Prisoners of Their Own Device - Trojan Attacks on Device-Independent Quantum Cryptography 1201.4407

7/27/2019 Prisoners of Their Own Device - Trojan Attacks on Device-Independent Quantum Cryptography 1201.4407

1/9

arXiv:1201.4407v3

[quant-ph]31Jan2012

Prisoners of their own device: Trojan attacks on device-independent quantum

cryptography

Jonathan Barrett,1, Roger Colbeck,2, and Adrian Kent3,2,

1Department of Mathematics, Royal Holloway, University of London, Egham Hill, Egham, TW20 0EX, U.K.2Perimeter Institute for Theoretical Physics, 31 Caroline Street North, Waterloo, ON N2L 2Y5, Canada.

3Centre for Quantum Information and Foundations, DAMTP, Centre for Mathematical Sciences,University of Cambridge, Wilberforce Road, Cambridge, CB3 0WA, U.K.

(Dated: 31st

January 2012)

Device-independent quantum cryptographic schemes aim to guarantee security to users basedonly on the output statistics of any components used, and without the need to verify their internalfunctionality. Since this would protect users against untrustworthy or incompetent manufacturers,sabotage or device degradation, this idea has excited much interest, and many device-independentschemes have been proposed. We point out here a critical weakness of device-independent quantumcryptography protocols that rely on public communication between secure laboratories. Untrusteddevices may record their inputs and outputs and reveal encoded information about them in theiroutputs during later runs. Reusing devices thus compromises the security of a protocol and risksleaking secret data. Immediate solutions include securely destroying used devices, or isolating themuntil previously generated data need no longer be kept secret. However, these solutions are costlyand would impose severe constraints on the practicality of any protocol that is secure against anuntrusted supplier. We briefly consider other possible defences available in scenarios where devicereuse is restricted.

INTRODUCTION

Quantum cryptography aims to exploit the propertiesof quantum systems to ensure the security of varioustasks. The best known example is quantum key distri-bution (QKD), which can enable two parties to share asecret random string and thus exchange messages secureagainst eavesdropping, and we mostly focus on this taskfor concreteness. While all classical key distribution pro-tocols rely for their security on assumed limitations onan eavesdroppers computational power, the advantage

of quantum key distribution protocols (e.g. [1, 2]) is thatthey are provably secure against an arbitrarily powerfuleavesdropper, even in the presence of realistic levels oflosses and errors [3]. However, the security proofs requirethat quantum devices function according to particularspecifications. Any deviation which might arise from amalicious or incompetent manufacturer, or through sab-otage or degradation can introduce exploitable securityflaws (see e.g. [4] for practical illustrations).

The possibility of quantum devices with deliberatelyconcealed flaws, introduced by an untrustworthy man-ufacturer or saboteur, is particularly concerning, since(i) it is easy to design quantum devices that appear to

be following a secure protocol but are actually completelyinsecure, and (ii) there is no general technique for identi-fying all possible security loopholes in standard quantumcryptography devices. This has led to much interest indevice-independent quantum protocols [5], which aim to

Electronic address: [email protected] address: [email protected] address: [email protected]

guarantee security on the fly by testing the device out-puts: no specification of their internal functionality isrequired.

Known provably secure schemes for device-independent quantum key distribution are inefficient,as they require either independent isolated devices foreach entangled pair to ensure full device-independentsecurity [69], or a large number of entangled pairsto generate a single bit [6, 10]. Finding an efficientsecure device-independent quantum key distributionscheme using two (or few) devices has remained an

open theoretical challenge. Nonetheless, in the ab-sence of tight theoretical bounds on the scope fordevice-independent quantum cryptography, progressto date has encouraged optimism (e.g. [11]) about theprospects for device-independent QKD as a practicaltechnology, as well as for device-independent quantumrandomness expansion [1214] and other applications ofdevice-independent quantum cryptography (e.g. [15]).

However, one key question has been generally ne-glected in work to date on device-independent quantumcryptography, namely what happens if and when devicesare reused. Specifically, are device-reusing protocols com-posable i.e. do individually secure protocols of this typeremain secure when combined? It is clear that reuseof untrusted devices cannot be universally composable,i.e. such devices cannot be securely reused in an arbi-trary way. However, one might still hope that they canbe reused at least for multiple QKD implementations,with a guarantee that the generated keys can be securelyused in an arbitrary environment so long as the devicesare kept secure. We focus on this type of composabilityhere. We present below attacks that highlight pitfalls inproducing protocols that are composable (in the abovesense) with device-independent security for reusable de-
http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3http://arxiv.org/abs/1201.4407v3mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]://arxiv.org/abs/1201.4407v3


2/9

2

vices, and show that for many protocols such compos-ability fails in the strong sense that purportedly secretdata become completely insecure. One possible defence,discussed below, is not to reuse devices. However, thissolution is so costly that we query whether it is generallypractical. We thus also briefly note below other possi-ble defences, which have the drawback that they rely onfurther restricting device reuse, but nonetheless may be

useful in some scenarios and merit further investigation.It is important to stress that our results do not im-

ply that quantum key distribution per se is insecure orimpractical. In particular, our attacks do not apply tostandard QKD protocols in which the devices propertiesare fully trusted, nor to protocols in which devices aretrusted to be memoryless but other features of their op-eration are not assumed. Our target is the possibility offull device-independent quantum cryptographic security,applicable to users who purchase devices from a poten-tially sophisticated and adversarial supplier and rely onno assumption about the devices internal workings. Weshow that, without further restriction on device reuse,fully device-independent composable security is not at-tainable by any of the methods proposed thus far.

TROJAN MEMORY ATTACKS

We describe here a new type of attack on device-independent quantum cryptosystems using device mem-ories. In short, the problem is that a malicious adversarycan program devices to store data in one protocol andleak it in subsequent protocols, in ways that are hard orimpossible to counter if the devices are indeed reused.

To illustrate this, consider a device-independent

scheme that allows two users (Alice and Bob) to generateand share a purportedly secure cryptographic key. A ma-licious manufacturer can design devices so that they actas Trojan spies in Alices and Bobs secure laboratories,recording and storing all their inputs and outputs. Al-though a well designed device-independent protocol canprevent the devices from leaking information about thegenerated key during that protocol, data about these in-puts and outputs, and hence about the secure key, can beleaked, using output data discussed over a public chan-nel whenever the devices are later used. Moreover, inmany existing protocols, such leaks can be surreptitiouslyhidden in the noise. This allows the devices to operateindefinitely as Trojan spies, apparently complying withsecurity tests, but actually eventually leaking all the pur-portedly secure data.

No existing security definitions address attacks of thetype we describe. A theoretically simple way to pre-vent these attacks is to dispose of i.e. securely destroyor isolate untrusted devices after a single use. How-ever, while this toxic device disposal strategy is secureand relies only on standard cryptographic assumptions,and may conceivably be worthwhile for sufficiently highvalue data in some scenarios, it is clearly costly, and

its use would severely limit the practicality of device-independent quantum cryptography.

We proceed by introducing the device-independent sce-nario we are considering, before describing Trojan mem-ory attacks in more detail, using concrete examples ofattacks on device-independent quantum key distributionprotocols. As we explain, the attacks also apply to otherdevice-independent quantum cryptographic tasks.

Cryptographic scenario for device independent QKD

We use the standard cryptographic scenario for keydistribution between Alice and Bob, each of whom hasa secure laboratory. These laboratories may be parti-tioned into secure sub-laboratories, and we assume Aliceand Bob can prevent communication between their sub-laboratories as well as between their labs and the outsideworld, except as authorized by the protocol.

We also assume Alice and Bob each have access to (orcan generate) their own string of private random bits.

They are connected by an authenticated, but insecure,classical communication channel as well as an insecurequantum channel, and have trusted classical informa-tion processing devices in their laboratories. However,all quantum devices they use for the protocol are as-sumed to be supplied by an untrusted adversary, Eve.These devices effectively function as black boxes for Al-ice and Bob, receiving classical inputs from them and re-turning classical outputs. Eve has access to the classicaland quantum communication channels between Alicesand Bobs laboratories, and complete knowledge of theprotocol. She cannot directly eavesdrop on the classicalrandom data that Alice and Bob generate within theirlabs and use for the protocol, but she may be able todeduce information about those data from their publiccommunications.

Trojan memory attacks on two-device QKD

protocols

The device-independent QKD protocols that have beenproven unconditionally secure [6, 8, 9] require separatedevices for each measurement performed by Alice andBob. The reason is that in addition to the usual as-sumption that no signals can pass from Alices or Bobsdevices directly to Eve the security proofs need to as-sume that no signals can be sent between the separatedevices that Alice is using to measure each of her parti-cles, and similarly for Bob. Within the scenario set outabove, this can be achieved by having each device isolatedin a separate sub-laboratory. The protocols in [8, 9] cantolerate reasonable levels of noise and would be consid-ered efficient at generating secure keys, were it not forthe requirement of many devices and sub-laboratories.

For practical device-independent QKD, though, Aliceand Bob should only use a small number of devices. We


3/9

3

look first at implementations of protocols that are of theform of those in [8, 9], except that Alice and Bob useone device each, i.e., Alice (Bob) uses the same device toperform each of her (his) measurements. (Bob may alsohave a separate isolated source device: see below.) Thememory of a device can then act as a signal from earlierto later measurements, hence the security proofs of [8, 9]do not apply (see also [16] where a different two-device

setup is discussed). It is an open question whether asecure key can be efficiently generated by protocols of thistype in this scenario. Here we demonstrate that even ifa key can be securely generated, repeat implementationsof the protocol using the same devices render an earliergenerated key insecure.

We first consider QKD protocols with the followingstandard structure. Although this structure is poten-tially restrictive, most protocols to date are of this form(we later discuss modifications). Note that we do notneed to specify the precise sub-protocols used for errorcorrection or privacy amplification.

1. Entangled quantum states used in the protocol areeither supplied to Alice and Bob by Eve, or gen-erated by a device Bob holds (which is separateand kept isolated from his measurement device)and then shared over an insecure quantum channelwith Alices device. Once the states are received,the quantum channel is closed.

2. Alice and Bob each pick a random input Ai and Bito their device, ensuring they receive an output bit(Xi and Yi respectively) before making the nextinput (so that the i-th output cannot depend onfuture inputs). They repeat this M times.

3. Either Alice or Bob (or both) publicly announcestheir measurement choices, and the relevant partychecks that they had a sufficient number of suitableinput combinations for the protocol. If not, theyabort.

4. (Sifting.) Some output pairs may be discarded ac-cording to some public protocol.

5. (Parameter estimation.) Alice randomly and in-dependently decides whether to announce each re-maining bit to Bob, doing so with probability (where M 1). Bob uses the communicated bitsand his corresponding outputs to compute sometest function, and aborts if it lies outside a de-sired range. (For example, Bob might compute theCHSH value [17] of the announced data, and abortif it is below 2.5.)

6. (Error correction.) Alice and Bob perform errorcorrection using public discussion, in order to (withhigh probability) generate identical strings. Evelearns the error correction function Alice applies toher string.

7. (Privacy amplification.) Alice and Bob publiclyperform privacy amplification [18], producing ashorter shared string about which Eve has virtuallyno information. Eve similarly learns the privacyamplification function they apply to their error-corrected strings.

Consider now a scenario in which a protocol of thistype is run on day 1, generating a secure key for Aliceand Bob, while informing Eve of the functions used byAlice for error correction and privacy amplification (forsimplicity we assume their protocol has no sifting pro-cedure (Step 4)). The protocol is then rerun on day 2,to generate a second key, using the same devices. Evecan instruct the devices to proceed as follows. On day 1,they follow the protocol honestly. However, they keephidden records of all the raw bits they generate duringthe protocol. At the end of day 1, Eve knows the errorcorrection and privacy amplification functions used byAlice and Bob to generate the secure key.

On day 2, since Eve either distributes a new set ofquantum states to Alice and Bob, or else has access to

the insecure quantum channel over which they are dis-tributed, she can surreptitiously modulate these quan-tum states to carry new classical instructions to the de-vice in Alices lab. These instructions tell the device theerror correction and privacy amplification functions usedon day 1, allowing the device to compute the secret keygenerated on day 1. They also tell the device to deviatefrom the honest protocol for randomly selected inputs,by producing as outputs specified bits from this secretkey. (For example, for input 17, give day 1s key bit 5as output.) If any of these selected outputs are amongthose announced in Step 5, Eve learns the correspondingbits of day 1s secret key. We call this type of attack, in

which Eve attempts to gain information from the classicalmessages sent in Step 5, a parameter estimation attack.Furthermore, if she follows this cheating strategy for

N 1 < M input bits, Eve is likely to learn roughly Nbits of day 1s secret key. Moreover, only the roughly Noutput pairs from this set that are publicly compared giveAlice and Bob statistical information about Eves cheat-ing. Alice and Bob cannot a priori identify these cheatingoutput pairs among the M they compare. Thus, ifthe tolerable noise level is comparable to N 1M1, Evecan (with high probability) mask her cheating as noise.(Note that in unconditional security proofs it is gener-ally assumed that eavesdropping is the cause of all noise.Even if in practice Eve cannot reduce the noise to zero,she can supply less noisy components than she claims anduse the extra tolerable noise to cheat).

Even in the hypothetical case where Alice and Bobhave noise-free devices, so that their protocol can abortat any perceivable noise level, Eve learns at least one bitof day 1s string before her cheating is detected on day 2.Note that standard security definitions aim to protectevery bit of Alices and Bobs key from an adversary.Although this may seem an unduly strong requirement(particularly in the case of very long generated strings),


4/9

4

there are many practical scenarios in which leaking a sin-gle bit can be detrimental.

Note that we assumed in Step 1 of the protocol that inthe case where Bob (rather than Eve) supplies the states,he does so using a device that is isolated from his mea-surement device. This is crucial: if Bob has only a singledevice that both supplies states and performs measure-ments, then his device can hide information about day 1s

raw key in the states he sends on day 2. (This can bedone using states of the form specified in the protocol,masking the errors created as noise as above. Alterna-tively, the data could be encoded in the timings of thesignals or in quantum degrees of freedom not used in theprotocol.)

Attacks on modified protocols

The security loopholes discussed above can be partlyclosed by redesigning QKD protocols so that all quan-tum data and all public communication of output data

in the protocol come from one party, say Bob. Thus, theentangled states used in the protocol are generated by aseparate isolated device held by Bob (as allowed above)and Bob (rather than Alice) sends selected output dataover a public channel in Step 5. If Bobs device is foreverkept isolated from incoming communication, Eve has noway of sending it instructions to calculate and leak secretkey bits from day 1 (or any later day).

Even protocols modified in this way are insecure ifreused, however. Eve can still communicate with Alicesdevice, and Alice needs to be able to make some publiccommunication to Bob, if only to abort the protocol. Evecan thus obtain at least one secret key bit from day 1 on

day 2 by programming Alices device to abort or not de-pending on a particular bit value (we call this an abortattack). Alternatively, in a modified parameter estima-tion attack, Eve can pre-program Bobs device to leakraw key data from day 1 via output data on subsequentdays, at a low enough rate (compared to the backgroundnoise level) that this cheating is unlikely to be detected.If the actual noise level is lower than the level toleratedin the protocol, and Eve knows both (a possibility Aliceand Bob must allow for), she can thereby eventually ob-tain all Bobs raw key data from day 1, and hence thesecret key.

One way of temporarily countering device memory at-tacks is for Alice and Bob to share a small initial secretkey and to use part of this key to choose the privacy am-plification function in Step 7 of the protocol, which maythen never become known to Eve. However, even in thiscase, Eve can pre-program Bobs measurement device toleak raw data from day 1 on subsequent days. WhileEve cannot obtain bits of the secret key so directly inthis case, provided the protocol is composed sufficientlymany times, she can eventually obtain all the raw key.This means that Alice and Bobs residual security ulti-mately derives only from the initial shared secret key:

their QKD protocol produces no extra permanently se-cure data.

A second interesting possible counter-measure [19] isto encrypt the parameter estimation information sentin Step 5 with some initial pre-shared seed randomness.Provided the amount required is small compared to thesize of final string generated (which is the case in manyprotocols), the protocol then performs key expansion.1

Furthermore, even without initial shared key, Alice andBob could communicate the parameter estimation infor-mation unencrypted on day 1, but encrypt it on subse-quent days using generated key.

Note, however, that this counter-measure is not ef-fective in general cryptographic environments involvingcommunication with multiple users who may not all betrustworthy. Suppose that Alice wants to share key withBob on day 1, but with Charlie on day 2. If Charliebecomes corrupted by Eve, then, for example by hidingdata in the parameter estimation, Eve can learn aboutday 1s key. There are clearly scenarios, in which (naive)users might wish to use device-independent QKD, wherethis attack applies. For example, suppose Alice is a mer-chant and Bob is a customer who needs to communicatehis credit card number to Alice via QKD to complete thesale. The next day, Eve can pose as a customer, carry outher own QKD exchange with Alice, and extract informa-tion about Bobs card number without being detected.

Finally, note that Alices and Bobs devices each sepa-rately have the power to cause the protocol to abort onany day of their choice. Thus if Eve is willing to waitlong enough she can program them to communicatesome or all information about their day 1 raw outputs,for instance by encoding the relevant bits as a binary inte-ger N = b1 . . . bm and choosing to abort on day (N + 2).This version of the abort attack seems unavoidable in

any standard cryptographic model requiring composabil-ity and allowing arbitrarily many device reuses. Compos-ability requires that any data about the key generated onday n can be revealed to Eve without giving her any in-formation about the keys generated on other days. Inparticular, it requires that Eve should not be able to in-fer information about other keys from the generated keylength on day n. However, under an abort attack, Evecan infer information about the day 1 key from the factthat the day (N + 2) key has length zero (due to a day(N + 2) abort).2

To reiterate, the essential point is that if devices re-

1 QKD is often referred to as quantum key expansion in any case,taking into account that a common method of authenticating theclassical channel uses pre-shared randomness.

2 In practice, Eve might infer a day (N+2) abort from the fact thatAlice and Bob have no secret key available on day (N+2), whichin many scenarios might detectably affect their behaviour thenor subsequently. Note too that she might alternatively programthe devices to abort on every day from (N + 2) onwards if thismade N more easily inferrable in practice.


5/9

5

tain secret data, using those devices in future protocolsthat involve public communication compromises security,even if the relevant communication only consists of anabort decision. Although we have considered two-deviceQKD protocols so far, the Trojan device memory attackswe describe apply far more generally. We illustrate theirapplication to some well-known multi-device QKD pro-tocols and to quantum randomness expansion protocols

in the Appendix.

Toxic device disposal

As noted above, standard cryptographic models pos-tulate that the parties can create secure laboratories,within which all operations are shielded from eavesdrop-ping. Device-independent quantum cryptographic mod-els also necessarily assume that devices within these lab-

oratories cannot signal to the outside otherwise secu-rity is clearly impossible. Multi-device protocols assumethat the laboratories can be divided into effectively iso-lated sub-laboratories, and that devices in separate sub-laboratories cannot communicate. In other words, Aliceand Bob must be able to build arbitrary configurationsof screening walls, which prevent communication amongEve and any of her devices, and allow only communica-tions specified by Alice and Bob.

Given this, there is no problem in principle in definingprotocols which prescribe that devices must be perma-nently isolated: the devices simply need to be left indef-initely in a screened sub-laboratory. While this could be

detached from the main working laboratory, it must beprotected indefinitely: screening wall material and securespace thus become consumed resources. And indeed insome situations, it may be more efficient to isolate de-vices, rather than securely destroy them, since devicescan be reused once the secrets they know have becomepublic by other means. For example, one may wish tosecurely communicate the result of an election before an-nouncing it, but once it is public, the devices used forthis secure communication could be safely reused.

The alternative, securely destroying devices and theneliminating them from the laboratory, preserves labora-tory space but raises new security issues: consider, for ex-

ample, the problems in disposing of a device programmedto change its chemical composition depending on its out-put bit.

That said, no doubt there are pretty secure ways ofdestroying devices, and no doubt devices could be se-curely isolated for long periods. However, the costs andproblems involved, together with the costs of renewingdevices, make us query whether these are really viablepaths for practical device-independent quantum cryptog-raphy.

DISCUSSION

A malicious manufacturer who wishes to mislead usersor obtain data from them can equip devices with a mem-ory and use it in programming them. The full scope ofthis threat seems to have been overlooked in the liter-ature on device-independent quantum cryptography todate. A task is potentially vulnerable to our attacks if

it involves secret data generated by devices and if Evecan learn some function of the device outputs in a sub-sequent protocol. Since even causing a protocol to abortcommunicates some information to Eve, the class of taskspotentially affected is large indeed. In particular, for oneof the most important applications, QKD, none of theprotocols so far proposed remain composably secure inthe case that the devices are supplied by a malicious ad-versary.

One can think of the problems our attacks raise asa new issue of cryptographic composability. One wayof thinking of standard composability is that a secureoutput from a protocol must still have all the proper-

ties of an ideal secure output when combined with otheroutputs from the same or other protocols. The device-independent key distribution protocols examined abovefail this test because the reuse of Trojan devices can causelater outputs to depend on earlier ones. In a sense, theunderlying problem is that the usage of devices is notcomposably secure. This applies too, of course, for de-vices used in different protocols: devices used for securerandomness expansion cannot then securely be used forkey distribution without potentially compromising thegenerated randomness, for example.

It is worth reiterating that our attacks do not applyagainst protocols where the devices are trusted to be

memoryless. Indeed, there are schemes that are com-posably secure for memoryless devices [8, 9].We also stress that our attacks do not apply to all

device-independent quantum tasks related to cryptogra-phy. For example, even devices with memories cannotmimic nonlocal correlations in the absence of shared en-tanglement [20, 21], and so device-independent entan-glement testing remains viable. In addition, in applica-tions that require only short-lived secrets, devices may bereused once such secrets are no longer required. Partiallysecure device-independent protocols for bit commitmentand coin tossing [15], in which the committer supplies de-vices to the recipient, are also immune from our attacks,so long as the only data entering the devices come fromthe committer.

Note too that, while the abort attacks described aboveapply when protocols are repeated arbitrarily often, inpractice the number of uses required to apply the at-tacks may be extremely large. One can imagine a sce-nario in which Alice and Bob want to carry out device-independent QKD no more than a fixed number n times,each is confident in the others trustworthiness through-out, the devices are used for no other purpose and de-stroyed after n rounds, and key generation is suspended


6/9

6

and the devices destroyed if a single abort occurs. Ifthe only relevant information conveyed to Eve is that anabort occurs on day m n, she can only learn at mostlog n bits of information about the raw key via an abortattack. Hence one might hope that, using suitable addi-tional privacy amplification, Alice and Bob could producea device-independent protocol provably secure when re-stricted to no more than n bilateral uses. It would be

interesting to analyse this possibility, which if provablysecure holds out the hope of restricted but still poten-tially useful practical application.

In summary, we have used Trojan memory-based at-tacks to show that quantum key distribution protocols ofthe types considered to date cannot be both fully device-independent and composably secure when repeated ar-bitrarily often using the same devices. We have alsodiscussed some possible partial defences and counter-measures against Trojan attacks. Many interesting ques-tions remain open. Nonetheless, in our view, the attacks

we have described merit a serious reappraisal of the prac-tical possibilities of quantum cryptography using (com-pletely) untrusted devices.

Acknowledgements

We thank Anthony Leverrier and Gonzalo de la Torrefor [19] and Llus Masanes and Stefano Pironio for help-ful comments. AK was partially supported by a Lever-hulme Research Fellowship, a grant from the John Tem-pleton Foundation, and the EU Quantum Computer Sci-ence project (contract 255961). This work was supportedby the CHIST-ERA DIQIP project. Research at Perime-ter Institute is supported by the Government of Canadathrough Industry Canada and by the Province of Ontariothrough the Ministry of Research and Innovation.

[1] Bennett, C. H. & Brassard, G. Quantum cryptography:Public key distribution and coin tossing. In Proceedingsof IEEE International Conference on Computers, Sys-tems, and Signal Processing, 175179 (New York, 1984).

[2] Ekert, A. K. Quantum cryptography based on Bells the-orem. Physical Review Letters 67, 661663 (1991).

[3] Renner, R. Security of Quantum Key Distribution. Ph.D.thesis, Swiss Federal Institute of Technology, Zurich(2005). Also available as quant-ph/0512258.

[4] Gerhardt, I. et al. Full-field implementation of a perfecteavesdropper on a quantum cryptography system. NatureCommunications 2, 349 (2011).

[5] Mayers, D. & Yao, A. Quantum cryptography with im-

perfect apparatus. In Proceedings of the 39th AnnualSymposium on Foundations of Computer Science (FOCS-98), 503509 (IEEE Computer Society, Los Alamitos,CA, USA, 1998).

[6] Barrett, J., Hardy, L. & Kent, A. No signalling andquantum key distribution. Physical Review Letters 95,010503 (2005).

[7] Masanes, L., Renner, R., Christandl, M., Winter, A. &Barrett, J. Unconditional security of key distributionfrom causality constraints. e-print quant-ph/0606049v4(2009).

[8] Hanggi, E. & Renner, R. Device-independent quantumkey distribution with commuting measurements. e-printarXiv:1009.1833 (2010).

[9] Masanes, L., Pironio, S. & Acn, A. Secure device-

independent quantum key distribution with causally in-dependent measurement devices. Nature Communica-tions 2, 238 (2011).

[10] Barrett, J., Colbeck, R. & Kent, A., in preparation(2012).

[11] Ekert, A. Less reality, more security. Physics WorldSeptember (2009).

[12] Colbeck, R. Quantum and Relativistic Protocols For Se-cure Multi-Party Computation. Ph.D. thesis, Universityof Cambridge (2007). Also available as arXiv:0911.3814 .

[13] Colbeck, R. & Kent, A. Private randomness expansion

with untrusted devices. Journal of Physics A 44, 095305(2011).

[14] Pironio, S. et al. Random numbers certified by Bellstheorem. Nature 464, 10211024 (2010).

[15] Silman, J. et al. Fully distrustful quantum bit commit-ment and coin flipping. Physical Review Letters 106,220501 (2011).

[16] Hanggi, E., Renner, R. & Wolf, S. The impossi-bility of non-signalling privacy amplification. e-printarXiv:0906.4760 (2009).

[17] Clauser, J. F., Horne, M. A., Shimony, A. & Holt, R. A.Proposed experiment to test local hidden-variable theo-ries. Physical Review Letters 23, 880884 (1969).

[18] Bennett, C. H., Brassard, G. & Robert, J.-M. Privacyamplification by public discussion. SIAM Journal onComputing 17, 210229 (1988).

[19] de la Torre, G. & Leverrier, A. Private communication(2012).

[20] Barrett, J., Collins, D., Hardy, L., Kent, A. & Popescu, S.Quantum nonlocality, Bell inequalities, and the memoryloophole. Physical Review A 66, 042111 (2002).

[21] Gill, R. D. Accardi contra Bell (cum mundi): The impos-sible coupling. In Moore, M., Froda, S. & Leger, C. (eds.)Mathematical Statistics and Applications: Festschrift forConstance van Eeden, vol. 42 of IMS Lecture Notes Monograph Series, 133154 (2003).

[22] Fehr, S., Gelles, R. & Schaffner, C. Security and compos-ability of randomness expansion from Bell inequalities.

e-print arXiv:1111.6052 (2011).[23] Vidick, T. & Vazirani, U. Certifiable quantum dice

or, testable exponential randomness expansion. e-printarXiv:1111.6054 (2011).

[24] Pironio, S. & Massar, S. Device-independent randomnessexpansion secure against quantum adversaries. e-printarXiv:1111.6056 (2011).
http://localhost/var/www/apps/conversion/tmp/scratch_6/quant-ph/0512258http://localhost/var/www/apps/conversion/tmp/scratch_6/quant-ph/0512258http://localhost/var/www/apps/conversion/tmp/scratch_6/quant-ph/0606049v4http://localhost/var/www/apps/conversion/tmp/scratch_6/quant-ph/0606049v4http://localhost/var/www/apps/conversion/tmp/scratch_6/quant-ph/0512258


7/9

7

APPENDIX

TROJAN MEMORY ATTACKS ON

MULTI-DEVICE QKD PROTOCOLS

To illustrate further the generality of our attacks, wenow turn to multi-device protocols, and show how tobreak iterated versions of two well known protocols.

Attacks on compositions of the BHK protocol

The Barrett-Hardy-Kent (BHK) protocol [6] requiresAlice and Bob to share M N2 pairs of systems (whereM and N are both large with M N), in such away that no measurements on any subset can effectivelysignal to the others. In a device-independent scenario,we can think of these as black box devices supplied byEve, containing states also supplied by Eve. Each de-vice is isolated within its own sub-laboratory of Alicesand Bobs, so that Alice and Bob have MN2 secure sub-

laboratories each. The devices accept integer inputs inthe range {0, . . . , N 1} and produce integer outputs inthe range {0, 1}. Alice and Bob choose random indepen-dent inputs, which they make public after obtaining allthe outputs. They also publicly compare all their outputsexcept for those corresponding to one pair randomly cho-sen from among those in which the inputs differ by 1or 0 modulo N. If the publicly declared outputs agreewith quantum statistics for specified measurement basischoices (corresponding to the inputs) on a singlet state,then they accept the protocol as secure, and take thefinal undeclared outputs (which are almost certainly an-ticorrelated) to define their shared secret bit.

The BHK protocol produces (with high probability)precisely one secret bit: evidently, it is extremely inef-ficient in terms of the number of devices required. Italso requires essentially noise-free channels and error-free measurements. Despite these impracticalities it il-lustrates our theoretical point well. Suppose that Aliceand Bob successfully complete a run of the BHK protocoland then (unauthorised by BHK) decide to use the same2MN2 devices to generate a second secret bit, and askEve to supply a second batch of states to allow them todo this.

Eve aware in advance that the devices may bereused can design them to function as follows. Inthe first run of the protocol, she supplies a singlet pairto each pair of devices and the devices function honestly,carrying out the appropriate quantum measurements ontheir singlets and reporting the outcomes as their out-puts. However, they also store in memory their inputsand outputs. In the second run, Eve supplies a freshbatch of singlet pairs. However, she also supplies a hid-den classical signal identifying the particular pair of de-vices that generated the first secret bit. (This signal needgo to just one of this pair of devices, and no others.) Onthe second run, the identified device produces as output

the same output that it produced on the first run (i.e. thesecret bit generated, up to a sign convention known toEve). All other devices function honestly on the secondrun.

With probability MN21

MN2, the output from the cheating

device on the second run will be made public, thus reveal-ing the first secret bit to Eve. Moreover, with probability1 3

2N+ O(N2), this cheating will not be detected by

Alice and Bobs tests, so that Eve learns the first secretbit without her cheating even being noticed.

There are defences against this specific attack. First,the BHK protocol [6] can be modified so that only out-puts corresponding to inputs differing by 1 or 0 arepublicly shared.3 While this causes Eve to wait manyrounds for the secret bit to be leaked, and increases therisk her cheating will be detected, it leaves the iteratedprotocol insecure. Second, Alice and Bob could securelydestroy or isolate the devices producing the secret keybit outputs, and reuse all their other devices in a secondimplementation. Since only the devices generating thesecret key bit have information about it, this prevents it

from being later leaked. While effective, this last defencereally reflects the inefficiency of the BHK protocol: to il-lustrate this, we turn next to a more efficient multi-deviceprotocol.

Attacks on compositions of the HR protocol

Hanggi and Renner (HR) [8] consider a multi-deviceQKD protocol related to the Ekert [2] protocol, in whichAlice and Bob randomly and independently choose one oftwo or three inputs respectively for each of their devices.If the devices are functioning honestly, these correspond

to measurements of a shared singlet in the bases U0, U1(Alice) and V0, V1, V2 (Bob), defined by the following vec-tors and their orthogonal complements

U1 |0 ,

V0 cos(/8)|0 + sin(/8)|1 ,

U0, V2 cos(/4)|0 + sin(/4)|1 ,

V1 cos(3/8)|0 + sin(3/8)|1 .

The raw key on any given run is defined by the 1/6of the cases in which U0 and V2 are chosen. Informationreconciliation and privacy amplification proceed accord-ing to protocols of the type described in the main text

(in which the functions used are released publicly).Evidently, our attacks apply here too if (unauthorised

by HR) the devices are reused to generate further secretkeys. Eve can identify the devices that generate the raw

3 As originally presented, the BHK protocol requires public ex-change of all outputs except those defining the secret key bit.This is unnecessary, and makes iterated implementations muchmore vulnerable to the attacks discussed here.


8/9

8

key on day 1, and request them to release their key ascheating outputs on later days, gradually enough that thecheating will be lost in the noise. Since the informationreconciliation and privacy amplification hash functionswere made public by Alice, she can then obtain the se-cret key. Even if she is unable to communicate directlywith the devices for a long time (because they were pre-installed with a very large reservoir of singlets), she can

program all devices to gradually release their day 1 out-puts over subsequent days, and so can still deduce theraw and secret keys.

Alice and Bob could counter these attacks by securelydestroying or isolating all the devices that generated rawkey on day 1 but this costs them 1/6 of their devices,and they have to apply this strategy each time they gen-erate a key, leaving (5/6)N of the devices after N runs,and leaving them able to generate shorter and shorterkeys. As the length of secure key generated scales by(5/6)N (or worse, allowing for fluctuations due to noise)on each run, the total secret key generated is boundedby 6M, where M is the secret key length generated on

day 1.Note that, as in the case of the iterated BHK proto-col, all devices that generate secret key become toxic andcannot be reused. While the relative efficiency of the HRprotocol ensures a (much) faster secret key rate, it alsorequires an equally fast device depletion rate. This ex-ample shows that our attacks pose a generic problem fordevice-independent QKD protocols of the types consid-ered to date.

ATTACKS ON DEVICE-INDEPENDENT

RANDOMNESS EXPANSION PROTOCOLS

Device-independent quantum randomness expansion(DVI QRE) protocols were introduced by two of us [12,13], developed further theoretically and investigated ex-perimentally in [14], and recently extended further withreported unconditional security proofs [2224]. The cryp-tographic scenario here is slightly different from that ofkey distribution in that there is only one honest party,Alice.

Alices aim is to expand an initial secret random stringto a longer one that is guaranteed secret from an eaves-dropper, Eve, even if the quantum devices and statesused are supplied by Eve. The essential idea is that seedrandomness can be used to carry out nonlocality tests onthe devices and states, within one or more secure labora-tories, in a way that guarantees (with numerical bounds)that the outcomes generate a partially secret and ran-dom string. Privacy amplification can then be used togenerate an essentially fully secret random string, which(provided the tests are passed) is significantly longer thanthe initial seed.

There are already known pitfalls in designing such pro-tocols. For example, although one might think that car-rying out a protocol in a single secure laboratory guaran-

tees that the initially secure seed string remains secure,and so guarantees randomness expansion if any new se-cret random data is generated, this is not the case [13].Eves devices may be programmed to produce outputs de-pending on the random seed in such a way that the lengthof the final secret random string depends on the initialseed. Protocols with this vulnerability are not compos-ably secure. (To see this can be a practical problem, note

that Eve may infer the length of the generated secret ran-dom string from its use.)

A corollary of our results is that, if one wants to reusethe devices to generate further randomness, it is crucialto carry out DVI QRE protocols with devices perma-nently held within a single secure laboratory, avoidingany public communication of device output data at anystage. It is crucial too that the devices themselves are se-curely isolated from classical communications and com-putations within the laboratory, to prevent them fromlearning details of the reconciliation and privacy amplifi-cation.

Even under these stringent conditions, our attacks still

apply in principle. For example, consider a noise-tolerantprotocol that produces a secret random output string ofvariable length, depending on the values of test functionsof the device outputs (the analogue of QKD parameterestimation for QRE) that measure how far the deviceoutputs deviate from ideal honest outputs. This mightseem natural for any single run, since if the devices arenever reused the length of the provably secret randomstring that can be generated does indeed depend on thevalue of a suitable test function. However, iterating sucha protocol allows the devices to leak information about(at least) their raw outputs on the first run by generatingartificial noise in later rounds, with the level of extranoise chosen to depend suitably on the output values.Such noise statistically affects the length of the outputrandom strings on later rounds.

In this way, suitably programmed devices could ulti-mately allow Eve to infer all the raw outputs from thefirst round, given observation of the key string lengthscreated in later rounds. This makes the round one QREinsecure, since given the raw outputs for round one, andknowing the protocol, Eve knows all information aboutthe output random string for round one, except that de-termined by the secret random seed.

One defence against this would be to fix a length L forthe random string generated corresponding to a maxi-mum acceptable noise level, and then to employ the Pro-

crustean tactic of always reducing the string generatedto length L, regardless of the measured noise level.

Even then, though, unless some restriction is placed onthe number of uses, the abort attack on QKD protocolsdescribed in the main text also applies here. The deviceshave the power to cause the protocol to abort on anyround of their choice, and so if she is willing to waitlong enough Eve can program them to communicateany or all information about their round 1 raw outputsby choosing the round on which they cause an abort.


9/9

9

Finally, it is worth noting that there are many scenar-ios in which one only needs short-lived randomness, forexample, in many gambling applications, bets are oftenplaced about random data that are later made public.

In such scenarios, once such random data have been re-vealed, the devices could be reused without our attackspresenting any problem.

Prisoners of Their Own Device - Trojan Attacks on Device-Independent Quantum Cryptography 1201.4407

Documents

Transcript of Prisoners of Their Own Device - Trojan Attacks on Device-Independent Quantum Cryptography 1201.4407