Invited talk at CLEO/Europe-EQEC 2011, Munich, Germany, May 22–26, 2011
Cracking quantum cryptography
Vadim Makarov
Photo ©2010 NTNU Info / Geir Mogen
Quantum key distribution
Alice
Bob
1
R
0
0
0.11
QBER
D. Gottesman et al., Quant. Inf. Comp. 4, 325 (2004)
H.-K. Lo et al., Phys. Rev. Lett. 94, 230504 (2005)
Security is based on the laws of physics and model of equipment
Tasks of a quantum hacker
● Discover vulnerabilities
● Countermeasures
● Demonstrate attacks
● Security proofs
Commercial QKD
Classical encryptors:
L2, 2 Gbit/s
L2, 10 Gbit/s
L3 VPN, 100 Mbit/s
WDMs
Key manager
QKD to another node (17 km)
www.swissquantum.com
Photo ©2010 Vadim Makarov
QKD to another node (3 km)
Stages of secure technology
Quantum
cryptography
1. Idea / theory / proof-of-the-principle
1970–1993
2. Initial implementations
1994–2005
3. Weeding out implementation loopholes
(spectacular failures
4. Good for wide use
patching)
◄ Now!
Experimental attacks on QKD
Attack
Demonstrated
Decreased
eavesdropping
key rate?
(% key)?
Target
component
Target
system
detector
ID Quantique
no (fraction)
yes
ID Quantique
no (fraction)
yes
ID Quantique,
MagiQ Tech.
no (100%)
no
research
100%
no
research
98.8%
yes
Time-shift
Y. Zhao et al., Phys. Rev. A 78, 042333 (2008)
Phase-remapping
phase
modulator
F. Xu et al., New J. Phys. 12, 113026 (2010)
Detector control
detector
L. Lydersen et al., Nat. Photonics 4, 686 (2010)
Detector control
detector
I. Gerhardt et al., arXiv:1011.0105
Deadtime
H. Weier et al., arXiv:1101.5289
detector
Experimental attacks on QKD
Attack
Demonstrated
Decreased
eavesdropping
key rate?
(% key)?
Target
component
Target
system
detector
ID Quantique
no (fraction)
yes
ID Quantique
no (fraction)
yes
ID Quantique,
MagiQ Tech.
no (100%)
no
research
100%
no
research
98.8%
yes
Time-shift
Y. Zhao et al., Phys. Rev. A 78, 042333 (2008)
Phase-remapping
phase
modulator
F. Xu et al., New J. Phys. 12, 113026 (2010)
Detector control
detector
L. Lydersen et al., Nat. Photonics 4, 686 (2010)
Detector control
detector
I. Gerhardt et al., arXiv:1011.0105
Deadtime
H. Weier et al., arXiv:1101.5289
detector
How avalanche photodiodes (APDs) work
I
Linear mode
Geiger mode
I
Ith
Pth
Popt
Single photon
Ith
V
Breakdown
voltage Vbr
Faked-state attack in APD linear mode
Identical bases & bit values
Eve
Alice
.Bob´
.Alice´
Bright
state
Bob
Listen, do same,
get same final key
Classical post-processing
Bob chooses same basis as Eve:
“0”
I0
I th
Click!
“1”
Bob chooses different basis:
“0”
I0
I th
t
I1
I th
t
“1”
I1
I th
t
L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, V. Makarov, Nat. Photonics 4, 686 (2010)
t
Launching bright pulse after the gate...
VAPD
Vbr
afterpulses,
increased QBER
Vbias
0
t
bright C. Wiechers et al., New J. Phys. 13, 013043 (2011)
< 120 photons L. Lydersen et al. (unpublished)
Add CW light...
Bias to APD
(Vbias)
VAPD
Vbr
Rbias
VHV  40 V
Detector blind!
Zero dark count rate
Vbias
0
t
L. Lydersen et al., Nat. Photonics 4, 686 (2010)
Detector blinding
ID Quantique
Clavis2:
MagiQ Technologies
QPN 5505:
42
41
40
42
39
41
38
V
bias
,V
43
37
P
40
blind,0
P
blind,0
39
0
0.2
36
=397 W Pblind,1=765 W
0.4
0.6
0.8
1
1.2
Plaser, mW
=60 W
=85 W
P
blind,1
1.4
1.6
1.8
35
0
V
50
100
150
200
250
300
Plaser, W
bias,0
(Rbias ~ 1 kΩ)
V
bias,1
(Rbias = 20 kΩ)
L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, V. Makarov, Nat. Photonics 4, 686 (2010)
Full detector control
3
30
2
1
Detector
Input
output illumination, mW
0
2
 808 W
 647 W
1.5
1
0.5
0
(never clicks)
Logic 1
(always clicks)
Trigger pulse peak power, mW
Gates, V
ID Quantique Clavis2
25
20
15
10
5
0
100
Logic 0
-10
0
10
20
Time, ns
30
-10
0
10
20
30
Time, ns
L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, V. Makarov, Nat. Photonics 4, 686 (2010)
Photo ©2010 Vadim Makarov
Testing MagiQ Technologies QPN 5505
Proposed full eavesdropper
Eve
Alice
Bob´
Basis
Detection result
Alice´
Optical
amplifier
Basis
Bit in
Blinding laser
Bob
Eavesdropping 100% key on installed QKD line
on campus of the National University of Singapore, July 4-5, 2009
290 m of fiber
Eve
Bob
I. Gerhardt, Q. Liu et al.,
arXiv:1011.0105
Image ©2009 DigitalGlobe
Alice
Raw key bit rate, s–1
Eve does not affect QKD performance
Without eavesdropping
During eavesdropping
3000
2000
1000
0
QBER, %
10
8
6
4
2
0
0
100
200
Time, s
300
0
100
200
Time, s
I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, V. Makarov, arXiv:1011.0105
300
Eavesdropping < 100% key
H. Weier et al., “Quantum eavesdropping without interception: An attack exploiting the dead time of single
photon detectors,” arXiv:1101.5289
Controlling superconducting nanowire
single-photon detectors
Comparator input
voltage, a.u.
1. Blind (latch)
0
2. Control
0
10
20
30
Time, ns
Normal singlephoton click
14 mW pulse
7 mW pulse
L. Lydersen, M.K. Akhlaghi, A.H. Majedi, J. Skaar, V. Makarov (unpublished)
2009
Responsible disclosure is important
Example: hacking commercial systems
ID Quantique got a detailed vulnerability report
– reaction: requested time, developed a patch
MagiQ Technologies got a detailed vulnerability report
2010
– reaction: informed us that QPN 5505 is discontinued
Results presented orally at a scientific conference
Public disclosure in a journal paper
L. Lydersen et al., Nat. Photonics 4, 686 (2010)
Countermeasures

L. Lydersen et al. (unpublished)
Ø. Marøy et al., Phys. Rev. A 82, 032337 (2010)
Detector
sensitivity
Time
Bob’s basis
Random
choice
Random
Time
L. Lydersen et al., Phys. Rev. A 83, 032306 (2011)
Can we eavesdrop on commercial
systems?
ID Quantique’s Cerberis:
Dual key agreement
PKI
RSA-2048
Key
Symmetric
cipher
QKD
PKI
Key
AES-256
Symmetric
cipher
Photo ©2010 Vadim Makarov
QKD
BB84
Can we eavesdrop on commercial
systems?
ID Quantique’s Cerberis:
Dual key agreement
PKI
RSA-2048
Key
Symmetric
cipher
QKD
PKI
Key
AES-256
Symmetric
cipher
Photo ©2010 Vadim Makarov
QKD
BB84