Quantum Cryptography Alice Eve Ranveer Raaj Joyseeree & Andreas Fognini Bob Classical Algorithms 1. Asymmetrical (public-key) cryptosystems: Message Encrypted message Private Message Public - First implementationnn RSA (Ronald Rivest, Adi Shamir, and Leonard Adleman) 1978 - Very convenient, Internet - Idea is based on computational complexity f(x) = y, x = ?. - rely on unproven assumptions Classical Algorithms 2. Symmetrical (secret-key) cryptosystems: Distribute key over secure channel M M S M: 1 S: 0 0 1 0 0 1 0 0 XOR K: 1 0 0 0 1 1 1 0 XOR K: M: 1 0 1 0 1 0 1 0 S: - only provably secure cryptosystem known today - not handy, key as long as message - key only valid for one transmission - how to send the key in a secure manner? 0 1 0 1 0 1 0 1 0 0 0 1 1 1 0 0 0 1 0 0 1 0 0 Quantum Cryptography: The BB84 Portocol Ingredients: 1) One photon no copying, 2) Two non orthonormal bases sets 3) Insecure classical channel; Internet What it does: Secure distribution of a key, can't be used to send messages How it works: 50% correlated Physikalische Blätter 55, 25 (1999) Eve's copy machine Copy machine: e.g. 50% decrease in correlation! Alice and Bob recognize attack from error rate! Conclusion Quantum cryptography means just the exchange of keys Actual transmission of data is done with classical algorithms Alice & Bob can find out when Eve tries to eavesdrop. Hacking Quantum Key Distribution systems QKD systems promise enhanced security. In fact, quantum cryptography is proveably secure. Surely one cannot eavesdrop on such systems, right? Hacking QKD systems Security is easy to prove while assuming perfect apparatus and a noise-free channel. Those assumptions are not valid for practical systems e.g. Clavis2 from ID Quantique and QPN 5505 from MagiQ Technologies. Vulnerabilities thus appear. Hacking by tailored illumination Lydersen et al. (2010) proposed a method to eavesdrop on a QKD system undetected. The hack exploits a vulnerability associated with the avalanche photo diodes (APD‘s) used to detect photons. Avalanche photo diodes Can detect single photons when properly set. However, they are sensitive to more than just quantum states. Modes of operation of APD’s Geiger and linear modes Geiger mode VAPD is usually fixed and called bias voltage and in Geiger mode, Vbias > Vbr. An incident photon creates an electron-hole pair, leading to an avalanche of carriers and a surge of current IAPD beyond Ith. That is detected as a click. Vbias is then made smaller than Vbr to stop flow of carriers. Subsequently it is restored to its original value in preparation for the next photon. Linear mode Vbias < Vbr. Detected current is proportional to incident optical power Popt. Clicks again occur when IAPD > Ith. Operation in practical QKD systems Vbias is varied as shown such that APD is in Geiger mode only when a photon is expected That is to minimize false detections due to thermal fluctuations. However, it is still sensitive to bright light in linear mode. The hack in detail Eve uses an intercept-resend attack. She uses a copy of Bob to detect states in a random basis. Sends her results to Bob as bright light pulses, with peak power > Pth, instead of individual photons. She also blinds Bob‘s APD‘s to make them operate as classical photodiodes only at all times to improve QBER. The hack in detail C is a 50:50 coupler used in phase-encoded QKD systems. When Eve‘s and Bob‘s bases match, trigger pulse from Eve constructively interferes and hits detector corresponding to what Eve detected. Otherwise, no constructive interference and both detectors hit with equal energy. Click only observed if detected current > Ith. The hack in detail Clicks also only observed when Eve and Bob have matching bases. This means Eve and Bob now have identical bit values and basis choices, independently of photons emitted by Alice. However, half the bits are lost in the process of eavesdropping. Performance issues? Usually, transmittance from Alice to Bob < 50%. APDs have a quantum efficiency < 50%. However, trigger pulses cause clicks in all cases. Loss of bits is thus compensated for and Eve stays undetected Other methods Method presented is not the only known exploit. Zhao et al. (2008) attempted a time-shift attack. Xu et al. (2010) attempted a phase remapping attack. Conclusion QKD systems are unconditionally secure, based on the fundamental laws of physics. However, physical realisations of those systems violate some of the assumptions of the security proof. Eavesdroppers may thus intercept sent messages without being detected. Used Material Rev Mod Phys 74, 145 (2002) Physikalische Blätter 55, 25 (1999) Nature Photonics 4, 686 (2010) Experimental demonstration of phase-remapping attack in a practical quantum key distribution system. Xu et al. (2010) Hacking commercial quantum cryptography systems by tailored bright illumination. Lydersen et al. (2010) Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems. Zhao et al. (2008).