Title: Kvantekryptografi med fotoner i optiske fibre
1Poster on XI International Conference on Quantum
Optics in Minsk, Belarus, May 2631, 2006
Faked states attack exploiting detector
efficiency mismatch on BB84, phase-time, DPSK,
and Ekert protocols
Vadim Makarov1,2, Johannes Skaar1, and Andrey
Anisimov2
1Department of Electronics and Telecommunications,
Norwegian University of Science and
Technology, NO-7491 Trondheim, Norway 2Radiophysic
s Department, St. Petersburg State Polytechnic
University, Politechnicheskaya street 29, 195251
St. Petersburg, Russia
2Quantum key distributioncomponents of security
1. Conventional security trusted equipment
manufacturer 2. Security against quantum
attacks 3. Loopholes in optical scheme
attacks that dont deal with quantum states, but
use loopholes and imperfections in
implementation
3Faked states attack
- Conventional intercept /resend
- Faked states attack
(no alarm)
4Exploiting common imperfectiondetector gate
misalignment
BOB
5Detector gate misalignment
BOB
Laser pulse from Alice
6Detector gate misalignment
BOB
7Detector gate misalignment
BOB
8Detector gate misalignment
Example Eve measured with basis Z (90),
obtained bit 1
BOB
0
(Eve resends opposite bit 0 in opposite basis
(X), shifted in time)
9Detector gate misalignment
Example Eve measured with basis Z (90),
obtained bit 1
BOB
90
- Eves attack is not detected
- Eve obtains 100 information of the key
(Eve resends opposite bit 0 in opposite basis
(X), shifted in time)
10Partial sensitivity mismatch
Detector sensitivity
h0(t0)
h1(t1)
h0(t1)
h1(t0)
0
t0
t1
t
11A. Practical intercept-resend attack
12A. Practical intercept-resend attack
For ? ? 0.066 ( 115), QBER ? 11. Eve can
compromise security if mismatch is larger than
115
13B. General security bound
Secure key generation rate
14Security state of QKD system
15Detector model 1.Sensitivity curves
16Detector model 2.Sensitivity curves at low
photon number µ0.5
17Detector model 2.Sensitivity curves at photon
number µ500
18Detector model 2.Equivalent diagram of a single
channel
quant-ph/0511032
19Phase-time coding
New results
Y. Nambu, T. Hatanaka, and K. Nakamura, BB84
quantum key distribution system based on
silica-based planar lightwave circuits, Jap. J.
Appl. Phys. 43, L1109L1110 (2004)
Also used in W. Tittel, J. Brendel, H. Zbinden,
and N. Gisin, Quantum cryptography using
entangled photons in energy-time Bell states,
Phys. Rev. Lett. 84, 47374740 (2000)
20Phase-time codingfaked states
(assume use of gated detectors, total efficiency
mismatch)
Eves detection result.
F a k e d s t a t e
S1.
Eves output
Bob port 1
Bob port 0
S1
S2
S3
S3.
Eves output
Bob port 1
Bob port 0
S1
S2
S3
21Eves detection result.
F a k e d s t a t e
S20.
Eves output
Bob port 1
(blocked by timing)
Bob port 0
S1
S2
S3
S21.
Eves output
Bob port 1
Bob port 0
(blocked by timing)
S1
S2
S3
Note that in the case of partial efficiency
mismatch, only Eves faked states for S20 and S21
contribute to QBER. The faked states for S1 and
S3 remain error-free.
22Phase-time codingEves setup
from Alice
to Bob
23DPSK
H. Takesue, E. Diamanti, T. Honjo, C. Langrock,
M.M. Fejer, K. Inoue, and Y. Yamamoto,
Differen-tial phase shift quantum key
distribution experiment over 105 km fibre, New
J. Phys. 7, 232 (2005)
24DPSKlong, overlapping faked states
(assume total efficiency mismatch)
0
?
?
?
?
?
?
?
?
0
0
0
0
0
0
?
?
Alices output
Bob port 0
Bob port 1
1
1
0
0
1
Eves detection results
0
0
0
0
0
?
?
?
t0
0
0
Causes detections
0
0
Eves output (combined on a coupler)
0
0
0
?
?
?
?
?
?
t1
1
1
1
Causes detections
25DPSKin limit two continuous trains of pulses
from Eve
Alices output
. . .
. . .
Eves output
. . .
. . .
(We dont know yet if conditions exist under
which such a continuous faked stateis
advantageous in the case of partial efficiency
mismatch.)
NB! In this DPSK scheme, the control parameter t
Eve uses to select Bobs detector may not be
necessarily time, but e.g. wavelength (might be
useful with upconversion detectors).
26DPSKEves setup
Eve
Faked state generator no. 1
from Alice
Bob
to Bob
Coupler
Laser
IM
PM
Att
Faked state generator no. 2
Laser
IM
PM
Att
27DPSK with limited-length states
can be eavesdropped on using the methods
considered above
K. Inoue, E. Waks, and Y. Yamamoto,
Differential phase shift quantum key
distribution, Phys.Rev. Lett. 89, 037902 (2002)
Normal counting ratio ? 1 2 2 1 (used to
check for eavesdropping) .
Yet longer states in W. Buttler, J. Torgerson,
and S. Lamoreaux, New, efficient and robust,
fiber-based quantum key distribution schemes,
Phys. Lett. A 299, 3842 (2002)
28Ekert protocol
A. Ekert, Quantum cryptography based on Bells
theorem, Phys. Rev. Lett. 67, 661663 (1991)
a3
1
Correlation coefficient Key obtained from two
perfect anticorrelations Checking for
eavesdropping via CHSH quantity
a2
1
a1
EPR
b2
b3
b1
1
The next slide shows pairs of faked states to
break Ekert protocol when there is total
efficiency mismatch, and no additional consistency
checks besides checking that .
1
29A. Sent with PA 0.41 contributes equally toall
correl. coeff. 1
or
blocked by state
a1
blocked by t1
B. Sent with PB 0.59 contributes E(a1,b3)
1(and three other correl.coeff. not used in
theprotocol)
or
b3
blocked by state
blocked by t1
If only A is sent, If A and B are sent,
30Conclusion
- Detector efficiency mismatch is a problem in
manyprotocols and encodings BB84, phase-time,
DPSKalso in implementations with source of
entangled pairsplaced outside Alice and Bob
(e.g. Ekert protocol). - The worst-case mismatch must be characterized and
accounted for during privacy amplification. - Active protection measures are possible(monitorin
g of incoming pulses at Bob).