Quantum cryptography and quantum hacking Dr. Lars Lydersen GOVCERT.NL, Rotterdam 5. November 2
Quantum Hacking group NTNU, Trondheim & UNIK, Kjeller www.iet.ntnu.no/groups/optics/qcr/ Prof. Johannes Skaar Postdoc Vadim Makarov PhD students Qin Liu, Lars Lydersen, Øystein Marøy Collaborations: CQT Singapore, KTH Stockholm, Max Planck inst. Erlangen...
Quantum Hacking group. Discovering vulnerabilities Security proofs Demonstrating attacks Hardware countermeasures
What is quantum cryptography? Quantum = quantum physics = small particles Cryptography = coding of secrets Often called Quantum Key Distribution (QKD) Secret key used to code the message Provably secure Eavesdropping attempts detected 4
Quantum key distribution Alice Bob Optical fiber Internet (authenticated) 5
Photons as quantum bits Propagation direction H/V-basis ±45 -basis 6
BB84 7
What about Eve? Eve causes 25% QBER (Quantum bit error rate) 8
Post-processing All errors are assumed due to Eve Alice and Bob use error correction Eve's information is removed through privacy amplification key random matrix = raw key QKD offers perfect security with perfect devices (QBER < %) 9
How secure is practical QKD?
How avalanche photo diodes (APDs) work Geiger mode IAPD IAPD Ith Pth Popt Ith ng i h enc u Q Single photon VAPD Breakdown voltage Vbr L. Lydersen et al. Nat. Photonics 4, 686-689 (2)
Faked-state attack in APD linear mode Identical bases & bit values Eve Alice.Bob.Alice Bright state Bob Listen, do same, get same final key Eve using right basis: Eve using wrong basis: Bits get lost! 2 L. Lydersen et al. Nat. Photonics 4, 686-689 (2)
Launching bright pulse after the gate... VAPD Vbr Vbias afterpulses, increased QBER t bright C. Wiechers et al., New J. Phys. 3, 343 (2) < 2 photons L. Lydersen et al. Phys. Rev. A 83, 3232 (2) Add CW light... Bias to APD (Vbias) Rbias VHV 4 V VAPD Vbr Detector blind! Zero dark count rate Vbias t 3 L. Lydersen et al. Nat. Photonics 4, 686-689 (2)
Detector blinding ID Quantique Clavis2: MagiQ Technologies QPN 555: 4 L. Lydersen et al. Nat. Photonics 4, 686-689 (2)
Full detector control ID Quantique Clavis2: 5 L. Lydersen et al. Nat. Photonics 4, 686-689 (2)
Photo 2 Vadim Makarov Testing MagiQ Technologies QPN 555
Countermeasures suggested by Yuan et al. Vgate Input gate (PECL) DD SYH842 Vcomp R 72 DA MAX96 C.n APD Vclick == R2 5 C2 n R4 5 Output click (PECL) Vbias Resistor shorted R3 k Vth 8 mv VHV 43 V Changes proposed by Yuan et al.: - Rbias = or - Reduce Vth Z. L. Yuan et al. Nat. Photonics 4, 8 (2) Rbias = and reducing Vth is insufficient! L. Lydersen et al. Nat. Photonics 4, 8 (2) 7
Sinkhole blinding L. Lydersen et al. Opt. Express 8, 27938 (2)
Sinkhole blinding Vgate Input gate (PECL) DD SYH842 Vcomp AC-coupling R 72 DA MAX96 C.n APD Vclick == R2 5 C2 n R4 5 Output click (PECL) Vbias R3 k Vth 8 mv VHV 43 V Shorter sinkholes lower amplitude 9 L. Lydersen et al. Opt. Express 8, 27938 (2)
How avalanche photo diodes (APDs) work Geiger mode IAPD IAPD Ith Pth Popt Ith ng i h enc u Q Single photon VAPD Breakdown voltage Vbr 2 L. Lydersen et al. Nat. Photonics 4, 686-689 (2)
5 45 4 35 3 25 2 5 D e te cto r D e te cto r 5 2 4 6 8 2 ptical illumination, mw mw CW Ooptical illumination, Blind! 2.4 rre nt 3 4 cu 3 5 TE C Cold plate temperature, C 2 5 l o C 4 5 5 2 3 d a pl te te m p a er t e ur 2.2 2.8 ITEC, A Heat dissipation in the APD, mw Thermal blinding.6 C old pla te te m p e ra tu re TEC cu rre n t 4 5 6 7.4 8 Total heat dissipation in the APDs, mw L. Lydersen et al. Opt. Express 8, 27938 (2) 2
Thermal blinding of frames 22 L. Lydersen et al. Opt. Express 8, 27938 (2)
Eavesdropping on installed QKD line on campus of the National University of Singapore 29 m of fiber S4 S3 Bob S2 Alice S5 Satellite image Google Eve
Eve does not affect QKD performance Before attack: 3 Raw key rate (cps) During attack: 2 QBER (%) 9 8 7 6 5 4 3 2 5 5 2 Time (s) 25 3 5 5 2 Time (s) 25 3 35 24
Stages of secure technology Quantum cryptography. Idea / proof-of-the-principle 97 993 2. Initial implementations 994 25 3. Weeding out implementation loopholes (spectacular failures patching) Now! 4. Good for wide use 25
Can we eavesdrop on commercial systems? ID Quantique s Cerberis: Dual key agreement PKI RSA-248 Key Symmetric cipher QKD PKI Key AES-256 Symmetric cipher Photo 2 Vadim Makarov QKD BB84
Summary Imperfect implementations may be disastrous QKD-systems were vulnerable to detector control (responsibly disclosed). Full intercept-resend attack has been implemented on an experimental QKD-setup, catching the full key. QKD is forward secure. Email: charlotte.rugers@atos.net 27