon?

A photon is a single click on a detector

(Anton Zeilinger)

well....

You cannot delegate security!

Dont trust security in a black box, even if its

expensive or called quantum

Our attack


27/36

Our attack

First experimental implementation

Eve has 100% key information

Demonstrated eavesdropping underrealistic conditions (290m fiber run via

4 buildings)


28/36

Thank you.www.iet.ntnu.no/groups/optics/qcr

www.quantumlah.org


29/36

More technical details about the attack

that we didnt have time to show in the talk

Eve can exploit blinding of APDunder bright illumination...


30/36

p g g

and make a single photon detector work as a classical detector!

PblindAbove Pblind, detector totally blind to

single photons, dark counts, afterpulses

EG&G SPCM-200-PQ

Entire Bob

with fourAPDs (NUS)

Do-it-yourself(MSU)

New J. Phys. 11, 065003 (2009)

Bob control efficiency


31/36

y

Improved control intensity diagram


32/36

100%

100%

100%

100%

0 %

0 %

Final Eves scheme


33/36

Timing performance


34/36

After Eve inserted

-507 -506 -505 -504

Channel No.(Alice - Bob )

1-11-21-31-4

2-12-22-32-4

3-1

3-23-33-4

4-14-24-34-4

Delay between Alice and Bob (ns)

-295 -294 -293 -292


-507 -506 -505 -504

Channel No.(Alice - Bob )

1-11-2

1-31-4

2-12-2

2-32-4

3-1

3-23-33-4

4-14-24-34-4


Normal QKD without Eve After Eves delay stages adjusted

Compare the average FWHM of 16 combinations:

FWHMavg.= 761 ps FWHMavg.= 779 ps

After Eve inserted, the FWHMs is practically unchanged

Attack also works via free-space link


35/36

Eves faked state generatorInstruments assessing performance of th

Collimator

Bob


36/36

how we eavesdropped 100% percent of a quantum crypto key

Documents