RANDOMIZED ANCILLARY QUBIT OVERCOMES DETECTOR-CONTROL AND INTERCEPT-RESEND HACKING OF QUANTUM KEY DISTRIBUTION

Salem F. Hegazy
National Institute of Laser Enhanced Sciences,
Cairo University,
Giza 12613, Egypt
salem@niles.cu.edu.eg
Salah S. A. Obayya
Center for Photonics and Smart Materials,
Zewail City of Science and Technology,
Giza 12578, Egypt
sobayya@zewailcity.edu.eg
Bahaa E. A. Saleh
CREOL, The College of Optics & Photonics,
University of Central Florida,
Orlando, FL, 32816, USA
besaleh@creol.ucf.edu
October 5, 2022
ABSTRACT
Practical implementations of quantum key distribution (QKD) have been shown to be subject to
various detector side-channel attacks that compromise the promised unconditional security. Most
notable is a general class of attacks adopting the use of faked-state photons as in the detector-control
and, more broadly, the intercept-resend attacks. In this paper, we present a simple scheme to overcome
this class of attacks: a legitimate user, Bob, uses a polarization randomizer at his gateway to distort
an ancillary polarization of a phase-encoded photon in a bidirectional QKD configuration. Passing
through the randomizer once on the way to his partner, Alice, and again in the opposite direction,
the polarization qubit of the genuine photon is immune to randomization. However, the polarization
state of a photon from an intruder, Eve, to Bob is randomized and hence directed to a detector in a
different path, whereupon it triggers an alert. We demonstrate theoretically and experimentally that,
using commercial off-the-shelf detectors, it can be made impossible for Eve to avoid triggering the
alert, no matter what faked-state of light she uses.
1 Introduction
The unconditional security offered by quantum key distribution (QKD) relies on laws of quantum physics [1, 2], which
dictate that any attempt by an adversary to learn about the secret key would inevitably introduce a disturbance that
alerts the legitimate parties [3, 4]. This ultimate information-theoretic security has been proved for idealized
devices [4, 5, 6] and also under semi-realistic conditions [7, 8, 9]. In practice, however, real-life components of
QKD systems may deviate from these idealized theoretical models, or encounter new scenarios, offering effective
vulnerabilities to the adversary.
For instance, the imperfect preparation of the single-photon state may lead to leaking information about the key.
This gap between theory and real-life practice allows for a plethora of source-side attacks ranging from the
photon-number-splitting (PNS) attack [10, 11], the phase-remapping attack [12, 13], the wavelength-selected
photon-number-splitting attack [14], and the pattern-effect attack [15], to the nonrandom-phase attacks based on
unambiguous-state-discrimination [16], and laser seed control [17, 18, 19].
arXiv:2210.01204v1 [quant-ph] 3 Oct 2022
A PREPRINT - OCTOBER 5, 2022
Compared to the source-side attacks, imperfections on the detection side are known to show much higher vulnerability
to quantum hacking [20]. For example, detector imperfections such as breakdown fluorescence [21], finite (µs)
dead time [22], nonzero dark counts, less-than-unity efficiency, and nonfixed efficiency within the gate time [23]
can all be exploited by Eve to compromise QKD security. This leads in practice to a significant number of
potential attacks such as detector fluorescence [24], faked-state [25, 26], time-shift [27, 23], time-side-channel [28],
channel calibration [29], laser damage [30, 31], spatial mismatch [33, 32], detector saturation [34], and polarization
shift [35] attacks. More interestingly, the single-photon detectors (SPDs) of the receiver (Bob), normally operating in
the Geiger mode [36], can be turned by Eve into linear mode, which allows for various blinding and remote-control
attacks [37, 38, 39, 40, 41, 42, 43, 44]. Among the detection-side attacks, the latter is widely known to be the most
powerful [20], with successful demonstrations on various types of SPDs, including passively and actively quenched
avalanche photodetectors (APDs) [37, 45], gated/non-gated APDs [46, 38], and superconducting nanowire single-photon
detectors (SNSPDs) [47].
Since the inception of quantum encryption [1], the intercept-resend strategies have been developed through many
quantum hacking paradigms. The original version, based on resending single photons, was easily neutralized by QKD [3].
Employing detector imperfections, more crafty intercept-resend versions have evolved via resending faked multiphoton
states either solitarily (e.g., the after-gate attack [42], the faint-after-gate attack [47], and the detector-control
attack under specific laser damage [30]) or teamed with a blinding light (e.g., continuous-wave blinding attack [38, 39],
sinkhole blinding attack [48], thermal blinding attack [48, 45], and pulsed illumination attack [44]).
Currently, there exist two main approaches against the intercept-resend and detector-control hacking strategies. The
first is based on monitoring some detector measures, such as its photocurrent, for anomalously excessive values
[49, 50, 51]. This also includes observing the detector’s count rates versus random variations of either the detection
efficiency [52, 53], or the attenuation in front of the detector [54]. These security patches could defeat the original
attacks they were designed for, but unfortunately they fail against subsequent ad-hoc modified attacks [46, 55].
The second is the measurement-device-independent QKD (MDI-QKD) approach [56], which enables elimination of all
detector side-channels [57], offering security regardless of the nature of the detection apparatus. However, MDI-QKD
builds on performing a remote Bell-state measurement, which requires high-visibility two-photon interference between
independent photons from Alice’s and Bob’s laser sources, a practically challenging procedure.
In this paper, we present a scheme to protect practical QKD systems against various attacks based on faked-state
light, including the detector-control attacks and more generally the class of intercept–resend attacks. The scheme
uses phase encoding and a two-way configuration, similar to the plug-and-play configuration [58, 59, 60], which uses
polarization-assisted routing through Bob’s transceiver, and a Faraday mirror at Alice’s site. In our scheme, however,
the polarization qubit serves a different function. A photon generated at Bob’s transceiver is transmitted through a
polarization randomizer, which assigns it a random state of polarization, and upon reflection from the Faraday mirror it
passes once more through the same randomizer, in a state orthogonal to its original state, and is directed to a specific
path, whereupon the photon is detected in accordance with the phase-encoded BB84 protocol. Light pulses generated
by an intruder must pass through the randomizer at the gateway to Bob’s transceiver, and since they pass only once, they
acquire a random state and end up in a different path, whereupon their detection triggers an alert. The randomizer is
fixed during the course of the photon roundtrip and is refreshed after every cycle of photon transmission and detection.
Thus, the polarization qubit serves as a carrier of a password that allows genuine photons to be directed to the secured
detectors, while an intruder’s fake photons are randomized and possibly end up at the alert detectors.
We further consider the case that Eve launches a generalized detector-control attack. To render her attack unnoticeable,
she tailors the parameters of triggering pulses and blinding light in order to meet two requirements: (i) to avoid
triggering alert detectors, and (ii) to be able to sometimes trigger the secured detectors in the right way. These two
requirements lead us to a necessary and sufficient condition that Bob’s secured and alert detectors have to satisfy. We
note that commercially available detectors can violate this necessary and sufficient condition and thereby guarantee
that these two requirements are impossible to meet simultaneously. We experimentally demonstrate how various faked
states by Eve fail to simultaneously meet these two requirements of unnoticeable attack. Security analysis of the system
shows that for various types of attacks Eve cannot diminish the alert rate, even if she has complete control over Bob’s
secured detectors.
2 QKD scheme
As shown in Fig. 1(a), Bob employs a single photon with two encoded qubits: a time-bin qubit communicating the
key, and an ancillary polarization qubit serving as a security pass [61]. As in typical interferometric QKD systems,
the photon undergoes a roundtrip from Bob to Alice, where the time-bin qubit is modulated, and sent back to Bob
whereupon it is directed to two sets of detectors depending on its state of polarization. Entry into Bob’s receiver is
secured by a polarization randomizer applying a random transformation $U$ (based on Haar measure) that changes every
photon-roundtrip duration. Alice uses a Faraday mirror (FM) that switches the polarization qubit into an orthogonal
state so that as the photon crosses the polarization randomizer in the opposite direction, the randomization is cleared.
Since its state is only known to Bob, the randomizer is a secure polarization-based gateway that directs the photon to
specific detectors in the receiver.
Figure 1: (a) Optical layout of the QKD system. Bob creates single photons with time-bin (key) and polarization
(ancillary) qubits. The polarization qubit is randomized by an operator $U$, only known to Bob. Alice’s phase modulator
(PM) encodes the time-bin state by a phase $\varphi_A \in \{0, \pi\}$ or $\{\pi/2, 3\pi/2\}$. A Faraday mirror (FM)
compensates Bob’s back-tracing photon for all encountered polarization variations, including the randomization $U$.
The polarization-based Mach-Zehnder interferometer (PMZI) swaps the time-bin/polarization qubits for polarization/path
qubits. Therefore, the key qubit is measured in path $b$ in either diagonal-antidiagonal ($D/A$) or right-left ($R/L$)
circular polarization bases. The polarization randomizer $U$ – which may be implemented by means of high-speed
electro-optic polarization controller – is active against Eve’s fake photons and may direct them, without Eve’s notice,
to the alert detectors in path $a$. A click of the alert detectors in path $a$ is a sign for Eve’s intrusion. The
polarization switch $U_a$ alternates between measurement bases: $D/A$ and $R/L$. BS: beam splitter; PBS: polarization
beam splitter; PC: polarization controller; Cir: optical circulator; VA: variable attenuator; BF: narrow band-pass
filter. (b) The timeline for the operations on qubits of the three photonic degrees of freedom, path, time bin, and
polarization, during the course of a roundtrip from Bob to Alice and back along a channel $U_c$. The operator $U$
describes the polarization transformation, when light enters Bob’s system. In the opposite direction, it encounters a
transformation $U^T$. (c) Optical setup demonstrating Eve’s system. The half-wave plate HWP1 and the following
polarization-based two-path system control the purity of the polarization state via mixing orthogonal polarization
components of two subsequent laser pulses. The subsequent half- and quarter-wave plates, HWP2 and QWP, alter the
polarization state unitarily. The two-path system in the last stage performs the time-bin phase encoding.
The process begins as shown in Fig. 1(a) with Bob sending single-photon pulses along path $a$ in a polarization-path
state:
$$|\psi_1\rangle = \frac{1}{\sqrt{2}}\,(|H\rangle + |V\rangle)\,|a\rangle. \tag{1}$$
This is subsequently swapped for a time-polarization state
$$|\psi_2\rangle = \frac{1}{\sqrt{2}}\,(|t_l\rangle + |t_s\rangle)\,|H\rangle \tag{2}$$
by use of an unbalanced polarization-based Mach-Zehnder interferometer (PMZI) with a polarization controller (PC)
placed in its short arm, converting the V (H) polarization into H (V) polarization.
On Alice’s side, the leading time bin $|t_s\rangle$ is encoded with a phase shift $\varphi_A$ of $0$ or $\pi$, and
$\pi/2$ or $3\pi/2$. Upon reflection from the FM, the photon polarization is flipped to its orthogonal state. This
compensates for the undesired polarization changes accompanying the phase modulation [62], and also for the
birefringence-based polarization fluctuations along the optical fiber [63, 64]. Upon re-entry into Bob’s transceiver,
since $U$ is fixed during the photon roundtrip, its effect is also cancelled out by transmission in the opposite
direction. The state is now:
$$|\psi_3\rangle = \frac{1}{\sqrt{2}}\,(|t_l\rangle + e^{i\varphi_A}|t_s\rangle)\,|V\rangle. \tag{3}$$
Bob’s receiver is gated to select roundtrip passage via the short-long and the long-short arms of the PMZI. It is
also configured such that with single-photon interference in the PMZI, the time-polarization state $|\psi_3\rangle$ is
swapped back to a polarization-path state
$$|\psi_4\rangle = \frac{1}{\sqrt{2}}\,(|H\rangle + e^{i\varphi_A}|V\rangle)\,|b\rangle. \tag{4}$$
The photon is therefore directed to path $b$, which we call the secure path. As will be shown later, detection of a
photon in path $a$ is an indication that the system has been tampered with, and path $a$ is therefore called the alert
path.
After swapping the key qubit back to polarization, the BB84 measurement is performed passively in one of the conjugate
bases: diagonal-antidiagonal ($D/A$) or right-left ($R/L$) circular polarization. The system’s action on the different
degrees of freedom (path, time, and polarization) of the photon during its roundtrip course is illustrated in Fig. 1(b).
In yet another measure of added security, Bob randomly directs the received photon – in a managed way – to path $a$
instead of path $b$ for measurement. This is accomplished by appropriate control of the polarization randomizer. This
random-switching tactic unveils types of attacks that can bias triggering actions to path $b$ such as pulsed-blinding
[44, 55, 22] and wavelength-dependent attacks [69].
Alice’s phase coding and Bob’s gated detection require precise time synchronization between the two sides, which is
done via a wavelength-multiplexed classical channel carrying bright pulses. A portion of the power received by Alice is
monitored to detect Trojan horse attacks [63].
Here, an ideal single-photon source is assumed for convenience. To defend against the PNS attack, Bob applies a
decoy-state technique [65, 66, 67], verifying that his produced decoy pulses encounter the same single-photon loss.
3 Randomized routing of faked-state light
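Eve’s goal is to signal the detectors in the secure path $b$ without registering a click on the detectors of the alert
path $a$. In a typical intercept–resend strategy, Eve would measure Alice’s encoded state and then send faked-state
light in a phase modulated state $(|t_l\rangle + e^{i\varphi_E}|t_s\rangle)/\sqrt{2}$, mimicking the measured key qubit,
together with a polarization qubit in a state $\rho_p$. Upon transmission through the PMZI, and within the detection
window (centered at $t_s + t_l$), the state of Eve’s photon(s) becomes
$$\begin{aligned}
&\tfrac{1}{2}\,|H\rangle\langle H|\,\big(|b\rangle X + e^{i\varphi_E}|a\rangle\big)\,U\rho_p U^\dagger \\
&\quad\times \big(X\langle b| + e^{-i\varphi_E}\langle a|\big)\,|H\rangle\langle H| \\
&+ \tfrac{1}{2}\,|V\rangle\langle V|\,\big(|a\rangle X + e^{i\varphi_E}|b\rangle\big)\,U\rho_p U^\dagger \\
&\quad\times \big(X\langle a| + e^{-i\varphi_E}\langle b|\big)\,|V\rangle\langle V|.
\end{aligned} \tag{5}$$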
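The NOT operator $X$ is due to action of the PC in the PMZI. To obtain the which-path statistics, we trace over
polarization and obtain the reduced density operator of the path states
$$\begin{aligned}
&p_a\,|a\rangle\langle a| + \cos\varphi_E\,\langle H|U\rho_p U^\dagger|V\rangle\,|a\rangle\langle b| \\
&+ \cos\varphi_E\,\langle V|U\rho_p U^\dagger|H\rangle\,|b\rangle\langle a| + p_b\,|b\rangle\langle b|.
\end{aligned} \tag{6}$$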
The probability that Eve’s photon(s) end up in the alert path $a$ is $p_a = \langle H|U\rho_p U^\dagger|H\rangle$,
while that of reaching path $b$ is $p_b = 1 - p_a = \langle V|U\rho_p U^\dagger|V\rangle$. If Eve were to know the
operator $U$, she would be able to make $p_a = 0$ by use of a pure state $\rho_p = U^\dagger|V\rangle\langle V|U$. Not
knowing $U$, if she runs the conventional intercept-resend attack [1, 68] by measuring the Alice-encoded photon and
re-sending a new photon prepared in accordance with the measurement outcome to Bob, then the average probability that
it passes to path $a$ is 25% (obtained by averaging over the continuum of random realizations of $U$ based on Haar
measure, assuming ideal single-photon sources, measurements, and detection). This alert rate is on top of the normal
25% quantum bit error rate (QBER) of the BB84 key qubit.
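The cancellation of the randomizer for Bob's own photon (Section 2) and the single-pass path probability $p_a = \langle H|U\rho_p U^\dagger|H\rangle$ for Eve's light can be checked numerically; the Python code below is an added example, not code from the paper. It assumes the Faraday mirror acts as the Jones matrix $i\sigma_y$, models the fiber as a unitary $U_c$ traversed as its transpose on the outbound leg, and uses a constructed fixed polarization state for Eve. It evaluates only the polarization-dependent $p_a$ of Eq. (6), not the 25% alert rate that the text states for the full intercept-resend attack.

```python
import math
import random

H, V = [1, 0], [0, 1]
FM = [[0, 1], [-1, 0]]  # assumption: Faraday mirror as Jones matrix i*sigma_y

def haar_su2(rng):
    """Haar-random SU(2) matrix built from a uniform point on the 3-sphere."""
    x = [rng.gauss(0, 1) for _ in range(4)]
    n = math.sqrt(sum(v * v for v in x))
    a, b = complex(x[0], x[1]) / n, complex(x[2], x[3]) / n
    return [[a, -b.conjugate()], [b, a.conjugate()]]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def transpose(A):
    return [[A[j][i] for j in range(2)] for i in range(2)]

def dagger(A):
    return [[A[j][i].conjugate() for j in range(2)] for i in range(2)]

def apply(A, v):
    return [A[i][0] * v[0] + A[i][1] * v[1] for i in range(2)]

def genuine_roundtrip(U, Uc):
    """Bob's H-polarized photon: out through U^T and the fiber, FM, back in."""
    inbound = matmul(U, Uc)        # fiber Uc, then randomizer U (entering Bob)
    outbound = transpose(inbound)  # same elements traversed in reverse
    return apply(matmul(inbound, matmul(FM, outbound)), H)

def p_alert(U, psi):
    """p_a = <H|U rho_p U^dagger|H> for a pure polarization state psi."""
    return abs(apply(U, psi)[0]) ** 2

def simulate(n=20000, seed=1):
    rng = random.Random(seed)
    eve_guess = [1 / math.sqrt(2), 1j / math.sqrt(2)]  # constructed fixed state
    worst_leak = mean_pa = worst_informed = 0.0
    for _ in range(n):
        U, Uc = haar_su2(rng), haar_su2(rng)
        worst_leak = max(worst_leak, abs(genuine_roundtrip(U, Uc)[0]) ** 2)
        mean_pa += p_alert(U, eve_guess) / n
        # Only with knowledge of U can Eve prepare U^dagger|V> and get p_a = 0.
        worst_informed = max(worst_informed, p_alert(U, apply(dagger(U), V)))
    return worst_leak, mean_pa, worst_informed

if __name__ == "__main__":
    print(simulate())
```

The three returned values are the largest H-component power of Bob's returning photon over all draws, the Haar average of $p_a$ for Eve's fixed state, and the largest $p_a$ when Eve is given $U$.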
4 Necessary criteria for Bob’s detectors
4.1 Criteria formulation
A stealthier intercept–resend strategy, which we now investigate in more detail, is Eve’s use of blinding light together
with triggering multi-photon pulses [38, 39, 48, 45, 44]. Upon blinding, the SPD in the linear mode never clicks when
the triggering pulse energy is below a threshold $E_{\text{never}}$, and always clicks when the energy is greater than a
threshold $E_{\text{always}}$ [46, 44]. When the energy falls between these two levels, the detector clicks with a
probability between 0 and 1.