Quantum Hacking on Continuous-Variable Quantum Key Distribution System using a Wavelength Attack

Quantum Hacking on Continuous-Variable Quantum Key Distribution System using a Wavelength Attack

Jing-Zheng Huang Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, 230026, China    Christian Weedbrook Center for Quantum Information and Quantum Control, Department of Electrical and Computer Engineering and Department of Physics, University of Toronto, Toronto, M5S 3G4, Canada    Zhen-Qiang Yin111yinzheqi@mail.ustc.edu.cn Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, 230026, China    Shuang Wang222wshuang@ustc.edu.cn Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, 230026, China    Hong-Wei Li Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, 230026, China    Wei Chen Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, 230026, China    Guang-Can Guo Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, 230026, China    Zheng-Fu Han Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, 230026, China
July 15, 2019

The security proofs of continuous-variable quantum key distribution are based on the assumptions that the eavesdropper can neither act on the local oscillator nor control Bob’s beam splitter. These assumptions may be invalid in practice due to potential imperfections in the implementations of such protocols. In this paper, we consider the problem of transmitting the local oscillator in a public channel and propose a wavelength attack which can allow the eavesdropper to control the intensity transmission of Bob’s beam splitter by switching the wavelength of the input light. Specifically we target continuous-variable quantum key distribution systems that use the heterodyne detection protocol using either direct or reverse reconciliation. Our attack is proved to be feasible and renders all of the final key shared between the legitimate parties insecure, even if they have monitored the intensity of the local oscillator. To prevent our attack on commercial systems, a simple wavelength filter should be randomly added before performing the monitoring detection.

I Introduction

Quantum key distribution (QKD) enables two distant partners, Alice and Bob, to share common secret keys in the presence of an eavesdropper, Eve Sca09 (); qkd (). In theory, the unconditional security of QKD protocol is guaranteed based on the laws of physics, in particular the no-cloning theorem. But in practice, the key components of practical QKD systems have imperfections that do not fulfill the assumptions of ideal devices in theoretical security proofs. In discrete-variable QKD, the imperfect devices such as single photon detectors, phase modulators, Faraday mirrors and fiber beam splitters, open security loopholes to Eve and lead to various types of attacks Qi2007 (); Zhao2008 (); Lydersen2010 (); Gerhardt2011 (); Wiechers2011 (); Lars (); Xu (); Weier (); Jain (); WaveAtt ().

Continuous-variable (CV) QKD Weedbrook2011 () has developed immensely over the past decade Jouguet2012 () to the point that there are companies selling commercially available systems quintessencelabs (); securenet (). Even so, CV-QKD is potentially vulnerable to such idealization-to-practical problems that plague its discrete variable counterpart. In the CV-QKD protocols, Alice encodes the key information onto the quadratures, and , on a bunch of coherent states and sends them onto Bob. Bob measures one or both quadratures by performing homodyne cv () or heterodyne detection cv-het () on the signal with a relatively strong local oscillator (LO). Finally, they perform direct or reverse reconciliation and privacy amplification process to distill a common secret key Weedbrook2011 (); Sca09 (). In practice, it is extremely difficult for Bob to generate the LO with the same initial polarization and phase to Alice’s signal. Therefore, Alice prepares both the signal and LO, and send them to Bob in the same optical fiber channel at the same time to avoid the large drifts of the relative polarization and phase cv-exp (). However, this implementation leaves a security loophole open for Eve.

In Ref. testlo (), the authors proposed an equal-amplitude attack. To perform this attack, Eve first intercepts the signal and LO, and measures both of the quadratures by performing heterodyne detection on them. According to her measurement results, she reproduces two weak squeezed states which have the same intensity level to the signal, and sends them onto Bob. Bob treats these two fake states as signal and LO, and performs detections on them as usual. But now the detection is neither homodyne nor heterodyne detection, therefore Eve is able to make the extra noise of Bob’s measurement much lower than the shot noise level. As a result, the total deviation between Bob’s measurement and Alice’s preparation is lower than the tolerable threshold derived from the theoretical security proofs cv-sec (); het-sec (). Hence Alice and Bob can not discover the presence of Eve.

In order to prevent this attack without modifying the original measurement setup, Bob needs to monitor the total intensity or the LO intensity testlo (). We note that in this attack, Eve is assumed to be unable to control the beam splitters of Bob. But in one of our recent studies WaveAtt (), we found that it is possible for Eve to control the outputs of fiber beam splitters by utilizing its wavelength dependent property bs-0 (); bs-1 (); bs-2 (). Importantly, such wavelength dependent properties can be found in commercial CV-QKD systems quintessencelabs (); securenet (). Making use of this loophole, we propose a new wavelength attack on a practical CV-QKD system using heterodyne detection protocol cv-het (). By using this attack Eve can in principle achieve all of the secret key without being discovered, even if Bob has monitored the total intensity or the LO intensity. Such an attack has practical and commercial consequences.

In the security analysis of CV-QKD protocols with direct (reverse) reconciliation, (), Alice (Bob)’s conditional variance of Bob (Alice), has the similar status as the quantum bit error rate (QBER) in the discrete-variable QKD protocols. To show that the hidden Eve would not be discovered in our attack, our method is proving that the upper bound of  () under our wavelength attack is always lower than the maximum value allowed by the secret key rate formula cv-het (); het-sec ().

This paper is organized as follows. In Section II, we first review the heterodyne protocol and the wavelength-dependent property of certain fiber beam splitters, then we propose a wavelength attack scheme on an all-fiber CV-QKD system using heterodyne protocol in Section III. We prove the feasibility of this wavelength attack in Section IV, and finally conclude in Section V.

Ii Preliminary

ii.1 Heterodyne detection protocol

In the heterodyne protocol cv-het (), Alice first prepares a displaced vacuum state that will be sent to Bob. This is realized by choosing two real numbers and from a Gaussian distribution of variance and zero mean. The whole ensemble of coherent states Alice will send to Bob is given by the thermal state with variance . Bob receives this coherent state and simultaneously measures both the amplitude and phase quadratures of the state using heterodyne detection. After repeating this process many times, they finally extract a binary secret key by using either direct reconciliation Grosshans2002 () or reverse reconciliation algorithm cv-het (). A typical CV-QKD system using heterodyne protocol can be realized by the schematic shown in Fig. 1. In this scheme, time and polarization multiplexing are used so that the signal and LO can be transmitted in the same channel without interfering. To avoid the equal-amplitude attack testlo (), Bob uses a 10:90 beam splitter(not depicted in the figure) before the polarization beam splitter to monitor the LO intensityJouguet2012 ().

Figure 1: The schematic diagram of heterodyne detection protocol. BSa: beam splitter; BSb: 50/50 beam splitter; PM: phase modulator; AM: amplitude modulator; PBS: polarization beam splitter; PC: polarization controller. Alice generates coherent light pulses by a  nm laser diode, then separates them into a weak signal and a strong LO by a beam splitter. The signal is then modulated randomly following the centered Gaussian distribution in both quadratures, by using phase and amplitude modulators. The signal and LO are separated in time and modulated into orthogonal polarizations by the PBS before begin inserted into the channel.

To perform the heterodyne detection, Bob uses the photo-detector to convert the photons into a photocurrent . Here and the photon number are related by , where and are the annihilation and creation operators of the light state, and q is a suitable constant cv-rev (). The extra quantum noise is unavoidable in Bob’s measurement results when he uses heterodyne detection due to the unused port of the beam splitter. To show this, let us first describe the signal and LO by operators and , respectively. These operators can be broken up into two contributions book (): the mean values of the amplitude as well as the quantum noise fluctuations . The operators can be written as


where and are complex numbers and we assume that the amplitude of the LO is much larger than the signal, i.e., , and and are the fluctuations of the signal and LO, respectively.

The photocurrents read by the four photo-detectors can be written as follows


Here we have absorbed the vacuum noise terms into the terms . For simplicity, let us assume that is a real number. To derive the quadratures and , the difference of the two photocurrents should be measured


where and are the exact quadratures that Bob wants to measure, and are the quantum noises entering into Bob’s measurement. Several terms have been neglected above according to the fact that . and satisfy the canonical commutation relation , therefore the Heisenberg uncertainty relation is derivable cv-rev ().

Under the condition that Eve cannot act on the LO (a common assumption in the security proofs Sca09 ()), it is only when the excess noise reaches two times the shot-noise level that Eve can perform an intercept-resend attack on the channel cv-sec0 (). It is due to the fact that Eve will introduce vacuum noise by using heterodyne detection and consequently, suffer the quantum fluctuations when she reproduces the signal state in a simple intercept-resend attack.

ii.2 Wavelength-dependent fiber beam splitter

In Ref. WaveAtt (), we studied the wavelength-dependent property of the fiber beam splitter which is made by the fused biconical taper technology bs-0 (). The fused biconical taper beam splitter is made by closing two or more bare optical fibers, fusing them in a high temperature environment and drawing their two ends at the same time. Subsequently, a specific biconic tapered waveguide structure can be formed in the heating area. The fused biconical taper beam splitter is widely use in the fiber QKD systems because of the feature of low insertion loss, good directivity and low cost. However, intensity transmission of the fused biconical taper beam splitter is wavelength-dependent, and most types of fused biconical taper beam splitters work only in a limited range of wavelengths (limited bandwidths), where the intensity transmission of the beam splitter can be defined as , where () is output light intensity from beam splitter’s output port 1 (2). Typical coupling ratio at the center wavelength provides optimal performance, but the intensity transmission varies periodically with wavelength changes. The relationship between wavelength and the intensity transmission by using the coupling model is given in Ref. bs-1 (); bs-2 ():


where is the fraction of power coupled, is the coupling coefficient, and is the heat source width.

Iii Wavelength Attack on a CV-QKD system using heterodyne protocol

Figure 2: (Color on line)The schematic diagram of the wavelength attack scheme. WT-LD: the wavelength tunable laser diode; IM: the intensity modulator; BS: 50/50 beam splitter. The WT-LD and IM are used in producing fake coherent states with the specific wavelength and amplitude set by the controller. The red (dotted) beam splitters are the ones controlled by Eve. The red beam splitter on the left has transmission , while the red beam splitter down the bottom has transmission . For simplicity, the 10:90 beam splitter and the generation of are not shown.

The basic idea of the wavelength attack is shown in Fig. 2. Eve intercepts the coherent states sent by Alice. She makes heterodyne measurement of the signal using the LO to achieve the quadrature values and . After that, Eve generates and re-sends three coherent states: a fake signal state , a fake LO state and together with a ancillary state . Different from the previous intercept-resend attack, these fake states have different wavelengthes, denoted as (for ), (for ) and (for ). According to Eq. (4), the performance of Bob’s beam splitter is dependent on the wavelength of the incoming light. Therefore the fake signal with wavelength , the transmission of Bob’s beam splitter is determined by the function which is defined in Eq. (4). Similarly, the intensity transmission of Bob’s beam splitter to the fake LO state is determined by . In other words, Eve can control Bob’s beam splitter by tuning the wavelength of her fake states.

With the help of the wavelength tunable laser diodes and intensity modulators, the wavelength and amplitude of these fake states are carefully chosen to satisfy the following conditions


where . Here is the channel transmission efficiency, and are the amplitudes of the original signal and the LO, respectively, , and are the amplitudes of the fake signal and the fake LO, are the intensity transmissions of Bob’s 10:90 beam splitter (for monitoring the LO light intensity).

Condition (i) makes sure the method of monitoring the LO intensity is invalid to Eve. Here we assume that Bob uses a 10:90 beam splitter to split the total light before being inserted into the PBS note (). Because the 10:90 beam splitter is also wavelength-dependent, its intensity transmission can be determined by a function similar to Eq. (4), which is denoted by . Here is used for compensating the intensity when and are both small. Eve selects an appropriate wavelength such that , therefore the intensity of is much lower than the shot noise level and negligible.

As Bob measures the quadratures and by performing heterodyne detection on the fake signal and the fake LO, conditions (ii) and (iii) make Bob’s measurement results coincide with the ones attained by Eve. To see explicitly where these relations come from, see Eqs. (28) and (29) in the Appendix. Notice that the fake signal and the fake LO have different wavelengths, and hence, no interference occurs in this detection. The effect of this on the measurement detection is that we no longer have heterodyne detection outputs but rather outputs that are proportional to Eve’s measurements. Therefore, the photocurrents recorded by the photo-detectors consist of parts from the signal and the LO. Eve should also make and much smaller than in order to suppress the shot noise. We are going to prove in Section IV that the extra noise introduced by Bob’s measurement is much lower than the shot-noise level, therefore the total noise can be kept under the alarm threshold. In other words, Eve can safely achieve the key information without being discovered by Alice or Bob.

Finally, we note that as there are limitations on the intensities, conditions (ii) and (iii) may not always be satisfied. However, as the analysis in Appendix. A, we find that the probability of failing condition (ii) or (iii) is extremely close to zero.

Iv Feasibility Analysis

To analyze the feasible of the wavelength attack, we first note that the following assumptions should be satisfied:

(1) This attack is restricted to an all-fiber coherent-state CV-QKD using heterodyne protocol.

(2) All of Bob’s beam splitters have the same wavelength dependent property, i.e., their intensity transmissions are all determined by Eq.(4) with the same parameters. This function and the detection efficiencies of Bob’s detectors are both known by Eve. Here we assume that the detection efficiencies are wavelength independent for simplicity. In practice, Eve can simply absorb the differences into the light amplitudes modulated by her and the final results are unchanged.

(3) Eve has the ability to replace the quantum channel with a noiseless fiber, and her detectors have high efficiency and negligible excess noise.

Before analyzing the feasibility of the wavelength attack, let us first rapidly review the security analysis of the Gaussian protocols based on coherent states and heterodyne detections under individual attacks. In what follows, we restrict ourselves to Gaussian attacks which are proven optimal GarciaPatron2007 ().

In the case of Gaussian attacks, the channel connecting Alice and Bob can be fully characterized by its transmission , and its excess noise above the shot noise level, such that the total noise measured by Bob is (in shot noise units) cv-exp (). Alternatively, one may use the total added noise defined as for convenience. The secret key rates for Heisenberg-limited individual attack in direct reconciliation and reverse reconciliation are given, respectively, by GarciaPatron2007 ()


where is the variance of Alice’s modulated state as it was mentioned in Sec.II.A. Note that we use the ‘Heisenberg-limited attack’ rather than the optimal attack het-sec (); GarciaPatron2007 () as such an attack upper bounds Eve’s information thereby emphasizing our wavelength attack which can even beat such a stringent attack. From the above formulas, we can see that when V and are settled in practice, the secret key rate is fully determined by , which can be precisely estimated from the experimental data cv-exp ().

Another important parameter in the security proof is Alice’s (Bob’s) conditional variance of Bob’s (Alice’s) measurement () in direct reconciliation (reverse reconciliation),which can be thought of as the uncertainty in Alice’s (Bob’s) estimates of Bob’s (Alice’s) quadrature measurement result. In the CV-QKD, Alice and Bob use () to estimate the shot noise and modulation imperfections cv-exp (). is defined(where both quadratures are symmetrized) as


and similarly, we have defined as


We note that () performs a role in CV-QKD protocols similar as the quantum bit error rate in discrete variable QKD protocols, which provide Alice and Bob an intuitive tool to detect the presence of Eve. To clarify this idea, let us first state the relation between () and . As the Gaussian character of the channel maintains no matter Eve performs the Gaussian attacks or not, the conditional variance between Alice and Bob, which we will denote as and , can be calculated as follows GarciaPatron2007 ()


Note that there may be a little different from the expressions in GarciaPatron2007 () due to the differences on the definitions of V.

On the other hand, to make the secret key rate positive, we require that ( according to Eq. (6) and (7) )


with for direct reconciliation or


with for reverse reconciliation, should be satisfied.

Combining Eq. (10) with Eq. (12), we can find that for the sake of deriving a positive secret key rate, the upper bound of yields


In other words, if is smaller than this threshold, the heterodyne protocol in direct reconciliation is considered to be secure. Similarly, the upper bound of is derived to be


And the heterodyne protocol in reverse reconciliation is considered to be secure if is smaller than this threshold.

For these reasons, we can prove our attack feasible by showing that Eve can make (in the direct reconciliation protocol) and (in the reverse reconciliation protocol) when she is performing the wavelength attack.

iv.1 Eve’s Wavelength Attack

When Eve performs the wavelength attack, with channel noise, from a real value chosen by Alice to the measurement result achieved by Bob is listed as follows (we write down the quadrature only since the other quadrature can be presented in the similar way)


where represents the vacuum noise in Eve’s heterodyne detection whose variance is normalized to , and is the vacuum noise introduced by the heterodyne detection. The variance of each of the terms is given by: and . Here can then be considered as Eve’s conditional variance of Bob’s measurement result. In Appendix B, we derive the value of and show that it is smaller than 0.13. We are now ready to derive the conditional variances under Eve’s attack, which are denoted as and .

iv.1.1 in direct reconciliation

According to the definition of in Eq. (8), the value of can be computed as follows


Combining with Eq. (32,33) and the discussions above, we can estimate that the value of is not larger than 1.9. As shown in Fig. 3 (where we set and  het-sec ()), is always lower than , so that Alice and Bob can never discover the eavesdropper under this attack. Besides, one should notice that is always lower than the normal level when the channel loss is larger than  dB, therefore Eve should increase the deviations on purpose to make close to in order to avoid suspicion.

Figure 3: (Color on line)In direct reconciliation, the relation between the channel loss and the conditional variance in three cases: (a) the maximum tolerable value . (b) the value of and (c) the value of . See main text for details. The curves are plotted for experimentally realistic values, and . We can see that is always lower than and lower than when the channel loss is larger than  dB at which point the key between Alice and Bob is no longer secure.

iv.1.2 in reverse reconciliation

In reverse reconciliation, using Eq. (9) with Eq. (16), the value of can be computed as


Combining with Eq. (32,33) and the discussions above, we can estimate that the value of is never larger than . As shown in Fig. 4 (where again we have set and ), it is always lower than the value of so that Alice and Bob can never discover the eavesdropper under such an attack. Besides, one should notice that is lower than the when the channel loss is larger than  dB. Hence, Eve should increase the deviations to make close to in order to avoid suspicions.

Figure 4: (Color on line)In reverse reconciliation, the relation between the channel loss and the conditional variance in three cases: (a) the maximum tolerable value . (b) the value of and (c) the value of . See main text for details. The curves are plotted for experimentally realistic values, and . We can see that is always lower than and lower than when the channel loss is greater than  dB, again leading to an insecure key.

V Discussions and Conclusion

There are two points about the wavelength attack that should be remarked:

  1. As shown in Fig. 3 and Fig. 4, and are lower than and respectively when . It is impossible when the protocol works normally, therefore Eve should add extra noise on her measurement result to increase and . So that perfect heterodyne detection is not necessary for Eve. In other words, assumption (3) listed in Section IV can be compromised.

  2. In theory, the wavelength attack cannot be avoided by adding wavelength filter before the monitoring detector, because Eve can simply increase the input light intensity WaveAtt (). To make this method work, Bob should randomly choose to add or not to add a wavelength filter before the monitoring detector and observe the differences.

Finally, we note that a commercial CV-QKD system, as sold by securenet (), currently uses a wavelength-dependent beam splitter. Although, it does not fall into the regime studied in this paper because it uses homodyne detection rather than heterodyne detection. However, our results show that if one were going to use heterodyne detection with a commercial QKD unit, then the precautions mentioned here would need to be taken. Furthermore, possible quantum hacking opportunities with homodyne detection and wavelength-dependent beam splitters warrant further investigation.

In conclusion, we have proposed a new type of realistic quantum hacking attack, namely the wavelength attack, on continuous-variable QKD systems using heterodyne detection. If Alice and Bob don’t take the necessary precautions for such an attack, the final secret key is in principle, totally insecure as Eve can obtain all the information about the final key. This is different from the equal-amplitude attack proposed in Ref. testlo () as in the wavelength attack, Eve has the ability to control Bob’s beam splitter and therefore the suggestion of testing the total intensity in Ref. testlo () would not prevent such an attack from occurring. To close such a loophole in practical CV-QKD systems, it is simply enough for Bob to randomly add a wavelength filter before his detection.

Added note: To suppress the shot noise, Eve can also apply squeezed state instead of coherent state to generate the fake pulses. In this case, the constraint about maximum fake pulse intensity can be loosed. We would like to thank Dr. Bing Qi for providing this idea to us.

v.1 Acknowledgement

This work was supported by the National Basic Research Program of China (Grants No. 2011CBA00200 and No. 2011CB921200), National Natural Science Foundation of China (Grants No. 60921091 and No. 61101137). C. W. acknowledges support from the Ontario postdoctoral fellowship program, CQIQC postdoctoral fellowship program, CIFAR, Canada Research Chair program, NSERC, and QuantumWorks.

Appendix A Achievable and

We estimate the achievable range of and in this appendix. Before the analysis, let us first rewrite Eq. (4) as follow


where and , here we set F=1 for simplicity. For the BS, where 1550nm, hence . For other wavelengths, and we can get .

For the BS, we similarly rewrite its transmission as and easily derive that . Therefore,


Moreover, as it is mentioned in Sec. IV.1, for suppressing the shot noise we should make and much smaller than . In a practical CV QKD system, the LO pulse arrived at Bob’s side typically includes more than photonsJouguet2012 (). For this reason, we constrain the maximum value of both and to be . On the other hand, to guarantee condition (i), Eve should also make and not larger than . We then get the following maximum value constrains on the fake state intensities:


From condition (ii) and (iii), we can get


Combining Eq. (20), (21) and (3), now we have enough information to derive the achievable value range of and by analytical calculations or numerical simulations. Either of these methods shows that satisfying are always achievable. To see how high the probability of (or ) is, we can apply the error integral function erfc and get or erfc, where V is the variance of and chosen by Gaussian distributionbook2 (). For an experimentally realistic value V=11, we get erfc, which concludes our claim in Sec. III. When or is out of reach, Eve can simply turn to perform the original intercept-resend strategy. The extra noise it involves is 1 (shot noise unit) times this extremely low probability, which is negligible.

Appendix B Derivation of

To derive , let us start from the generation of Eve’s fake states. As we have described in Section III, Eve generates the fake signal state and the fake LO state according to her measurement results and sends them to Bob. These fake states can be described by the following operators


Where complex numbers and are the amplitudes and and represent the fluctuations of the amplitudes as discussed in Section II.1. Similarly, , where and , k = s, LO. After the (original) beam splitter, they are turned to be


where , are the vacuum noises that interfere with the fake signal and the fake LO, respectively, at the beam splitter. , and similar to LO.

Bob performs heterodyne detection on these fake states. According to Eq. (4), Bob’s beam splitter has different intensity transmissions for and because of their different wavelengths, denoted as and . After passing the first set of beam splitters, is separated into and , while is separated into and (cf. Fig. 2), which can be expressed as follows


To simplify the symbols, let us define , , and . Furthermore, we define the quadratures of by and where . Finally, after combining at the second set of beam splitters, the electromagnetic fields arrive at the four detectors can be written as


where the photocurrents are given by . Bob’s quadrature measurement results are then derived from the difference in photocurrents, using the method in Section II.1. Firstly, for detectors and , we have