Security Evaluation of Practical Quantum Communication Systems

Modern information and communication technology (ICT), including internet, smart phones, cloud computing, global positioning system, e-commerce, e-Health, global communications and internet of things (IoT), all rely fundamentally - for identification, authentication, confidentiality and confidence - on cryptography. However, there is a high chance that most modern cryptography protocols will be annihilated upon the arrival of quantum computers. This necessitates taking steps for making the current ICT systems secure against quantum computers. The task is a huge and time-consuming task and there is a serious probability that quantum computers will arrive before it is complete. Hence, it is of utmost importance to understand the risk and start planning for the solution now. At this moment, there are two potential paths that lead to solution. One is the path of post-quantum cryptography: inventing classical cryptographic algorithms that are secure against quantum attacks. Although they are hoped to provide security against quantum attacks for most situations in practice, there is no mathematical proof to guarantee unconditional security (`unconditional security' is a technical term that means security is not dependent on a computational hardness assumption). This has driven many to choose the second path: quantum cryptography (QC). Quantum cryptography - utilizing the power of quantum mechanics - can guarantee unconditional security in theory. However, in practice, device behavior varies from the modeled behavior, leading to side-channels that can be exploited by an adversary to compromise security. Thus, practical QC systems need to be security evaluated - i.e., scrutinized and tested for possible vulnerabilities - before they are sold to customers or deployed in large scale. Unfortunately, this task has become more and more demanding as QC systems are being built in various style, variants and forms at different parts of the globe. Hence, standardization and certification of security evaluation methods are necessary. Also, a number of compatibility, connectivity and interoperability issues among the QC systems require standardization and certification which makes it an issue of highest priority. In this thesis, several areas of practical quantum communication systems were scrutinized and tested for the purpose of standardization and certification. At the source side, the calibration mechanism of the outgoing mean photon number - a critical parameter for security - was investigated. As a prototype, the pulse-energy-monitoring system (PEMS) implemented in a commercial quantum key distribution (QKD) machine was chosen and the design validity was tested. It was found that the security of PEMS was based on flawed design logic and conservative assumptions on Eve's ability. Our results pointed out the limitations of closed security standards developed inside a company and highlighted the need for developing - for security - open standards and testing methodologies in collaboration between research and industry. As my second project, I evaluated the security of the free space QKD receiver prototype designed for long-distance satellite communication. The existence of spatial-mode-efficiency-mismatch side-channel was experimentally verified and the attack feasibility was tested. The work identified a methodology for checking the spatial-mode-detector-efficiency mismatch in these types of receivers and showed a simple, implementable countermeasure to block this side-channel. Next, the feasibility of laser damage as a potential tool for eavesdropping was investigated. After testing on two different quantum communication systems, it was confirmed that laser damage has a high chance of compromising the security of a QC system. This work showed that a characterized and side-channel free system does not always mean secure; as side-channels can be created on demand. The result pointed out that the standardization and certification process must consider laser-damage related security critical issues and ensure that it is prevented. Finally, the security proof assumptions of the detector-device-independent QKD (ddiQKD) protocol - that restricted the ability of an eavesdropper - was scrutinized. By introducing several eavesdropping schemes, we showed that ddiQKD security cannot be based on post selected entanglement. Our results pointed out that testing the validity of assumptions are equally important as testing hardware for the standardization and certification process. Several other projects were undertaken including security evaluation of a QKD system against long wavelength Trojan-horse attack, certifying a countermeasure against a particular attack, analyzing the effects of finite-key-size and imperfect state preparation in a commercial QKD system, and experimental demonstration of quantum fingerprinting. All of these works are parts of an iterative process for standardization and certification that a new technology - in this case, quantum cryptography- must go through before being able to supersede the old technology - classical cryptography. I expect that after few more iterations like the ones outlined in this thesis, security of practical QC will advance to a state to be called unconditional and the technology will truly be able to win the trust to be deployed on large scale

Invisible Trojan-horse attack

We demonstrate the experimental feasibility of a Trojan-horse attack that remains nearly invisible to the single-photon detectors employed in practical quantum key distribution (QKD) systems, such as Clavis2 from ID Quantique. We perform a detailed numerical comparison of the attack performance against Scarani-Acin-Ribordy-Gisin (SARG04) QKD protocol at 1924nm versus that at 1536nm. The attack strategy was proposed earlier but found to be unsuccessful at the latter wavelength, as reported in N.~Jain et al., New J. Phys. 16, 123030 (2014). However at 1924nm, we show experimentally that the noise response of the detectors to bright pulses is greatly reduced, and show by modeling that the same attack will succeed. The invisible nature of the attack poses a threat to the security of practical QKD if proper countermeasures are not adopted.Comment: 8 pages, 3 figures, due to problem in the compilation of bibliography, we are uploading a corrected versio

Bright-light detector control emulates the local bounds of Bell-type inequalities

It is well-known that no local model - in theory - can simulate the outcome statistics of a Bell-type experiment as long as the detection efficiency is higher than a threshold value. For the Clauser-Horne-Shimony-Holt (CHSH) Bell inequality this theoretical threshold value is $\eta_{\text{T}} = 2 (\sqrt{2}-1) \approx 0.8284$. On the other hand, Phys.\ Rev.\ Lett.\ 107, 170404 (2011) outlined an explicit practical model that can fake the CHSH inequality for a detection efficiency of up to $0.5$. In this work, we close this gap. More specifically, we propose a method to emulate a Bell inequality at the threshold detection efficiency using existing optical detector control techniques. For a Clauser-Horne-Shimony-Holt inequality, it emulates the CHSH violation predicted by quantum mechanics up to $\eta_{\text{T}}$. For the Garg-Mermin inequality - re-calibrated by incorporating non-detection events - our method emulates its exact local bound at any efficiency above the threshold. This confirms that attacks on secure quantum communication protocols based on Bell violation is a real threat if the detection efficiency loophole is not closed.Comment: 7 pages, 3 figure

Insecurity of detector-device-independent quantum key distribution

Detector-device-independent quantum key distribution (ddiQKD) held the promise of being robust to detector side-channels, a major security loophole in QKD implementations. In contrast to what has been claimed, however, we demonstrate that the security of ddiQKD is not based on post-selected entanglement, and we introduce various eavesdropping strategies that show that ddiQKD is in fact insecure against detector side-channel attacks as well as against other attacks that exploit device's imperfections of the receiver. Our attacks are valid even when the QKD apparatuses are built by the legitimate users of the system themselves, and thus free of malicious modifications, which is a key assumption in ddiQKD.Comment: 7 pages, 5 figures, 1 tabl

Testing random-detector-efficiency countermeasure in a commercial system reveals a breakable unrealistic assumption

In the last decade, efforts have been made to reconcile theoretical security with realistic imperfect implementations of quantum key distribution (QKD). Implementable countermeasures are proposed to patch the discovered loopholes. However, certain countermeasures are not as robust as would be expected. In this paper, we present a concrete example of ID Quantique's random-detector-efficiency countermeasure against detector blinding attacks. As a third-party tester, we have found that the first industrial implementation of this countermeasure is effective against the original blinding attack, but not immune to a modified blinding attack. Then, we implement and test a later full version of this countermeasure containing a security proof [C. C. W. Lim et al., IEEE Journal of Selected Topics in Quantum Electronics, 21, 6601305 (2015)]. We find that it is still vulnerable against the modified blinding attack, because an assumption about hardware characteristics on which the proof relies fails in practice.Comment: 12 pages, 12 figure

Attacking quantum key distribution by light injection via ventilation openings

Quantum cryptography promises security based on the laws of physics with proofs of security against attackers of unlimited computational power. However, deviations from the original assumptions allow quantum hackers to compromise the system. We present a side channel attack that takes advantage of ventilation holes in optical devices to inject additional photons that can leak information about the secret key. We experimentally demonstrate light injection on an ID~Quantique Clavis2 quantum key distribution platform and show that this may help an attacker to learn information about the secret key. We then apply the same technique to a prototype quantum random number generator and show that its output is biased by injected light. This shows that light injection is a potential security risk that should be addressed during the design of quantum information processing devices

Publisher Correction: Invisible Trojan-horse attack

A correction to this article has been published and is linked from the HTML version of this paper. The error has been fixed in the paper

Experimental quantum key distribution with source flaws

Decoy-state quantum key distribution (QKD) is a standard technique in current quantum cryptographic implementations. Unfortunately, existing experiments have two important drawbacks: the state preparation is assumed to be perfect without errors and the employed security proofs do not fully consider the finite-key effects for general attacks. These two drawbacks mean that existing experiments are not guaranteed to be secure in practice. Here, we perform an experiment that for the first time shows secure QKD with imperfect state preparations over long distances and achieves rigorous finite-key security bounds for decoy-state QKD against coherent attacks in the universally composable framework. We quantify the source flaws experimentally and demonstrate a QKD implementation that is tolerant to channel loss despite the source flaws. Our implementation considers more real-world problems than most previous experiments and our theory can be applied to general QKD systems. These features constitute a step towards secure QKD with imperfect devices.Comment: 12 pages, 4 figures, updated experiment and theor