
2.6 Eavesdropping in QKD

2.6.1 Eavesdropping attacks

2.6.1.1 Photon number splitting (PNS) attacks

Using a strongly attenuated coherent source in a quantum cryptography system allows Eve to perform a type of attack called the beam splitting attack. This attack exploits the multiphoton probability of a weak coherent pulse together with the loss in the transmission line. In quantum cryptography experiments the mean photon number per pulse is usually 0.1, which means that about 1 in 10 pulses contains only one photon and about 1 in 200 pulses contains two or more photons. The eavesdropper can use this to tap off a fraction of the signal by means of a beamsplitter so that in some cases Bob and Eve each receive a photon. If a polarisation encoding scheme is used, both Bob and Eve can receive a photon with the polarisation state undisturbed. If Eve can store her photon until Bob publicly announces the representation that he chose, she can then perform a measurement in the same basis announced by Bob and obtain some of the key. The transmission of the key becomes completely insecure with a high channel loss, as Eve can replace the channel with a lower loss one [37]. For four-state protocols like BB84, Eve can obtain full information from three-photon pulses using unambiguous discrimination techniques [38]. She can measure the total number of photons in each signal state by performing a quantum non-demolition measurement, which does not introduce any error on the signal [39].
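The photon statistics quoted above, and the channel loss at which multi-photon pulses alone can account for every detection Bob expects, can be checked numerically. The following Python sketch is an added example, not part of the original text; it assumes ideal detectors with no dark counts and the standard model in which Eve blocks single-photon pulses and forwards the rest over a lossless channel, and all function names are hypothetical.

```python
import math

def photon_stats(mu):
    """Poisson photon-number probabilities for a weak coherent pulse of mean mu."""
    p_empty = math.exp(-mu)
    p_single = mu * p_empty
    return {"empty": p_empty, "single": p_single,
            "multi": 1.0 - p_empty - p_single}

def bob_click_prob(mu, loss_db):
    """Per-pulse detection probability Bob expects on the honest lossy channel.

    Assumption: ideal detector, no dark counts, so loss is the only attenuation.
    """
    transmittance = 10 ** (-loss_db / 10)
    return 1.0 - math.exp(-mu * transmittance)

def pns_total_break(mu, loss_db):
    """True when multi-photon pulses alone can reproduce Bob's expected click rate.

    In that regime Eve can block every single-photon pulse, keep one photon
    from each multi-photon pulse and still deliver the rate Bob expects,
    so no secure key remains.
    """
    return bob_click_prob(mu, loss_db) <= photon_stats(mu)["multi"]

def critical_loss_db(mu):
    """Channel loss (dB) at which bob_click_prob equals the multi-photon probability."""
    p_multi = photon_stats(mu)["multi"]
    transmittance = -math.log(1.0 - p_multi) / mu
    return -10 * math.log10(transmittance)

if __name__ == "__main__":
    mu = 0.1  # mean photon number per pulse used in the text
    s = photon_stats(mu)
    print(f"single-photon pulses: 1 in {1 / s['single']:.1f}")
    print(f"multi-photon pulses:  1 in {1 / s['multi']:.0f}")
    print(f"loss budget before total break: {critical_loss_db(mu):.2f} dB")
    for loss in (5, 10, 15, 20):
        print(loss, "dB ->", "insecure" if pns_total_break(mu, loss) else "ok")
```

For a link designer the result is a loss budget: at a mean photon number of 0.1 the simple model gives no security beyond roughly 13 dB of channel loss, and lowering the mean photon number raises that limit at the cost of key rate.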

2.6.1.2 Intercept resend attack

The intercept-resend attack is an attack in which Eve measures the photons emitted from Alice and then retransmits the measured photons via a lossless quantum channel.

Eve measures each qubit in one of the two basis sets of the BB84 protocol, in the same manner as Bob would. She then sends another qubit in a state which corresponds to her measurement result. 50% of the time she measures in the correct basis set and then transmits the qubit to Bob. On these occasions the eavesdropper is not detected by Alice or Bob. However, 50% of the time she measures the qubit in the wrong basis set and transmits this to Bob. In this case, after Alice and Bob eliminate the cases where they used incompatible basis sets, they obtain a 25% error in their sifted key, which alerts them to the presence of an eavesdropper [17].
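The 25% figure, and the way Alice and Bob detect it, can be reproduced with a small Monte Carlo model. This Python sketch is an added example, not part of the original text; it assumes ideal single-photon BB84 with no loss or noise, and the function names and the 0.11 alarm level are assumptions chosen for illustration.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: matching basis returns the bit, otherwise a coin flip."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)

def sifted_key(n_pulses, eve_present, seed=1):
    """Return (alice_bit, bob_bit) pairs kept after Alice and Bob compare bases."""
    rng = random.Random(seed)
    kept = []
    for _ in range(n_pulses):
        a_bit, a_basis = rng.randint(0, 1), rng.randint(0, 1)
        bit, basis = a_bit, a_basis
        if eve_present:
            # Intercept-resend: Eve measures in a random basis and resends
            # a fresh qubit prepared in her basis with her result.
            e_basis = rng.randint(0, 1)
            bit = measure(bit, basis, e_basis, rng)
            basis = e_basis
        b_basis = rng.randint(0, 1)
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:  # sifting: keep only compatible bases
            kept.append((a_bit, b_bit))
    return kept

def estimate_qber(pairs, sample_size, seed=2):
    """Error rate on a random, publicly compared subset of the sifted key."""
    sample = random.Random(seed).sample(pairs, sample_size)
    return sum(a != b for a, b in sample) / sample_size

def eavesdropper_suspected(qber, alarm_level=0.11):
    """Abort decision; alarm_level is an assumed threshold, not from the text."""
    return qber > alarm_level

if __name__ == "__main__":
    for eve in (False, True):
        pairs = sifted_key(20000, eve)
        qber = estimate_qber(pairs, 2000)
        print(f"eve={eve} sifted={len(pairs)} qber={qber:.3f} "
              f"abort={eavesdropper_suspected(qber)}")
```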

2.6.1.3 QKD security attacks based on imperfect detectors

Very recently, attacks on QKD systems have concentrated on exploiting design imperfections in single-photon avalanche photodiodes (APD) [40]. The operation of these devices is discussed more thoroughly in section 2.11. These attacks are not based on any flaw in the cryptographic protocol but only on the engineering implementation, as QKD has already been proved to have unconditional security. APDs are operated in Geiger mode; in the case of the Si-APD (Perkin Elmer) they are biased by a high voltage source through a 360 kΩ bias resistor about 10 volts above the breakdown voltage (Figure 2.17). Two stray capacitances in the device help in the operation. When there is no current flowing in the APD the capacitors are charged to the bias voltage. During an avalanche process the capacitors quickly discharge through the APD, which produces a short current pulse. When the voltage at the APD drops below the bias voltage the avalanche is quenched and the capacitors are slowly recharged through the bias resistor. While the capacitors are charging the detectors are insensitive to single photons. A photon which arrives before the capacitors are fully charged can reset the voltage without causing the detector to click. In this way the detector can be blinded indefinitely. In this attack scheme Eve makes use of the intercept-resend attack, which allows her full knowledge of Bob’s systems. She intercepts the state which Alice transmits, but she has a 50% chance of measuring in the correct basis set. She sends the state not at the single-photon level but instead as bright trigger pulses, which enables her to force Bob’s detector to click only when he measures in the same basis set as Eve and with the correct bit value. Lydersen’s group demonstrated this attack on the commercially available id3110 Clavis2 and QPN 5505 QKD systems from IDQuantique [41]. Using bright light illumination they managed to blind gated InGaAs/InP avalanche photodiodes (APD), which converts them to classical linear detectors. In this way the detectors are fully controllable by classical laser pulses superimposed over the bright continuous-wave illumination. Subsequent work by Yuan et al. [42] sought to eliminate this security loophole in QKD. Their work focused on the bias resistor in the APD. A photon is detected if the voltage drop across the sensing resistor Rs exceeds the discriminator voltage level, which ideally is set as low as possible. Yuan et al. showed that the range of continuous-wave input powers over which the detector is blind to single photons narrows as the bias resistor Rs is decreased.

For most gated Geiger mode APDs this resistor is redundant and can be removed, therefore eliminating the blinding attack.

Figure 2.17. Equivalent circuit diagram for APD. The two stray capacitors are shown to the left [42].

2.6.1.4 Time shifted attacks

Another form of attack which an eavesdropper can use to gain information on the shared key is the time-shifted attack [43]. This attack has been shown to have a non-zero probability (4%) of breaking the security of the QKD system. It relies on the fact that most, if not all, QKD systems have at least two detectors, each with a slightly different detection efficiency. This detection efficiency can vary as a function of time, frequency, polarization or spatial information. Eve has the ability to manipulate one of these variables to slightly change the detection efficiency at her choosing. In QKD it is assumed that Bob’s detectors will register an equal number of binary “1” and “0” values, but this is not necessarily the case under such an attack. In the case of a two detector system, detector 1 and detector 2, Eve can time delay the signal so that the photons arrive at Bob when detector 1 has a higher detection efficiency than detector 2, thereby manipulating the number of binary ones and zeros that Bob receives. The time-shift attack can also be generalised to spatial, spectral, and polarisation-shift attacks, which also make use of the detection efficiency mismatch.

2.6.1.5 Trojan horse attacks

Instead of Eve attempting to gain information about the quantum states sent between Alice and Bob, it is also possible for her to send signals into Alice’s and Bob’s systems through the quantum channel. Eve can send bright pulses of light into their systems and analyse the back-reflected light in an attempt to gain information about which detectors fired or the settings of phase and polarisation modulators. The “plug-and-play” system is particularly susceptible to this attack, as light is reflected off Faraday mirrors in Alice’s system back to Bob [17].