How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we...
Transcript of How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we...
![Page 1: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/1.jpg)
1
Lecture at Hacking at Random, August 14, 2009
How we eavesdroppedpp100% of a quantum cryptographic key% q yp g p y
Vadim Makarov, Qin Liu, Ilj G h dt A tí L Li Ch i ti K t i fIlja Gerhardt, Antía Lamas-Linares, Christian Kurtsiefer
Centre forQuantumTechnologies, Singapore
![Page 2: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/2.jpg)
2Outline
• Introduction to quantum cryptography
• The quantum cryptosystem at CQT
• Problems with photon detectors
• Att k th l t• Attack on the real system
• What was a photon? – Perspectives• What was a photon? Perspectives
![Page 3: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/3.jpg)
3Quantum cryptography timeline
ca. 1970 Concept (“money physically impossiblet t f it”)to counterfeit”)
1984 First key distribution protocol (BB84)1984 First key distribution protocol (BB84)
1989 Proof-of-the-principle experiment1993 Key transmission over fiber optic link
2004 First commercial offers (20~50 km fiber links)2004 First commercial offers (20 50 km fiber links)2007 200 km in fiber, 144 km free-space demonstrated2009 A quantum cryptosystem fully hacked :)2009 A quantum cryptosystem fully hacked :)
![Page 4: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/4.jpg)
4Key distribution
P bli (i ) BobAlice
Encoder Decoder
Public (insecure)channel
BobAliceMessageMessage
E d dEncoder DecoderEncoded message
Keyy
Secure channelSecure channel
• Secret key cryptography requires secure channel forSecret key cryptography requires secure channel for key distribution
• Quantum cryptography distributes the key• Quantum cryptography distributes the keyby transmitting quantum states in an open channel
![Page 5: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/5.jpg)
5Quantum key distribution
B bAlice
BobDiagonalAlice Diagonal detector basis
Horizontal-Diagonal
polarization filters0
1 Horizontalvertical detector basis
p
Horizontal-vertical polarization filters
01
Alice’s bit sequence 1 0 1 1 0 0 1 1 0 0 1 1 1 0
Light source
Bob’s measurement 1 0 0 1 0 0 1 1 0 0 0 1 0 0Bob’s detection basis
q
Retained bit sequence 1 – – 1 0 0 – 1 0 0 – 1 – 0Image reprinted from article: W. Tittel, G. Ribordy, and N. Gisin, "Quantum cryptography," Physics World, March 1998
![Page 6: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/6.jpg)
6Commercial offers (as of August 2009)
id Quantique VPN encryptor (AES)q(Switzerland) +
quantum keytSALE generatorSALE
€100,000(*maybe cheaper)
MagiQ
( maybe cheaper)
MagiQTechnologies VPN &
quantum key(USA)
q ygenerator
SmartQuantum VPN &
(France)quantum keygenerator
![Page 7: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/7.jpg)
7Motivation for attack
• How secure is quantum key distribution (QKD) practically?
To build the first complete working eavesdroppingworking eavesdropping
.experiment in the world!
• Eve lost the battle against security proofs but
she can exploit component imperfections(e.g., saturation and blinding behavior of passively-quenched APDs)
![Page 8: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/8.jpg)
8The system under attack
• QKD system from CQT in Singapore
♦ B i ll ll t l bl♦ Basically all systems vulnerable
• Entanglement based QKDEntanglement based QKD
♦ What is entanglement?
♦ How can it be used for QKD?
♦ What is Bell’s inequality…?
![Page 9: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/9.jpg)
9Entanglement
S1 2S1 2
![Page 10: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/10.jpg)
10Entanglement
• “Spooky action at a distance”
Ei t i P d l k d R 1935♦ Einstein, Podolsky and Rosen, 1935
♦ John Bell, 1964: How to measure what’s going on, g g
![Page 11: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/11.jpg)
11Bell state measurement
PBS PBS
SPBS PBS
Soutput port
1output port
2
output port1’
output port2’
![Page 12: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/12.jpg)
12Entanglement-based QKD
• No need for random numbersNo need for random numbers
• Different photons, different colors?♦ Dimensionality of Hilbert space needs to be known for
security, measuring Bell’s inequality
![Page 13: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/13.jpg)
13Entanglement-based QKD
New J. Phys. 11, 045007 (2009)
![Page 14: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/14.jpg)
14Entanglement-based QKD
• Pair source: ♦ Blue photon in, two red photons out♦ Strong temporally correlated ☺g p y♦ Spectrally broader than dimmed lasers
50 cm25 cm
![Page 15: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/15.jpg)
15Detection of photons
• Detection: Polarization analyzer
λ/2
50:50PBS
APD, 4 °
22.5°
+45°
PBS V
45°H -45°HJ.G. Rarity et al., J. Mod. Opt. 41, 2345 (1994)
![Page 16: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/16.jpg)
16Detector response
• Ideal and real detector response:
Ideal detector
]
Real detector
out [
#]C
licks
o
Detector should seelight, but is ‘blind’
C
Light in [# of photons] Pblind
![Page 17: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/17.jpg)
BIAS
APD
ComparatorPassively‐
17
390 kBIASvoltage
Comparatoryquenched detector 100
Si l h t
V
Single‐photon response
Bright V
rightillumination
D t t k t b l b kd lt k i l i l d !Detector kept below breakdown voltage, now works in classical mode!→ Detector is blind (”0”) to single photons→ Detector will click (”1”) if classical pulse above comparator threshold→ Detector will click ( 1 ) if classical pulse above comparator threshold
![Page 18: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/18.jpg)
18Control intensity diagrams
Popt
No clickP
Pbackground ≥ PblindPbackground
PPopt
threshold
Single clickPb k d
threshold
Faked statePbackground Faked state
![Page 19: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/19.jpg)
19Intercept-resend (faked-state) attack
Eve forces her detection result onto Bob by sendingBackground light to keep all detectors blinded (circular polarization)- Background light to keep all detectors blinded (circular polarization)
- Faked-state above intensity threshold to make target detector click(linear polari ation)(linear polarization)
I0/2
2I0 I0/2
0
I0
In conjugate basis faked-state is split in half below threshold (no click)In conjugate basis, faked state is split in half, below threshold (no click)
arXiv:0809.3408
![Page 20: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/20.jpg)
20Normal QKDQKD under attack
![Page 21: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/21.jpg)
2121Eavesdropping on installed QKD lineon campus of the National University of Singaporeon campus of the National University of Singapore
290 m of fiberEve
BobAlice
Bob
Satellite image ©Google
![Page 22: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/22.jpg)
2222Eve, installed and running
+ recording all classical+ recording all classicalcommunication Alice–Bob(Wireshark)
![Page 23: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/23.jpg)
23Does Eve really have 100% key information?
Clicks in Eve:Clicks in Eve and Bob:
45clic
ked
H
clic
ked
45H
0 1 2 3 4 5 6 7 8 9 10
+45V
-45
Det
ecto
r c
0 1 2 3 4 5 6 7 8 9 10
Det
ecto
r c
+45V
-45
Clicks in Bob:
0 1 2 3 4 5 6 7 8 9 10Time (ms)
0 1 2 3 4 5 6 7 8 9 10Time (ms)
-45clic
ked
H Good correlation
0 1 2 3 4 5 6 7 8 9 10
+45V45
Det
ecto
r
• Eve forcing a click in Bob: ≈97% probabilityMore clicks in Eve0 1 2 3 4 5 6 7 8 9 10Time (ms)
Eve forcing a click in Bob: 97% probability
• Eve has 100% information of the wiretappedline because Bob has to reveal which clicks
More clicks in Evedoesn’t matter
line, because Bob has to reveal which clickswere received
![Page 24: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/24.jpg)
24What about a ‘workaround’?
• Sure... there will be a workaround
♦ BUT♦ BUT:
♦ No universal security measure, like a ‘quantum state’!y , q
![Page 25: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/25.jpg)
25Generating arbitrary quantum states
• Eve is able to fake an EPR source
♦ Al i t ti f th i t♦ Also interesting for other experiments
• The laws of physics:
♦ Quantum correlations:
♦ No eavesdropper??♦ No eavesdropper??
• Applicable to schemes which expect single photons
![Page 26: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/26.jpg)
26Questions and perspectives:
• What is a photon?
♦ A h t i i l li k d t t♦ A photon is a single click on a detector…
(Anton Zeilinger)
♦ well....
• You cannot delegate security!• You cannot delegate security!
♦ Don’t trust ‘security’ in a black box, even if it’s y ,
expensive or called ‘quantum’
![Page 27: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/27.jpg)
27Our attack
• First experimental implementation
• Eve has 100% key information• Eve has 100% key information
D t t d d i d• Demonstrated eavesdropping under realistic conditions (290 m fiber run via4 b ildi )4 buildings)
![Page 28: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/28.jpg)
2828
Thank you. www.iet.ntnu.no/groups/optics/qcrwww.quantumlah.org
![Page 29: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/29.jpg)
29
More technical details about the attackMore technical details about the attack
that we didn’t have time to show in the talk
![Page 30: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/30.jpg)
Eve can exploit blinding of APD under bright illumination...and make a single photon detector work as a classical detector!
30
and make a single photon detector work as a classical detector!
EG&G SPCM‐200‐PQ
Entire Bob with four APDs (NUS)
Do‐it‐yourself (MSU)
PblindAbove Pblind, detector totally blind to single photons, dark counts, afterpulsesNew J. Phys. 11, 065003 (2009)
![Page 31: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/31.jpg)
31Bob control efficiency
![Page 32: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/32.jpg)
32Improved control intensity diagram
100% 0 %
100%
100%
100%0 %
![Page 33: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/33.jpg)
33Final Eve’s scheme
![Page 34: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/34.jpg)
34Timing performance
After Eve insertedChannel No.(Alice - Bob)
1-1
Channel No.(Alice - Bob)
1-11 2
Normal QKD without Eve After Eve’s delay stages adjusted
1-2 1-3 1-4
2 1
1-2 1-3 1-4
2-1 2-1 2-2 2-3 2-4
2-2 2-3 2-4
3 1 3-1 3-2 3-3 3-4
3-1 3-2 3-3 3-4
-507 -506 -505 -504
4-1 4-2 4-3 4-4-295 -294 -293 -292 -507 -506 -505 -504
4-1 4-2 4-3 4-4
Delay between Alice and Bob (ns)Delay between Alice and Bob (ns) Delay between Alice and Bob (ns)
FWHMavg. = 761 ps FWHMavg. = 779 ps
Compare the average FWHM of 16 combinations:→ After Eve inserted, the FWHMs is practically unchanged
![Page 35: How we eavesdropped - Quantum optics Lecture at Hacking at Random,August 14, 2009 How we eavesdropped 100% of a qqypgpyuantum cryptographic key Vadim Makarov, Qin Liu, Ilj G h dtIlja](https://reader034.fdocuments.net/reader034/viewer/2022042120/5e998f96ae16b4418e5c0223/html5/thumbnails/35.jpg)
3535Attack also works via free-space link
C lli t
Bob
Collimator
Eve’s faked state generator Instruments assessing performance of the attack