Homodyne-detector-blinding attack in continuous-variable quantum key distribution

Homodyne-detector-blinding attack in continuous-variable quantum key distribution

Hao Qin qinhao@casquantumnet.com Institute for Quantum Computing, University of Waterloo, Waterloo, ON, N2L 3G1 Canada Department of Combinatorics and Optimization, University of Waterloo, Waterloo, ON, N2L 3G1 Canada Department of Physics and Astronomy, University of Waterloo, Waterloo, ON, N2L 3G1 Canada CAS Quantum Network Co., Ltd., 99 Xiupu road, Shanghai 201315, People’s Republic of China    Rupesh Kumar Department of Physics, University of York, York YO10 5DD, UK    Vadim Makarov Russian Quantum Center and MISIS University, Moscow, Russia Department of Physics and Astronomy, University of Waterloo, Waterloo, ON, N2L 3G1 Canada    Romain Alléaume Télécom ParisTech, LTCI, 46 rue Barrault, 75634 Paris Cedex 13, France
July 16, 2019
Abstract

We propose an efficient strategy to attack a continuous-variable quantum key distribution (CV-QKD) system, that we call homodyne detector blinding. This attack strategy takes advantage of a generic vulnerability of homodyne receivers: a bright light pulse sent on the signal port can lead to a saturation of the detector electronics. While detector saturation has already been proposed to attack CV-QKD, the attack we study in this paper has the additional advantage of not requiring an eavesdropper to be phase locked with the homodyne receiver. We show that under certain conditions, an attacker can use a simple laser, incoherent with the homodyne receiver, to generate bright pulses and bias the excess noise to arbitrary small values, fully comprising CV-QKD security. These results highlight the feasibility and the impact of the detector blinding attack. We finally discuss how to design countermeasures in order to protect against this attack.

I Introduction

Quantum Key distribution (QKD) Scarani et al. (2009); Gisin et al. (2002) is one of the most important and practical applications of quantum information processing. It has already been made commercially available and has deployed in test and production environments. QKD allows two remote parties Alice and Bob, to establish a secret key over a public quantum channel, assisted by a classical communication channel. QKD security can notably be guaranteed even against computationally unbounded adversaries, making QKD the only available information-theoretic secure key establishment scheme practically available to date, beyond the use of physically-protected secret couriers. QKD information-theoretic security is however relies on some minimal set of assumptions: Alice and Bob labs, where secret information is stored and processed, should not leak this information to the outside world, moreover, Alice and Bob hardware (laser, modulators, detectors) are supposed to behave (at least approximately) according to an abstracted model, that then allows to proof theoretical security. However, in practice, the real-world QKD implementations not act exactly verify the aforementioned assumptions and such deviations may lead to vulnerabilities and enable an eavesdropper, Eve, to launch so-called side channel attacks and break the security of practical QKD devices.

In discrete-variable (DV) QKD, single photon detector (SPD) is the most exposed device, from the implementation security viewpoint, and several attack strategies have been proposed to exploit SPD vulnerabilities and attack DV-QKD implementations. Attacks such as time shift Qi et al. (2007); Zhao et al. (2008), after gate Wiechers et al. (2011), blinding Makarov (2009), spatial mode mismatch Sajeed et al. (2015a) attacks and etc. may all lead to security breach. Among those attacks, the blinding attack is probably considered as the most powerful attack, as this attack strategy allows Eve to actively control Bob’s SPD remotely, using intense light. Such kind of attack has been experimentally demonstrated on commercial QKD systems Lydersen et al. (2010a) and in a full-field deployment Gerhardt et al. (2011). Various countermeasures Huang et al. (2016); Lydersen et al. (2010b) have been proposed against detector-based attacks. However only measurement-device-independent (MDI) QKD Lo et al. (2012); Braunstein and Pirandola (2012), i.e. QKD protocols where security can be established without trusting the detector, can firmly demonstrate to be immune against these attacks targeting SPDs.

Continuous-variable QKD (CV-QKD) Weedbrook et al. (2012), is another promising approach to perform quantum key distribution. It relies on continuous modulation of the light field quadratures and measurements with coherent detection (homodyne or heterodyne detectors) instead of SPDs in DV-QKD system. Benefiting from coherent detection, CV-QKD can be fully implemented with off-the-shelf optical communication components Lodewyck et al. (2007a); Fossier et al. (2009); Jouguet et al. (2013a). Moreover, the local oscillator (LO) in the coherent detection acts as a ”built-in” filter to efficiently remove any noise photons in different modes, which enable CV-QKD to be deployed in co-existence with intense classical channels over optical networks Kumar et al. (2015) and to be possibly implemented in day light free space environments. CV-QKD practical implementations however also suffer from potential vulnerabilities. For example LO manipulation is a long standing security problem: if LO is sent on the public channel, then an attacker can modify LO pulses in different ways Jouguet et al. (2013b); Ma et al. (2014a, 2013); Huang et al. (2013, 2014) and learn secret keys without being discovered. A generic solution to this issue has however been recently proposed: by generating locally the LO (LLO) pulses at Bob side Qi et al. (2015); Soh et al. (2015); Huang et al. (2015); Marie and Alléaume (2017). Regarding the homodyne detection (HD), which is a central component in CV-QKD, it has been shown in Qin et al. (2013, 2016), under the name “saturation attack” that HD saturation can be induced by an attacker and exploited to launch attacks that can fully break CV-QKD security. More precisely it has been shown that HD saturation induced by a coherent displacement can bias the excess noise estimation and conceal the presence of an eavesdropper, performing intercept-resend attack on the signals sent by Alice. However, coherently displacing the signal sent by Alice, without adding detectable excess noise is highly challenging, making this attack strategy difficult to implement in practice.

In this paper, inspired by the blinding attack in DV-QKD, we propose a simple and practical way to saturate a homodyne detector with finite linear detection range. The attack exploits the loss imbalance of the two ports, in a balanced HD and consists in sending a bright pulse onto the signal port, to induce electronic saturation. Such loss imbalance is quite generic to any HD implementation: the two photodiodes quantum efficiencies as well as the beam-splitter reflection/transmittance coefficients are never perfectly balanced. This implies the need for additional balancing, that is in general ensured by introducing some variable attenuation in one of the optical arms. Such balancing must be done with precision with respect to the LO port, since LO pulses are intense. But as a consequence, a good balancing in practice cannot, in return, be guaranteed with respect to the other port, i.e. the signal port. As a consequence, any relatively strong light impinging on the signal port will produce a comparatively stronger photocurrent on one of the HD photodetectors, which will further cause HD’s amplifier electronic saturation.

Due to HD saturation, Bob’s HD output signals are limited within some finite range. This however violates a basic assumption generally used in CV-QKD security proof: linearity, namely that Bob’s HD output signal is supposed to be linearly proportional to the input optical quadratures. The principle of the blinding attack we introduce here consists, for Eve, to actively drive Bob’s HD into a saturated response mode, by sending strong external pulses on the signal port. We will show that such manipulation can be used to reduce the estimated excess noise, under certain conditions. More precisely, we will show that combining the sending of strong light pulses to Bob, with a full intercept-resend attack, Eve can break the security of the widely used Gaussian Modulated Coherent State (GMCS) CV-QKD protocol Grosshans and Grangier (2002); Grosshans et al. (2003). We will analyze the conditions such that Eve can achieve a full security break, illustrating that this attack can be implemented with current technologies and a low-complexity experimental system. Importantly, our attack only targets on the HD which means even the recent proposed LLO CV-QKD scheme is not immune to this attack if no countermeasure is considered. This highlights that detector loopholes also exist in CV-QKD and can potentially affect all CV-QKD implementations. Finally we will discuss possible countermeasures against detector-based attacks in CV-QKD and compare them with countermeasures against blinding attack in DV-QKD.

This paper is organized as follows. In Sec. II, we present the security basis of GMCS CV-QKD: parameter estimation and its relation to quantum hacking. In Sec. III, we study experimentally several imperfections of a practical HD and predict the shot noise measurements with the proposed HD model. In Sec. IV, we introduce the attack strategy of the HD blinding attack. In Sec. V, we perform the security analysis of the proposed strategy and demonstrate its security breach feasibility in simulations. At last, we discuss possible countermeasures against HD blinding attack in CV-QKD in Sec. VI, and conclude in Sec. VII.

Ii Practical security in CV-QKD

In this section, we briefly present the Gaussian Modulated Coherent State (GMCS) CV-QKD protocol. This protocol is widely used, notably thanks to a well-understood security proof, base on the optimality of Gaussian attacks Diamanti and Leverrier (2015). We will be focused on the GMCS protocol throughout the paper, and illustrate in this section the connection between the parameter estimation phase, and the practical attack strategy.

ii.1 GMCS protocol and parameter estimation

In GMCS protocol Grosshans and Grangier (2002), Alice prepares the coherent state as the quantum signal, in which amplitude and phase quadratures are continuously modulated with a centered Gaussian distribution with a variance . The shot noise is the HD variance when the input signal is vacuum field. At Bob’s side, he performs HD on Alice’s signal by interfering it with strong phase reference LO. Bob randomly chooses to apply a phase modulation or on LO in order to measure quadrature or in phase space. Note that, it is not necessary for Alice to send LO over the insecure channel, Bob can generate the LO at his side and recover the phase information with help of additional reference pulses from Alice Qi et al. (2015); Soh et al. (2015); Huang et al. (2015); Marie and Alléaume (2017). By repeating such process and sifting, Alice and Bob then obtain correlated Gaussian variables as the raw keys. With reverse reconciliation Grosshans and Grangier (2002); Jouguet et al. (2011), Alice and Bob can extract an identical bits string from the correlated variables and obtain a secret key through privacy amplification.

In order to estimate Eve’s knowledges on the raw key and eliminate them in privacy amplification, an important step for Alice and Bob is to perform the parameter estimation to estimate excess noise, channel transmission and secret key rate. Security proofs of CV-QKD show that Gaussian attack is the optimal one which has been proven in collective attacks with asymptotic limit García-Patrón and Cerf (2006); Navascués et al. (2006), in recent composable security proofLeverrier (2015) and in arbitrary attacks with finite size Leverrier (2017). Such security proofs enable Alice and Bob to describe their quantum channel as a Gaussian linear channel which connects the raw data and with a Gaussian noise factor . This channel model allows Alice and Bob to determine the two characteristics of the quantum channel: excess noise and channel transmission by performing four measurements. Particularly, Alice’s modulation variance , Bob’s HD variance , Alice-Bob covariance and shot noise calibration of Bob’s HD variance when there is only LO input:

(1)
(2)
(3)
(4)

in which and are Bob’s HD overall efficiency and electronic noise which are calibrated before QKD, is the shot noise variance. Alice and Bob can extract a portion of the raw key and estimate the channel transmission based on Eqs. 2 and 1; and excess noise in shot noise units based on Eqs. 4 and 3. They can then estimate the security key rate with a given security proof and decide whether to proceed to the key generation step or abort the protocol if there the secure key rate estimation is non-positive. Note that we need to take statistical fluctuation into account for the variance measurements with a realistic data block size Jouguet et al. (2012) in practice. In this paper, we want to emphasize the idea of the attack strategy, we only consider the collective attacks in asymptotic limit ().

ii.2 Quantum hacking in CV-QKD

The goal of Eve’s quantum hacking on CV-QKD system is to steal Alice and Bob’s secret keys without being discovered. To achieve this, Eve is allowed to use every possible measure that is allowed by quantum mechanics to attack the open quantum channel. Some CV-QKD quantum hacking strategies such as wavelength attack Huang et al. (2013) and LO intensity fluctuation attack Ma et al. (2014a) are only possible in theory that Eve has full access to future quantum computer with enough quantum memory. Under such cases, loopholes lead to increase of Eve’s mutual information with Alice or Bob and to decrease the final secret key rate. It is however more important to study possible quantum hacking strategies in a realistic scenario when Eve’s power is limited by current technologies, as it would bring immediate threats to CV-QKD security.

In CV-QKD, excess noise estimation is the reference for Alice and Bob to decide to abort the protocol or proceed to key generation. Any flaw in the excess noise estimation can lead to security problem that Eve’s attack action is undiscovered, which may fully compromise CV-QKD security. In order to attack CV-QKD with current technologies, Eve can perform an intercept-resend (IR) attack by using optical heterodyne detection Lodewyck et al. (2007b) which corresponds to a “entanglement breaking” channel. Under IR attack, Eve always has an information advantage over Alice and Bob but she also introduces at least into their excess noise estimation due to the heterodyne measurement disturbance and coherent state shot noise. Meanwhile, Eve can take advantage of CV-QKD implementation imperfections to formalize particular attack strategies to bias Alice and Bob’s excess noise estimation in order to hide her IR action and achieve a full security breach. For examples, in calibration attack Jouguet et al. (2013b), Eve delays the LO pulse such that Alice and Bob overestimate the shot noise based on their pre-established calibration, which results in underestimation of the excess noise. In saturation attack Qin et al. (2013, 2016), Eve induces saturation on Bob’s HD measurement and directly bias Alice and Bob’s excess noise. In this paper, we also follow this idea and will take advantage of several imperfections in a HD to archive a security breach on GMCS CV-QKD implementations.

Iii Imperfect homodyne detection in CV-QKD

In this section, we analyze HD imperfections such as imbalance and electronics saturation. These HD imperfections are the key elements that will be used in the HD blinding attack strategy.

iii.1 Practical homodyne detection with imperfections

Figure 1: A simplified scheme of a practical HD, BS: beam-splitter, VOA: variable optical attenuator, PD: photodiode, AMP: amplifiers, ADC: analog-to-digital converter, solid line: optical signal, dash line: electronic signal.

In the context of CV-QKD , HD performance is usually measured by its overall efficiency and its electronic noise Lodewyck et al. (2007a); Jouguet et al. (2013a). However, imperfections such as limited bandwidth, linearity range, imperfect balance, etc., can also affect HD behavior and potentially impact on CV-QKD performance Kumar et al. (2012). Some of these HD imperfections may even open security loopholes in CV-QKD to Eve which need to be carefully studied. Here, we are particularly interested in the imperfection of the HD on the optical part: imbalanced 50/50 beam-splitter (BS) and on the electronic part: finite linear range of detection.

As shown in Fig. 1, a practical HD consists both optical and electronic parts. The input optical signals and LO pulses go into the two ports of 50/50 BS and with one another. Two output optical pulses then travel to two identical p-i-n photodiodes (PDs) which convert optical lights into two photocurrents with finite quantum efficiencies. An electronic subtraction is then performed on the two photocurrents and the subtracted photocurrent is amplified into a small voltage through a trans-impedance amplifier or a charge amplifier. The voltage signal is further amplified by a second stage amplifier to be detected by the Analog-to-digital converter (ADC) device (i.e., oscilloscope or data acquisition card). The final digitized data is so-called HD output signal which is proportional to the input optical quadratures. The selection of the quadrature is dependent on the relative phase between LO and signal pulse.

Thanks to the subtraction of HD, most LO intensities are eliminated while the rest energy carries the small quantum signal fluctuation which is “amplified” by LO’s amplitude. However due to the imbalance imperfection of the HD, a non-negligible leakage of LO contributes to the final HD output signal as an offset. Such leakage may also contribute LO intensity fluctuation noise into HD measurements if LO intensity is relatively high Chi et al. (2011). In order to adjust the balance of HD, a variable optical attenuator (VOA) and a variable delay line (VDL) need to be added to one of the optical paths after the 50/50 BS. The balancing of HD is evaluated by the common-mode rejection ratio (CMRR) which is defined as with as the overall imbalance factor Chi et al. (2011), quantifies the small deviation that varies from a perfect balanced HD. For example, a typical CMRR value of a well balanced HD is around Kumar et al. (2012) which means the difference between the two photocurrents before subtraction is over their total currents.

In order to quantify the impact of such imbalance imperfection on HD, we analyze the case of shot noise measurement when there is no signal but only LO pulses sent into HD, in which we look at the first and second moment of HD statistics: mean and variance. To simplify the analysis, we consider the model of unbalanced HD with two ports in Ref. Ma et al., 2013. If there is only LO impinging on HD, the HD output state can be given:

(5)

in which is the overall transmission of HD, which includes the transmission of the 50/50 BS, optical loss in the optical path and efficiency of the PD while is the overall reflection, is thus the overall imbalance factor. is the number of photons per one LO pulse (which is linear dependent on LO power or intensity), is the vacuum state, is the HD electronic noise with a variance of . We observe that the HD output is displaced by a value [first term in Eq. 5] that is linearly proportional to due to LO leakage, which directly determine the mean of :

(6)

here the vacuum state is centered on zero , and we assume the offset due to the HD electronics is small enough to be neglected . We can further deduce the HD variance based on Eq. 5 with the definition of variance:

(7)

in which is the intensity fluctuation ratio of LO over the measurement time and the first quadratic term of is the noise variance due to LO intensity fluctuations Chi et al. (2011). If we consider a typical CV-QKD implementation Jouguet et al. (2013a) with a low LO power as the order of and HD is adjusted to be balanced (), we can neglect the LO intensity fluctuation noise and the degradation effect due to imbalance as the factor . Eq. 7 can be further simplified into:

(8)

where the first term is known as the shot noise in CV-QKD, which is proportional to and it can be interpreted as the HD signal variation due to interference between LO and the vacuum state with . The amplification of LO also applies to vacuum state which attributes to the term of in Eq. 8. As shown in Eq. 5 and Eq. 7, LO leakage due to HD imbalance contributes an offset of in HD output signals and associated LO intensity noises in the HD variance measurement.

Beside the HD imbalance imperfection, finite linear detection range of the electronics part can also influence HD measurements and may lead to security loopholes Qin et al. (2013, 2016). An important assumption in CV-QKD is that Bob’s HD measurement varies linearly with the input optical quadrature. However such assumption does not always hold in a practical HD, because if input field quadrature overpasses certain threshold, the corresponding photocurrent would be relatively large, which can saturate the electronics and results in saturation of HD output signal. Electronics saturations usually happen on the amplifier or on the data acquisition card (DAQ). Depends on the specific electronics design, the amplifiers usually saturate at few volts which is the intrinsic characteristics of the electronics. DAQ detection range in CV-QKD is usually set to a small range (typically between and ) to ensure its measurement step precision, in principle, this range can be set as large as possible but not infinite. However the overall linear detection range is still limited by the amplifier. Two p-i-n PDs in HD can also become saturated mainly due to screening of the electric field caused by photo-generated carriers Williams et al. (1992). However such limit is often relatively high (e.g., few mW for Thorlabs FGA01FC) and total optical power of LO and signal in CV-QKD system is much lower than this limit. Thus PD saturation is usually not the reason causes HD saturation and we consider this realistic assumption in this paper. In practice, HD saturation is unavoidable and it is important to make sure HD works in the linear region. HD saturation effect can be modeled by a simple HD model Qin et al. (2013, 2016) with upper and lower bounds and , where Bob’s HD output signal after ADC can be given as:

(9)

in which is given by Eq. 5. This model shows that the linearity range of HD is limited by [], otherwise HD output signals will be saturated to the limits. The limits and need to be calibrated in practice and they are dependent on HD electronics as mentioned. Due to HD saturation, variations of HD signals become much lower compared to the case in linear detection region, which will affect the correctness of HD statistic measurements Qin et al. (2013, 2016). Moreover, when there is also the offset due to imbalance imperfection on HD, it can significantly change the pre-calibrated linear detection ranges if the offset factor becomes comparable to or , which needs to be further studied in experiments.

iii.2 Experimental analysis on a practical homodyne detector

In order to study influences of HD imbalance and electronics saturation on HD output signals, we design a simple experimental test on HD shot noise measurement. We slightly modify the standard shot noise measurement procedure and compare the results under different balancing settings. The key idea of this test is that we intentionally unbalance HD to study its influence on HD saturation limit and further on HD output signals.

The experimental setup can be refereed to Fig. 1 where we only send LO pulses and then measure HD signals. We use a distributed feedback (DFB) laser (Alcatel LMI1905) to first prepare a train of optical pulses with pulse widths 100 ns and repetition rate at 1 MHz as LO pulses. Our HD consists of two PDs (JDS Uniphase EPM 605), the AmpTek A250 as the first stage amplifier with a charge amplifier setting and a MAX4107 as the second stage amplifier. This HD features a low noise (with a noise variance at the order of ) and a low bandwidth (about 10 MHz). We send LO pulses into port 2 of HD (Fig. 1) and roughly minimize the HD output by adjusting optical loss of one path in order to balance the HD, which is considered as the 1st HD balance setting. After measuring the average optical power of the input pulses with a power meter, we then record HD signals over 1 second which corresponds to pulses. We adjust our DAQ (Model NI6111) detection range to as the detection limits. Any HD signals out of this range will be saturated to or . Note this is not the saturation limit of our HD amplifier which is about , but we want to limit the linear detection range to be small in order to highlight its influence on HD signals. Based on the measured HD signals, we then estimate the mean and variance of this set of data, which is considered as one shot noise measurement for a given LO intensity. With the same balance setting, we repeat this shot noise measurement by gradually increasing LO intensity.

Figure 2: Characterization of HD output voltage statistics, in absence of signal: under two different balancing conditions (solid lines and dashed lines). (a) Mean value () versus LO power. (b) Variance () versus LO power.

The experimental results for the 1st setting are shown as blue squares in Fig. 2. As shown in Fig. 2(a), the mean value first increases linearly with respect to LO intensity, which matches the prediction of Eq. 6. However, when the LO intensity reaches to about 35 , the mean value stops increasing but saturates at . This is obviously due to the HD saturation effect predicted by Eq. 9 when the imbalance offset reaches to the detection upper limit . By applying Eq. 7 into Eq. 9 and fitting experimental data in the linear region, we successfully predict the behavior of HD mean values as shown on the blue solid curve in Fig. 2(a).

Regarding to variance measurements, from Fig. 2(b) we can verify that HD variance increases linearly with LO intensity which matches the prediction of Eq. 7. Similarly, when LO intensity reaches to a relatively high value around 35 , the variance drops quickly and becomes zero at about 45 . It is because the HD signals variation becomes much lower when HD is saturated as any HD signal fluctuations beyond have been cut off. We also observe that HD variance does not immediately turn into zero, because only parts of HD signals due to vacuum fluctuations have been limited by between 35 and 45 LO intensity. We use the saturation model [Eq. 9] and shot noise variance [Eq. 7] to simulate HD variance behaviors as for the blue solid curve. As shown in Fig. 2(b), the simulation curve matches the behaviors of experimental HD variances data, which means we can account for the saturation model for further analysis.

In order to illustrate the impact of HD imbalance on HD signals, we now slightly adjust the optical loss of one path after BS to unbalance the HD. Such balance setting (2nd) imposes more LO leakage, which will further affect the behaviors of HD means and variances. With this balance setting, we repeat HD statistic measurements mentioned above and compare them with previous results at same LO intensity levels. Experimental and simulation results are shown as red diamonds and dashed curves in Fig. 2, respectively. As shown in Fig. 2(a), HD mean under 2nd setting reaches to saturation limit around compared to the one at in the 1st setting. It confirms Eq. 7 that HD offset due to LO intensity leakage is proportional to and thus the equivalent displacements on HD signals of the 2nd setting is larger than the one of the 1st setting. In consequence, HD signal of 2nd setting reaches to the detection limit at a smaller value of LO intensity compared to the 1st setting, which can be observed by experimental (red diamonds) and simulation (red dashed curve) data in Fig. 2(b). The simulation curves also confirm the HD statistical behaviors, which shows that HD imbalance imperfections can influence the relation between HD saturation level and LO input intensity at a certain extent. Note in CV-QKD, HD is designed to precisely detect weak quantum signals, it can be saturated easily if the HD is not well balanced as LO intensity is usually many orders of magnitude stronger than quantum signal Chi (2009); Fossier (2009).

These experimental and simulation results inspire us to formalize a new attack strategy in CV-QKD similar to blinding attack in DV-QKD, where Eve inserts external lights into signal port of Bob’s HD to influence HD output signals by taking advantage of HD imbalance and saturation imperfections.

Iv Homodyne detector blinding attack on GMCS CV-QKD

iv.1 Principle of the attack

Based on the previous analysis, Eve can formalize a simple strategy to saturate Bob’s HD output signal by sending another incoherent classical light into HD’s signal port instead of preparing coherent displacement as in saturation attack Qin et al. (2013, 2016). Since Bob balances his HD with respect to the LO light that goes into LO port, any relatively strong light going into signal port cannot be subtracted as much as the one on LO port. Thus the external light contributes a strong offset on the HD output signal, at certain point it can cause HD saturation as shown in the previous section. In order to prevent inference with LO pulses, Eve can send the external lights in a different mode of the LO pulse, in practice she can use a different wavelength other than the one used for LO pulses. Moreover, due to the BS wavelength dependent properties, Eve has the possibility to “control” the transmission of Bob’s BS by selecting proper wavelength of the external light Huang et al. (2013); Ma et al. (2013); Li et al. (2011). On the other hand, the two PDs used in HD are classical detectors and usually have large wavelength ranges (typically from 800-1700 nm). Any lights in the sensitive range of the PD can produce photocurrents and contribute to final HD signals, which is impossible for Alice and Bob to distinguish the source of light by only measuring HD signals. However, as Eve’s external light is incoherent with Alice and Bob’s LO in CV-QKD, the external lights contribute excess noises into Alice and Bob’s HD measurements. On the other hand, such excess noises due to the external lights can be “sufficiently filtered” by the LO pulses, in the sense that external light is not interfered with LO and the related excess noise will be further normalized by a factor of .

As mentioned, in order to break the security with current technologies, Eve can combine this strategy with the IR attack. If Bob’s HD works in the linear region, Alice and Bob can always notice the excess noise due to Eve’s IR attack and the external light. However, Eve can always cause Bob’s HD signal saturation by sending the external light strong enough. In this sense, Eve is able to “control” Bob’s HD signals and manipulate the HD statistic measurements. If Eve carefully selects the properties of the external light, her manipulation of Bob’s HD signals can further lead Alice and Bob to underestimate the excess noises from Eve’s actions which fully compromise the security. We will see that such attack strategy is simple to realize in experiments but powerful enough for Eve to steal keys without being discovered in the following sections.

Figure 3: A concept scheme of Eve’s HD blinding attack in CV-QKD. Alice: preparation of the coherent state with Gaussian modulation (); Eve: Heterodyne measurement , re-preparation and external light state ; Bob: HD measurement:; BS: beam-splitter, LO: local oscillator, PD, pin photodiode, AMP: amplifiers, ADC: analog-to-digital converter

iv.2 Eve’s attack strategy

By targeting on a typical implementation of CV-QKD Jouguet et al. (2013a), we now present Eve’s HD blinding attack strategy step by step along with a realistic implementation of Alice and Bob’s GMCS CV-QKD protocol (a concept scheme of the attack strategy is shown in Fig. 3):

  1. In GMCS CV-QKD, Alice prepares quantum signal in which amplitude and phase quadratures are continuously modulated with a bivariate centered Gaussian distribution (Due to the symmetric of and , we will only look at the quadrature in our analysis):

    (10)

    with a variance and the vacuum noise .

  2. Eve cuts down the quantum channel and performs a full IR attack Lodewyck et al. (2007b) : Eve intercepts Alice’s signals by performing heterodyne detection on and quadratures to obtain measurement result:

    (11)

    here, due to the BS in heterodyne detection, there is a factor for loss and a vacuum state added. According to her measurements (), Eve prepares and resends her noisy coherent states as signals to Bob through a lossy channel with transmission of :

    (12)

    in which, is the gain factor to compensate the loss due to heterodyne detection and is a noise term due to coherent state encoding of Eve. and all follow a centered normal distribution with unity variance.

  3. Along with her resending signals, Eve inserts external laser pulses into the signal port of Bob’s HD which is not coherent with CV-QKD signals. In practice, Eve needs to choose the properties of the external light: wavelength is slightly different from Alice’s signal; pulse width and repetition rate are same as Alice’s signals; intensity or photons per pulse depends on how much Eve wants to influence on Bob’s HD measurement which will be analyzed in the next section. In order to insert such pulses into Bob’s HD, Eve can set the polarization of them as the ones of the CV-QKD signals, if polarization multiplexing technique is used Jouguet et al. (2013b).

  4. Bob performs HD measurements on the incoming Eve’s signal pulses interfering with LO pulses and the external laser pulses interfering with vacuum. Since the external laser pulses are incoherent with CV-QKD signals, there are no interferences between the external light and LO pulses, we can independently analyze the impact of external laser and Eve’s IR signals on Bob’s HD output signals. Regarding to a HD with an ideal infinite detection range () and an efficiency of , Bob’s HD output signal can be given as:

    (13)

    in which is the noise term due to any technical noises from Eve, Alice and Bob’s devices; is another vacuum state due to loss in Bob’s HD; is the external light state that impacts on Bob’s HD output, which can be treated as the case there is only LO pulses go into HD (Eq. 5 in Sec. III.1):

    (14)

    here is the overall transmission of HD regarding to the external light pulses that goes into signal port, is number of photons per external light pulse, is the vacuum state that interferes with the external light. As Bob’s HD balance setting is only valid for LO pulses go into LO port, the overall imbalance factor of the external light pulses will contribute non-negligible offsets to final HD signals. The second term of Eq. 14 will contribute its own shot noise into CV-QKD excess noise. In a realistic case, Bob’s HD only operates linearly with a finite detection range [] as discussed in Sec. III, thus Bob’s HD output signal is given by Eq. 9 in which [Eq. 13] replaces the term of .

  5. Alice and Bob perform classical post processing on their correlated data (): sifting, parameter estimation, reverse reconciliation and privacy amplification in order to obtain keys. Due to Eve’s external light, Alice and Bob may believe their excess noise is still below the null threshold which will cause them to accept compromised keys.

  6. Eve listens to the classical communication between Alice and Bob, in order to perform the same post processing of Alice and Bob on her data to get identical keys.

V Security analysis and simulations

In this section, we will demonstrate in simulation of Eve’s attack strategy in Sec. IV.2 and show that how Eve can in practice break the security of Alice and Bob GMCS CV-QKD system with a realistic parameter setting.

v.1 Realistic assumptions of Alice, Bob and Eve

In the security analysis, it is necessary to assume Alice and Bob’s CV-QKD implementation setup; and Eve’s power in a realistic scenario such that Eve’s security breach can be valid. We first consider the assumptions of Alice and Bob’s CV-QKD implementation and their device parameters:

  • Alice optimizes her Gaussian modulation variance based on the distance Jouguet et al. (2011).

  • Bob balances his HD on the LO pulses that go into LO port such that and one LO pulse contains number of photons at Bob side. Thus the impact of LO leakage on HD is assumed to be negligible.

  • Alice and Bob implement real time shot noise calibration as in Ref. Jouguet et al. (2013b), their shot noise is assumed to be not tampered by Eve. Such assumption can be extended to the case that Alice and Bob use LLO scheme Qi et al. (2015)

  • Bob’s HD efficiency , electronic noise variance , linear detection limit . Such limits are considered large enough to ensure Bob’s HD operating in normal case. Alice and Bob calibrate and before CV-QKD protocol.

  • Alice and Bob perform reverse reconciliation with a reconciliation efficiency of .

We now consider Eve’s attack strategy assumptions:

  • Eve’s station is right after Alice station. The loss between Alice and Bob is identical to the one between Eve and Bob which is given by , is the distance between Alice and Bob, is the standard loss coefficient of single mode fiber in 1550 nm.

  • Eve inserts the external light beside Bob’s station such that Eve can control precisely its power () without it going through the lossy channel.

  • Eve inserts the external light into Bob’s HD signal port and its overall transmission on Bob’s HD is . Note Eve is assumed to know and can control its value by using shorter or longer wavelength as in the wavelength attack Ma et al. (2013); Huang et al. (2013, 2014).

v.2 Eve’s impact and excess noise contribution

Based on these assumptions, we can now analyze Eve’s impact and excess noise contribution over Alice and Bob CV-QKD protocol. From Alice and Bob’s point of views, all the statistical quantities need to be normalized into shot noise units which will be considered in the following analysis. From Eve’s strategy mentioned above, there are mainly three parts of excess noise due to Eve’s attack: noise due to IR attack , noise due to the external light and noise due to technical imperfections . Since LO pulses and external light pulses are in different modes, we can separately evaluate and .

As in the step (2) of Eve’s strategy, Eve’s IR attack adds one vacuum noise due to the 50/50 BS in the heterodyne detection () and another one due to coherent encoding () which gives Lodewyck et al. (2007b). We further consider total technical noise due to Alice, Bob and Eve devices imperfections as which is an experimental result in Ref. Lodewyck et al. (2007b).

Regarding to noise due to the external light in the step (3) and (4) of Eve’s strategy, as the analysis in Sec. III.1, there are mainly two parts: the external light’s own shot noise and laser intensity fluctuation noise due to insufficient subtraction of Bob’s HD. If we further express these values into shot noise units with , we can know their excess noise contribution:

(15)
(16)

in which is external laser’s intensity fluctuation ratio, we consider that Eve has an ultra stable laser source or a normal laser source . Thus the total noise due to Eve’s external light is given by:

(17)
(18)

in which is the ratio between photon number of one Eve’s external light pulse and one Bob’s LO pulse. Note is the noise due to external light at Bob side, the equivalent noise of on Alice side needs take the transmission into account. Thus the total excess noise due to the external light is given as:

(19)

We now summarize all these noises due to Eve’s attack in Fig. 4. As we can see, and due to external laser increases with . If Eve uses a stable laser source as her external light with , the dominant noise contribution is from its shot noise . However if Eve uses a common laser source with , the intensity fluctuation noise will take the lead and induce more disturbances on CV-QKD signals, which needs to consider in practice. In our later analysis, we will consider in Eve’s attack. We can also observe that Eve’s external light noise increases with Alice and Bob distance due to the factor of , as the external light is inserted at Bob’s side.

Figure 4: Excess noise contributions, for different blinding attack parameters, as a function of the photon number per pulse ratio . Solid curves stand for the excess noise due to blinding laser intensity fluctuation (see text). Dashed curve stands for excess noise added by blinding laser shot noise. The upper dashed dotted line stands for the excess noise due to the IR attack, the lower dashed dotted line stands for the technical excess noises, which are independent of the external blinding laser.

On the other hand, Eve’s external light also contributes a non-negligible offset on Bob’s HD output signal as discussed in Sec. III.1, which is under Eve’s control through and :

(20)

Note is normalized in . As is proportional to , it means if Eve wants more influence from external light on Bob’s HD, she needs to increase which may potentially limit the power of the attack. In order to achieve a security breach, Eve needs to properly set in order to cause large enough offset to force Bob’s HD works in the saturation region, which will help Eve to effectively bias the noises , and due to the attack.

v.3 Alice and Bob’s parameter estimation under Eve’s attack

In order to determine whether Eve can have a security breach under the HD blinding attack, we need to evaluate the parameter estimation of Alice and Bob: channel transmission and excess noise , to see whether Eve can bias the excess noise due to the attack small enough such that Alice and Bob believe they can still share a secret key. A security breach thus corresponds to the condition: , in which is the null key threshold corresponds to the maximum excess noise that allows Alice and Bob to extract a secret key under collective attack modelNavascués et al. (2006) for given values of and . According to the standard parameter estimation procedure of CV-QKD in Sec. II.1, we can estimate and based on Eqs. 3 and 2.

We first consider the case where Bob’s HD linear range is infinite (). In this case, we can predict the mean of Bob’s HD measurement and its variance:

(21)
(22)

in which, we can directly deduce the channel transmission estimation of Alice and Bob: and their excess noise estimation: . It is obvious that Alice and Bob can easily spot Eve’s attack action if Bob’s HD works in linear region, as at any distances.

Figure 5: Simulation of the impact of detector saturation on the quadratures distribution versus , for two sets of parameters. Red (dark gray): HD detection range , green (light gray): HD ideal linear case. The corresponding estimation of and are both given in the legend for and respectively. (a) , no security breach as ; (b) , security breach as . For both case, .

However, if Bob performs a realistic HD measurement with a finite linear range [], Eve can manipulate Bob’s HD signal statistics by controlling through which affect Bob’s HD output statistics and further bias Alice and Bob’s parameter estimation. We now demonstrate Eve’s action on and its impact on Alice and Bob’s data () in simulation. As shown in Fig. 5 (a) and (b) , we consider Eve uses and respectively in her strategy at distance , in which (green or light gray) correspond to Bob’s HD linger range is infinite () and () (red or dark gray) correspond to Bob’s HD is limited to []. If Alice and Bob perform parameter estimation based on (), there is only a displacement has been introduced on Bob’s data, they can still notice Eve’s attack base on and . However, Alice and Bob may not be able to detect Eve’s action based on (), as Eve can gradually increase in order to force parts of Bob’s HD signals saturated and bias the estimation and . Due to Bob’s HD saturation, variation is limited by Bob’s upper detection limit which results in smaller variance of Bob compared to the one of and a weaker covariance correlation between Alice and Bob, which leads . If Eve chooses properly the value of , she can eventually meet the condition . In Fig. 5(a) Eve’s choice of can not lead to a security breach as at . If Eve keeps increasing , as shown in Fig. 5(b) the choice of corresponds to a security breach condition as . In Fig. 5, statistical measurements are based on simulation data for linear HD (green or light gray) and saturation HD case (red or dark gray). It shows that Eve’s external light power needs to be high enough to affect sufficiently Bob’s data distribution in order to achieve a security breach, otherwise, Alice and Bob can still detect the noise due to Eve’s attack.

We further analyze Eve’s choice of to meet the condition . In the simulation of Eve’s attack, we use the HD model in Sec. III.1 and standard parameter estimation procedure of CV-QKD in Sec. II.1 to estimate and for Alice and Bob. Particularly, we calculate and by increasing the value of and thus the ratio . In Fig. 6, we show the impact of on over distance .

Figure 6: Alice and Bob’s transmission estimation versus distance under Eve’s HD blinding attack. The black dashed curve (top one) corresponds to that is estimated by in the linear case ; while the other lower curves correspond to in the realistic case that are estimated by with from top to bottom.

As shown in Fig. 6, Eve’s external light reduce Alice and Bob’s channel transmission as expected, however such reduction will not prevent Alice and Bob to proceed to key generation. As long as , there is still a security breach. To illustrate Eve’s impact on Alice and Bob’s estimation of , we continuously increase and deduce corresponding and for a given setting of and . The results of and versus are shown in Fig. 7 for different distances , in which excess noise in HD linear region increases with and with distance due to the factor of . According to the previous analysis, Eve’s noises consist constant noises: due to technical imperfections and due to IR attack; variable noises increasing with : the shot noise of the external laser and its intensity fluctuation noise. The total noise is much higher than the tolerable excess noise for Alice and Bob to generate a key () and thus it will reveal Eve’s presence.

However decrease sharply when , since corresponding offset overpass the HD detection limit , such that is effectively biased by Eve. As shown in previous analysis, due to HD saturation, Bob’s HD variance and his data’s covariance with Alice both become smaller. However the impact of HD saturation on its variance degradation is much larger than on the covariance, which results in a quick drop of . Although the curves in Fig. 7(a) sharply decreases around , each value of only corresponds to one value of . As shown in Fig. 7(b), a more precise control of will help Eve to manipulate to an arbitrary value between and . It means once Eve has enough precision on the power of the external laser, she can accurately manipulate Alice and Bob’s excess noise estimation to any small value she desires. For example, according to the simulations, a successful attack is possible with the choice of and which shows that Eve needs a precision of photons and a stability of photons level on one external laser pulse in order to accurately bias the excess noise estimation. Such precision is realistic and achievable with current technology.

For a given distance, Eve can in practice choose a proper value of to achieve such that Alice and Bob still believe they share a secure key according to their parameter estimation and proceed to key generation however the generated keys are not secure at all because of Eve’s IR attack. In principle, Eve can set to be arbitrary close to zero, which further enables her to control Alice and Bob key rate generation. Figure 7 is a reference for Eve to properly set the value of .

Figure 7: Excess noise estimation of Alice and Bob versus photon number ratio , , , , . (a) Rang of : 0-0.14, (b) Range of : 0.124-0.13. The upper five curves stand for the excess noise estimations at different distances, the lower two curves stand for the null key thresholds at 20 and 40 .

Vi Countermeasures

In DV-QKD, blinding attack is well known for breaking security on various protocols through controlling different types of SPDs such as avalanche photodiode (APD) Makarov (2009); Lydersen et al. (2010a) and superconducting nanowire SPD Lydersen et al. (2011a, b). This kind of detector controlled attack based on bright illumination now extends to CV-QKD using HD as shown in this paper. In both CV and DV case, Eve is required to send a relatively strong classical light to actively control Bob’s detector. Due to such similarity, countermeasures against blinding attack in DV-QKD are thus worth to consider to defeat HD blinding attack in CV-QKD. Here we briefly discuses several possible countermeasures against HD blinding attack in CV-QKD and compare them with the ones in DV-QKD.

In the first approach, a straight forward countermeasure is to monitor the light intensity that is going into signal port of HD. Bob can implement such countermeasure using a sensitive p-i-n photodiode, in order to detect any strong light impinging on the signal port. Such method can be also used for energy test that is required in some security proofs Leverrier (2017). It is however challenging to build a detection system that can give in practice the capability to detect light in any optical mode that Eve ay try to use. In DV-QKD, such watchdog detectors have been proposed Gerhardt et al. (2011) and implemented Dixon et al. (2017) to detect blinding attack. However, it has been shown that practical watchdog may not always be able to rise the alarm Sajeed et al. (2015b). Moreover, Eve may also use high power laser to damage the photodiode watchdog and bypass the security alarm of the QKD protocol Makarov et al. (2016).

Bob’s HD consists of two classical photodiodes (PDs). Hence, instead of measuring the difference between the two photocurrents, Bob may also monitor one, or the sum of the two photocurrents, from two PDs. This may be however challenging in practice, as it will disturb the HD output, and as it can be difficult to set a proper discrimination level to correctly detect, against blinding attack. In our proposed blinding attack strategy, Eve only need to increase the overall energy by about 12%. Hence LO intensity fluctuations, due to Alice’s laser source and channel environment may exceed the external light’s energy, which can lead to false alarms. In addition, it is currently been technically challenging to design a high gain, high bandwidth, high efficiency, low noise HD in practice for CV-QKD purposes. Adding extra electronics components can increase the electronic noises and reduce HD performance. A similar approach in DV-QKD has been also proposed, in which Bob monitors the photocurrent from APD Yuan et al. (2010). Unfortunately, such method was later proven not sufficiently to detect the blinding attack in many particular cases Lydersen et al. (2010b). Moreover, in addition to monitoring the photocurrent from APD, one may use the synchronization detector as an auxiliary monitor to detect the blinding light Wang et al. (2014).

A third countermeasure has been proposed in the Ref.Kunz-Jacques and Jouguet (2015): Alice and Bob test the linearity between the noise and signal measurement by using an active attenuation device on Bob’s side, i.e. an amplitude modulator. Such method explores the linearity of HD and can thus in principle prevent the HD blinding attack: the randomization of signal port’s attenuation prevents Eve to properly set the intensity of blinding pulses. However, a practical amplitude modulator is wavelength sensitive which can loose its amplitude extension when the wavelength is out of the spectral range. In addition, such linearity test increases the implementation complexity and detector losses. A similar approach, based on random detector efficiency has also been proposed in DV-QKD Lim et al. (2015), yet it has been shown that it is not always effective in a practical implementation Huang et al. (2016).

The three previous approaches require some modifications to the CV-QKD system hardware, leading to additional experimental complexity. We suggest, on the other hand, that data post-processing combined with calibrated homodyne detection, can be a simple and efficient way to counter the blinding attack. We propose the following generic method: Bob sets security thresholds [] inside the HD limits []. In the parameter estimation stage, Alice and Bob can thus estimate, for each block, the fraction of the HD measurement data that have been recorded outside of the interval []. If a too large fraction of HD measurements is recorded beyond the thresholds, then Alice and Bob know the HD was not working in its linear range for some non neglectable fraction of the quantum communication phase, and they discard the block. This approach relies on the per-calibration of HD detection limits (the values of and which is required to be performed with a good precision (compared to ) and in a safe environment. Setting the value of the confidence interval [] and the fraction of rejected data that can be tolerated will require further work taking finite-size effects into account and including a characterization of statistical fluctuations.

Finally, since HD blinding attack is a detector-based attack, MDI CV-QKD Li et al. (2014); Ma et al. (2014b); Pirandola et al. (2015a) can be a potential solution to defeat such attack. Although a proof-of-principle demonstration of MDI CV-QKD has been already performed in experiment Pirandola et al. (2015a), there is still a large gap between practical implementation and theoretical proposal. There are even debates on whether MDI CV-QKD can become practical regarding to its theoretical performance limitations and current available technologies Xu et al. (2015); Pirandola et al. (2015b). Recent works in finite size Papanastasiou et al. (2017) and composable Lupo et al. (2018) security proofs of MDI CV-QKD have shown some practical feasibilities of such protocol from theoretical perspectives. This paper may be an additional motivation for future development of practical MDI in CV-QKD, similarly to the role played by the blinding attack in DV-QKD, to trigger the birth of MDI QKD Braunstein and Pirandola (2012); Lo et al. (2012) and its deployment Yin et al. (2016).

These countermeasures show that current CV QKD implementations need some upgrades in hardware or software to defeat the proposed attack. It is even more important to verify the functionality of these countermeasures in practice, as they may fail to defeat the attacks if they are not correctly implemented as in the cases of DV-QKD Huang et al. (2016); Lydersen et al. (2010b).

Vii Conclusion

In this paper, we detail an attack strategy exploiting the homodyne detection vulnerability Qin et al. (2016, 2013) that is moreover implementable with low experimental complexity. Inspired by and analogous to the blinding attack in DV-QKD, our attack allows Eve to influence Bob’s homodyne detection response, by sending external light. We demonstrate that this attack can constitutes a powerful strategy, that can fully break the security of practical CV-QKD systems. Based on experimental observations, we propose an effective model to account for homodyne detection imperfections and use it to model Eve’s attack. Simulation results illustrate the feasibility of our proposed attack under realistic experimental conditions. Compared to other side channel attacks in CV-QKD requiring complex experimental techniques Qin et al. (2013); Huang et al. (2014, 2013), we believe our strategy should be simple enough to allow effective eavesdropping demonstration on deployed CV-QKD. This attack hence highlights the importance of exploring the assumptions in security proofs when implementing CV-QKD protocols and the necessity to implement suitable countermeasure to ensure the practical security of CV-QKD systems.

Acknowledgements.
This work was funded by NSERC of Canada (programs Discovery and CryptoWorks21), CFI, MRIS of Ontario, French National Research Agency (ANR Emergence project Quantum-WDM), European Commission (Marie Skłodowska-Curie ITN project QCALL), and Quantum Communications Hub through EPSRC UK National Quantum Technology Programme.

References

Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
""
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
   
Add comment
Cancel
Loading ...
240292
This is a comment super asjknd jkasnjk adsnkj
Upvote
Downvote
""
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters
Submit
Cancel

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test
Test description