Universitat Politecnica de Catalunya

SSI Project Report

Quantum Cryptography andPossible Attacks

Author:Arinto MurdopoIoanna TsalouchidouMaria Stylianou

Supervisor:Jordi Linares

December 20, 2011

Contents

1 Introduction to Quantum Cryptography 11.1 Why Quantum Cryptography . . . . . . . . . . . . . . . . . . 11.2 Theoretical Background . . . . . . . . . . . . . . . . . . . . . 2

1.2.1 Photon Polarization . . . . . . . . . . . . . . . . . . . 21.2.2 Quantum Superposition . . . . . . . . . . . . . . . . . 31.2.3 Heisenberg Uncertainty Principle (HUP) . . . . . . . . 41.2.4 Quantum Entanglement . . . . . . . . . . . . . . . . . 4

1.3 Historical Background . . . . . . . . . . . . . . . . . . . . . . 41.4 Report Structure . . . . . . . . . . . . . . . . . . . . . . . . . 5

2 Quantum Key Distribution - BB84 Protocol 52.1 General Description . . . . . . . . . . . . . . . . . . . . . . . 52.2 More Detailed Description . . . . . . . . . . . . . . . . . . . . 6

2.2.1 Step 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 62.2.2 Step 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 72.2.3 Step 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.2.4 Step 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . 92.2.5 Step 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3 Attack on Quantum Key Distribution Systems 113.1 Easily Solvable Vulnerabilites . . . . . . . . . . . . . . . . . . 11

3.1.1 Photon Number Attack . . . . . . . . . . . . . . . . . 113.1.2 Spectral Attack . . . . . . . . . . . . . . . . . . . . . . 113.1.3 Random Numbers . . . . . . . . . . . . . . . . . . . . 12

3.2 Non-solvable Vulnerability: Faked - State Attack . . . . . . . 143.2.1 Practical Implementation . . . . . . . . . . . . . . . . 163.2.2 Putting Them All Together . . . . . . . . . . . . . . . 233.2.3 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . 23

4 Conclusion 24

i

List of Figures

1 Behaviour of a photon. Vertical and Horizontal polarizationon the left. -45 and +45 degrees polarization on the right. . . 2

2 Polarizing Beam Splitter . . . . . . . . . . . . . . . . . . . . . 33 Results of measurement of polarized photon . . . . . . . . . . 34 BB84 Protocol Outline . . . . . . . . . . . . . . . . . . . . . . 65 Photon Source in Alice’s BB84 equipment . . . . . . . . . . . 76 Bob’s Detector . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Summary of Step 1 and Step 2 (Polarization Measurement) . 98 Error Detection and Correction in QKD . . . . . . . . . . . . 109 Privacy Amplification in QKD . . . . . . . . . . . . . . . . . 1110 Difference in Spectral Intensity in Spectral Attack . . . . . . 1211 Entangled Photon Source . . . . . . . . . . . . . . . . . . . . 1312 BB84 with Photon Pairs . . . . . . . . . . . . . . . . . . . . . 1413 General Scheme of Faked-State Attack . . . . . . . . . . . . . 1514 Replica of Bob’s Receiver . . . . . . . . . . . . . . . . . . . . 1615 SPAD Component . . . . . . . . . . . . . . . . . . . . . . . . 1716 SPAD Circuit Diagram . . . . . . . . . . . . . . . . . . . . . . 1717 SPAD Working Mode . . . . . . . . . . . . . . . . . . . . . . 1818 SPAD Characteristics Under Illumination . . . . . . . . . . . 1819 SPAD Circuit Diagram with Light Applied on It . . . . . . . 1920 SPAD Electric Circuit Characteristics Under Bright Illumi-

nation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1921 Replicating Click on Bob’s actual detector . . . . . . . . . . . 2022 Linear Mode Characteristics of SPAD . . . . . . . . . . . . . 2123 Fake-State Generator and Pulse Intensity . . . . . . . . . . . 2224 Putting Them All Together . . . . . . . . . . . . . . . . . . . 23

ii

List of Tables

1 Result of Replicating State Result in Bob’s Detector . . . . . 23

iii

1 Introduction to Quantum Cryptography

Quantum Cryptography[1, 2, 3] is described as a set of quantum mechanicaleffects used to perform cryptographic functionalities and to break crypto-graphic systems. The widely known example of quantum cryptography isthe Quantum Key Distribution which is described in detail in this report.For a start, we should explain how quantum cryptography resulted, underwhat circumstances and why.

1.1 Why Quantum Cryptography

Cryptography is the study of information security for the purposes of securecommunication and transmission of data. The objective of cryptographyis to transform readable data into unreadable, transmit it across insecurenetworks - like Internet - and re-transform it into readable again when it isreceived by the intended recipient.

Two wide-known techniques[4] have been developed and applied so farfor achieving secure communication; the symmetric-key and the asymmetric-key encryption. In symmetric-key algorithms, a party – let’s say Alice – usesa secret key to encrypt the message to be sent and the receiving party – let’ssay Bob – uses the same secret key to decrypt the message. The barrier insuch algorithms is to find a secure way to share the secret key between thetwo parties, without allowing a third party – for example Eve – to read thiskey.

In asymmetric-key algorithms, each party has its own pair of public andsecret key. When Alice wants to send a message to Bob, she encrypts themessage with Bob’s public key and Bob is the only one who can decrypt itwith the use of his secret key. These algorithms base their current ”success”in hardware limitations on finding the prime factors of very large numbers.Considering the rapid evolution of technology it is expected to have, sooneror later, either an algorithm that speeds factorization or a new generationwith quantum computers. This would be a disaster for the security of ourpersonal data and for the way we, nowadays, use the Internet.

It was an urge to find another way for keeping the communication anddata secure. Quantum Cryptography emerged to help in the symmetric-key encryption and particularly in the secure key transfer between the twoparties. Quantum cryptography is said to be flawless as it relies on physics– and more specifically on the laws of quantum mechanics – for detectingany attempt at eavesdropping from a third party.

It is shown that having a good theoretical model based on physics lawsis not enough. Hardware has a key - role in security as well. In this study,we focus on a quantum key distribution protocol, called BB84, which iseventually seemed to be not as flawless as it is firstly stated.

1

1.2 Theoretical Background

As it is stated above, quantum cryptography is used to solve the ”key dis-tribution problem” appeared in the symmetric encryption. This techniqueexcels the classic ones, since it does not employ any mathematical techniquesnor it depends on the weakness of current computers to calculate the desiredbig numbers. It is simply based on quantum theory to send and receive in-formation by physical means - for example photons in optical fibres - and toensure confidentiality of information.

In physics, a quantum refers to the minimum amount of any physical en-tity. A photon is a single quantum of light and its properties are exploitedfor the sake of quantum cryptography. In this section the most importantprinciples of quantum mechanics are given in order to understand how se-curity is combined with laws of physics.

1.2.1 Photon Polarization

Photon polarization[5, 4] is the way to describe a photon. A photon canbe polarized in three different bases of polarization, resulting differently ineach base. The three bases are:

1. Rectilinear base with possible results: horizontal or vertical

2. Diagonal base with possible results: +45 or -45 degrees

3. Circular base with possible results: left-circular or right-circular

And among those three that are mentioned above, only the first two basesare used in quantum cryptography.

The different behaviours of a photon with the use of rectilinear anddiagonal base are shown in the Figure 1, while in the Figure 2, a PolarizingBeam Splitter is given. This Polarizing Beam Splitter receives a beam oflight and splits it into two; half of it is transmitted and half of it is reflected.Since the photon is the minimum amount of light, it cannot be splitted.Therefore, when it arrives at the splitter, it is either transmitted or reflected.

Figure 1: Behaviour of a photon. Vertical and Horizontal polarization onthe left. -45 and +45 degrees polarization on the right.

2

Figure 2: Polarizing Beam Splitter

The following fundamental principles of quantum mechanics apply forall quantum objects and in our case in terms of photons.

1.2.2 Quantum Superposition

Quantum Superposition is a principle stating that a photon can exist inall its possible states simultaneously. However, when it comes to measurethe photon, the result corresponds to the configuration given. Consideringthe bases listed before, a photon can take whichever result, but when aparticular base is chosen, then the photon can result in one of the twopossible outcomes. The two possible outcomes in each base need to beorthogonal. This measure determines its orientation in relation to the basechosen.

In Figure 3, the photon is polarized with 4 different ways (first line)and then measured with the vertical/horizontal basis (second line) and thediagonal basis (third line). As we can see, when the photon was preparedin - let’s say - diagonal basis and then it was measured in the same basis,then the result was correct (white fields). Otherwise, the result was randomhaving either the one of the other value (yellow fields).

Figure 3: Results of measurement of polarized photon

3

1.2.3 Heisenberg Uncertainty Principle (HUP)

Heisenberg Uncertainty Principle states that ”observation causes perturba-tion”. This means that when a photon is observed - or otherwise measured- it results to an outcome, its state changed. If it is again measured witha different base, its state will change again and the result from the lastmeasure will disappear. Thus, it is impossible to determine simultaneouslytwo polarizations of a photon, like it is impossible to measure the presentposition of the photon and at the same time to determine its future motion.

Moreover, from the Heisenberg Uncertainty Principle, the no-cloningtheorem is derived. This theorem forbids the creation of identical copies ofa photon state. This is logical and can be justified easily. If this theoremwasn’t satisfied, that would mean that more than one copy of a photonstate could exist. If that was possible, then we could measure each copy ofthe photon with a different base and, therefore, we could have the differentstates of the photon at the same time. That would violate the HeisenbergUncertainty Principle and the whole quantum notion would collapse.

As we will see later, this quantum phenomenon is very essential fordetecting possible eavesdropping. This is because measurements on thephoton disturb the state of the photon and leave traces which can be latertranslated as eavesdropping.

1.2.4 Quantum Entanglement

Although, this principle seems to be a bit confusing, it is of great importance.Two photons - let’s say m and n - are said to become entangled when aproperty is measured in m, and the opposite state is observed in n. This“correlation” exists regardless of the distance between the two photons.

1.3 Historical Background

Quantum Cryptography was born in the early 1970’s by Stephen Wiesner,but was officially proposed in his paper “Conjugate Coding” published inSIGACT in 1983. Based on his work, Charle’s H. Bennett and Gilles Bras-sard created the first Quantum Cryptographic protocol, called BB84, in1984. This protocol was based on the Heisenberg Uncertainty Principle de-scribed above. Seven years later, the first experimental prototype based onthat protocol was demonstrated. In 1990, Arthur Ekert, following his ownpath, developed a different quantum cryptographic method that relies onthe Quantum Entanglement theory. This theory is not in the scope of thisreport, and thus it is only given a brief explanation.

4

1.4 Report Structure

This report constitutes of four chapters. In Chapter 1 a definition of Quan-tum Cryptography is given, its advantages in comparison with classic tech-niques and how it is used practically for information security. The theoret-ical physics background is also explained, for better understanding of thefollowing chapters. In Chapter 2, the most wide known example of QuantumCryptography is presented; that is the Quantum Key Distribution via theBB84 Protocol. Along with the description, its vulnerabilities are listed inorder to move on the Chapter 3 where possible attacks on this protocol arestated, giving a strong emphasize on the Faked-state attack. At the end, inChapter 4, our conclusions and point of view are summarized for QuantumCryptography and its importance.

2 Quantum Key Distribution - BB84 Protocol

2.1 General Description

BB84[6] protocol is the first quantum cryptography protocol developed byCharles Bennett and Gilles Brassard. Its goal is to describe a scheme inwhich a sender, e.g. Alice, can send a private key to a legitimate receiver,e.g. Bob. This protocol describes step by step how Alice can incorporate theinformation that she wants to send to Bob into the photon and how Bod candecode it. Moreover it describes the necessary controls that Alice and Bobshould do in order to be sure that no one intercepts in their communicationand that the information transferred is secure.

The general idea of how this protocol works is described below:In the one side you have a single photon source, which spits out photons.

After that you choose a random number which eventually will make yoursecret key and the basis you want to encode it. The possible ways of encod-ing it is the horizontal/vertical polarization or the diagonal(+/- 45 degreespolarization). Each photon is encoded and send to the legitimate receiver.

On the other side you randomly choose the way that you will measureeach arriving photon and then you get a particular result. Since the receiverdoesn’t know the basis that the information was encoded and because ran-domly chooses between two alternatives, this result that he initially gets ishalf correct since the guess of the receiver is correct with possibility 0.5.

After that, the two legitimate parties communicate in a public networkand discuss about the basis they used. In the case that the basis that thebit was encoded is the same with the basis that the bit was measured, thenboth parties have the same value of the bit. If the basis used was differentthey have a different result and they discard the bit. When this procedurefinish, both parties have a sequence that is supposed to be identical and thathopefully will be their secret key.

5

The problem that now appears and need to be also checked is that maybesomeone had interfere in the communication of the two parties. If so, heshould have left traces and the legitimate parties can easily understand it.In order to find out whether someone was in the middle of the communica-tion, an other control between the parties takes place. In the case that thecontrol was successful, and indicated that no one was in the middle of thecommunication, they keep the key. Otherwise, the blocks of the bits thatwere tried to be spayed are being discarded.

At the end of this process the two parties end up with the final secretkey. The outline of the whole communication process can be seen in Figure4 below:

Figure 4: BB84 Protocol Outline

2.2 More Detailed Description

After having a glance of the functionality of the BB84 protocol, it is time tohave an inside view of the system[4, 7, 8, 9, 10]. The five steps are describedbelow in bigger detail.

2.2.1 Step 1

In this initial step sender, Alice, decides the key that she wants to send andthe way that she wants to encode it. In her possession a single photon sourceexists which will send to the receiver, Bob. She begins the process with twostrings of bits which are randomly chosen, the string a and the string b.Both of them have the same length which is n. The first string indicatesthe original values of the key that needs to be send. Each bit of the firststring will be encoded in a way and transferred to Bob through photons.The second string indicates the way in which the message will be encodedand more specifically the polarization basis of the photon.

During this process string a and string b will be encoded as a string ofn qubits as it can be shown above:

6

|ψ〉 =

n⊗i=1

|ψaibi〉

Where ai and bi are the i-th bits of a and b respectively and after beingcombined they give us one of the following four states of the qubit:

1. |ψ00〉 = |0〉

2. |ψ10〉 = |1〉

3. |ψ01〉 = |+〉 = 1√2|0〉+ 1√

2|1〉

4. |ψ11〉 = |−〉 = 1√2|0〉 − 1√

2|1〉

These four states described above are not mutually orthogonal so youcannot know the state of the qubit without first knowing in which basis thisqubit was encoded.

Each bit of the string a is encoded in this way and is send to the otherside, to Bob, as a qubit, over a public quantum channel which could beeither an optical fiber of the free space.

In Figure 5 below, we can see graphically the process that takes placefrom Alice’s side. In this case we have replaced the active basis choice withthe passive basis choice using a polarising beam splitter, in order to makethe basis choice really random.

Figure 5: Photon Source in Alice’s BB84 equipment

2.2.2 Step 2

Each qubit that is send by Alice, has to be measured by Bob in order to findout which is the value of it. As far as Bob doesn’t know the basis in whichAlice has encoded the qubits, he is forced to randomly choose one basis. Ifthe basis happens to be the same as Alice used to encode the qubit then the

7

result that Bob receives will be valid. Otherwise the result that he gets it istotally random.

The actual device that is used from the Bobs side is shown in Figure6. As we can see it consists of a beam splitter (BS)1, two polarizing beamsplitters (PBS), one half-wave plate(HWP) and four detectors.

Figure 6: Bob’s Detector

As shown in Figure 6 above, the photon inserts in the device and headsto the beam splitter. Normally, when a beam arrives in a beam splitter50% of it gets reflected and 50% of it gets transmitted. In our case, there isonly one photon, which means that it will either be transmitted or reflected.That is how Bob randomly chooses the basis in which he will measure theincoming photon. In the above picture, if the photon is transmitted from thebeam splitter it will be measured in the horizontal/vertical basis. Otherwise,it will be measured in the diagonal basis. After the photon passes the thebeam splitter and enters the polarizing beam splitter it has to be transmittedin one of the two detectors each PBS has and make it “click”.

At this point, if we have chosen the correct basis the detector that clickswill give us the correct value of the qubit. Otherwise, the outcome will berandom. If for example Alice has has tried to encode one bit with value “0“polarized in the h/v basis this means that she sends to Bob an horizontalphoton in the h/v basis. If Bob chooses the h/v basis the detector for thehorizontal photon will click and the value that this click indicates is value“0”. In the unfortunate case that Bob tries to measure it in the diagonalbasis then both of the detectors are able to click with possibility 0.5, so theoutcome will be totally random.

When Bob receives and measures all the qubits that Alice has send him,he has a very initial view of what the key should be. In fact this key iscorrect in a percentage of 50% since this was the possibility of choosing thecorrect measurement basis.

1A polarizing beam splitter is a device which splits a beam into two. In our case usesa half-silvered mirror.[11]

8

Figure 7 below summarises Step 1 and Step 2:

Figure 7: Summary of Step 1 and Step 2 (Polarization Measurement)

2.2.3 Step 3

Now that Bob has received the qubits that Alice has send him, he willcommunicate with her in order to figure out which qubits were encodedand measured with the correct basis and which not. If a qubit is has beenencoded and measured in the same basis, and if no one has intercept thecommunication or noise has manage to distort the result, the value thatAlice has send to Bob is the same that Bob has received.

In the case that there is difference between the encoding and the mea-surement basis, the value of Bob is wrong and both sides discard the bit.The bits that are not discarded consist the current key.In this third step theremaining has been reduced to, more or less, half the length of the initialone.

The discussion between Alice and Bob takes over a public channel, whichmeans that if someone is in the middle, lets say Eve, then he/she is able tolisten.

2.2.4 Step 4

In this final step of the QKD protocol, Alice and Bob do a final controlthat will indicate them if someone has intercept the communication tryingto steal information about the exchanged key.

Lets hypothesize that between Alice and Bob there is Eve who triesto intercept the communication and steal the secret key. In this case, ifEve captures and measures a photon that leads to Bob, then she leaves hertraces. Now the laws of quantum mechanics are applied and ensure that shecannot copy the photon or measure it without distorting it. Heisenberg’s’law of uncertainty, which says that observation causes perturbation, alongwith the non-cloning theorem make Eve being revealed.

9

In order to control the security of the key transfer, Alice and Bob commu-nicate again through the public channel. This time they check the paritiesof the qubits that have remained in blocks of four. If the parities are correctthen Bob and Alice keep the block of qubits considering that no one has in-tercept. Otherwise, they throw it because either someone tries to interceptin the communication or imperfection of the devices, detectors or back-ground light have caused distortions to the resulting key. If the percentageof the errors that revealed are above a threshold then the communication isinterrupted since both parts are sure that someone tries to eavesdrop.

In order to detect and correct the errors that may exist, the paritiescomparison take place in many different combinations of 4-bits blocks. Inthis way that legitimate parts can detect the errors without revealing all thekey. Unfortunately, this process gives some information about the key toEve, since in each pair of four-bits block, 1 bit of information is revealed. InFigure 8 below we can see a brief overview the process:

Figure 8: Error Detection and Correction in QKD

2.2.5 Step 5

The final step is to make sure that you have removed all the informationthat the eavesdropper possibly gained through all the above steps of com-munication and mainly through the parity check step. This process is calledprivacy amplification .Then with a hash function it shrinks the key into finalone. This final key is totally secret and Eve has no knowledge of any bit ofit. Figure 9 shows an example of privacy amplification process.

10

Figure 9: Privacy Amplification in QKD

3 Attack on Quantum Key Distribution Systems

As explained in chapter 1, practically security of quantum key distributionsystem depends not only on the quantum and physics laws, but also fromthe actual implementation of hardware and software to build the quantumcryptography system.

Since quantum and physics laws can not be changed and they do nothave loophole for attacker, existing attacks on quantum-based cryptographysystem exploit the weakness and imperfection of hardware and softwareinside the quantum cryptography system.

In this section,we present several attacks that have been successfullycarried out on quantum key distributed system.

3.1 Easily Solvable Vulnerabilites

3.1.1 Photon Number Attack

The protocol described above can secure the safe distribution from the onepart to the other under some condition. In order to have it perfectly workwe need to ensure that we have only one photon and that the informationis not encoded in a strong light-pulse. In the case that Alice sends a stronglight-pulse there is an easy way for Eve to steal some of the photons of thispulse and intrude the communication without being noticed. This type ofattack is often called photon-number splitting attack.

Moreover, when you work on the single photon level, then you enter therealm of quantum mechanics and then security is bonded by the laws ofquantum mechanics that are unbreakable. [9, 4]

3.1.2 Spectral Attack

The second vulnerability can be introduced in case that the source of photonsis created by four different laser photo diodes, one diode for each polarization

11

in the two polarization basis. In this case you don’t need to know thepolarization basis in order to measure the photon and extract the value.The only thing that you need is the spectral analysis of the photons. Thecolours of the spectral analysis of the photons emitted from different sourcewill be slightly different and thus you can get lots of information about thesecret key.

Figure 10 shows the difference between the four spectral analysis of thefour different photo diodes. [9, 4]

Figure 10: Difference in Spectral Intensity in Spectral Attack

3.1.3 Random Numbers

An other point that introduces vulnerability to the above protocol is thechoice of the random numbers. If the numbers that are chosen are nottotally random then there is again a possibility to have our system attacked.In order to secure the randomness of the numbers we can again use theproperties of quantum-mechanics which are unconditionally secure. For thisreason we will exploit an other property, the entanglement.

An entangled system is a system that cannot be described by describingthe parts of its components. All of its components can be separated in spacebut their full properties can be described only as a whole.

For example, we can suppose that we have an entangled system whichis separated in two parts, part A and part B. Then we cannot describe allthe properties of A separately from the properties of B. In a mathematicalexpression this can be written as:

|ψ〉AB 6= |ψ〉A⊗|ψ〉B

That means that AB system is not the product of A times B.[12]

12

This limitation of the entangled systems is the one that we will use inour and more specifically we will use an entangled photon resource in orderto create the random numbers that we need. The entangled state that iscreated is a Maximilian entangled state and the property that it has is thatwe can create pairs of photons each of which has a totally undeterminedpolarization if it is examined individually. The only thing that you can sayabout it is that it is orthogonal to its pair, no matter the basis you look. Soif you look at one of the photons in an h/v basis and it is horizontal thenthe other photon will be for sure vertical. The same thing happens in thediagonal basis and of course in any other orthogonal basis we can think of.

The schematic of the device that emits entangled photon pairs is shownin Figure 11

Figure 11: Entangled Photon Source

Now this device could be incorporated in our system which changes inthe part of the photons emission. This source of the entangled photon pairsis the main source that supplies both sides with photons. Each side takesone photon of the pair of photons and tries to measure it. This means thatAlice gets one of four results and Bob the orthogonal pair of Alice’s photon.

In this case the communication in this protocol can be described schemat-ically as shown in Figure 12.

13

Figure 12: BB84 with Photon Pairs

After the photons are received and measured the process is exactly thesame as the one in the original BB84 protocol. [9, 4]

3.2 Non-solvable Vulnerability: Faked - State Attack

Faked-state attack is a variation of “intercept-resend” attack. In naive andvery simple intercept-resend attack, Alice and Bob are able to detect eaves-dropper with probability of 0.999999999 after they exchange 72 bits[13].That means it is very easy and fast to detect potential eavesdropper in thekey-exchange process. Therefore in faked-state attack, Eve as the eavesdrop-per does not naively forward the photon, but she will have specialized deviceto perform the attack. In this case, Eve exploits the characteristics of thephoton detectors that are used in the quantum key distribution system[14].Figure 13 below shows the general scheme of the faked state attack.

14

Figure 13: General Scheme of Faked-State Attack

As shown in Figure 13, Eve’s specialized device consists of Bob’ whichis replica of Bob’s detector and FSG block. FSG in this case stands forFake State Generator. The sequence of events when Eve eavesdropping thecommunication is following:

1. Alice sends a single photon

2. Using replica of Bob’s detector (Bob’), Eve captures the photon andmeasure the captured photon. For example, Eve notice that the cur-rent photon has value of 1 when vertical-horizontal basis is used

3. Using the measurement result obtained in step 2, Eve replicates theresult using FSG in such a way. Bob will also received result that thecurrent photon has value of 1 when vertical-horizontal basisis used. Note that the final result is same as what Eve obtains in steptwo

4. Bob thinks that he just received photon from Alice and Bob is notable to detect Eve. Eve’s doesn’t re-send the photon, but, in general,FSG tricks Bob’s detector apparatus so that the detector “think” itreceived a valid photon from Alice

5. Bob performs post-processing of the obtained bit by discussing withAlice regarding the basis used in this transmission

6. Eve is able to listen into their discussion because the discussion isperformed in public channel. Here, Eve has same information as Bob,therefore she is able to reproduce the key that will be used by Aliceand Bob in subsequent communication

15

3.2.1 Practical Implementation

There are several known ways to “trick” Bob’s detector and in this report,we focus on attack by exploiting loopholes of single photon detector understrong illumination[14, 15, 16, 17, 18]. This section presents the analysisof the existing and additional components in Quantum Key Distribution(QKD) system under attack as well as the detail of how the attack is per-formed.

1. Replica of Bob’s receiver

In order to successfully perform the attack, Eve should have replicaof Bob’s receiver module. The replica should have same componentsas Bob’s receiver module. And it consists beam splitter (BS), twopolarizing beam splitter (PBS) as well as the 4 detectors as shown inFigure 14.

Figure 14: Replica of Bob’s Receiver

2. Detector in Bob’s receiver as well as in the replica

Detectors that commonly used in QKD system in 2 are using Single-Photon Avalanche Diode (SPAD). SPAD is a special type of AvalanchePhoto Diode (APD). In general, Photo Diode is a detector which isable to convert light intensity to current or voltage. Figure 15 showsthe example of actual component of SPAD.

16

Figure 15: SPAD Component

Circuit diagram of SPAD[10] is shown in Figure 16 below.

Figure 16: SPAD Circuit Diagram

SPAD in QKD system has two working modes shown in Figure 17.They are

(a) Geiger Mode

In Geiger Mode, arrival of single photon (indicated by red ar-rows) generates enough current and voltage above Comparator’sthreshold to trigger detector-”click” because SPAD’s gain is in-finite.Theoretically, SPAD is in Geiger Mode when its biased-voltage value above SPAD’s voltage breakdown value specifica-tion.

(b) Linear Mode, or it can be called APD mode

APD stands for Avalanche Photo Diode mode. In this mode,arrival of single photon is not able to generate enough voltage(it always below Comparator’s voltage threshold) because APD’sgain is not infinite and less than 1000. Given this amount ofgain, arrival of single photon will not trigger detector-”click”.In this mode, the photo-diode will produce current and voltageproportional to the intensity of optical source that fired to thediode.

17

Figure 17: SPAD Working Mode

3. Fake State Generator

Fake-stated generator main task is tricking Bob so that Bob thinks thathe receives valid photon from Alice. This attack can be performedin the basis of SPAD characteristics under bright continuous waveillumination[16, 10]. Figure 18 shows SPAD characteristics underbright illumination.

Figure 18: SPAD Characteristics Under Illumination

Recall that light consists of many photon. The number of photons isproportional with the light intensity/optical power. The higher thelight intensity, more number of photons will be detected and it isshown as ideal SPAD characteristics in Figure 18 above. (the blue

18

line). When we increase the optical power at the SPAD in term ofWatt(W), the number of photons in term of counts per second alsoincrease.

Interestingly, the practical characteristic is different. If we keep in-creasing the optical power beyond certain point (by appying brightillumination into SPAD), SPAD is not sensitive to photon anymore.SPAD is not in Geiger Mode anymore but it is in Linear mode now.Revisiting SPAD circuit diagram and its characteristics when brightillumination is applied to it[10] as shown in Figure 19 and 20.

Figure 19: SPAD Circuit Diagram with Light Applied on It

Figure 20: SPAD Electric Circuit Characteristics Under Bright Illumination

Figure 19 and Figure 20 above show in more detail the SPAD char-acteristics using its internal circuitry as the parameter. When weincrease the illumination intensity, the SPAD voltage drops, from 220

19

V (which is above SPAD Voltage Breakdown value) to around 200(which is below SPAD Voltage Breakdown value).

Refer to the circuit diagram in Figure 19, under Geiger mode, the1.2pf Capacitor will “re-balance” the voltage in point 2 after the diodereceives a single photon. The term “re-balance” can be described asrestoring voltage at point 2 to 220 V level so that the SPAD is biasedabove Voltage Breakdown value. In Geiger mode, this re-balancingprocess will take around 1s.

However, when bright illumination is applied, the number of photonarriving at the diode is significantly huge and this condition makes theCapacitor is not able to re-balance the voltage at point 2 to its normalvalue of 220 V.

Failing to re-balance causes the SPAD to be biased below VoltageBreakdown value and it enters the Linear Mode and it will not beable to generate enough current and voltage at point 3 to make thedetector “click” when a single photon arrives into the SPAD. Thistechnique to make SPAD lost its photon sensitivity is often called“blinding technique”.

Blinding technique is not enough to carry on the attack since it onlymakes SPAD lost its sensitivity. Eve needs something to force a “click”in certain detector based on the measurement result in her fake Bob’sdetector. So, for example, let’s say Eve receives a photon from Aliceusing vertical-horizontal basis (V/H basis), the photon is polarized inhorizontal axis and detector for horizontal-polarized photon “clicks”.Then, Eve should be able to replicate the “clicks” in Bob’s originaldetector as shown in Figure 21 below

Figure 21: Replicating Click on Bob’s actual detector

20

Fortunately for Eve and unfortunately for Alice and Bob, SPAD inlinear mode can be easily forced into creating a “click”. Sending apulse of light with certain value of illumination power will force Bob’sdetector to register a click [15]. Figure 22 shows the important valueof points 1, 2, 3, and 4 in SPAD circuit diagram when pulse withcertain intensity is applied to the SPAD in linear mode.[10]

Figure 22: Linear Mode Characteristics of SPAD

As shown in Figure 22, the detector produces “click” when the lightintensity is 2.6 mW. The intensity to force detector to produce “click”vary based on the detector specification. In our subsequent discussion,we refer the intensity that forced detector to produce “click” as I0.

Note that I0 is the light intensity that Eve needs to apply in the detec-tor under attack. And before reaching the detector, the light traversesto beam splitter and polarizing beam splitter. Now the remaining puz-zle for Eve is to find how much intensity of the light that Eve needsto send to so that detector under attack receives I0 and the other de-tector doesn’t click. Figure 23 answers Eve’s remaining puzzle andprovides more details on Eve’s fake-state-generator module.

21

Figure 23: Fake-State Generator and Pulse Intensity

In order to obtain I0 in the desired detector, Eve needs to send alight pulse with intensity 2I0 and the light is polarized according tomeasurement in Eve’s replica detector. Recall the fact that the lightpulse consists of many photons, half of the photons in the light pulse isredirected to +45/-45 Polarizing Beam Splitter (PBS) and half of themis redirected to V/H Polarizing Beam Splitter (PBS). This means theintensity of the pulse reduced to half of the original intensity. The newintensity of the light pulse that goes after Beam Splitter is 2I0

2 = I0

Note that in our example, the pulse is polarized in Horizontal valueusing V/H basis. When this group of photons reach PBS with +45/-45 basis, half of them is redirected to detector for +45 polarizationand the other half is redirected to detector for -45 polarization. Thereason for this behaviour is the basis that used to polarized the pulseis not +45/-45 basis. This implies, +45 and -45 SPAD receives lightpulse with intensity I0

2 . However, since SPAD is in Linear mode and

the intensity I02 is below the threshold intensity to make the SPAD

clicks, both SPADs are not “click”.

Meanwhile, when the remaining pulse with intensity I0 arrives at V/HPBS, all of them will be forwarded to Horizontal polarization SPADsince the pulse is polarized using V/H basis by using Horizontal po-larization. This means, the SPAD for Horizontal polarization receivesa light pulse with intensity I0. And since the intensity satisfies the“click” intensity threshold, Eve is able to force the required detectorto “click”.

22

3.2.2 Putting Them All Together

Figure 24: Putting Them All Together

Figure 24 shows the overall diagram of fake state attack. Eve shouldhave enough resource to create Bob’s detector replica and build De-tector Blinding Module as well as the Light Pulse Generator.

3.2.3 Evaluation

Several experiments were conducted with duration between 5 to 10minutes[14]. The performance of the attack is pretty impressive. Table1 shows results in term of percentage of successful recognition of Eve’sfake state.

Bob@V Bob@-45 Bob@H Bob@+45

Bob@V 99.51% 0 0 0Bob@-45 0 99.66% 0 0Bob@H 0 0 99.80% 0

Bob@+45 0 0 0 99.95%

Table 1: Result of Replicating State Result in Bob’s Detector

EveFake@V means Eve receives photon with Vertical polarization us-ing V/H basis and she generate fake state for Vertical polarization inV/H basis. Bob@V means Bob’s detector for photon with Verticalpolarization recognize a “click”. Table 1 shows that the percentage

23

of successful “clicks”, 99.75% of the fake-state causes “clicks” in Bob’sdetector Moreover, the “clicks” always happen in intended detector.Interestingly, the raw-key-rate, secret-key-rate and sifted-key-rate be-tween QKD without eavesdropping and QKD with eavesdropping donot have significant difference and the differences can be easily ignoredby Alice and bob during transmission.

4 Conclusion

Quantum Cryptography is shown to have a significant role in data and com-munication security. Several algorithms have been implemented based onthe laws of physics. In this report we presented a significant algorithm, theprotocol BB84, which is said to be perfect, as it satisfies the laws of physicsduring the communication and message exchange. Private communicationbetween two parties is feasible and if a third party tries to eavesdrop, it isrelieved to the other parties about its presence.

Various attacks have been applied in order to ”win” the algorithm, likethe photon number attack, the spectral attack and the attack based on thechoice of the random numbers. Though, these attacks were encountered,preserving the algorithm at the same efficiency level. However, the perfectionof the protocol exists only theoretically, since the hardware ”disappoints”the evolved algorithm. Due to hardware weaknesses and limitations, theBB84 protocol seems to have flaws. In the faked-state attack, a third partycan use a replica of the receiver’s detector in order to produce a result andmake receiver’s detector to produce the same result.

People from this area are positive that soon enough a solution usingquantum cryptography will be found. Recent work [19] has shown the de-velopment of a multi-purpose optical chip which generates and measures twovery essential phenomena of quantum; entanglement and mixture. This im-plementation is very significant for the evolution of quantum cryptography.

References

[1] G. Brassard and C. Crepeau, “A bibliography of quantum cryptogra-phy,” Journal of Modern Optics, 1993.

[2] 24th Chaos Communication Congress, “Quantum Cryptographyand Possible Attacks.” http://events.ccc.de/congress/2007/

Fahrplan/events/2275.en.html, 2007. [Online; accessed 10-December-2011].

[3] Wikipedia, “Quantum Cryptography.” http://en.wikipedia.org/

wiki/Quantum_cryptography. [Online; accessed 10-December-2011].

24

[4] ChRiStIaAn008, “24C3: Quantum Cryptography and Possible At-tacks.” http://www.youtube.com/watch?v=9eERHINfPYU, 2011. [On-line; accessed 10-December-2011].

[5] W. Wootters and W. Zurek, “A single quantum cannot be cloned,”Nature, vol. 299, no. 5886, pp. 802–803, 1982.

[6] Wikipedia, “BB84.” http://en.wikipedia.org/wiki/BB84. [Online;accessed 10-December-2011].

[7] ChRiStIaAn008, “26C3: How you can build an eavesdropper fora quantum cryptosystem 1/6.” http://www.youtube.com/watch?v=

rKQUmVlR3C0, 2010. [Online; accessed 10-December-2011].

[8] ChRiStIaAn008, “26C3: How you can build an eavesdropper fora quantum cryptosystem 2/6.” http://www.youtube.com/watch?v=

VMdf8Xwxvnw, 2010. [Online; accessed 10-December-2011].

[9] I. Gerhardt, A. Ling, A. Lamas-Linares, and C. Kurtsiefer, “Practi-cal Quantum Cryptography and Possible Attack.” http://www.qolah.

org/papers/24c3_qkd.pdf. [Online; accessed 10-December-2011].

[10] V. Makarov, I. Gerhardt, A. Lamas-Linares, C. Kurtsiefer, S. Sauge,and A. Anisimov, “How You Can Build An Eavesdropper For A Quan-tum Cryptosystem.” http://gerhardt.ch/downloads/1469_26C3_

Sebastien_Sauge_Qin_Liu.pptx. [Online; accessed 10-December-2011].

[11] Wikipedia, “Beam Splitter.” http://en.wikipedia.org/wiki/Beam_

splitter. [Online; accessed 10-December-2011].

[12] Wikipedia, “Quantum Entanglement.” http://en.wikipedia.org/

wiki/Quantum_entanglement. [Online; accessed 10-December-2011].

[13] Wikipedia, “Quantum Key Distribution.” http://en.wikipedia.

org/wiki/Quantum_key_distribution#Example:_Intercept_and_

resend, 2011. [Online; accessed 10-December-2011].

[14] I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, andV. Makarov, “Perfect eavesdropping on a quantum cryptography sys-tem,” Arxiv preprint arXiv:1011.0105, 2010.

[15] V. Makarov, A. Anisimov, and S. Sauge, “Quantum hacking: addinga commercial actively-quenched module to the list of single-photon de-tectors controllable by eve,” Arxiv preprint arXiv:0809.3408, 2009.

[16] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, andV. Makarov, “Hacking commercial quantum cryptography systems by

25

tailored bright illumination,” Nature photonics, vol. 4, no. 10, pp. 686–689, 2010.

[17] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, andV. Makarov, “Thermal blinding of gated detectors in quantum cryp-tography,” Arxiv preprint arXiv:1009.2663, 2010.

[18] S. Sauge, L. Lydersen, A. Anisimov, J. Skaar, and V. Makarov, “Con-trolling an actively-quenched single photon detector with bright light,”Arxiv preprint arXiv:0809.3408, 2008.

[19] U. of Bristol, “Multi-purpose photonic chip paves the way to pro-grammable quantum processors.” http://www.bristol.ac.uk/news/

2011/8109.html. [Online; accessed 20-December-2011].

[20] 26th Chaos Communication Congress, “How you can build an eaves-dropper for a quantum crypto.” http://events.ccc.de/congress/

2009/Fahrplan/events/3576.en.html, 2009. [Online; accessed 10-December-2011].

[21] ChRiStIaAn008, “26C3: How you can build an eavesdropper fora quantum cryptosystem 3/6.” http://www.youtube.com/watch?v=

T3A5ylGleI4, 2010. [Online; accessed 10-December-2011].

[22] ChRiStIaAn008, “26C3: How you can build an eavesdropper fora quantum cryptosystem 4/6.” http://www.youtube.com/watch?v=

YuKcGaQXKCE, 2010. [Online; accessed 10-December-2011].

[23] ChRiStIaAn008, “26C3: How you can build an eavesdropper fora quantum cryptosystem 5/6.” http://www.youtube.com/watch?v=

_LhC2CZ5VXc, 2010. [Online; accessed 10-December-2011].

[24] ChRiStIaAn008, “26C3: How you can build an eavesdropper fora quantum cryptosystem 6/6.” http://www.youtube.com/watch?v=

CXIFtkrwQso, 2010. [Online; accessed 10-December-2011].

[25] M. Haitjema, “Survey of the Prominent Quantum Key Distribu-tion Protocols.” http://www.cs.wustl.edu/~jain/cse571-07/ftp/

quantum/index.html#Bruss07, 2007. [Online; accessed 10-December-2011].

[26] B. Surendranath, “Polarized Wave Applet.” http://surendranath.

tripod.com/Applets/Waves/Polarisation/PW.html. [Online; ac-cessed 10-December-2011].

[27] I. Marcikic, A. Lamas-Linares, and C. Kurtsiefer, “Free-space quan-tum key distribution with entangled photons,” Applied physics letters,vol. 89, p. 101122, 2006.

26

[28] Wikipedia, “Polarizer.” http://en.wikipedia.org/wiki/Polarizer.[Online; accessed 10-December-2011].

[29] T. Rairden, “Eavesdroppers Beware: Single Photon Emission PreparesWay for Quantum Cryptography.” http://engineering.ucsb.edu/

news/104. [Online; accessed 10-December-2011].

27