Practical Issues in Quantum Cryptography


by Feihu Xu

A thesis submitted in conformity with the requirements for the degree of Master of Applied Science, Graduate Department of Electrical & Computer Engineering, University of Toronto

Copyright © 2012 by Feihu Xu

Abstract

Cryptography plays a key role in our lives, ranging from computer passwords to electronic commerce to national military security. The most widely used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies on unproven computational assumptions. Hence, there is a potential loophole for a fast algorithm to compromise their security. Quantum cryptography, or quantum key distribution (QKD), on the other hand, is an unbreakable encryption algorithm. In principle, QKD can provide unconditional security based on the fundamental laws of quantum physics. Unfortunately, real-life implementations of a QKD system may contain overlooked imperfections and thus violate the practical security of QKD. It is vital to explore these imperfections. In this thesis, I study two practical imperfections in quantum cryptography: i) Security loophole in QKD system because of imperfect quantum state preparation; ii) How to generate high-speed truly random numbers.

i) Discovering security loophole in a commercial QKD system: One key assumption in QKD is that the sender (Alice) can prepare the required quantum states without errors. However, such an assumption may be violated in a practical QKD system. I perform a proof-of-principle experiment to demonstrate a technically feasible quantum attack that exploits such a security loophole in a commercial QKD system. The attack I utilize is called phase-remapping attack.

ii) Generating high-speed truly random numbers: An essential element in QKD is a quantum random number generator (QRNG), which can generate true randomness by exploiting the indeterminism of quantum mechanics. However, due to the difficulties of measuring quantum effects in real setups, most approaches to QRNG are limited in speed. Here, I propose and experimentally demonstrate an ultrafast QRNG at a rate over 6 Gb/s, which is based on the quantum phase fluctuations of a laser. Moreover, I consider a potential adversary who has partial knowledge of the raw data and discuss how one can rigorously remove such partial knowledge with post-processing.

Acknowledgements

I would like to take this opportunity to thank various people for making my M.A.Sc. study in the University of Toronto an exciting experience. First and foremost, I owe my deepest gratitude to my supervisor, Prof. Hoi-Kwong Lo, who has supported me with his patience and knowledge during the past two years. I am grateful to him for many useful discussions that motivated me. I would extend my thanks to Dr. Bing Qi, who is my experimental supervisor and kindly teaches me everything in our quantum information technology lab. It has been a great honor to work with him. I also deeply appreciate the help and advice from Prof. Li Qian and Dr. Xiongfeng Ma, who provide many invaluable suggestions for my research as well as for my future career. Special thanks are extended to Prof. Joyce Poon, Prof. Ben Liang, and Prof. Ashish Khisti for their time and willingness to serve on my thesis committee.

Next, it is a pleasure to thank a friendly and cheerful group of fellow students, He Xu, Jiancheng Xuan, Haoxuan Zheng, Viacheslav Burenkov, Zhiyuan Tang, Wei Cui, Dongpeng Kang, Fei Ye, Chao Zhuang, Xiaofeng Xu, David Lynall for many stimulating discussions. I have also largely benefited from the inspiring discussions with many outstanding scientists. In particular, I would like to thank Dr. Christian Weedbrook, Dr. Eric Chritambar, Dr. Vadim Makarov, Dr. Chi-Hang Fred Fung, Dr. Kiyoshi Tamaki, Dr. Richard Hughes and Dr. Zhiliang Yuan.

Finally and most importantly, I am very grateful to my family for their endless encouragement and support. This thesis is dedicated to my dear Alice.

Contents

1 Introduction
Motivation; Cryptography; Quantum cryptography; Imperfections of practical quantum cryptography; Truly random number generator; Highlight and Outline; Publications and Presentations

2 Elements of Practical Quantum Key Distribution (QKD)
BB84 protocol; Intercept-and-resend attack; Security proofs; QKD implementation; Basic components; Plug-and-Play QKD system; Quantum hacking; Attacks on quantum state detection; Attacks on quantum state preparation

3 Experimental Phase-Remapping Attack
Practical attack strategy; Experiment; Experimental setup; Polarization control; Minimized quantum bit error rate; Results; 3.3.1 Theoretical quantum bit error rate; Experimental quantum bit error rate; Discussions; Optimization of the attack; Countermeasures; Conclusions

4 High-speed quantum random number generator
Introduction; Experimental demonstration; Physical model; Parameters optimization; Experimental procedures; Quantum min-entropy evaluation; Randomness extraction; Extraction schemes: Review; Toeplitz-hashing extractor; Trevisan's extractor; Randomness verification; Statistic test; Autocorrelation; Discussions and conclusions

5 Conclusion and Outlook
Conclusion; Phase-remapping attack; Quantum random number generator; Outlook; Detector-control attack; Other quantum attacks; Quantum random number generator; Practical QKD; Thoughts on future QKD

A Temperature control
A.1 Temperature accuracy; A.2 Temperature controller

B Laser Noise Characterization in Frequency Domain
B.1 Parameters quantification; B.2 Quantum and classical phase noise

C Statistic test
C.1 Statistic test suites; C.2 Test results

Bibliography

Chapter 1

Introduction

1.1 Motivation

The introduction of the Internet has enriched many lives by offering users a plethora of information and convenience. One of the many conveniences is online shopping and the ability to make purchases and other financial transactions online. However, Internet security has become an increasingly important issue, and many people question whether the information they divulge when making online purchases is really secure. Although current technology protects this vital information from hackers and identity theft, this information will indeed be vulnerable once a super-computer, such as a quantum computer, is developed.

In current secure communication systems, the key component that can be compromised by future technology is the encryption algorithm. The most widely used modern encryption algorithm is the public-key algorithm. However, the security of all public-key algorithms relies on unproven computational assumptions. Hence, there is a potential loophole: a fast algorithm could compromise their security. Indeed, a quantum computer can easily break standard public-key systems via Shor's quantum algorithm. In contrast to the public-key encryption algorithm, quantum cryptography (QC) is the unbreakable encryption algorithm based on the laws of quantum physics. In the past decade, the unconditional security of QC has been rigorously proven and various QC networks have been demonstrated in USA, Europe, China, and Japan.

Unfortunately, a crucial problem in QC is the big gap between its theory and practice due to the imperfections in real-life implementation. An adversary may exploit these imperfections and launch specific attacks. In this thesis, my primary interest is to address some of these imperfections and their security consequences in a practical QC system.

Cryptography

Cryptography is the art of secret writing and reading. More generally, it is about constructing and analyzing protocols that overcome the influence of adversaries. Cryptography plays a key role in our lives, ranging from computer passwords to electronic commerce to national military security. Modern cryptography can be divided into two categories, asymmetric and symmetric cryptography, depending on whether the encoding and decoding keys are the same or different.

Asymmetric or public-key cryptography involves the use of different keys for encryption and decryption. The principle was proposed in 1976 by W. Diffie and M. Hellman [1]. The first real implementation was then developed by R. Rivest, A. Shamir, and L. Adleman in 1978 [2], which is commonly known as RSA. In fact, RSA is the most popular algorithm in current applications of cryptography. However, the security of public-key cryptosystems relies on unproven computational assumptions. For example, the security of a standard RSA system is based on the difficulty of factoring a large composite number. So far, it has not been possible to prove whether factoring is really difficult or not. This implies the potential existence of a fast algorithm for factorization. Indeed, a quantum computer can easily break a standard RSA system via Shor's quantum algorithm (a polynomial algorithm allowing efficient factoring) [3].

Symmetric cryptography, on the other hand, requires a single key for both encryption and decryption. In symmetric cryptosystems, an unbreakable code does exist. It is called the one-time-pad (OTP), invented by Gilbert Vernam in 1917 [4]. The principle of OTP is the following. The sender (Alice) and the receiver (Bob) first share a private random key. The message (plain-text) is converted into a binary form by a public method, and then combined with the random key to obtain the cipher-text, where the most typical method is an XOR (footnote 1) operation between the message and the key. For OTP to be secure, it is important that the key be as long as the message and used only once. Three decades after OTP was proposed, Shannon proved that OTP can provide perfect secrecy: the cipher-text does not give any additional information on the message [5].

Footnote 1: The logical operation exclusive disjunction, also called exclusive or, is a logical operation on two logical values, typically the values of two propositions, that produces a value of true only in cases where the truth values of the operands differ.

The OTP method is unbreakable, but it has a serious drawback: Alice and Bob must initially share a secure key that is the same length as the message. Is there an efficient way for Alice and Bob to share such a secure key? This is the so-called key
distribution problem. One solution to this problem is by trusted couriers. Unfortunately, trusted couriers can be easily bribed or compromised in real life. Another solution is by public-key cryptosystem. Nonetheless, as mentioned earlier, the security of public-key cryptography is only based on unproven computational assumptions. Therefore, the security of its whole implementation can be compromised. If classical communication and classical physics cannot provide an optimal solution to the key distribution problem, quantum mechanics, or more precisely, quantum cryptography would constitute the only solution.

Quantum cryptography

The idea of using quantum physics to achieve missions impossible in classical information was first mentioned in the early 1970s by Stephen Wiesner. He proposed an idea of counterfeit-free quantum money. However, his paper was rejected and could not be published until a decade later [6]. In 1984, Charles H. Bennett and Gilles Brassard applied Wiesner's idea to solve the key distribution problem in classical cryptography and published the famous Bennett-Brassard-1984 (BB84) protocol [7].

Quantum cryptography, or quantum key distribution (QKD) [8, 9, 10, 11], enables an unconditionally secure means of distributing secret keys between Alice and Bob. Its security is rigorously based on the fundamental laws of quantum physics. In QKD, an encryption key is generated randomly by using quantum states. In contrast to classical physics, in quantum mechanics there is a quantum no-cloning theorem [12]: an unknown quantum state cannot be perfectly copied. This theorem is closely related to another important theorem: information gain implies disturbance. More specifically, given one state of a quantum system chosen from distinct non-orthogonal states, any operation that can gain information about the state necessarily disturbs the state.

Now, we describe the picture of how QKD works as follows. If an eavesdropper (Eve) attempts to learn information about some signals (quantum states, for instance photons) sent through a quantum channel, she will have to perform some measurements on the signals. These measurements will generally disturb the state of those signals. Alice and Bob can catch an eavesdropper by searching for traces of this disturbance, such as checking the bit error rate of a random sample of the raw transmission data. The absence of disturbance assures Alice and Bob that Eve does not have any information about the transmitted quantum signals. Therefore, the security of QKD is rigorously guaranteed by the quantum no-cloning theorem. The best-known QKD protocol is the
BB84 protocol [7], which will be discussed in Section

Imperfections of practical quantum cryptography

The unconditional security of QKD is based on the laws of quantum mechanics and has been rigorously proven during the past decade [13, 14, 15]. Nevertheless, owing to the imperfections in the real-life implementations of QKD, there is still a large gap between its theory and practice. To connect the theory with practice, security proofs of QKD have already considered some of these imperfections, such as weak coherent pulses, detector dark counts [16, 17] and detector efficiency mismatch [18]. Unfortunately, a practical QKD system has many other imperfections. Eve may try to exploit these imperfections and launch quantum hacking not covered by the original security proofs.

Is it possible that a small unnoticed imperfection spoils the security of the otherwise carefully designed QKD system? This question has drawn a lot of attention. Various quantum attacks, including the Trojan-horse attack [19, 20], the faked-state attack [21], the time-shift attack [22, 23], and the detector-control attack [24], have been proposed. Meanwhile, the time-shift attack [23] and the detector-control attack [24] have already been successfully demonstrated against commercial QKD systems. To close the gap between the theory and the practice of QKD, it is important to investigate these hacking strategies.

Nonetheless, previous studies are largely concentrated on the imperfections in the quantum-state-detection stage of a QKD process. For instance, both the faked-state attack [21] and the time-shift attack [22, 23] exploit the imperfection of the detection-efficiency mismatch between the two detectors in a standard QKD system. Hence, a natural question is: Are there any security loopholes in the quantum-state-preparation stage of QKD?

In this thesis, one of my primary interests is addressing such a security loophole in a practical QKD system with imperfect quantum state preparations. We experimentally investigate a specific quantum hacking strategy, called phase-remapping attack, against a widely-used commercial QKD system. Fig. 1.1 shows the commercial ID-500 QKD system (manufactured by ID quantique) I cracked in our lab.

Truly random number generator

Another potential imperfection in QKD is the requirement for a truly random number generator (RNG). An RNG is an essential element because most QKD protocols require
Alice and Bob to actively choose random basis/signals. Moreover, in all security proofs of QKD, the fundamental assumption is that Alice and Bob can generate perfectly random numbers. Traditionally, pseudo-RNG based on computer algorithms has long been used for applications. However, due to its deterministic nature, it cannot generate truly random numbers with theoretically provable randomness. In contrast, quantum-RNG can generate true randomness by exploiting the fundamental indeterminism of quantum physics [25]. In the past decade, several quantum-RNGs based on different schemes have already been demonstrated [25, 26, 27, 28, 29, 30, 31] and commercial products have appeared on the market [32]. Intel usually integrates an analog-hardware quantum-RNG based on thermal noise in some of its chips [33, 34].

Unfortunately, due to the difficulties of measuring quantum effects in real setups, most approaches to quantum-RNG are limited in speed (typically near 20 Mbits/s). Furthermore, in practice, quantum randomness may be compromised due to the mixing with classical noise, which may be observed or even controlled by Eve. In this thesis, an ultrafast and unique quantum-RNG is proposed and experimentally demonstrated. A rigorous method to remove the contamination of classical noise is implemented. Our approach is based on measuring the quantum phase fluctuations of a laser operating near its threshold.

Figure 1.1: ID-500 commercial QKD system in our lab (manufactured by ID quantique).

Highlight and Outline

In Chapter 2, the preliminaries of QKD, including the BB84 QKD protocol, security proofs, real-life QKD implementations, and quantum hackings, are presented.

In Chapter 3, one of the first successful quantum attacks, called phase-remapping attack, against a widely-used commercial QKD system is experimentally demonstrated. This work has been published in Ref. [35], and I was the first author. The demonstration highlights not only the vulnerabilities of practical QKD systems, but also the importance for QKD researchers to re-double their efforts on the study of the imperfections of QKD and their counter-measures. After the publication of this work, it has been widely reported in the news media including news articles in Nature, The Economist, New Scientist, Physics World, MIT Technology Review, and so forth. It has been cited 24 times according to Google Scholar.

In Chapter 4, the world's fastest truly random number generator is presented. A preprint version of this work has been posted [36], and I was the first author. The approach is by measuring the quantum phase fluctuations of a laser. The key advantages of our approach are simplicity, high speed and information-theoretically provable randomness. This work not only demonstrates the large potential for random number generation by quantum phase fluctuations as the true entropy source, but also highlights the importance of the rigorous quantification and distillation of quantum randomness in a practical quantum-RNG.

In Chapter 5, I conclude my thesis with a summary and an outlook.

1.3 Publications and Presentations

Journal papers

Feihu Xu, Bing Qi, and Hoi-Kwong Lo, Experimental demonstration of phase-remapping attack in a practical quantum key distribution system, New Journal of Physics, 12, ,
Feihu Xu, Bing Qi, Xiongfeng Ma, He Xu, Haoxuan Zheng, and Hoi-Kwong Lo, An ultrafast quantum random number generator based on quantum phase fluctuations, submitted, [preprint arxiv: ]

Refereed conference proceedings

Feihu Xu, Bing Qi, Xiongfeng Ma, He Xu, Haoxuan Zheng, and Hoi-Kwong Lo, A high-speed quantum random number generator based on quantum phase fluctuations, in Proceedings of the 11th Asian Conference on Quantum Information Science (11th AQIS),

Conference talks

Feihu Xu, An ultrafast quantum random number generator with quantum phase fluctuations, contributed talk (25 min), QCRYPT 2011: First Annual Conference on Quantum Cryptography, Zurich, Switzerland (Sep. 2011)
Feihu Xu, Bing Qi, A high speed quantum random number generator based on quantum phase noise, contributed talk (20 min, presented by Bing Qi), 11th AQIS, Busan, Korea (Aug. 2011)
Bing Qi, Feihu Xu, Viacheslav Burenkov, et al., Security of practical quantum key distribution system, invited talk (presented by Bing Qi), Updating Quantum Cryptography and Communications (UQCC), Tokyo, Japan (Oct. 2010)

Poster presentations and Conference attending

Feihu Xu, A high speed quantum random number generator based on quantum phase noise, poster presentation, Conference on Quantum Information and Quantum Control IV (CQIQC IV), Toronto, Canada (Aug. 2011)
Feihu Xu, Experimental demonstration of phase-remapping attack in a practical quantum key distribution system, poster presentation, 10th Canada Research Chairs Conference (10th CRC), Toronto, Canada (Nov. 2010)
Feihu Xu, Experimental demonstration of phase-remapping attack in a practical quantum key distribution system, poster presentation, 10th International Conference on Quantum Communication, Measurement and Computation (10th QCMC), Brisbane, Australia (Jul. 2010)
Feihu Xu, attending, Tropical QKD conference, Institute for Quantum Computing, Waterloo, Canada (Jun. 2010)

Chapter 2

Elements of Practical Quantum Key Distribution (QKD)

A theory is acceptable to us only if it is beautiful. - Albert Einstein

The first quantum information task to reach the level of practical applications is quantum key distribution (QKD). In the past decade, QKD has experienced a dramatic development in both theoretical study and experimental demonstration. In theory, the principle of QKD has been rigorously proven based on the laws of quantum physics and information theory [13, 14, 15]. In experiment, QKD has achieved a key generation rate of over 1 Mbits/s [37] and a transmission distance of over 200 km [38]. Various QKD networks have already been built in USA [39], Europe [40], China [41, 42], and Japan [37]. There have also been demonstrations of QKD in a Swiss election and the 2010 World Cup. Moreover, commercial QKD products, for instance the ID Quantique system [32] and the MagiQ system [43], have appeared on the market. These products have been used by a number of Swiss banks to encrypt critical traffic. There are excellent up-to-date reviews [8, 9, 10, 11] summarizing this development. In this chapter, we only focus on a few basics of QKD that are relevant to this thesis.

2.1 BB84 protocol

BB84 [7] is the best-known protocol of QKD. The basic tools of the BB84 protocol are a quantum channel (such as optical fiber) connecting Alice and Bob, and an authenticated public
classical channel (such as Internet) (footnote 1). A quantum channel means that information sent through it is encoded on the quantum state of photons. Eve is allowed to fully control the quantum channel, but she is not allowed to sneak into Alice's or Bob's local laboratory to steal information. On the public channel, Eve is allowed to listen passively, but not to change the transmitted message.

Before introducing the procedure of the BB84 protocol, it is important to be aware that the quantum no-cloning theorem [12] cannot be applied to a set of orthogonal states. In other words, at least two non-orthogonal bases should be employed to perform a secure quantum communication. A basis represents how Alice encodes the random bits on the quantum states. For instance, Alice can randomly choose between two state bases, rectilinear basis + and diagonal basis. In the rectilinear basis, she uses the horizontal polarization state to represent bit 0 and the vertical polarization state to represent bit 1. In the diagonal basis, she uses 45 degree polarization to represent bit 0 and 135 degree polarization to represent bit 1. In quantum mechanics, these two bases are complementary bases, whose measurement operators do not commute with each other (footnote 2). Hence, it is impossible to measure in both bases simultaneously, and measuring in one basis automatically disturbs the outcome in the other basis.

In the BB84 protocol, for each transmission between Alice and Bob, Alice randomly chooses to use either the rectilinear or the diagonal basis to encode her random number. The polarization of each photon is randomly chosen from the set {horizontal, vertical, 45 degree, 135 degree}. Therefore, it is impossible for Eve to determine its polarization state without knowing the encoding basis chosen by Alice. If Eve uses a polarization beam splitter to project the input photon into either the horizontal or the vertical polarization state, which is called a measurement in the rectilinear basis, then she will destroy information encoded in the diagonal basis, since a 45 degree or 135 degree polarized photon has the same chance to be projected into either the horizontal or the vertical polarization state. As a result, any operation by Eve to randomly choose the basis and perform the measurement will introduce some errors, and these errors can be statistically calculated by Alice and Bob.

Footnote 1: An authenticated classical channel is essentially required in QKD. In classical cryptography, an information-theoretically secure authentication algorithm does exist, for instance the Wegman-Carter algorithm [44], where authentication can be done with a rather short key. Authentication of an m-bit classical message requires an authentication key whose length is only logarithmic in m. Note that without authentication by a pre-shared secret between Alice and Bob, Eve can disguise herself as Bob, which makes the scheme insecure. Therefore, the goal of QKD is to allow Alice and Bob, starting from a small amount of pre-shared secret, to expand it into a much longer one.

Footnote 2: In linear algebra, it corresponds to two non-commuting matrices, which generally cannot be simultaneously diagonalized.

This is the essence of the security of the BB84 protocol. The full procedure of the BB84 protocol is stated as follows (see Table 2.1).

1. Alice randomly selects a sequence of photons, each from one of the four polarizations, vertical, horizontal, 45-degrees and 135-degrees, and sends the sequence to Bob.
2. For each photon, Bob randomly chooses one of the two measurement bases (rectilinear basis and diagonal basis) to perform a measurement and records his measurement basis and results.
3. Alice and Bob both broadcast their bases of measurement.
4. Alice and Bob discard all events where they use different bases for a signal. The remaining results are called sifted data.
5. Alice randomly chooses a fraction of the remaining events as testing events, and she publicly broadcasts the testing events' positions and polarizations. Bob then broadcasts the measured polarizations of the testing events.
6. Alice and Bob compute the quantum bit error rate (QBER) of the testing events. If the computed error rate is larger than some prescribed threshold value, they stop the process. Otherwise, they proceed to the next step.
7. Alice and Bob convert all remaining data into a binary string. They perform classical post-processing such as error correction and privacy amplification to generate a final key.

Footnote 3: Rectilinear and diagonal are two conjugate bases, where measurement in one basis randomizes the outcome of a measurement in the other basis.

2.2 Intercept-and-resend attack

Let us see what happens if an eavesdropper (Eve) launches a simple intercept-and-resend attack: For each photon sent from Alice, Eve performs a measurement in a randomly chosen basis and re-sends a new photon to Bob according to her measurement result. Let us focus on those cases when Alice and Bob happen to use the same basis, since they will throw away other cases. If Eve happens to use the correct basis (50%), then both she and Bob will decode Alice's bit value correctly. No error is introduced
by Eve. On the other hand, if Eve uses the wrong basis (50%), then both she and Bob will have random measurement results. This suggests that if Alice and Bob compare a subset of the sifted key, they will see a significant amount of errors, called quantum bit errors. Here, for these bits, the photons will be passed on to Bob in the wrong basis, so regardless of Eve's measurement result, Bob will have a 50% probability of measuring the opposite of Alice's bit value. In other words, Eve's attack will introduce a 50% quantum bit error rate (QBER) for half of the total bits, and thus a total of 25% QBER. This example illustrates the basic principle behind QKD: Eve can only gain information at the cost of introducing errors, which will expose her existence.

[Table 2.1: Schematics of BB84 protocol. Rows: Alice's encoding bits; Alice's basis; Alice's photon polarization; Bob's measurement basis; Bob's measured result; Bob's raw data; Bob's sifted data. +, rectilinear basis;, diagonal basis;, photon lost.]

2.3 Security proofs

The basic idea of the BB84 protocol is beautiful and its security can be intuitively understood from the quantum no-cloning theorem [12] as follows. Non-orthogonal quantum states cannot be perfectly distinguished. Thus, it is impossible for Eve to find out which state has been sent by Alice without knowing the basis. However, proving the security of QKD in a practical implementation is an extremely difficult problem, because it is very hard to take all of Eve's possible attacks into account. It took a long time after BB84 was proposed, but finally, the unconditional security of QKD was proven [13, 14, 15].

Among the security proofs, the one by Shor and Preskill [15] is very simple. Their proof essentially converts an entanglement distillation protocol (EDP)-based QKD protocol proposed by Lo and Chau [14] to the BB84 protocol by using the quantum error correction idea. With one-way classical communication between Alice and Bob, Shor and Preskill's proof shows that BB84 is secure whenever the QBER is less
than 11% [15]. If two-way classical communication is allowed, the Gottesman-Lo proof [45] has improved the tolerable QBER to 18.9%, which has been further improved by Chau to 20% [46]. Note that the above QBER bounds apply only to perfect single-photon sources and in the asymptotic limit of infinite signals.

Security proofs of QKD were further extended to explicitly accommodate some imperfections in practical QKD settings [16, 17, 18]. One important imperfection is that the laser source used in practice is a weak coherent pulse (WCP), which occasionally contains more than one photon in each signal (see subsection 2.4.1). Hence, it is not the single-photon source that the other security proofs [13, 14, 15] assumed. In particular, BB84 may become insecure when WCP with strong intensity is used. For instance, Eve can launch a so-called photon-number-splitting (PNS) attack [47], in which she blocks all single-photon pulses and splits multi-photon pulses. She keeps one photon of each of the split pulses to herself and forwards the rest to Bob through a lossless channel. After the basis announcement by Alice and Bob, Eve can unambiguously identify the bit values of the multi-photon signals of which she has kept copies, thereby learning the entire secret key.

Refs. [16, 17] have shown that secure QKD is still possible even with a WCP source. However, the drawback is that the PNS attack puts severe limits on the distance and the key generation rate of QKD. A novel solution to this problem is the decoy-state QKD protocol [48, 49, 50], which uses extra test states, called decoy states, to learn the properties of the channel (channel transmission) and the eavesdropping on the key-generating signal states.

2.4 QKD implementation

Basic components

The basic components in a typical QKD setup are stated as follows.

Random number generator: A random number generator (RNG) is an essential element for QKD because most QKD protocols require Alice and Bob to actively choose random basis/signals. Moreover, in all security proofs of QKD, the fundamental assumption is that Alice and Bob can generate perfectly random numbers. Traditionally, pseudo-RNG based on computer algorithms has long been used for applications. Recently, physical-RNG based on chaotic behaviors of semiconductor lasers has been proposed to generate fast random bits [51, 52, 53, 54]. However, due
to their deterministic nature, neither scheme can generate truly random numbers with information-theoretically provable randomness. A quantum RNG (QRNG), on the other hand, can generate true randomness from the fundamentally probabilistic nature of quantum processes. In the past decade, several QRNG schemes, based on single-photon detection [25, 26, 27], quantum non-locality [28, 29], and vacuum state fluctuations [30, 31], have been demonstrated. Meanwhile, commercial ones, like the ID Quantique system [32], have already appeared on the market. Unfortunately, due to the difficulties of measuring quantum effects, previous implementations have been limited to a relatively slow rate (typically near 20 Mbits/s). In 2009, Qi et al. proposed and built a fast QRNG by measuring the quantum phase fluctuations of a laser, which yields a speed of 500 Mb/s [55, 56]. A similar scheme at a lower speed has also been demonstrated by Guo et al. [57]. Nonetheless, the key point is that the generation rates of all previous QRNGs are still too low for many applications, such as high-speed QKD operating at over a gigahertz [58]. Furthermore, in practice, some imperfections in the numbers generated by a quantum RNG are inevitable [29]. The theoretical foundation of QKD is still at risk because the security proofs (discussed above) all assume the existence of perfect RNGs and do not apply to imperfect RNGs.

Source: In most QKD implementations, an attenuated laser is used as the source due to its simplicity and low cost. An attenuated laser source is essentially the same as the laser source used in classical optical communication, except that heavy attenuation is applied to it (usually to below 1 photon per pulse). The output state from a laser is a coherent state, which can be expressed as a Poissonian mixture of the different number states:

$$\rho = \sum_{n=0}^{\infty} \frac{e^{-\mu}\mu^{n}}{n!}\,|n\rangle\langle n| \qquad (2.1)$$

where $|n\rangle$ is the number state (see footnote 4), µ is the mean number of photons in a pulse, and phase randomization has been assumed. Attenuated lasers were considered to be non-ideal for BB84 as they always have some probability of emitting multi-photon pulses. Fortunately, as discussed in Section 2.3, the discovery of the decoy-state method [48, 49, 50] made weak coherent lasers much more appealing, without significant losses in the performance of a BB84 QKD system.

Footnote 4: In quantum mechanics, a physical state is represented by a state vector in a complex vector space. (called ket) and (called bra) are two physical-states notations following Dirac in quantum mechanics.

Another important class of QKD sources is the entangled photon source, which is used in the Ekert91 (see footnote 5) [59] and the BBM92 [60] QKD protocols, and is an essential ingredient in quantum computing [61]. A widely used entangled photon source is based on parametric down-conversion, where a high-energy photon propagates through a highly non-linear crystal, producing two entangled photons with frequency halved.

Quantum channel: The fundamental requirements for a quantum channel are low loss and preservation of the quantum state (avoiding decoherence from the environment). In practice, two types of channels have these desirable properties: single-mode optical fiber and free space. Standard optical fibers have been developed and used in telecommunication for four decades. Currently, standard optical fiber is the most popular choice for QKD implementations, because it can easily connect two arbitrary points and be extended to a network. The loss α of an optical fiber is usually measured in dB/km. The probability for a single photon to be transmitted through an optical fiber of length l is given by $10^{-\alpha l/10}$. The losses depend heavily on the wavelength of the photons, and are minimal in the two telecom wavelength windows: around 0.35 dB/km at 1330 nm, and 0.21 dB/km at 1550 nm. In QKD, since loss is critical for the transmission range and key generation rate, the 1550 nm wavelength is usually used. The main disadvantage of optical fiber is its birefringence. The strong polarization dispersion makes it hard to implement a polarization-coding system. Moreover, fiber has strong spectral dispersion, which heavily affects high-speed QKD systems as the pulses are broadened and overlap with each other. Therefore, the loss in fibers puts a limit on the longest distance that a fiber-based QKD system can reach (typically, less than 400 km). Free-space links have negligible dispersion in polarization and frequency.
There are atmospheric transmission windows that have small loss (α < 0.1 dB/km) in clear weather. Free space is an ideal link for polarization-coding QKD. Recently, free-space QKD has attracted more attention [62, 63, 64, 65]. Nonetheless, over long communication distances, atmospheric fluctuations make it challenging to predict the arrival point of a photon and to align the optical beams. Another disadvantage of the free-space link is that it requires a line of sight between Alice and Bob. Buildings and mountains are serious obstacles for free-space QKD systems. The greatest motivation for the open-air QKD scheme is the hope for ground-to-satellite and satellite-to-satellite quantum communications [63, 64, 65]. As there is negligible optical absorption in outer space, we may be able to achieve inter-continental quantum communication with free-space QKD. Indeed, many countries, including USA, Japan, China and Canada, have proposed to build satellite-based quantum communications.

Footnote 5: This QKD protocol is essentially connected to the fundamental testing of Bell's inequality.

Detector: In QKD, the most popular type of single-photon detector is the InGaAs avalanche photodiode (APD) [66]. Single-photon detectors are typically threshold detectors, i.e. the detector output is binary and distinguishes between zero photons and one or more photons. The InGaAs APD utilizes the avalanche effect of semiconductor diodes. A strong bias voltage is applied to the InGaAs diode. The incident photon triggers the avalanche effect, generating a voltage pulse. The narrow band gap of InGaAs makes it possible to detect photons at telecom wavelengths. These detectors normally work below -50 °C to lower the dark count rate (a dark count being the event that the detector generates a detection click while no actual photon hits it). This temperature can be easily achieved by thermoelectric coolers. The quantum efficiency (detection efficiency) of InGaAs APDs is usually around 10%. During an avalanche, carriers are trapped by impurities in the semiconductor. Hence, there is a high dark count probability due to the decay of trapped carriers after an avalanche. This is called the after-pulse effect. To reduce the after-pulse effect, the detector is usually deactivated for a time period, called the dead time, after a detection event. The dead time should be set long enough so that when the detector is re-activated, the after-pulse effect is negligible (see footnote 6).
Moreover, in a practical QKD system, the APDs are often operated in a gated mode, where the detectors are only activated when the photons are expected to hit them. This activated time period is called a gate. The gates are usually applied at a high repetition rate and a number of gates are removed after a detection event, as in the id Quantique system [32]. Gated mode indeed reduces the dark count rate by several orders of magnitude and is thus used in most InGaAs APDs. However, it may open up security loopholes, such as the time-shift attack [22, 23] and the detector-control attack [24, 67, 68] (to be introduced below). For more details of single-photon detectors, see Ref. [69].

Footnote 6: The dead time is typically on the order of microseconds. At a lower temperature, it takes a longer time for the trapped carriers to decay, and therefore low temperature effectively reduces the detection rate. Typically, InGaAs APDs work no faster than several megahertz.

Plug-and-Play QKD system

There are excellent reviews of different QKD implementation schemes [8, 9, 10], so this section only contains a brief review of the QKD scheme relevant to this thesis: the Plug-and-Play QKD system. Besides the polarization-coding BB84 protocol described in Section 2.1, BB84 can be implemented with any two-level quantum system (qubits). Indeed, other coding methods, particularly phase-coding, also exist. In phase-coding BB84, a signal consists of a superposition of two time-separated pulses, known as the reference pulse and the signal pulse. The information is encoded in the relative phase between the two pulses. Hence, the encoded relative phases of {0, π/2, π, 3π/2} in the phase-coding BB84 are essentially equivalent to the encoded polarizations of {Horizontal, 45 degrees, Vertical, 135 degrees} in the polarization-coding BB84. They are simply different embodiments of the same BB84 protocol. Phase-coding BB84 has been practically implemented based on various schemes, and one specific scheme is the Plug-and-Play QKD implementation.

Practical limitations associated with phase and polarization instabilities over long-distance fibers have led to the development of bidirectional QKD schemes, such as the plug-and-play [70] and the Sagnac QKD structure [71]. In particular, the plug-and-play BB84 structure is widely used in commercial QKD systems [32]. Its schematic is shown in Fig. 2.1. We can see that it employs the phase-coding QKD scheme, which is an improved version of the double Mach-Zehnder interferometer scheme [72]. It has only one Mach-Zehnder interferometer, and the light propagates through the same channel and interferometer twice due to the Faraday mirror on Alice's side. This system works as follows. Bob first sends two strong laser pulses (signal pulse and reference pulse) to Alice.
Alice uses the reference pulse as a synchronization signal to activate her phase modulator. Then Alice modulates the phase of the signal pulse only, attenuates the two pulses to the single-photon level, and sends them back to Bob. Bob randomly chooses his measurement basis by modulating the phase of the returning reference pulse. Owing to its good phase and polarization stability, the Plug-and-Play QKD system has attracted much scientific attention. However, since Alice allows signals to go in and out of her device in the plug-and-play system, this opens a potential back door for Eve

to launch various attacks [19, 20], such as the Trojan-horse attack (see footnote 7). One specific attack is the phase-remapping attack [73] (to be discussed below).

Footnote 7: The Trojan-horse attack employs the unwanted internal reflection from a phase modulator [19, 20]. A Plug-and-Play QKD system is more vulnerable to this attack, because Alice allows signals to go in and out of her device. In Alice's system, the phase modulator setting contains the bit and basis value. The back-reflections passing the phase modulator in a phase-coding QKD implementation reveal the setting of the phase modulator. It is also called the large-pulse attack. In this attack [20], Eve sends a strong laser pulse to Alice's laboratory to try to read off Alice's phase modulator setting from a reflected signal. As a result, Eve may learn which BB84 state Alice is sending to Bob.

Figure 2.1: Schematic for plug-and-play BB84 QKD system. LD, laser diode. Det1/Det2, single-photon detector; PMA/B, phase modulator; C, circulator. PBS, polarization beam splitter; CD, classical photodetector; DL, delay line; FM, Faraday mirror.

2.5 Quantum hacking

Owing to the imperfections in a real-life QKD system, there is still a large gap between the theory and practice of QKD. In particular, Eve may try to exploit these imperfections and launch specific attacks, called quantum hacking, that are not covered by the original security proofs [13, 14, 15]. In this section, a number of well-known quantum hacking strategies that are outside of standard security proofs are reviewed.

Attacks on quantum state detection

In 2005, Makarov et al. proposed a faked-state attack, which exploits the efficiency mismatch of two detectors in a practical QKD system [21]. As discussed in subsection 2.4.1, in practice, the standard single-photon detectors (such as InGaAs APDs) are often operated in a gated mode. Therefore, the detection efficiency of each detector is

time-dependent. Since QKD systems require the detection of two different bit values, they require at least two detectors. It is then inevitable that finite manufacturing precision in the detectors and the electronics, and differences in optical path length, will slightly misalign the two detector gates and cause detector-efficiency mismatch. This problem often exists in practical QKD systems, and it leaves a back door for Eve to launch the faked-state attack as follows. A conceptual schematic of this attack is shown in Fig. 2.2. At the expected arrival time T, the detection efficiencies of the two detectors are similar. However, if the signal is chosen to arrive at some unexpected times (such as $t_1$ and $t_2$ in Fig. 2.2), it is possible that the detection efficiencies of the two detectors differ greatly.

Figure 2.2: Schematic of detection efficiency mismatch (efficiency versus time). SPD, single-photon detector. At the expected arrival time T, the detection efficiencies of SPD 1 (representing bit 0) and SPD 2 (representing bit 1) are the same. However, at time $t_1$, SPD 1 is more sensitive to the incoming photon than SPD 2.

The faked-state attack is an intercept-and-resend attack. For each signal, Eve randomly chooses one of the two BB84 bases (rectilinear or diagonal) to perform a measurement and obtain a measurement result. Then, she re-sends the opposite bit value from her measurement result in the opposite basis, at a time when the detector for the opposite bit has a lower detection efficiency than the other detector. As shown in Ref. [21], Eve introduces less than 11% QBER if the detection efficiency η

The faked-state attack, while conceptually interesting, is hard to implement in a real-life QKD system.
This is because it is an intercept-resend attack and as such involves finite detection efficiency in Eve's detectors and precise synchronization between Eve and Alice-Bob's system. Therefore, the faked-state attack has never been implemented

in practice. A typical countermeasure against detector-efficiency mismatch is the four-state QKD protocol [21].

In 2007, Qi et al. [22] proposed the time-shift attack, which is also based on the detection-efficiency mismatch in the time domain, but is much easier to implement than the faked-state attack. Let us suppose Fig. 2.2 illustrates the detection efficiencies of the two single-photon detectors in a real-life QKD system. Eve can simply shift the arrival time of each pulse sent from Alice by employing a variable optical delay line. For example, Eve randomly shifts the pulse from Alice to arrive at $t_1$ or $t_2$ through a shorter or a longer optical path. This shifting process can partially reveal Bob's bit value: if the pulse arrived at $t_1$ (or $t_2$) and Bob announces receipt, the bit value is more likely to be 0 (1). Moreover, Eve can carefully set how many bits should be shifted forward and how many should be shifted backward to ensure that the distribution of bit 0 and bit 1 received by Bob is balanced. Hence, the time-shift attack does not make any measurement on the quantum state, and quantum information is not destroyed.

Since Eve does not need to make any measurement or state preparation, the time-shift attack is practically feasible with current technology. In 2007, it was successfully implemented on a commercial QKD system by Zhao et al. [23]. This is the first successful demonstration of quantum hacking on a widely-used commercial QKD system. In their experiment [23], Eve got an information-theoretical advantage in around 4% of her attempts. It shows that a practical QKD system has a non-negligible probability of being vulnerable to the time-shift attack.

Attacks on quantum state preparation

Previous studies of quantum attacks are largely concentrated on the imperfections in the quantum-state-detection stage of a QKD process.
For instance, both the faked-state attack [21] and the time-shift attack [22, 23] exploit the imperfection of detection-efficiency mismatch in a standard QKD system. Hence, a substantial question is: is the quantum-state-preparation stage of QKD really secure? Fung et al. [73] answered this question in the negative, and proposed a novel quantum attack, called the phase-remapping attack, exploiting such a security loophole. In a fiber-based phase-coding Plug-and-Play BB84 QKD system (see Fig. 2.1), a LiNbO3 waveguide phase modulator is commonly used to encode random bits. In practice, a phase modulator has finite response time, as shown in Fig. 2.3. Ideally, Bob's signal pulse passes through Alice's phase modulator in the middle of the modulation signal and undergoes a proper

modulation (time $t_0$ in Fig. 2.3). However, if Eve changes the time difference between the reference and the signal pulse, the signal pulse will pass through the phase modulator at a different time (time $t_1$ in Fig. 2.3), and the encoded phase will be different. Originally, Alice uses {0, π/2, π, 3π/2} to encode {$0_1$ (bit 0 in basis1), $0_2$ (bit 0 in basis2), $1_1$ (bit 1 in basis1), $1_2$ (bit 1 in basis2)}. Now, after Eve's remapping process, Alice's encoded phases will be mapped to {0, $\phi_1$, $\phi_1+\phi_2$, $\phi_1+\phi_2+\phi_3$}, where $\phi_i$ (i = 1, 2, 3) is the new phase difference between two adjacent states. This phase-remapping process allows Eve to launch a novel intercept-and-resend attack: the phase-remapping attack [73].

Figure 2.3: Diagram of phase modulation (PM) signal (phase shift versus time). $t_0$ is the original time location where Bob's signal pulse is properly modulated to have phase $\phi_0$. Eve time-shifts the signal pulse from $t_0$ to $t_1$. This pulse will undergo a new modulated phase $\phi_1$. Reproduced from [35] with permission. © 2010 IOP.

The theory of the phase-remapping attack was first proposed in Nonetheless, it did not draw much scientific attention at that time. In my first year of M.A.Sc study, I experimentally demonstrated this attack on top of a widely-used commercial QKD system, the Plug-and-Play QKD system. The resulting quantum bit error rate is 19.7%, which is substantially lower than the well-known 25% error rate for an intercept-and-resend attack in BB84. The success of my demonstration has attracted more attention from both the QKD community and the public. This work has not only been cited 24 times according to Google Scholar but has also been widely reported in the news media, including news articles in Nature, The Economist, New Scientist, Physics World, MIT Technology Review and so forth. The details of my demonstration are given in the following chapter.

Chapter 3 Experimental Phase-Remapping Attack

If you think cryptography is the answer to your problem, then you don't know what your problem is. - Peter G. Neumann

In this chapter, we present the experimental investigation of the phase-remapping attack in a commercial QKD system. In our experiment, we found that the phase-remapping process in a practical QKD system was much more complicated than the theoretical model described in Ref. [73]. To adapt to this complexity, we modified the original phase-remapping attack into type I and type II practical attacks. It is well known that in a standard BB84 QKD system, a simple intercept-and-resend attack will introduce a quantum bit error rate (QBER) of 25%, which alerts the users that no secure keys can be generated. Our experimental results show that by performing the phase-remapping attack, Eve can gain the full information at the cost of only introducing a QBER of 19.7%. Hence, a key assumption in the security proof of QKD has been substantially violated by this attack. The content of this chapter is heavily based on Ref. [35].

3.1 Practical attack strategy

We implement the phase-remapping attack on top of a Plug-and-Play QKD system. In our experiment, the practical attack strategy is as follows.

1. Eve intercepts Bob's strong pulse and sends a time-shifted pulse to Alice via her

own device. Note that Eve can change the actual values of $\phi_i$ (i = 1, 2, 3) by changing the time displacement. However, she cannot change $\phi_1$, $\phi_2$, and $\phi_3$ independently.

2. Eve's strategy is to either distinguish {$0_1$} from {$0_2$, $1_1$, $1_2$} or {$1_2$} from {$0_1$, $0_2$, $1_1$} with minimal errors. To distinguish {$0_1$}, Eve introduces a phase shift of {$\phi_1+\phi_2$} by using her phase modulator on the reference pulse sent back by Alice and performs an interference measurement. If detector1 (Det1) has a click (see footnote 1), Eve sends a standard BB84 state {$0_1$} to Bob. Otherwise, Eve simply discards it. A similar procedure is performed to distinguish {$1_2$}, where Eve introduces a phase shift of {$\phi_1$}.

Here, we define Eve's phase shift {$\phi_1$} as Basis X and {$\phi_1+\phi_2$} as Basis Y. Now, assume that Eve uses Y to distinguish {$0_1$}; given that Alice sends the different states {$0_1$, $0_2$, $1_1$, $1_2$}, Det1's detection probabilities {$P_{0_1}$, $P_{0_2}$, $P_{1_1}$, $P_{1_2}$} are {$\sin^2(\frac{\phi_1+\phi_2}{2})$, $\sin^2(\frac{\phi_2}{2})$, 0, $\sin^2(\frac{\phi_3}{2})$}. After Eve's attack, the error probabilities introduced are {0, 1/2, 1, 1/2}. The analysis in X can be carried out similarly. So, the QBERs are

$$Y:\quad QBER_Y = \frac{\frac{1}{2}\sin^2\left(\frac{\phi_2}{2}\right) + \frac{1}{2}\sin^2\left(\frac{\phi_3}{2}\right)}{\sin^2\left(\frac{\phi_1+\phi_2}{2}\right) + \sin^2\left(\frac{\phi_2}{2}\right) + \sin^2\left(\frac{\phi_3}{2}\right)} \qquad (3.1)$$

$$X:\quad QBER_X = \frac{\frac{1}{2}\sin^2\left(\frac{\phi_1}{2}\right) + \frac{1}{2}\sin^2\left(\frac{\phi_2}{2}\right)}{\sin^2\left(\frac{\phi_2+\phi_3}{2}\right) + \sin^2\left(\frac{\phi_2}{2}\right) + \sin^2\left(\frac{\phi_1}{2}\right)} \qquad (3.2)$$

Ref. [73] assumed $\phi_1 = \phi_2 = \phi_3 = \phi$; the overall QBER is then given by

$$QBER = \frac{QBER_X + QBER_Y}{2} = \frac{\sin^2\left(\frac{\phi}{2}\right)}{\sin^2(\phi) + 2\sin^2\left(\frac{\phi}{2}\right)} \qquad (3.3)$$

As shown in Fig. 3.1, there is a range of φ that allows the QBER to go below 20.0%, which is tolerable in the BB84 protocol [45, 46]. Hence, if Eve remaps the phase small enough into this range, she can successfully apply this intercept-and-resend attack.
Footnote 1: After the Mach-Zehnder interferometer, if the phase difference between the reference and signal pulses is π (0), detector1 (detector2) clicks.

Figure 3.1: QBER of phase-remapping attack (QBER versus phase difference). Eve remaps the four BB84 states with the same new phase difference ($\phi_1 = \phi_2 = \phi_3 = \phi$).

3.2 Experiment

Experimental setup

We implemented the phase-remapping attack in a commercial ID-500 QKD system (manufactured by id Quantique), as shown in Fig. 3.2. Bob's (replaced by Eve) signal pulse, reference pulse and Alice's phase modulation signal of the original QKD system are shown in Fig. 3.3. Note that in Fig. 3.3, since Alice uses the reference pulse as a trigger signal, the time delay $t_1$ is determined by the internal delay of Alice's system and can't be controlled by Eve. On the other hand, since Alice doesn't monitor the arrival time of the signal pulse, Eve can change the time delay $t_3$ without being detected. Furthermore, the rising edge time (10-90%) of the phase modulation signal is around 6 ns, while the width of the laser pulse is about 500 ps (FWHM). Eve can easily place her pulse on the rising edge to get partial phase modulation (see footnote 2). This specific QKD design opens a security loophole which allows Eve to launch the phase-remapping attack.

Footnote 2: Eve could also use a laser source with a much narrower pulse width to launch this attack.

In our experiment, Eve utilized the same setup as Bob to launch her attack. Eve modified the length of the short arm of her Mach-Zehnder interferometer by adding a variable optical delay line (VODL in Fig. 3.2) to shift the time delay between the reference pulse and the signal pulse. To remap the phase small enough into the low QBER range, the optimal strategy we found is as follows: by using the VODL, Eve shifts the forward signal pulse out of, and only the backward signal pulse into, the phase modulation range (see Fig. 3.4(b)); by using a polarization controller (PC in Fig. 3.2), Eve aligns the polarization direction of

the backward signal pulse orthogonal to the principal axis [74] of the phase modulator.

Figure 3.2: (Color online). Experimental implementation of the phase-remapping attack in a commercial ID-500 QKD system. Original QKD system: LD, laser diode. Det1/Det2, single photon detector; PMA/B, phase modulator; C, circulator. PBS, polarization beam splitter; CD, classical photodetector; DL, delay line; FM, Faraday mirror. Our modifications: Eve replaces Bob; VODL, variable optical delay line; PC, polarization controller. Reproduced from [35] with permission. © 2010 IOP.

Polarization control

One crucial issue in our experiment is polarization control. A practical phase modulator, for instance the one in Alice's system, is polarization dependent and has one principal axis. When a voltage is applied to the phase modulator, photons with different polarization directions will be phase-modulated differently. Photons with polarization aligned with the principal axis will undergo a large phase modulation, while photons with the orthogonal polarization state will undergo a small phase modulation [74]. In our experiment, we find that the relative modulation magnitude ratio of the two polarizations is about 1:3 (see footnote 3).

Footnote 3: The relative magnitude ratio was tested experimentally by applying different voltages to Alice's phase modulator (PMA in Fig. 3.2) to modulate the signal pulses with the two polarization directions (adjusted by PC in Fig. 3.2). From the applied voltages and the modulated phases, we found that the relative ratio is about 1:3. Ref. [74] gives the parameters of the LiNbO3 phase modulator and the relations between phase modulation and the parameters. The relative ratio is 9.6 : 30.9 (see Section 9.2 and Table 9.2 of Ref. [74]).

In the original plug-and-play system, the signal pulse will be modulated twice as it passes through Alice's phase modulator back and forth (see Fig. 3.4(a)). Because of the Faraday mirror, the total phase shift is independent of the polarization state of the signal pulse. However, since Eve's signal pulse will pass through the modulator at a different time and

be modulated only once (see Fig. 3.4(b)), the above auto-compensating method will not work. Eve has to control the polarization direction to be either aligned with or orthogonal to the principal axis of the phase modulator when her signal pulse is modulated. This is achieved by adding a polarization controller (PC in Fig. 3.2) and adjusting it carefully. Here, Eve can assume that the polarization has been aligned properly by maximizing the total counts of D1+D2 (D1 and D2 denote the counts of Det1 and Det2) (see footnote 4).

Footnote 4: If the polarization is not properly controlled by the PC, after Alice's modulation, the original linear polarization state of the signal pulse will change to a circular or elliptical polarization state. So, when the signal pulse returns and passes through Eve's PBS (see Fig. 3.2), part of it will wrongly go to the long arm instead of the short arm. Since the detector (Det in Fig. 3.2) is gated, this part will hit the detector at a wrong time and thus cannot be detected.

Figure 3.3: (Color online). Time patterns of the reference pulse (Ref), the signal pulse (Sig) and the phase modulation signal in the commercial ID-500 QKD setup. Here, Alice's encoding phase is {π} and we only show the forward pulses. Reproduced from [35] with permission. © 2010 IOP.

By combining a variable shifting time and two different polarization directions, Eve can apply two types of practical phase-remapping attack:

Type I practical attack is shown in Fig. 3.4(b). Eve shifts the forward signal pulse out of the phase modulation signal and the backward pulse to the rising edge, and adjusts the PC to align the backward pulse's polarization direction with the modulator's principal axis. Here, we remark that if the width of the laser pulse is comparable with the rising time of the modulation signal, the type I attack will cause

an unreasonably high QBER, thus it is easy for Alice and Bob to detect the attack.

Figure 3.4: Time pattern of practical phase-remapping attack. Sig: signal pulse. Ref: reference pulse. PM: phase modulation signal. (a) Normal QKD operation. (b) Type I practical phase-remapping attack. (c) Type II practical phase-remapping attack; here, even if we assume Alice has a perfect phase modulator with strictly sharp rising and falling edges, the type II attack still works. Reproduced from [35] with permission. © 2010 IOP.

Type II practical attack is shown in Fig. 3.4(c). Eve shifts the backward pulse to the plateau region of the phase modulation signal, and aligns its polarization direction orthogonal to the principal axis. Since the orthogonal direction has the smallest phase modulation, Eve can successfully remap the phase small enough into the low QBER range. One important advantage is that even if Alice's phase modulator is good enough to have strictly sharp rising and falling edges (rendering the type I attack ineffective), Eve can still apply the type II attack in practical QKD systems.

Minimized quantum bit error rate

Fung et al. [73] assumed that Eve could remap Alice's encoded phase with $\phi_1 = \phi_2 = \phi_3$. However, in our experiment, the relation among $\phi_1$, $\phi_2$, and $\phi_3$ is more complicated. As shown in Fig. 3.5, Alice's phase modulation signals {π/2, π, 3π/2} not only start at different times but also have different average rising times. Furthermore, there is also an overshoot after the rising edge, and the time of the overshoot differs between the signals. So, if we use different lengths of VODL to shift the pulse either to the rising edge

or to the overshooting range, the pulse will not undergo a proportional phase modulation. Eve's remapping phases will be $\phi_1 \neq \phi_2 \neq \phi_3$. These complicated phases will thus affect the QBER, as shown in equations (3.1) and (3.2). In our experiment, the optimal length of VODL was determined by minimizing the resulting QBER. We finally applied two optimal VODLs (see Fig. 3.5(b)) to launch two types of practical phase-remapping attack: VODL I: 5.8 m and VODL II: 4.65 m. Our attack strategy was the one discussed in Section 3.1. We finally remark on two experimental details: (i) from the time pattern graph in Fig. 3.3, the laser pulse is narrow enough to allow us to apply the type I attack; (ii) in the type I attack, to make the remapping phase small enough, we still control the polarization of the backward signal pulse to be orthogonal to the principal axis of the phase modulator.

Figure 3.5: (Color online). (a) Alice's phase modulation signals, π/2, π, and 3π/2, respectively. (b) The zoomed rising edge of each modulation signal and the approximate time of the optimal VODL used in our attack. Axes: applied voltage (V) versus time (ns). Reproduced from [35] with permission. © 2010 IOP.

3.3 Results

Some experimental parameters of our ID-500 commercial QKD system, including the dark count rate $Y_0$, the detector error rate $e_{det}$, Bob's overall quantum efficiency $\eta_{Bob}$ (including the detection efficiency of the single photon detector) and the mean photon number µ, are listed in Table 3.1. Our transmission distance was a few meters. We repeated the measurement

34 Chapter 3. Experimental Phase-Remapping Attack million times 5 for each state sent by Alice and the experimental results are shown in Table 3.2. Y 0 e det η Bob µ Table 3.1: Experimental parameters. c 2010 IOP. Z X Y State φ A φ E D1 D2 D1 D2 D1 D (a) Z X Y State φ A φ E D1 D2 D1 D2 D1 D (b) Table 3.2: Experiment results. φ A is Alice s original standard BB84 phase. φ E is the new phase remapped by Eve. D1 (D2) is the counts number of Det1 (Det2). Here, Eve introduced phase {0} (Basis Z), {φ 1 } (Basis X), and {φ 1 + φ 2 } (Basis Y), respectively on the reference pulse to measure each state, and repeated the measurement 10 million times for each state. (a) Variable Optical Delay Line I (5.8m). (b) Variable Optical Delay Line II (4.65m). Reproduced from [35] with permission. c 2010 IOP. 5 This data size is large enough to converge the statistical error rate in our experiment.

Theoretical quantum bit error rate

We calculate the QBER from the theoretical model discussed in Section 3.1. The detection probabilities of phase-coding BB84 are

$$\text{Det1}: \quad P_1 = \frac{1 - \cos(\phi_A - \phi_B)}{2} = \sin^2\!\left(\frac{\phi_A - \phi_B}{2}\right) = \frac{D1 - NY_0}{D1 + D2 - 2NY_0} \qquad (3.4)$$

$$\text{Det2}: \quad P_2 = \frac{1 + \cos(\phi_A - \phi_B)}{2} = \cos^2\!\left(\frac{\phi_A - \phi_B}{2}\right) = \frac{D2 - NY_0}{D1 + D2 - 2NY_0} \qquad (3.5)$$

where $N$ denotes the gating number⁶. Here, we subtract the dark count number $NY_0$ from each detector's count number to get the theoretical detection probability. If Eve introduces phase shift $\{0\}$ (Basis Z) on the reference pulse to measure each state, the remapping phase $\phi_E$ and phase difference $\phi_i$ ($i = 1, 2, 3$) are

$$\phi_E = 2\tan^{-1}\!\left(\sqrt{\frac{D1 - NY_0}{D2 - NY_0}}\right) \qquad (3.7)$$

$$\phi_i = \phi_{E(i)} - \phi_{E(i-1)} \qquad (3.8)$$

Using data in Table 3.2, from Eqns. (3.8), (3.1) and (3.2), we obtain

VODL I: $\phi_1 = 23.9 \pm 1.2$, $\phi_2 = 12 \pm 1.2$, $\phi_3 = 10.4 \pm 1.2$ (3.9)

$QBER_{X(I)} = 29\% \pm 1\%$, $QBER_{Y(I)} = 8\% \pm 1\%$ (3.10)

VODL II: $\phi_1 = 21.1 \pm 1.1$, $\phi_2 = 16.7 \pm 1.1$, $\phi_3 = 14.9 \pm 1.1$ (3.11)

$QBER_{X(II)} = 21\% \pm 1\%$, $QBER_{Y(II)} = 13\% \pm 1\%$ (3.12)

The phase error fluctuations are mainly due to the imperfections of our experimental QKD system. From the results in Table 3.2, we can see that even though Eve uses Basis Z to measure state $\{0_1\}$, it still has about counts on Det1. These error counts are mostly from the imperfect interference between the signal pulse and the reference pulse. Hence, Eqns. (3.12) and (3.10) give the theoretical QBERs introduced by Eve with a perfect detection system.

⁶ We repeated the measurement 10 million times for each state. Notice that, in order to reduce the after-pulsing probability, an external dead time has been introduced to both detectors after the detection of a photon by a detector. On average, after each detection event, the following around 46 gating signals will be blocked. So, the total gating number $N$ can be estimated by

$$N \approx 10^7 - 46\,(D1 + D2) \qquad (3.6)$$

Experimental quantum bit error rate

We calculate the QBER directly from our experimental results. From Table 3.2, we can see the total counts (D1+D2) for each state are almost identical, so Det1's detection probability for each state is proportional to D1. Using data in Table 3.2, the QBERs are

X : QBER X = Y : QBER Y = D D D D D D D1 12 (3.13) D D D D D D D1 12 (3.14)

VODL I: $QBER_{X(I)} = 30.8\%$, $QBER_{Y(I)} = 17.6\%$ (3.15)

VODL II: $QBER_{X(II)} = 21.8\%$, $QBER_{Y(II)} = 19.1\%$ (3.16)

If Eve utilizes the optimal strategy to combine the two types of attack and carefully chooses the probability of each attack to ensure that the distribution of bit 0 and bit 1 received by Bob is balanced, the overall QBER is

$$QBER = \frac{QBER_{X(II)} + QBER_{Y(I)}}{2} = 19.7\% \qquad (3.17)$$

Note that we used a weak coherent pulse (WCP) source in our experiment. Before calculating the QBERs for a single-photon (SP) source, we emphasize two facts: (i) the phase shift introduced by the phase modulator is independent of the source. If the source is a SP, the phase will also be remapped to $\{0, \phi_1, \phi_1 + \phi_2, \phi_1 + \phi_2 + \phi_3\}$. (ii) Eve's interference visibility is the same for SP and WCP. Now, assuming that Eve uses Basis1 to launch the attack and Det1's detection probability for each state is $P_{state}$, i.e. $\{P_{01}, P_{02}, P_{11}, P_{12}\}$, Det1's overall gain and QBERs for the two different sources are:

QBER sp = SP : Q sp = η Bob P state + Y 0 η Bob ( P P P ) + 2Y (3.18) 0 η Bob (P 01 + P 02 + P 11 + P 12 ) + 4Y 0 QBER wcp = WCP : Q wcp = i=0 (Y (1 η Bob P state ) i ) µi i! e µ (3.19) = (1 e µη BobP state ) + Y 0 (3.20) 2 e µη Bob P e µη BobP 11 2 e µη BobP Y 0 4 e µη BobP 01 e µη BobP 02 e µη BobP 11 e µη BobP Y 0 (3.21)

Using Eqns. (3.18) and (3.21) and the data in Tables 3.1 and 3.2, the overall QBER difference between SP and WCP for Eve's optimal strategy (combining the two types of attack as in Eqn. (3.17)) is:

$$\Delta QBER = QBER_{sp} - QBER_{wcp} = 0.1\% \qquad (3.22)$$

Therefore, in a practical SP BB84 QKD system, we can expect the QBER to be $QBER_{sp} = 19.8\%$, which is substantially below the bound of 25% for an intercept-and-resend attack in BB84. This shows clearly that an important assumption (Alice prepares her states correctly) in a security proof has been violated. So, the security proofs cannot be directly applied to a practical QKD system.

3.4 Discussions

Optimization of the attack

Our attack can be further improved to lower the QBER: (i) in our experiment, we only use off-the-shelf imperfect detectors and other components. If some adversaries, such as KGB or NSA, have better detectors (e.g. low dark counts and misalignment), lasers (narrow pulse width) and other components, the QBER of the phase-remapping attack will be decreased further. So, we can assume that under attack the real Bob will introduce the same additional errors as our Eve introduces in our experiment, while Eve will introduce zero (or negligible) errors through the use of better, more expensive components. (ii) as shown in Fig. 3.5(a), in principle, Eve can move the signal pulse to the falling edge region to distinguish $3\pi/2$ with a very low error probability, and thus reduce the QBER. (iii) if Eve launches her attack not on every signal but only on a subset of signals, the introduced QBER will be much lower. (iv) Eve can also maximize her ability to eavesdrop by combining various attacks. For instance, she may combine the phase-remapping attack with the time-shift attack to exploit both the imperfections of Alice's encoding system and Bob's detection system. If she does so, her attacking power will be amplified and the QBER can be reduced further.
We remark that it is impossible to remove all imperfections completely in practice. Instead of removing them, what we can do is quantify them carefully. Once quantified, those imperfections may be taken care of in security proofs [16]. As an example, mismatch in detection efficiency has been taken into account in the security proof of [18].

Unfortunately, our research version of the QKD system from ID Quantique does not perform privacy amplification. Therefore, it is unclear what key rate formula or error threshold should be used. We cannot find any detailed public information about the key rate formula for a commercial-user version of ID Quantique systems. Since it is unclear what privacy amplification is performed, whether decoy states are used and whether finite-key effects have been considered, we cannot comment on its security either. For future security research, it would be very useful if the QKD manufacturers could provide these details.

Regardless, one might ask: "As commercial QKD systems might abort at a lower QBER such as 10% rather than 20%, does it mean that those commercial QKD systems are secure without patching?" In our opinion, the answer is no. Setting a lower error rate is a technological requirement (we could always improve the attack to get a lower QBER as discussed above) rather than a guarantee of the laws of physics. More importantly, people are using commercial QKD systems because they are expected to be good implementations of the QKD theory, which offers unconditional (i.e. information-theoretic) security. The very fact that one fundamental assumption (correct encoding of the signal) has been seriously violated means that such systems are very far from offering such a type of security. Without patching, those systems only offer ad hoc security, in direct contradiction to the spirit of QKD. Indeed, it is important for manufacturers to provide a clear security parameter epsilon for a QKD system and back it up with a clear statement and proof of security with a list of testable assumptions.

Countermeasures

In the plug-and-play QKD system, one specific countermeasure is the following: Alice carefully checks the arrival time of the reference pulse and the signal pulse by monitoring with her classical detector (CD in Fig. 3.2).
From the time delay between the two pulses, she can find whether the time difference has been shifted by Eve, and thus counter Eve's attack. Moreover, in our attack, Eve only sends two states to Bob. Alice and Bob can detect this attack by estimating the statistics of the four BB84 states. Note that, once a security loophole has been found, it is often easy to develop countermeasures. However, the unanticipated attacks are the most fatal ones.

What is more, this work mainly focuses on one key assumption in unconditional security proofs, i.e. Alice prepares the required states correctly. From a simple experimental demonstration, we show this assumption can be violated by our attack. So, we emphasize that, in a practical QKD system, Alice needs to experimentally verify she is applying the correct modulations on her states. One possible way in a general QKD system is: after encoding her random bits, Alice uses a beam splitter to split off part of each strong modulated signal, and then uses a classical detector, such as a high-speed photodetector (rather than a single-photon detector), to implement a local measurement to directly verify whether she has performed the correct modulation. In order to achieve unconditional security with a practical QKD system, it is useful to perform such a verification experimentally. In the long term, it is important to work towards QKD with testable assumptions.

One might wonder whether publishing results like ours on experimentally attacking a commercial QKD system will in some way aid a hacker and undermine the confidence in the security of QKD. In our opinion, the answer is no. The theory of the phase-remapping attack was published three years ago [73]. An interested hacker could have performed our attack with public information three years ago already. Our work only serves to remind people of the importance of implementing appropriate countermeasures and battle-testing the security of the improved system in future.

3.5 Conclusions

We have experimentally demonstrated one of the first successful intercept-and-resend attacks on top of a widely used QKD implementation in commercial QKD systems, where Eve can get full information and only introduces a QBER of 19.7%. The success of our attack highlights not only the importance for Alice to verify that she is encoding the right state during the encoding process, but also, more generally, the importance of verification of the correctness of each step of an implementation of a QKD protocol in a practical QKD system. By finding security loopholes and fixing them early, we hope that our work will make practical QKD systems more secure.

Chapter 4

High-speed quantum random number generator

The generation of random numbers is too important to be left to chance. - Robert R. Coveyou

Anyone who considers arithmetical methods of producing random digits is, of course, in a state of sin. - J. von Neumann

In this chapter, we propose and experimentally demonstrate an ultrafast quantum random number generator (QRNG) at a rate over 6 Gbits/s. The approach is to measure the quantum phase fluctuations of a laser that is operated near its threshold. Moreover, we consider a potential adversary who has partial knowledge of the raw data and discuss how one can rigorously remove such partial knowledge with post-processing. The simplicity and high speed of our experimental setup show the feasibility of a robust, low-cost, high-speed QRNG. The content of this chapter is largely based on Ref. [36].

4.1 Introduction

Random numbers play a key role in many areas, such as statistical analysis, computer simulations [75] and cryptography [7, 76]. Traditionally, pseudo-random number generators (pseudo-RNGs) based on computer algorithms have long been used for various applications. Recently, physical-RNGs based on chaotic behaviors of semiconductor lasers have been proposed to generate fast random bits [51, 52, 53, 54]. Generally speaking, due to their deterministic nature¹, neither scheme can generate truly random numbers with information-theoretically provable randomness.

Quantum random number generator (QRNG), on the other hand, can generate true randomness by exploiting the fundamental indeterminism of quantum physics [25]. As a simple example, we consider the polarization measurement of a polarization quantum state, $\frac{1}{\sqrt{2}}(|H\rangle + |V\rangle)$, in the rectilinear basis of $\{|H\rangle, |V\rangle\}$. It will yield the unbiased and thus completely unpredictable outcomes H and V. Then by assigning the classical bit values 0 and 1 to these outcomes, a sequence of truly random numbers can be generated. As shown in Fig. 4.1, this scheme can be easily realized by a single-photon source followed by a polarization beam splitter (PBS), and two single-photon detectors (SPDs), one for each output arm of the PBS. Indeed, this scheme has drawn much scientific attention [25, 26], and commercial QRNGs, like the ID Quantique system [32], have already appeared on the market.

Figure 4.1: QRNG based on polarization measurement. A single-photon source generates a 45° single photon, which passes through a polarization beam splitter (PBS) projecting the photon into either the horizontal ($|H\rangle$) or vertical ($|V\rangle$) polarization state. The single photon is consequently detected by two single-photon detectors (SPDs) assigned with bit 0 ($|H\rangle$) and bit 1 ($|V\rangle$).

Besides polarization measurement, several QRNGs based on single-photon detection technology, such as the photon arrival time [27, 77, 78, 79, 80] and photon number counting [81, 82, 83], have been demonstrated. Another promising approach relies on vacuum state fluctuations [30, 31, 84], where a homodyne detection is typically applied to measure the electrical field fluctuation of the vacuum state. Recently, a QRNG based on quantum non-locality has also been proposed [28, 29]. Unfortunately, due to the difficulties of measuring quantum effects in real experiments, previous implementations of QRNG have been limited to a relatively slow rate (typically below 20 Mbits/s)². In 2009, Qi et al. proposed and built a fast QRNG by measuring the quantum phase fluctuations of a laser, which yields a speed of 500 Mbits/s [55, 56]. A similar scheme at a lower speed has also been demonstrated by Guo et al. [57]. Nonetheless, the key point is that the generation rates of all previous QRNGs are still too low for many applications, such as high-speed QKD [58].

On the other hand, in real experiments, the quantum randomness is inevitably mixed with the classical noise, which may be observed or even controlled by a potential adversary, Eve. If we consider a scenario where Eve tries to guess the outcomes from a QRNG, then she could take advantage of the side information due to classical noise. Fig. 4.2 illustrates an example of how Eve can control the classical noise to acquire information on the generated random numbers. This consideration is directly relevant to applications of randomness, especially those in cryptography, such as authentication, one-time pad encryption and QKD. With the exception of Refs. [29, 31], the possibility of such a potential adversary has rarely been considered in previous QRNGs.

Figure 4.2: Eve's attack on QRNG. (a) The quantum source follows a Gaussian distribution, which is sampled by a comparator to generate random bit 0 or 1. (b) The adversary (Eve) controls the classical noise to shift the mean value of the quantum source, and then guesses random bit 1 to acquire information.

¹ For chaotic-laser RNG [51, 52, 53, 54], since the signal of a chaotic laser has a periodicity originating from the photon round trip time, it is essentially not a truly random source.

² Very recently, a 2 Gbits/s QRNG based on vacuum state fluctuations has appeared [85].

The approach based on quantum non-locality [29] can produce information-theoretically provable randomness. However, the generation rate is very low (on the order of 1 bit/s) and thus unsuitable for practical applications. Gabriel et al. proposed a practical post-processing method to remove Eve's information [31]. It is important to perform such post-processing on the raw data to distill out a shorter, but more secure, string of random numbers. Unfortunately, the discussion there is based on Shannon entropy, which does not take finite-size effects into consideration. That is, the number of executions of a random process used for generating randomness is always finite in any real experiment. Thus, its randomness is not information-theoretically proven.

In theoretical computer science, there has also been a lot of interest in randomness post-processing methods, which are called randomness extractors [44, 86, 87]. The randomness from many extractors has been information-theoretically proven, such as Trevisan's extractor [86]. Nevertheless, none of these extractors has been implemented in a real QRNG experiment. Therefore, there is a large gap between theory and experiment.

4.2 Experimental demonstration

It is well known that the fundamental phase fluctuations (or noise) of a laser can be attributed to spontaneous emission, which is quantum mechanical by nature [88]. The quantum phase fluctuations are inversely proportional to the laser output power [88]. By operating the laser at a low intensity level, the quantum phase fluctuations can be dominant over classical phase noise and are readily extracted to generate truly random numbers. We have developed a delayed self-heterodyning system to measure the phase fluctuations.
The schematic diagram of the experimental setup is shown in Fig. 4.3. A 1.55 µm single-mode cw DFB diode laser (ILX Lightwave) operating at a low intensity level is the source of quantum phase fluctuations. A PLC-MZI with a 500 ps delay difference (manufactured by NTT) is employed to convert the phase fluctuations to intensity fluctuations, which are subsequently detected by a 5 GHz InGaAs photodetector (Thorlabs). Note that to achieve a high interference visibility, a polarization-maintaining fiber is used to connect the laser and the PLC-MZI. A temperature controller (TC) is used to stabilize the phase difference of the PLC-MZI. More discussions of temperature control are given in Appendix A. The photodetector output is further digitized by an 8-bit analog-to-digital converter (ADC) to generate random bits.

Figure 4.3: Experimental setup. Laser, 1550 nm cw DFB laser diode (ILX Lightwave); PLC-MZI, planar lightwave circuit Mach-Zehnder interferometer with a 500 ps delay difference (manufactured by NTT); TC, temperature controller (PTC 5K from Wavelength Electronics Inc.); PD, 5 GHz InGaAs photodetector (Thorlabs SIR5-FC); ADC, 8-bit analog-to-digital converter inside an oscilloscope (Agilent DSO81204A).

Physical model

By stabilizing the phase difference of the MZI at $[2m\pi + \pi/2]$ (where $m$ is an integer), the output voltage $V(t)$ from the photodetector (after removing a DC background) can be described by [88, 89]

$$V(t) \propto 2E(t)E(t+\tau)\sin(\theta(t)) \approx P\,\theta(t) \qquad (4.1)$$

where $E(t)$ is the electric field of the input light, $\tau$ is the time delay difference between the two arms of the MZI, $\theta(t)$ is the total phase fluctuations and $P$ is the laser output power. Here, $\theta(t)$ is sufficiently small such that $\sin(\theta(t)) \approx \theta(t)$³. We have assumed that the intensity noise of the laser is negligible [88], which has also been verified experimentally (see discussion below).

It is convenient to further separate the total phase fluctuations into a quantum part and a classical part. While the quantum phase fluctuations are inversely proportional to laser output power and can be treated as Gaussian white noise [89], the classical phase noise is laser power independent and could be controlled by Eve. Thus, the total phase fluctuations can be written as

$$\langle \theta(t)^2 \rangle = \frac{Q}{P} + C \qquad (4.2)$$

where $Q/P$ and $C$ represent quantum phase fluctuations and classical phase noise respectively. In practice, the detection system will also contribute a laser power independent background noise $F$. Using Eqs. (4.1) and (4.2), the variance of the output voltage of a practical system $V_{pr}(t)$ is given by

$$\langle V_{pr}(t)^2 \rangle = AQP + ACP^2 + F \qquad (4.3)$$

where $A$ is a constant determined by the detection system.

³ In our system, we measure that θ(t) is around The assumption, $\sin(\theta(t)) \approx \theta(t)$, introduces an error of 0.6 %, which is acceptable in our experiment.

Parameters optimization

In Eq. (4.3), the term $AQP$ is the quantum fluctuations part, from which true randomness can be extracted. We name it the quantum signal. On the other hand, the term $ACP^2 + F$ quantifies classical noise due to technical imperfections that potentially could be controlled by an eavesdropper. In principle, the amount of extractable quantum randomness is independent of the magnitude of classical noise. However, in practice, it is challenging to extract a small quantum signal on top of a large classical noise background. To generate high-quality random numbers, we would like to maximize the quantum signal while keeping the classical noise as low as possible. One commonly used figure of merit in signal processing is the signal-to-noise ratio (SNR), which can be defined as $\gamma = AQP/(ACP^2 + F)$ in our QRNG system. Given parameters $AQ$, $AC$, and $F$, we can choose a suitable laser power $P$ to maximize $\gamma$.

To determine the parameters $AQ$, $AC$, and $F$ experimentally, we have measured the variance of $V_{pr}(t)$ at different optical power levels and then fitted the experimental data (with least square estimation fitting) using Eq. (4.3). The experimental results and the corresponding confidence intervals (level α = 0.99) are shown in Table 4.1.

F (mV²)   AQ (mV²/mW)   AC (mV²/mW²)
0.36 ± ± ± 0.16

Table 4.1: Experimental results (with 0.99 confidence intervals) of parameters in Eq. (4.3).

Using the data given in Table 4.1, we calculate the SNR $\gamma$ as a function of laser power.
The results are shown in Fig. 4.4. At low and high power range, either the background noise $F$ or the classical phase noise $ACP^2$ will dominate over the quantum signal. The optimal ratio γ = 21 is achieved at P = 0.95 mW. As discussed in the next Section, by operating the laser at this power, the extractable quantum randomness is also maximized. Therefore, we choose 0.95 mW as the laser working point.

Figure 4.4: Quantum signal to classical noise ratio. The theoretical curve of signal to noise ratio $\gamma = AQP/(ACP^2 + F)$ is acquired from the results given in Table 4.1, and the experimental results are measured with an oscilloscope under different laser powers. At low and high power range, either the background noise $F$ or the classical phase noise $ACP^2$ will dominate over the quantum signal. The optimal ratio γ = 21 is achieved at P = 0.95 mW.

Experimental procedures

The experimental procedures for random number generation are as follows. The laser output power is set to 0.95 mW by adjusting its driving current. The TC⁴ is carefully adjusted to stabilize the phase difference of the PLC-MZI at $[2m\pi + \pi/2]$. The photodetector output is sampled by an 8-bit ADC at a sampling rate of 1 GSample/s⁵. Fig. 4.5 shows the sampling results acquired in 5 ms. As a comparison, in the same figure, we also show the background noise acquired when the laser is turned off. The histograms (Gaussian fit) of the sampling results are shown in Fig. 4.5(b).

Figure 4.5: (Color online) (a) Time domain of the raw data. The total phase fluctuations are measured at the optimal laser power 0.95 mW, while the background noise is acquired by blocking the laser output. (b) Histogram. Gaussian fit.

We also perform measurements in the frequency domain by using an RF spectrum analyzer. Three different power spectra have been acquired: (1) the total phase fluctuations spectrum under the normal working conditions (0.95 mW); (2) the background noise spectrum acquired by turning off the laser; (3) the intensity noise spectrum acquired by connecting the laser (at 0.95 mW) output directly to the photodetector. The measurement results are shown in Fig. 4.6. We can see that under the normal operating condition, the intensity noise is negligible compared to the phase fluctuations. This result supports our previous assumption. As we expect from a perfect white noise source, the spectrum of phase fluctuations itself is flat over the whole measurement frequency range. There are a few spectral lines in the spectrum of background noise which could be environmental EM noise picked up by our detector⁶.

⁴ The measured accuracy of the temperature controller is 0.01 °C, and the fluctuations of the set-point temperature of the PLC-MZI are smaller than 0.01 °C during a few hours. Details are shown in Appendix A.

⁵ The sampling time (1 ns) is larger than the sum of the MZI time difference (500 ps) and the detector response time (200 ps), which reduces the correlations between adjacent samples [56].

⁶ There are mainly five spikes around 0, 100, 200, 500, and 650 MHz. These frequencies are all within practical broadcast radio bands (see

Figure 4.6: (Color online) Noise spectra. The spectral power density (dBm) of total phase fluctuations (blue), intensity noise (green), and background noise (red), plotted against frequency (MHz).

4.3 Quantum min-entropy evaluation

As mentioned in the above Section, the raw data from our QRNG is a mixture of the quantum signal and the classical noise, and the quantum fluctuations follow a non-uniform (Gaussian) distribution. In order to extract uniform-quantum randomness, we apply a post-processing scheme that is composed of two main parts, quantum min-entropy evaluation and randomness extraction. In this Section, we focus on discussing quantum min-entropy evaluation.

A physical model is employed to evaluate the quantum randomness (min-entropy defined in Eq. (4.4)) of the raw data. Our assumptions are as follows.

1. Quantum signal is independent of classical noise;
2. Quantum signal follows a Gaussian distribution [89];
3. Quantum signal to classical noise ratio can be calculated (see Fig. 4.4);
4. Total phase fluctuations, the mixture of quantum signal and classical noise, can be characterized by random sampling.
5. The sequence of the raw data is independent and identically distributed (IID).

The quantum randomness of the raw data is evaluated by the min-entropy, defined as below.

Definition (min-entropy) The min-entropy of a distribution $X$ on $\{0, 1\}^n$ is defined by

$$H_\infty(X) = -\log_2\left(\max_{v \in \{0,1\}^n} \Pr[X = v]\right). \qquad (4.4)$$

Based on our physical model, we can calculate the quantum min-entropy of the raw data by the following procedures.

1. Determine the sampling range and evaluate the total variance: the working range of the sampling system (see ADC in Fig. 4.3) is determined by the total fluctuations of the raw analog data. From random sampling, we can obtain the variance of total fluctuations, $AQP + ACP^2 + F$.
2. Measure signal to noise ratio: from experimental measurements, we derive the quantum signal to classical noise ratio ($AQP/(ACP^2 + F)$ as shown in Fig. 4.4).
3. Evaluate the quantum variance: from steps 1 and 2, we can calculate the variance of the quantum signal, $AQP$. Then we can derive the whole Gaussian distribution of the quantum signal.
4. Calculate the quantum min-entropy: given the ADC range, we evaluate the maximal probability from the Gaussian distribution derived from Step 3, from which the min-entropy of the quantum signal follows⁷.

From our QRNG, we lower bound the min-entropy of the quantum signal at different laser optical powers, as shown in Fig. 4.7. We can see that the optimal laser power is around 0.95 mW and the corresponding min-entropy of the quantum signal is 6.7 bits per sample (8 bits, sampled by an 8-bit ADC). The quantum min-entropy is stable for a laser power larger than 0.9 mW.

Here, in Step 1 of the min-entropy calculation, we determine the practical ADC range such that either the first or the last bin of the 256 bins (8-bit ADC) has a 1/256 probability. We remark that, in practice, the ADC range could indeed affect the lower bound value of the min-entropy. We perform a mathematical simulation to analyze this assumption as shown in Fig. 4.8. It will be interesting to further investigate how to determine the optimal ADC range and maximize the quantum min-entropy in a real QRNG setup.
⁷ Given a specific value of classical noise, the quantum signal will be a shifted Gaussian distribution. If the quantum signal is shifted within a small range, the quantum min-entropy is lower bounded by the case in which the quantum signal is shifted to the center of one of the digital bins of the sampling system.
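Steps 1 to 4 and the worst case of footnote 7 can be followed numerically. The Python sketch below is an added example, not code from the thesis: F takes the 0.36 mV² that leads the Table 4.1 row, while AQ and AC are constructed values chosen so that the model peaks near the reported P = 0.95 mW with γ ≈ 21, and the end-bin rule (each saturating end bin holds 1/256 of the total distribution) is one reading of the range criterion stated above.

```python
"""Added example: quantum min-entropy lower bound following steps 1-4."""
import math
from statistics import NormalDist

ADC_BITS = 8
F = 0.36    # background noise, mV^2: the value that leads the Table 4.1 row
AQ = 16.0   # constructed, mV^2/mW (not the Table 4.1 entry)
AC = 0.40   # constructed, mV^2/mW^2 (not the Table 4.1 entry)


def total_variance(p_mw):
    """Eq. (4.3): variance of the detector output at laser power p_mw."""
    return AQ * p_mw + AC * p_mw ** 2 + F


def snr(p_mw):
    """Quantum signal to classical noise ratio, gamma = AQ*P / (AC*P^2 + F)."""
    return AQ * p_mw / (AC * p_mw ** 2 + F)


def optimal_power():
    """Setting d(gamma)/dP = 0 gives P = sqrt(F / AC)."""
    return math.sqrt(F / AC)


def adc_bin_width(sigma_total, bits=ADC_BITS):
    """Bin width when each saturating end bin catches 1/2**bits of the total
    (quantum + classical) Gaussian; the 2**bits - 2 inner bins span the rest."""
    n = 2 ** bits
    z = -NormalDist().inv_cdf(1.0 / n)   # inner edge of an end bin, in sigmas
    return 2.0 * z * sigma_total / (n - 2)


def quantum_min_entropy(p_mw, bits=ADC_BITS):
    """Lower bound on the min-entropy (bits per sample) of the quantum signal."""
    var_total = total_variance(p_mw)                       # step 1
    gamma = snr(p_mw)                                      # step 2
    sigma_q = math.sqrt(var_total * gamma / (1 + gamma))   # step 3: sqrt(AQ*P)
    width = adc_bin_width(math.sqrt(var_total), bits)
    quantum = NormalDist(0.0, sigma_q)
    # Footnote 7: the worst case puts the quantum Gaussian on a bin centre.
    p_centre = quantum.cdf(width / 2) - quantum.cdf(-width / 2)
    # A saturating end bin could in principle be the most likely outcome.
    inner_edge = (2 ** bits - 2) / 2 * width
    p_end = quantum.cdf(-inner_edge)
    return -math.log2(max(p_centre, p_end))                # step 4, Eq. (4.4)


def sweep(powers_mw):
    """(power, gamma, min-entropy bound) for each laser power in mW."""
    return [(p, snr(p), quantum_min_entropy(p)) for p in powers_mw]


if __name__ == "__main__":
    for p, g, h in sweep([0.1, 0.3, 0.6, optimal_power(), 1.5, 3.0]):
        print(f"P = {p:5.3f} mW  gamma = {g:6.2f}  H_min >= {h:5.3f} bits/sample")
```

Because the ADC range scales with the total fluctuations, the bound in this model depends on the laser power only through γ, so it peaks where γ does. With the constructed parameters it comes out near 6.9 bits per sample, not the 6.7 bits the thesis reports from its measured data.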

Figure 4.7: Lower bound of the quantum min-entropy of raw data (bits) as a function of laser optical power P (mW). The optimal laser power is around 0.95 mW and the corresponding quantum min-entropy is 6.7 bits per raw sample (8 bits, sampled by an 8-bit ADC in Fig. 4.3).

Figure 4.8: The relation of quantum min-entropy (Z axis) with ADC range (X axis). There is no single optimality, but a range of ADC and laser power matching conditional optimality.

To show how much room is left for further improvement in post-processing, we also upper-bound the min-entropy. As in the setup given in Fig. 4.3, the quantum signal is measured by a PD. In the ideal case, the PD can resolve the photon numbers of the optical signal. The laser power used in our setup is 0.95 mW, and the time constant of our PD is around 200 ps (5 GHz PD in Fig. 4.3). It corresponds to photons with a wavelength of 1550 nm within 200 ps. Thus, the maximal entropy of a sample from the PD is given by log 2 ( ) = 20.5 bits, which is the upper bound of the min-entropy of our QRNG source. In our experimental demonstration, we use an 8-bit ADC in the end, which results in a min-entropy of 6.7 bits per sample. Therefore, a factor of 3 improvement in the random number generation rate can potentially be achieved by a better resolution ADC (such as a 16-bit ADC). Nonetheless, this min-entropy is ultimately bounded by 20.5 bits per sample as shown above.

4.4 Randomness extraction

After quantifying the quantum randomness, randomness extraction is applied to distill uniform-quantum random numbers from the raw data. In this section, we first briefly review various extraction schemes in QRNG, for instance least significant bits (LSB), XOR (exclusive-or) and hashing, and then present our extraction scheme: the strong randomness extractor. We implement two strong randomness extractors, Toeplitz-hashing [44] and Trevisan's extractor [86], both of which are proven to be information-theoretically secure.

Extraction schemes: Review

Randomness extraction is an algorithm that generates nearly perfect random numbers from the output of a high-entropy source. Various randomness extraction schemes have been employed in the implementation of QRNG. The most widely used one is the least significant bits (LSB), which has been used in the QRNGs of Refs. [30, 51, 53, 54, 57, 85]. An m-bit LSB takes the last m bits of a bit string and simply discards the rest. Applying LSB effectively flattens a non-uniform distribution to make it more uniform.
Intuitively, LSB essentially operates a re-binning by combining certain digital bins. For example, if the pdf (probability density function) of the raw data (sampled by an 8-bit ADC) is a Gaussian curve, a 7-bit LSB is cutting the curve into two halves and super-positioning the second half onto the first. A 6-bit LSB is cutting the resulting pdf from 7-bit LSB into two halves and super-positioning again. The procedure repeats a few times till m-bit LSB.

Figure 4.9: The resulting distributions of different XOR (exclusive-or) and LSB (Least Significant Bits) extractions. The histogram of the raw data follows a Gaussian distribution. XOR combined with 6-LSB has processed the original Gaussian distribution to a uniform distribution.

To reduce the bias and possible correlations of the raw data, another popular randomness extraction scheme is XOR (exclusive-or or mod 2 addition). For instance, in the QRNGs [55, 57, 79], XOR is applied to eliminate correlations between consecutive samples and improve the quality of randomness. Here, we have also tested the XOR and LSB schemes on our raw data, which is generated following the procedures discussed in Section 4.2. The resulting distributions of different LSB are shown in Fig. We also applied XOR with 6-bit LSB on our 1 Gbits raw data. The extracted results successfully passed the randomness test suites of Diehard [90] and NIST [91]. We remark, however, that since we cannot provide an information-theoretical proof of the XOR-LSB procedure, it is debatable whether XOR-LSB can indeed extract perfectly uniform random bits.

Another promising extraction scheme is hashing. In computer science, various hashing functions have been proposed to realize randomness extraction [92]. Hence, we can build the software algorithm and apply it to QRNG. Indeed, more recent scientific attention has shifted to hashing functions, for instance the SHA512 function [31], the Bose-Chaudhuri-Hocquenghem function [80] and Whirlpool [84].

Among these hashing implementations, the one proposed by Gabriel et al. [31] together with their entropy evaluation method is interesting. Their data processing can be essentially divided into two steps, binning and hashing. In the binning process, they start with a 16-bit ADC, and combine some of the bins so that all bins have equal area. Then they calculate the Shannon entropy of the classical noise and of the total noise (quantum signal and classical noise) separately given each bit value, and show that the difference of those two entropies plateaus at 5 bits. After determining that the Shannon entropy of the quantum signal is lower bounded by 3.25 bits, they applied the SHA-512 algorithm as the hashing function to extract 3 bits/sample. In general, this algorithm is carefully developed and can be easily realized in hardware.

We remark that it is important to perform such post-processing on the raw data to distill a shorter but more secure string of random numbers. Unfortunately, the discussion in [31] is based on Shannon entropy, which does not take finite-size effects (i.e., the number of executions of a random process used for generating randomness is always finite in any real experiment) into consideration. The entropy evaluation method there is also not efficient. In fact, it costs at least one random bit per sample (footnote 8). Furthermore, a non-universal hashing function, the SHA-512 function, is not an information-theoretically provable randomness extractor. Therefore, the random numbers generated there could not be theoretically verified as random and unique.

In summary, up to now, none of the randomness extraction schemes, including XOR, LSB and hashing, can strictly offer a randomness extractor [44, 86, 87]. Fortunately, in theoretical computer science, there indeed exist information-theoretically proven extractors, such as Trevisan's extractor [86]. However, these extractors have never been implemented in a real QRNG experiment. Therefore, there is a large gap between theory and experiment.
Here, we close the gap by implementing two information-theoretically secure extractors, Trevisan's extractor [86] and Toeplitz-hashing [44].

Toeplitz-hashing extractor

Due to the similarity between the definitions of extractors [44] and privacy amplification [93], any privacy amplification scheme can be used as an extractor in principle. In privacy amplification, the widely used function is universal hashing, defined as follows.

Definition (Universal-hashing) A class $G$ of functions $A \to B$ is universal$_2$ (universal for short) if, for any distinct $x_1$ and $x_2$ in $A$, the probability that $g(x_1) = g(x_2)$ is at most $1/|B|$ when $g$ is chosen at random from $G$ according to the uniform distribution.

Footnote 8: The scheme [31] also does not work when classical noise is larger than quantum noise.

Among the universal-hashing functions, Toeplitz-hashing [94, 95] has the advantages of a shorter random-seed (the random bits used to construct a hashing function) length and computational simplicity in hardware, and thus it is the popular one in privacy amplification. Nonetheless, in practice, the random-seed is assumed to be free in the QKD privacy amplification task [93]. A direct transplant of privacy amplification schemes may not work for randomness extraction. In fact, for Toeplitz-hashing [94, 95], the random-seed used to construct a Toeplitz matrix is longer than the output string. To overcome this, one needs to prove that the privacy amplification scheme constructs a strong extractor. The definition of a strong extractor is the following.

Definition (Strong extractor) A $(k, \varepsilon, n, d, m)$-strong extractor $\mathrm{Ext}(X, U_d)$ is an extractor such that the distribution $\mathrm{Ext}(X, U_d) \circ U_d$ is $\varepsilon$-close to the uniform distribution on $\{0, 1\}^{m+d}$.

Fortunately, the extractors constructed by universal hashing functions [96] can be easily proven to be strong extractors by the Leftover Hash Lemma [97].

Lemma (Leftover Hash Lemma [97]) Let $H = \{h_1, h_2, \ldots, h_{2^d}\}$ be a universal hashing family, mapping from $\{0, 1\}^n$ to $\{0, 1\}^m$, and $X$ be a distribution on $\{0, 1\}^n$ with $H_\infty(X) \ge k$. Then for $x \in X$ and $h_y \in H$ where $y \in U_d$, the distribution formed by $h_y(x) \circ y$ is $\varepsilon = 2^{(m-k)/2}$-close to $U_{m+d}$. That is, it forms a $(k, 2^{(m-k)/2}, n, d, m)$-strong extractor.

We use Toeplitz matrices for universal hashing function construction [94, 95, 98]. A Toeplitz matrix of dimension $n \times m$ requires only the specification of the first row and the first column; the other elements of the matrix are determined by descending diagonally down from left to right. Thus, the total number of random bits required to construct (choose) a Toeplitz matrix is $n + m - 1$. The procedure of the Toeplitz-hashing extractor is given as follows.

1. Given raw data of size $n$ with min-entropy $k$ and a security parameter $\varepsilon$, determine the output length to be
$$m = k - 2\log_2(1/\varepsilon). \qquad (4.5)$$
2. Construct a Toeplitz matrix with an $(n + m - 1)$-bit random-seed. For demonstration purposes, we use pseudo-random numbers in this step.
3. The extracted random bit string is obtained by multiplying the raw data with the Toeplitz matrix.

As calculated in Section 4.3, the min-entropy of our raw data is bounded by 6.78 bits per sample (8 bits). With the input bit-string length of $2^{12} = 4096$, the output bit-string length is ( )/ Thus, we use a 4096-by-3471 Toeplitz matrix for randomness extraction. Our implementation of Toeplitz-hashing is based on MatLab on a standard PC. The generation rate is 441 kb/s (footnote 9). However, the availability of 64-bit computers with more than 4 GBytes of memory extends the input size from $2^{12} = 4096$ to $2^{14} = 16,384$. Although cost effective in terms of seed length, the increased input length does entail a speed penalty due to the $O(n^2)$ complexity of matrix multiplication.

We finally discuss how to generate the random-seed for Toeplitz-hashing. Even though the seed length ($n + m - 1$) needed to specify a Toeplitz matrix is short, it is still longer than the output length $m$. Therefore, if we want to use a secure quantum source to randomly pick the seed, we cannot afford picking a new seed for every extraction. Fortunately, reusing the seeds will only increase the deviation of the actual average entropy from the uniform distribution [94, 98]. We could reuse the seeds at a rate that keeps the deviation negligible and the average entropy for each extraction small compared to the extracted entropy. One secure scheme to construct the random-seed is to use the pre-extracted random bits. In a real setup, using a small portion of the extracted bits as the successive key can be realized in software or hardware. However, we recognize that it is not easy to construct such a hardware circuit that can operate over a GHz range. The solution to this problem is to use a pseudo-RNG for seed generation. As long as the pseudo-RNG produces the desired uniformity, it can be used to generate the random-seed.
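
The three-step Toeplitz-hashing procedure above, as an added Python example (not the thesis's MatLab implementation). The function names are hypothetical, the security parameter ε = 2^-50 is an assumed value, the output length uses m = floor(k − 2 log2(1/ε)) as implied by the Leftover Hash Lemma bound ε = 2^((m−k)/2), and the seed is drawn from the operating system's CSPRNG via `secrets`.

```python
import math
import secrets


def output_length(n_bits, entropy_per_bit, security_bits):
    """Step 1: m = floor(k - 2*log2(1/eps)), k = n_bits*entropy_per_bit, eps = 2**-security_bits."""
    k = n_bits * entropy_per_bit
    m = math.floor(k - 2 * security_bits)
    if m < 1:
        raise ValueError("not enough min-entropy for the requested security parameter")
    return m


def toeplitz_matrix(seed_bits, n, m):
    """Step 2, written out: n-by-m matrix whose entry (j, i) depends only on j - i."""
    if len(seed_bits) != n + m - 1:
        raise ValueError("seed must contain exactly n + m - 1 bits")
    return [[seed_bits[j - i + m - 1] for i in range(m)] for j in range(n)]


def extract_reference(raw_bits, seed_bits, m):
    """Step 3, literally: raw row vector times the Toeplitz matrix over GF(2)."""
    n = len(raw_bits)
    t = toeplitz_matrix(seed_bits, n, m)
    return [sum(raw_bits[j] & t[j][i] for j in range(n)) & 1 for i in range(m)]


def _pack(bits):
    """Pack a list of 0/1 values into an integer, bits[p] at bit position p."""
    value = 0
    for pos, bit in enumerate(bits):
        if bit not in (0, 1):
            raise ValueError("inputs must be lists of 0/1 values")
        value |= bit << pos
    return value


def toeplitz_extract(raw_bits, seed_bits, m):
    """Same output as extract_reference without storing the matrix.

    Column i of the matrix is an n-bit window of the seed starting at offset
    m - 1 - i, so each output bit is the parity of (raw AND window).
    """
    n = len(raw_bits)
    if len(seed_bits) != n + m - 1:
        raise ValueError("seed must contain exactly n + m - 1 bits")
    x, seed, mask = _pack(raw_bits), _pack(seed_bits), (1 << n) - 1
    out = []
    for i in range(m):
        column = (seed >> (m - 1 - i)) & mask
        out.append(bin(x & column).count("1") & 1)
    return out


def samples_to_bits(samples, width=8):
    """Serialise ADC samples MSB first, as an 8-bit ADC record would be."""
    return [(s >> shift) & 1 for s in samples for shift in range(width - 1, -1, -1)]


def extract_block(samples, entropy_per_sample=6.78, width=8, security_bits=50):
    """Run steps 1-3 on one block; returns (output bits, seed bits)."""
    raw = samples_to_bits(samples, width)
    m = output_length(len(raw), entropy_per_sample / width, security_bits)
    seed_int = secrets.randbits(len(raw) + m - 1)  # assumption: OS CSPRNG as seed source
    seed = [(seed_int >> p) & 1 for p in range(len(raw) + m - 1)]
    return toeplitz_extract(raw, seed, m), seed


if __name__ == "__main__":
    # Constructed input, not measured data: 512 samples clustered around mid-scale.
    samples = [128 + ((7 * i) % 41) - 20 for i in range(512)]
    out, seed = extract_block(samples)
    print(len(out), "bits extracted from", 8 * len(samples), "raw bits,",
          len(seed), "seed bits")
```

Because the construction is a strong extractor, the seed returned by `extract_block` does not have to stay secret, but the min-entropy figure passed in must be a genuine lower bound or the output length is overstated.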
In our demonstration, we employ the pseudo-RNG of MatLab to generate the random-seed on every 4096-bit input. The extracted bit sequence successfully passes all the statistical test suites of Diehard [90], NIST [91] and TestU01 [99] (Small Crush). The test results are shown in Section

Footnote 9: Toeplitz-hashing can be implemented much faster with a hardware implementation [95].

Trevisan's extractor

Trevisan proposed an approach to construct extractors based on pseudo-RNGs [86]. Here, we implement its improved version by Raz, Reingold and Vadhan [100]. There are two main steps to construct a Trevisan extractor: an error correction code and a combinatorial design. The error correction code is constructed by concatenating a Reed-Solomon code with a Hadamard code [101]. For the combinatorial design part, we implement a refined version of the Nisan-Wigderson design [102, 103].

In our implementation, the top generation rate of our extractor is bits/s. This low speed is a consequence of the lack of an efficient implementation of finite field operations. While slow, Trevisan's extractor does provide more stringent passing of statistical tests (see Section 4.5.1). Although Trevisan's extractor may be more secure than Toeplitz-hashing, the severe restriction on speed has limited its usage in real-time applications. One conclusion is to use hashing in speed-critical applications, and Trevisan's extractor in security-critical applications where speed can be sacrificed for security. Furthermore, our implementation is done on a mere personal computer (PC), but a mainframe computer can crunch number-theoretical operations much faster than a PC. As a future perspective, once we tackle the implementation on graphical processing unit (GPU) platforms, the architecture of the GPU will allow us to exploit the intrinsic parallelism of the extractor much more efficiently via its multi-threading capability.

4.5 Randomness verification

Statistical tests

We employ three statistical test suites, Diehard [90], NIST [91] and TestU01 [99], to evaluate the randomness of our extracted results from Toeplitz-hashing and Trevisan's extractor. Each test suite contains many individual tests, and one individual test evaluates one aspect of randomness (i.e. bias, repetition and so on). The implementation details of these test suites are shown in Appendix C.1. Given the constraint of computational power, we only perform the Diehard test on Trevisan's extractor.
Without post-processing, the raw data cannot pass any statistical tests, which is mainly due to the classical noise mixed into the raw data, and the fact that the measured quantum fluctuations follow a Gaussian distribution instead of a uniform distribution. This demonstrates the requirement of effective post-processing in our QRNG. After Toeplitz-hashing and Trevisan's extractor, the outputs successfully pass all the standard statistical tests. We also perform the statistical tests on a pseudo-RNG, the MatLab2007 internal RNG. It generates uniformly random numbers from 0 to 255 (as an emulation of 8-bit ADC output). After converting the 255-valued integer to bits, the bit sequence is written to a binary file, which is fed into the test suites. It cannot pass all tests without exposing the underlying determinism. This result has further confirmed the effectiveness of our extractors. The test results are shown in Tables C.2, C.3, and C.4 of Appendix C.

Autocorrelation

Another approach to verify randomness is to evaluate the autocorrelation, and check the absence of periodic correlation. The autocorrelation $R$ of a sequence $X$ is defined as
$$R(\tau) = \frac{E[(X_i - \mu)(X_{i+\tau} - \mu)]}{\sigma^2} \qquad (4.6)$$
where $E$ is the expected value operator, $\tau$ is the sample delay, $\mu$ is the mean and $\sigma$ is the standard deviation of $X$.

The autocorrelation results of our raw data are shown in Fig. 4.10(a) to Fig. 4.10(d). The raw data from our QRNG is digitized by an 8-bit ADC; therefore, the autocorrelation between bits (Fig. 4.10(a)) is only significant up to the 7th bit delay and, beyond that, the autocorrelation is negligible. The low values of autocorrelation between samples (Fig. 4.10(b)) support the assumption of an IID raw sequence, where a slightly larger coefficient at the 2nd delay sample can be attributed to the finite bandwidth of our photodetector. We remark that the correlation among samples cannot reach zero for a practical detector with finite bandwidth. Eve might exploit this correlation and gain partial information on the generated random numbers. In principle, we can remove Eve's information by using the same randomness extractor developed in this paper.

After post-processing, the autocorrelation of the outputs from both extractors is substantially improved, as shown in Fig. 4.11(a) to Fig. 4.11(d). Here, in theory, for an infinite IID sequence as a random process, the autocorrelation is a broadband white curve. However, in practice, due to the inevitable presence of bias and finite data size, the autocorrelation of a data sequence can never reach 0. A back-of-envelope calculation [104] shows the effect of truncation on the autocorrelation coefficient.
From the central limit theorem, one standard deviation will result in a range of autocorrelation of $[-1/\sqrt{n}, 1/\sqrt{n}]$, where $n$ is the data size.

4.6 Discussions and conclusions

In post-processing, we find that our implementations of randomness extractors with MatLab on a standard laptop computer are not fast enough (with a maximal speed of 441 kbit/s) for a real-time high-speed QRNG. In practice, this might restrict the random bit generation speed. It will be interesting for future investigations to create a real-time extractor (by a better software or hardware implementation) for our high-speed QRNG.

Our system can be further improved as follows. The sensitivity of the detection system can be further improved by replacing the photodetector with a balanced detector followed by an electrical subtraction circuit. The DFB laser used could be replaced by a combination of a broadband light source and a narrowband optical filter. In this case, the linewidth is determined by the bandwidth of the filter. The real-time oscilloscope can be replaced by a fast and high-resolution ADC.

In conclusion, we have successfully demonstrated an ultrafast QRNG at a generation rate of over 6 Gb/s. The randomness is generated from the intrinsic quantum phase fluctuations of a laser. Our work not only highlights the importance of the quantification of quantum randomness and the consideration of Eve's possible attacks in a practical QRNG, but also demonstrates the large potential for random number generation by quantum phase fluctuations as the true entropy source.

Figure 4.10: Autocorrelation of the raw data (panels plot the autocorrelation coefficient, positive and negative values, against delay). Panels: (a) raw data between bits (100 delay); (b) raw data between samples (100 delay); (c) raw data between bits (1000 delay); (d) raw data between samples (1000 delay). All normalized correlation is evaluated from a 10 Mb record of the raw data. (a) The average value is The most significant correlations are within 8 bits (from one sample digitalized by an 8-bit ADC). (b) The average value is The correlation among samples cannot reach zero for a practical detector with finite bandwidth. (c) The average value is (d) The average value is It demonstrates the absence of long period autocorrelation.

Figure 4.11: Autocorrelation after randomness extraction (Toeplitz-hashing or Trevisan's extractor). Panels: (a) Toeplitz-hashing (100 delay); (b) Trevisan's extractor (100 delay); (c) Toeplitz-hashing (1000 delay); (d) Trevisan's extractor (1000 delay); delay is in bits. The data size is bits for each case. In theory, for a truly random bit string, the average normalized correlation is 0 and the standard deviation is (a) The average value is (b) The average value is (c) The average value is (d) The average value is
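
The autocorrelation check of Eq. (4.6) with the 1/√n band from the central limit theorem, as an added Python example (not code from the thesis). The function names, the 4-sigma flagging threshold and the constructed bit streams are assumptions made for illustration; the "raw" stream only imitates the within-sample correlation of an 8-bit ADC record by forcing the top two bits of each sample to be complementary.

```python
import math
import random


def autocorrelation(bits, max_lag):
    """R(tau) of Eq. (4.6) for tau = 1..max_lag, with mu and sigma^2 estimated from the data."""
    n = len(bits)
    mu = sum(bits) / n
    var = sum((b - mu) ** 2 for b in bits) / n
    if var == 0:
        raise ValueError("a constant sequence has no defined autocorrelation")
    centred = [b - mu for b in bits]
    result = {}
    for tau in range(1, max_lag + 1):
        acc = sum(centred[i] * centred[i + tau] for i in range(n - tau))
        result[tau] = acc / ((n - tau) * var)
    return result


def suspicious_lags(bits, max_lag, sigmas=4.0):
    """Lags whose |R(tau)| lies outside sigmas / sqrt(n), the band expected for IID bits."""
    bound = sigmas / math.sqrt(len(bits))
    coefficients = autocorrelation(bits, max_lag)
    return sorted(tau for tau, r in coefficients.items() if abs(r) > bound)


def constructed_raw_bits(num_samples, rng):
    """Constructed stand-in for raw 8-bit samples (MSB first): bit 7 and bit 6 are
    complementary, the remaining six bits are independent and unbiased."""
    bits = []
    for _ in range(num_samples):
        msb = rng.getrandbits(1)
        bits.extend([msb, msb ^ 1] + [rng.getrandbits(1) for _ in range(6)])
    return bits


def constructed_uniform_bits(num_bits, rng):
    """Constructed reference stream of independent unbiased bits."""
    return [rng.getrandbits(1) for _ in range(num_bits)]


if __name__ == "__main__":
    rng = random.Random(2012)  # fixed seed so the constructed data is reproducible
    raw = constructed_raw_bits(5000, rng)
    ref = constructed_uniform_bits(40000, rng)
    print("band for n = 40000:", 1 / math.sqrt(40000))
    print("raw stream, flagged lags:", suspicious_lags(raw, 16))
    print("reference stream, flagged lags:", suspicious_lags(ref, 16))
```

One pair in eight at lag 1 is perfectly anti-correlated in the constructed raw stream, so R(1) sits near −0.125, far outside the band of about ±0.005 for 40000 bits.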

Chapter 5 Conclusion and Outlook

There is no royal road to science, and only those who do not dread the fatiguing climb of gaining its numinous summits. - Karl Marx

5.1 Conclusion

In this thesis, I intensively studied two imperfections in practical quantum cryptosystems - phase-remapping attack and quantum random number generator - and their security consequences.

Phase-remapping attack

Unconditional security proofs of various QKD protocols are built on idealized assumptions. However, a real-life QKD system may contain overlooked imperfections, which can violate some of these assumptions. An adversary could exploit these imperfections and launch specific quantum attacks in a practical implementation of QKD. In this thesis, I investigated one of these imperfections in a commercial plug-and-play system and performed a proof-of-principle experiment to demonstrate a technologically feasible attack, known as a phase-remapping attack. In our attack, Eve could get full information and only introduced a quantum bit error rate of 19.7%. The success of our attack shows clearly an imperfection in the practical QKD implementation. Specifically, this is the first successful intercept-and-resend attack on top of a commercial bidirectional QKD system, and it highlights not only the importance for Alice to verify that she is encoding the right state during the encoding process, but also, more generally, the importance of verification of the correctness of each step of an implementation of a QKD protocol in a practical QKD system.

Quantum random number generator

A quantum random number generator (QRNG) can generate true randomness by exploiting the fundamental indeterminism of quantum mechanics. Several QRNGs, including commercial products, have already been proposed and demonstrated. Nevertheless, due to the difficulties of measuring quantum effects in real setups, most approaches to QRNG are limited in speed. Moreover, in real experiments, the quantum randomness is inevitably mixed with classical noise, which may be controlled by Eve. In this thesis, I proposed and experimentally demonstrated a fast QRNG at a rate of over 6 Gbits/s. Our approach was based on the quantum phase fluctuations of a laser, which was operated near its threshold. Furthermore, we presented and implemented a rigorous method to remove the contamination of classical noise by modeling our system, quantifying randomness through min-entropy and employing a post-processing function - randomness extractor - to distill randomness. A key advantage of our approach is that its security is theoretically provable based on information theory. The simplicity and high speed of our experimental setup show the feasibility of a robust, low-cost, high-speed QRNG. Our work not only highlights the importance of the rigorous quantification and distillation of quantum randomness in a practical QRNG, but also demonstrates the potential for random number generation using quantum phase fluctuations of a laser as a true entropy source.

5.2 Outlook

Detector-control attack

The detector-control attack [24] has drawn much scientific attention, and has been successfully demonstrated on most types of practical QKD systems [24, 105, 106]. A full implementation of the attacking strategy has been investigated in Ref. [106]. The key concept of the detector-control attack is the following.
By sending a strong optical pulse to Bob, Eve can force Bob's single-photon detectors to always work in a Linear mode instead of Geiger mode. In the Linear mode, the single-photon detector, such as the one based on InGaAs APDs, is only sensitive to bright illumination. This detector state is called detector blinding. Then, Eve sends a bright pulse with a tailored power level such that Bob's detector always reports a detection event from the bright pulse, but never reports a detection event from a pulse with half power. As a result, Eve can successfully launch an intercept-and-resend attack without increasing QBERs. For example, when Eve uses the same basis as Bob to measure the quantum state from Alice, Bob gets a detection event as if there is no eavesdropper. And if Eve uses the opposite basis from Bob to measure the quantum state from Alice, her bright pulse will strike both of Bob's detectors with half power, and neither detector will report a detection event. In practice, a simple detector-control attack will introduce a 50% total loss. However, Eve can place her intercept-unit close to Alice's laboratory while compensating the loss in the remaining fiber by re-sending brighter states.

The detector-control attack is applicable to various types of single-photon detectors, such as gated APDs [24], passively or actively quenched APDs [107, 108], and SSPDs [109]. How to remove such an attack is still a big challenge for QKD researchers. One proposed countermeasure is carefully operating the single-photon detectors inside Bob's system [67, 68] and monitoring the photocurrent for anomalously high values [110]. However, such a countermeasure may lead away from provable security models of QKD and can often be defeated by advanced hacking technologies. Hence, the eventual solution to this attack may be to develop a QKD system free of detection loopholes. The device-independent QKD protocol [111] can be a perfect candidate for such a task. However, the strict requirement on the detection efficiency of the single-photon detector (larger than 83%) makes it still immature for practical demonstrations (typically, the detection efficiency of a practical single-photon detector is around 10%).
Very recently, a promising countermeasure to this attack has been proposed: the so-called measurement-device-independent QKD protocol by Lo et al. [112], which in principle can remove all detector side channels automatically. It is important to demonstrate and verify this scheme in a real setup in the future.

Other quantum attacks

Recently, Sun et al. have studied the imperfections of the Faraday mirror and proposed the passive Faraday-mirror attack in a plug-and-play system [113]. Jain et al. have experimentally demonstrated that the calibration routine of a commercial QKD system can be tricked into setting a large detector efficiency mismatch, and proposed an attack strategy on such a compromised system with a QBER less than 7% [114]. Very recently, Li et al. [115] have studied the imperfection of a practical beam splitter and demonstrated a wavelength-dependent quantum attack on top of a polarization-coding QKD system.

A substantial question is thus raised: how to counter an Eve who combines various quantum attacks together? For instance, in a commercial plug-and-play QKD system, Eve can perform a quantum attack as follows. Eve employs the phase-remapping attack and the Faraday-mirror attack on Alice's encoding stage, tricks the calibration process to set a large detector efficiency mismatch between Bob's two detectors, and applies the fake-state attack or the time-shift attack on Bob's detection stage. If she does so, the resulting QBER will dramatically reduce. Furthermore, if Eve launches her attack not on every signal but only on a subset of signals, the introduced QBER will be much lower. How to remove such attacks will be a notoriously hard problem. Therefore, we remark that instead of removing the attacks, what we can do is to quantify them carefully. Once quantified, those imperfections may be taken care of in further security proofs of QKD.

Besides the loopholes discussed above, other imperfections of a practical QKD system should also be carefully investigated. In most phase-coding based QKD systems, the polarization component of the quantum state is often used to optimize the system design. A natural question is: is it still secure if Eve actively introduces some polarization redundancies into such a QKD system? Moreover, the potential developments of QKD technology are long distances and high bit rates. Therefore, another question is: will more unnoticed imperfections appear in a long-distance and high-speed QKD system? For example, the detector dead-time issue in a high-speed QKD system has recently been studied in Refs. [116, 117, 118].
Furthermore, there also exists another type of QKD, continuous variable QKD [10, 119], whose security is based on the uncertainty principle of the amplitude quadrature and the phase quadrature of a coherent state. However, the practical security of continuous variable QKD is still unclear and deserves future investigation. Up to now, most of the imperfections that have been studied are in fiber-based QKD systems. Hence, the practical security of free-space-based QKD systems is still unclear. Indeed, the imperfection due to non-single-mode quantum signals is a crucial issue in free-space QKD. Eve can exploit this imperfection and launch the spatial-mode attack against a free-space QKD system [62, 63, 64, 65], such as a satellite-based QKD implementation.

Quantum random number generator

A novel approach to generate and post-process random numbers has been demonstrated in Chapter 4. We can improve the system (Fig. 4.3) by making it more compact and robust. A proposed new system design is shown in Fig Compared to the previous setup (see Fig. 4.3), the improvements are the following. The DFB laser is replaced by a compact OEM laser diode. The photodetector is replaced by a balanced detection system with two photodetectors (PD1/2 in Fig. 5.1) followed by a differential amplifier (DA in Fig. 5.1). The real-time oscilloscope is replaced by a high-speed (with a sampling rate of over GHz) and high-resolution analog-to-digital convertor (ADC) (footnote 1). Furthermore, it is important to create a real-time hardware-based randomness extractor in a practical QRNG system for future investigations. By implementing the above new system design, it will be easy to build a compact, low-cost, high-speed, and robust QRNG system with a USB port in the future. A commercial QRNG with a USB port and a generation rate of 4 Mbits/s has already appeared on the market (see Fig. 5.2) [32].

Figure 5.1: New system design of QRNG based on quantum phase fluctuations of a laser. PC, polarization controller; PLC-MZI, planar lightwave circuit Mach-Zehnder interferometer; TC, temperature controller; PD1/2, photodetector; DA, differential amplifier; ADC, analog-to-digital convertor.

Footnote 1: Optimization of the ADC range is also an interesting direction for future research.

Figure 5.2: Commercial QRNG with USB port at a rate of 4 Mbits/s [32].

Recently, based on a different type of laser and system design, the intensity fluctuations of a laser have been studied to generate fast random bits [120]. An improved system with a super-luminescent LED has also been demonstrated [121]. Since the fundamental physical origin of both the phase fluctuations and the intensity fluctuations of a laser is amplified spontaneous emission, it will be interesting to demonstrate a QRNG exploiting both fluctuations.

Practical QKD

One potential development of practical QKD technology is long-distance transmission and global communication. However, as discussed in subsection 2.4.1, the propagation loss in fibers puts a limit on the longest-distance fiber-based quantum communication (typically, less than 400 km). To extend the transmission distance without relying on intermediate nodes, the quantum repeater has been proposed [122]. A quantum repeater relies on the concept of entanglement swapping, which allows Alice and Bob to distill a number of entangled states over long distance. Currently, the main challenge in building a quantum repeater is the limited technology for a quantum memory. Hence, it will be interesting for future research to develop a feasible quantum repeater and thus achieve secure QKD over long distances.

A natural way to build a practical QKD network is by using the standard optical fibers, which have been developed and used in daily telecommunication, as the quantum channels. Therefore, an important future topic is the wavelength division multiplexing between QKD (quantum communication) and classical optical communication. Moreover, when QKD is widely used in real-life applications, it is also important to design and build


More information

Security Implications of Quantum Technologies

Security Implications of Quantum Technologies Security Implications of Quantum Technologies Jim Alves-Foss Center for Secure and Dependable Software Department of Computer Science University of Idaho Moscow, ID 83844-1010 email: jimaf@cs.uidaho.edu

More information

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes

5th March Unconditional Security of Quantum Key Distribution With Practical Devices. Hermen Jan Hupkes 5th March 2004 Unconditional Security of Quantum Key Distribution With Practical Devices Hermen Jan Hupkes The setting Alice wants to send a message to Bob. Channel is dangerous and vulnerable to attack.

More information

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1 Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption

More information

Enigma Marian Rejewski, Jerzy Róz ycki, Henryk Zygalski

Enigma Marian Rejewski, Jerzy Róz ycki, Henryk Zygalski 1 Enigma Marian Rejewski, Jerzy Róz ycki, Henryk Zygalski What is the problem with classical cryptography? Secret key cryptography Requires secure channel for key distribution In principle every

More information

Practical quantum-key. key- distribution post-processing

Practical quantum-key. key- distribution post-processing Practical quantum-key key- distribution post-processing processing Xiongfeng Ma 马雄峰 IQC, University of Waterloo Chi-Hang Fred Fung, Jean-Christian Boileau, Hoi Fung Chau arxiv:0904.1994 Hoi-Kwong Lo, Norbert

More information

Quantum Cryptography and Security of Information Systems

Quantum Cryptography and Security of Information Systems Quantum Cryptography and Security of Information Systems Dalibor Hrg University of Zagreb, Faculty of Electrical Engineering and Computing, Zagreb dalix@fly.srk.fer.hr Leo Budin University of Zagreb, Faculty

More information

Trustworthiness of detectors in quantum key distribution with untrusted detectors

Trustworthiness of detectors in quantum key distribution with untrusted detectors Trustworthiness of detectors in quantum key distribution with untrusted detectors Bing Qi Quantum Information Science Group, Computational Sciences and Engineering Division, Oak Ridge National Laboratory,

More information

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security

Quantum Cryptography. Areas for Discussion. Quantum Cryptography. Photons. Photons. Photons. MSc Distributed Systems and Security Areas for Discussion Joseph Spring Department of Computer Science MSc Distributed Systems and Security Introduction Photons Quantum Key Distribution Protocols BB84 A 4 state QKD Protocol B9 A state QKD

More information

Ground-Satellite QKD Through Free Space. Steven Taylor

Ground-Satellite QKD Through Free Space. Steven Taylor Ground-Satellite QKD Through Free Space Steven Taylor Quantum Computation and Quantum Information, Spring 2014 Introduction: In this paper I will provide a brief introduction on what Quantum Key Distribution

More information

Quantum cryptography: from theory to practice

Quantum cryptography: from theory to practice Quantum cryptography: from theory to practice by Xiongfeng Ma A thesis submitted in conformity with the requirements for the degree of Doctor of Philosophy Thesis Graduate Department of Department of Physics

More information

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009 An Dr Nick Papanikolaou Research Fellow, e-security Group International Digital Laboratory University of Warwick http://go.warwick.ac.uk/nikos Seminar on The Future of Cryptography The British Computer

More information

A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC)

A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC) A New Wireless Quantum Key Distribution Protocol based on Authentication And Bases Center (AABC) Majid Alshammari and Khaled Elleithy Department of Computer Science and Engineering University of Bridgeport

More information

LECTURE NOTES ON Quantum Cryptography

LECTURE NOTES ON Quantum Cryptography Department of Software The University of Babylon LECTURE NOTES ON Quantum Cryptography By Dr. Samaher Hussein Ali College of Information Technology, University of Babylon, Iraq Samaher@itnet.uobabylon.edu.iq

More information

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata

An Introduction to Quantum Information. By Aditya Jain. Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata An Introduction to Quantum Information By Aditya Jain Under the Guidance of Dr. Guruprasad Kar PAMU, ISI Kolkata 1. Introduction Quantum information is physical information that is held in the state of

More information

Practical aspects of QKD security

Practical aspects of QKD security Practical aspects of QKD security Alexei Trifonov Audrius Berzanskis MagiQ Technologies, Inc. Secure quantum communication Protected environment Alice apparatus Optical channel (insecure) Protected environment

More information

Security and implementation of differential phase shift quantum key distribution systems

Security and implementation of differential phase shift quantum key distribution systems Security and implementation of differential phase shift quantum key distribution systems Eleni Diamanti University Ph.D. Oral Examination June 1 st, 2006 Classical cryptography cryptography = κρυπτός +

More information

Cyber Security in the Quantum Era

Cyber Security in the Quantum Era T Computer Security Guest Lecture University of Edinburgh 27th November 2017 E H U N I V E R S I T Y O H F R G E D I N B U Outline Quantum Computers: Is it a threat to Cyber Security? Why should we act

More information

10 - February, 2010 Jordan Myronuk

10 - February, 2010 Jordan Myronuk 10 - February, 2010 Jordan Myronuk Classical Cryptography EPR Paradox] The need for QKD Quantum Bits and Entanglement No Cloning Theorem Polarization of Photons BB84 Protocol Probability of Qubit States

More information

Quantum cryptography and quantum hacking. Dr. Lars Lydersen

Quantum cryptography and quantum hacking. Dr. Lars Lydersen Quantum cryptography and quantum hacking Dr. Lars Lydersen GOVCERT.NL, Rotterdam 5. November 2 Quantum Hacking group NTNU, Trondheim & UNIK, Kjeller www.iet.ntnu.no/groups/optics/qcr/ Prof. Johannes Skaar

More information

Quantum key distribution

Quantum key distribution Quantum key distribution Eleni Diamanti eleni.diamanti@telecom-paristech.fr LTCI, CNRS, Télécom ParisTech Paris Centre for Quantum Computing Photonics@be doctoral school May 10, 2016 1 Outline Principles

More information

Quantum Cryptography

Quantum Cryptography Quantum Cryptography Umesh V. Vazirani CS 161/194-1 November 28, 2005 Why Quantum Cryptography? Unconditional security - Quantum computers can solve certain tasks exponentially faster; including quantum

More information

Security of Quantum Cryptography using Photons for Quantum Key Distribution. Karisa Daniels & Chris Marcellino Physics C191C

Security of Quantum Cryptography using Photons for Quantum Key Distribution. Karisa Daniels & Chris Marcellino Physics C191C Security of Quantum Cryptography using Photons for Quantum Key Distribution Karisa Daniels & Chris Marcellino Physics C191C Quantum Key Distribution QKD allows secure key distribution Keys are then used

More information

Ping Pong Protocol & Auto-compensation

Ping Pong Protocol & Auto-compensation Ping Pong Protocol & Auto-compensation Adam de la Zerda For QIP seminar Spring 2004 02.06.04 Outline Introduction to QKD protocols + motivation Ping-Pong protocol Security Analysis for Ping-Pong Protocol

More information

arxiv:quant-ph/ v6 6 Mar 2007

arxiv:quant-ph/ v6 6 Mar 2007 Phase-Remapping Attack in Practical Quantum Key Distribution Systems Chi-Hang Fred Fung, 1, Bing Qi, 1, Kiyoshi Tamaki, 2, and Hoi-Kwong Lo 1, 1 Center for Quantum Information and Quantum Control, Department

More information

Research, Development and Simulation of Quantum Cryptographic Protocols

Research, Development and Simulation of Quantum Cryptographic Protocols http://dx.doi.org/1.5755/j1.eee.19.4.17 Research, Development and Simulation of Quantum Cryptographic Protocols C. Anghel 1 1 University Dunărea de Jos Galati, 2 Științei, 8146 Galati, Romania, phone:

More information

A probabilistic quantum key transfer protocol

A probabilistic quantum key transfer protocol SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 013; 6:1389 1395 Published online 13 March 013 in Wiley Online Library (wileyonlinelibrary.com)..736 RESEARCH ARTICLE Abhishek Parakh* Nebraska

More information

Detection of Eavesdropping in Quantum Key Distribution using Bell s Theorem and Error Rate Calculations

Detection of Eavesdropping in Quantum Key Distribution using Bell s Theorem and Error Rate Calculations Detection of Eavesdropping in Quantum Key Distribution using Bell s Theorem and Error Rate Calculations David Gaharia Joel Wibron under the direction of Prof. Mohamed Bourennane Quantum Information & Quantum

More information

Quantum Cryptography. Marshall Roth March 9, 2007

Quantum Cryptography. Marshall Roth March 9, 2007 Quantum Cryptography Marshall Roth March 9, 2007 Overview Current Cryptography Methods Quantum Solutions Quantum Cryptography Commercial Implementation Cryptography algorithms: Symmetric encrypting and

More information

Applications of Quantum Key Distribution (QKD)

Applications of Quantum Key Distribution (QKD) Applications of Quantum Key Distribution (QKD) Olav Tirkkonen, Iikka Elonsalo, Jari Lietzen, Teemu Manninen, Ilkka Tittonen, Roope Vehkalahti Departments of Communications and Networking & Micro and Nano,

More information

Simulation of BB84 Quantum Key Distribution in depolarizing channel

Simulation of BB84 Quantum Key Distribution in depolarizing channel Simulation of BB84 Quantum Key Distribution in depolarizing channel Hui Qiao, Xiao-yu Chen * College of Information and Electronic Engineering, Zhejiang Gongshang University, Hangzhou, 310018, China xychen@mail.zjgsu.edu.cn

More information

Experimental realization of quantum cryptography communication in free space

Experimental realization of quantum cryptography communication in free space Science in China Ser. G Physics, Mechanics & Astronomy 2005 Vol.48 No.2 237 246 237 Experimental realization of quantum cryptography communication in free space WANG Chuan 1, ZHANG Jingfu 1, WANG Pingxiao

More information

Communications Quantiques

Communications Quantiques Communications Quantiques Hugo Zbinden Groupe de Physique Appliquée Quantum Technologies Université de Genève Cryptographie Quantique Génération de nombres aléatoires Stéganographie basée sur du bruit

More information

arxiv:quant-ph/ v2 17 Sep 2002

arxiv:quant-ph/ v2 17 Sep 2002 Proof of security of quantum key distribution with two-way classical communications arxiv:quant-ph/0105121 v2 17 Sep 2002 Daniel Gottesman EECS: Computer Science Division University of California Berkeley,

More information

Perfectly secure cipher system.

Perfectly secure cipher system. Perfectly secure cipher system Arindam Mitra Lakurdhi, Tikarhat Road, Burdwan 713102 India Abstract We present a perfectly secure cipher system based on the concept of fake bits which has never been used

More information

Asymptotic Analysis of a Three State Quantum Cryptographic Protocol

Asymptotic Analysis of a Three State Quantum Cryptographic Protocol Asymptotic Analysis of a Three State Quantum Cryptographic Protocol Walter O. Krawec walter.krawec@gmail.com Iona College Computer Science Department New Rochelle, NY USA IEEE ISIT July, 2016 Quantum Key

More information

Quantum Key Distribution. The Starting Point

Quantum Key Distribution. The Starting Point Quantum Key Distribution Norbert Lütkenhaus The Starting Point Quantum Mechanics allows Quantum Key Distribution, which can create an unlimited amount of secret key using -a quantum channel -an authenticated

More information

Device-Independent Quantum Information Processing

Device-Independent Quantum Information Processing Device-Independent Quantum Information Processing Antonio Acín ICREA Professor at ICFO-Institut de Ciencies Fotoniques, Barcelona Chist-Era kick-off seminar, March 2012, Warsaw, Poland Quantum Information

More information

Quantum Cryptography

Quantum Cryptography Quantum Cryptography (Notes for Course on Quantum Computation and Information Theory. Sec. 13) Robert B. Griffiths Version of 26 March 2003 References: Gisin = N. Gisin et al., Rev. Mod. Phys. 74, 145

More information

Seminar Report On QUANTUM CRYPTOGRAPHY. Submitted by SANTHIMOL A. K. In the partial fulfillment of requirements in degree of

Seminar Report On QUANTUM CRYPTOGRAPHY. Submitted by SANTHIMOL A. K. In the partial fulfillment of requirements in degree of Seminar Report On QUANTUM CRYPTOGRAPHY Submitted by SANTHIMOL A. K. In the partial fulfillment of requirements in degree of Master of Technology in Computer and Information Science DEPARTMENT OF COMPUTER

More information

Physics is becoming too difficult for physicists. David Hilbert (mathematician)

Physics is becoming too difficult for physicists. David Hilbert (mathematician) Physics is becoming too difficult for physicists. David Hilbert (mathematician) Simple Harmonic Oscillator Credit: R. Nave (HyperPhysics) Particle 2 X 2-Particle wave functions 2 Particles, each moving

More information

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols

A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols A Genetic Algorithm to Analyze the Security of Quantum Cryptographic Protocols Walter O. Krawec walter.krawec@gmail.com Iona College Computer Science Department New Rochelle, NY USA IEEE WCCI July, 2016

More information

Tutorial: Device-independent random number generation. Roger Colbeck University of York

Tutorial: Device-independent random number generation. Roger Colbeck University of York Tutorial: Device-independent random number generation Roger Colbeck University of York Outline Brief motivation of random number generation Discuss what we mean by a random number Discuss some ways of

More information

Introduction to Quantum Cryptography

Introduction to Quantum Cryptography Chapter 5 Introduction to Quantum Cryptography Xiaoqing Tan Additional information is available at the end of the chapter http://dx.doi.org/10.5772/56092 1. Introduction Broadly speaking, cryptography

More information

Chapter 5. Quantum Cryptography

Chapter 5. Quantum Cryptography Chapter 5. Quantum Cryptography arxiv:1108.1718v1 [quant-ph] 8 Aug 2011 Dag Roar Hjelme Department of Electronics and Telecommunications, Norwegian University of Science and Technology, NO-7491 Trondheim,

More information

Quantum Cryptography

Quantum Cryptography Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Winter 17 QuantumDay@Portland

More information

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel

Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel Unconditional Security of the Bennett 1992 quantum key-distribution protocol over a lossy and noisy channel Kiyoshi Tamaki *Perimeter Institute for Theoretical Physics Collaboration with Masato Koashi

More information

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139

Quantum Error Correcting Codes and Quantum Cryptography. Peter Shor M.I.T. Cambridge, MA 02139 Quantum Error Correcting Codes and Quantum Cryptography Peter Shor M.I.T. Cambridge, MA 02139 1 We start out with two processes which are fundamentally quantum: superdense coding and teleportation. Superdense

More information

TWO-LAYER QUANTUM KEY DISTRIBUTION

TWO-LAYER QUANTUM KEY DISTRIBUTION TWO-LAYER QUANTUM KEY DISTRIBUTION PAULO VINÍCIUS PEREIRA PINHEIRO and RUBENS VIANA RAMOS paulovpp@gmail.com rubens.viana@pq.cnpq.br Laboratory of Quantum Information Technology, Department of Teleinformatic

More information

Research Proposal for Secure Double slit experiment. Sandeep Cheema Security Analyst, Vichara Technologies. Abstract

Research Proposal for Secure Double slit experiment. Sandeep Cheema Security Analyst, Vichara Technologies. Abstract Research Proposal for Secure Double slit experiment Sandeep Cheema Security Analyst, Vichara Technologies Abstract The key objective of this research proposal is to resolve or advance with the measurement

More information

Practical Quantum Key Distribution

Practical Quantum Key Distribution Leopold-Franzens-Universität Innsbruck Institut für Experimentalphysik Technikerstrasse 25 http://www.uibk.ac.at Practical Quantum Key Distribution Gregor Weihs Contents QKD Protocols Implementations of

More information

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Quantum Optical Communication

Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science Quantum Optical Communication Massachusetts Institute of Technology Department of Electrical Engineering and Computer Science 6.453 Quantum Optical Communication Date: Thursday, November 3, 016 Lecture Number 16 Fall 016 Jeffrey H.

More information

arxiv:quant-ph/ v3 13 Mar 2007

arxiv:quant-ph/ v3 13 Mar 2007 Quantum Cryptography: from Theory to Practice Hoi-Kwong Lo and Norbert Lütkenhaus Center for Quantum Information and Quantum Control, Department of Physics and Department of Electrical & Computer Engineering,

More information

arxiv:quant-ph/ v1 25 Dec 2006

arxiv:quant-ph/ v1 25 Dec 2006 Sequential Attack with Intensity Modulation on the Differential-Phase-Shift Quantum Key Distribution Protocol Toyohiro Tsurumaru Mitsubishi Electric Corporation, Information Technology R&D Center 5-1-1

More information

Quantum Entanglement Assisted Key Distribution

Quantum Entanglement Assisted Key Distribution Quantum Entanglement Assisted Key Distribution Ke Tang *, Ping Ji *+, Xiaowen Zhang * Graduate Center, City University of New York, ke.tang@qc.cuny.edu + John Jay College of Criminal Justice, City University

More information

Device-Independent Quantum Information Processing (DIQIP)

Device-Independent Quantum Information Processing (DIQIP) Device-Independent Quantum Information Processing (DIQIP) Maciej Demianowicz ICFO-Institut de Ciencies Fotoniques, Barcelona (Spain) Coordinator of the project: Antonio Acín (ICFO, ICREA professor) meeting,

More information

Stop Conditions Of BB84 Protocol Via A Depolarizing Channel (Quantum Cryptography)

Stop Conditions Of BB84 Protocol Via A Depolarizing Channel (Quantum Cryptography) Journal of Computer Science 3 (6): 44-49, 7 ISSN 549-3636 7 Science Publications Stop Conditions Of BB84 Protocol Via A Depolarizing Channel (Quantum Cryptography) Iyed Ben Slimen, Olfa Trabelsi, Houria

More information

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time

More information

Problem Set: TT Quantum Information

Problem Set: TT Quantum Information Problem Set: TT Quantum Information Basics of Information Theory 1. Alice can send four messages A, B, C, and D over a classical channel. She chooses A with probability 1/, B with probability 1/4 and C

More information

A Matlab Realization of Shor s Quantum Factoring Algorithm

A Matlab Realization of Shor s Quantum Factoring Algorithm 1 A Matlab Realization of Shor s Quantum Factoring Algorithm S. Jha, P. Chatterjee, A.Falor and M. Chakraborty, Member IEEE Department of Information Technology Institute of Engineering & Management Kolkata,

More information

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance.

9. Distance measures. 9.1 Classical information measures. Head Tail. How similar/close are two probability distributions? Trace distance. 9. Distance measures 9.1 Classical information measures How similar/close are two probability distributions? Trace distance Fidelity Example: Flipping two coins, one fair one biased Head Tail Trace distance

More information

arxiv:quant-ph/ v2 7 Nov 2001

arxiv:quant-ph/ v2 7 Nov 2001 Quantum key distribution using non-classical photon number correlations in macroscopic light pulses A.C. Funk and M.G. Raymer Oregon Center for Optics and Department of Physics, University of Oregon, Eugene,

More information

Mobile Free Space Quantum Key Distribution for short distance secure communication

Mobile Free Space Quantum Key Distribution for short distance secure communication DEPARTMENT OF PHYSICS LUDWIG-MAXIMILIAN-UNIVERSITY OF MUNICH Master s Thesis Mobile Free Space Quantum Key Distribution for short distance secure communication Tobias Vogl January 21, 216 Supervised by

More information

Quantum key distribution for the lazy and careless

Quantum key distribution for the lazy and careless Quantum key distribution for the lazy and careless Noisy preprocessing and twisted states Joseph M. Renes Theoretical Quantum Physics, Institut für Angewandte Physik Technische Universität Darmstadt Center

More information

The Relativistic Quantum World

The Relativistic Quantum World The Relativistic Quantum World A lecture series on Relativity Theory and Quantum Mechanics Marcel Merk University of Maastricht, Sept 24 Oct 15, 2014 Relativity Quantum Mechanics The Relativistic Quantum

More information

C. QUANTUM INFORMATION 111

C. QUANTUM INFORMATION 111 C. QUANTUM INFORMATION 111 C Quantum information C.1 Qubits C.1.a Single qubits 1. Qubit: Just as the bits 0 and 1 are represented by distinct physical states, so the quantum bits (or qubits) 0i and 1i

More information

Quantum Cryptography Bertrand Bonnefoy-Claudet Zachary Estrada

Quantum Cryptography Bertrand Bonnefoy-Claudet Zachary Estrada Quantum Cryptography Bertrand Bonnefoy-Claudet Zachary Estrada Crypto against modern computers No known attack against RSA, AES,... yet They are not proven (and they cannot be) Crypto against modern computers

More information

C. QUANTUM INFORMATION 99

C. QUANTUM INFORMATION 99 C. QUANTUM INFORMATION 99 C Quantum information C.1 Qubits C.1.a Single qubits Just as the bits 0 and 1 are represented by distinct physical states in a conventional computer, so the quantum bits (or qubits)

More information

Secrecy and the Quantum

Secrecy and the Quantum Secrecy and the Quantum Benjamin Schumacher Department of Physics Kenyon College Bright Horizons 35 (July, 2018) Keeping secrets Communication Alice sound waves, photons, electrical signals, paper and

More information

Entanglement and information

Entanglement and information Ph95a lecture notes for 0/29/0 Entanglement and information Lately we ve spent a lot of time examining properties of entangled states such as ab è 2 0 a b è Ý a 0 b è. We have learned that they exhibit

More information

Secrets of Quantum Information Science

Secrets of Quantum Information Science Secrets of Quantum Information Science Todd A. Brun Communication Sciences Institute USC Quantum computers are in the news Quantum computers represent a new paradigm for computing devices: computers whose

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Security of high speed quantum key distribution with finite detector dead time

Security of high speed quantum key distribution with finite detector dead time Security of high speed quantum key distribution with finite detector dead time Viacheslav Burenkov,5, Bing Qi 2,3, Ben Fortescue 4 and Hoi-Kwong Lo,2,3 Department of Physics, University of Toronto, Toronto,

More information

Intrinsic-Stabilization Uni-Directional Quantum Key Distribution. Between Beijing and Tianjin

Intrinsic-Stabilization Uni-Directional Quantum Key Distribution. Between Beijing and Tianjin Intrinsic-Stabilization Uni-Directional Quantum Key Distribution Between Beijing and Tianjin Xiao-fan Mo 1, Bing Zhu 1, 2, Zheng-fu Han 1*, You-zhen Gui 1, Guang-can Guo 1 1 Key Lab of Quantum Information

More information

John Preskill, Caltech Biedenharn Lecture 2 8 September The security of quantum cryptography

John Preskill, Caltech Biedenharn Lecture 2 8 September The security of quantum cryptography John Preskill, Caltech Biedenharn Lecture 2 8 September 2005 The security of quantum cryptography The Quantum Century Though quantum theory is more than 100 years old, there are profound aspects of the

More information

Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol

Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol entropy Article Attacks against a Simplified Experimentally Feasible Semiquantum Key Distribution Protocol Michel Boyer, Rotem Liss, * and Tal Mor Département d Informatique et de Recherche Opérationnelle

More information

arxiv: v1 [quant-ph] 18 May 2018

arxiv: v1 [quant-ph] 18 May 2018 Measurement-Device-Independent Quantum Secure Direct Communication, arxiv:1805.078v1 [quant-ph] 18 May 018 Zeng-Rong Zhou, 1,, 3, 4, 5, 6, Yu-Bo Sheng, 7, 8, 9, Peng-Hao Niu, 1,, 3, 4, 5, 6 Liu-Guo Yin,

More information

quantum distribution of a sudoku key Sian K. Jones University of South Wales

quantum distribution of a sudoku key Sian K. Jones University of South Wales Games and Puzzles quantum distribution of a sudoku key Sian K. Jones University of South Wales sian-kathryn.jones@southwales.ac.uk Abstract: Sudoku grids are often cited as being useful in cryptography

More information

APPLICATIONS. Quantum Communications

APPLICATIONS. Quantum Communications SOFT PROCESSING TECHNIQUES FOR QUANTUM KEY DISTRIBUTION APPLICATIONS Marina Mondin January 27, 2012 Quantum Communications In the past decades, the key to improving computer performance has been the reduction

More information

Quantum threat...and quantum solutions

Quantum threat...and quantum solutions Quantum threat...and quantum solutions How can quantum key distribution be integrated into a quantum-safe security infrastructure Bruno Huttner ID Quantique ICMC 2017 Outline Presentation of ID Quantique

More information

Quantum Computing. Richard Jozsa Centre for Quantum Information and Foundations DAMTP University of Cambridge

Quantum Computing. Richard Jozsa Centre for Quantum Information and Foundations DAMTP University of Cambridge Quantum Computing Richard Jozsa Centre for Quantum Information and Foundations DAMTP University of Cambridge Physics and Computation A key question: what is computation....fundamentally? What makes it

More information

Introduction to Quantum Cryptography

Introduction to Quantum Cryptography Università degli Studi di Perugia September, 12th, 2011 BunnyTN 2011, Trento, Italy This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. Quantum Mechanics

More information

What is the Q in QRNG?

What is the Q in QRNG? What is the Q in QRNG? IN ORDER TO GUARANTEE ABSOLUTELY RANDOM NUMBERS, RNGS (RANDOM NUMBER GENERATORS) MUST NOT BE VULNERABLE TO PREDICTION OR BIAS, AND THUS DICTATED BY TRUE RANDOMNESS. BUT HOW CAN WE

More information

SECURITY OF QUANTUM KEY DISTRIBUTION USING WEAK COHERENT STATES WITH NONRANDOM PHASES

SECURITY OF QUANTUM KEY DISTRIBUTION USING WEAK COHERENT STATES WITH NONRANDOM PHASES Quantum Information and Computation, Vol. 7, No. 5&6 (2007) 431 458 c Rinton Press SECURITY OF QUANTUM KEY DISTRIBUTION USING WEAK COHERENT STATES WITH NONRANDOM PHASES HOI-KWONG LO Center for Quantum

More information

Quantum key distribution with 2-bit quantum codes

Quantum key distribution with 2-bit quantum codes Quantum key distribution with -bit quantum codes Xiang-Bin Wang Imai Quantum Computation and Information project, ERATO, Japan Sci. and Tech. Corp. Daini Hongo White Bldg. 0, 5-8-3, Hongo, Bunkyo, Tokyo

More information

Supplementary Material I. BEAMSPLITTER ATTACK The beamsplitter attack has been discussed [C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smol

Supplementary Material I. BEAMSPLITTER ATTACK The beamsplitter attack has been discussed [C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, J. Smol Unconditional Security Of Quantum Key Distribution Over Arbitrarily Long Distances Hoi-Kwong Lo 1 and H. F. Chau, 2y 1 Hewlett-Packard Labs, Filton Road, Stoke Giord, Bristol BS34 8QZ, U. K. 2 Department

More information

Introduction to Quantum Key Distribution

Introduction to Quantum Key Distribution Fakultät für Physik Ludwig-Maximilians-Universität München January 2010 Overview Introduction Security Proof Introduction What is information? A mathematical concept describing knowledge. Basic unit is

More information

Device-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles

Device-independent Quantum Key Distribution and Randomness Generation. Stefano Pironio Université Libre de Bruxelles Device-independent Quantum Key Distribution and Randomness Generation Stefano Pironio Université Libre de Bruxelles Tropical QKD, Waterloo, June 14-17, 2010 Device-independent security proofs establish

More information

Toward Polarization Encoding Measurement- Device-Independent Quantum Key Distribution in Free-Space

Toward Polarization Encoding Measurement- Device-Independent Quantum Key Distribution in Free-Space University of Tennessee, Knoxville Trace: Tennessee Research and Creative Exchange Masters Theses Graduate School 5-2018 Toward Polarization Encoding Measurement- Device-Independent Quantum Key Distribution

More information

APPLICATIONS OF THE QUANTUM KEY DISTRIBUTION (QKD) METHOD

APPLICATIONS OF THE QUANTUM KEY DISTRIBUTION (QKD) METHOD 2016/2500M-0054 ISSN 1797-3457 (verkkojulkaisu) ISBN (PDF) 978-951-25-2850-9 SUMMARY REPORT APPLICATIONS OF THE QUANTUM KEY DISTRIBUTION (QKD) METHOD Ilkka Tittonen, professor, Department of Micro- and

More information