Hacking energy-time-entanglement quantum key distribution using classical light
Quantum key distribution (QKD) uses the laws of quantum mechanics to protect secret information from being captured by eavesdroppers. Traditional, classic encryption technologies, such as advanced encryption standard (AES) or Rivest-Shamir-Adleman (RSA), rely on mathematical problems assumed to be hard to solve. QKD, on the other hand, is secure even if the attacker has an infinitely fast computer. However, we have shown that certain implementations of QKD are vulnerable to attack because of a flawed security proof.1 Here, we describe how an attacker might exploit this weakness to violate the supposedly unbreakable security of QKD.
In 1984, Bennett and Brassard created the field of QKD with their seminal paper on generating a random key using quantum mechanics.2 The BB84 protocol, named after its inventors, encodes information onto polarized photons sent from Alice to Bob. If an eavesdropper, Eve, attempts to intercept the photons, she will introduce errors due to Heisenberg's uncertainty principle. Alice and Bob detect these errors and abort the transmission. If no eavesdropper is detected, Alice and Bob can use the photons to generate a random key that only they know. They can then use this key to perform a one-time pad encryption, a cipher that proves secure as long as the key is good enough.
There are other ways to perform QKD that do not require polarization encoding. A demonstration in 19893 showed that QKD is possible using so-called energy-time entanglement, where time is used instead of polarization. In contrast to polarization, which is hard to maintain in optical fibers, time is robust, enabling future QKD devices that are simple to operate and maintain.
In this scenario, a source device emits pairs of photons, one going to Alice and one to Bob. The source device plays a crucial role in the security of energy-time-entangled QKD. If Eve were to control it, she could cleverly craft photons that may make Alice or Bob unintentionally reveal the secret key. The protocol protects against such an attack by an elegant method known as the Bell test.4 Simply put, the Bell test is a statistical measurement that distinguishes between entangled quantum states and those that are not. When Alice and Bob perform this Bell measurement, they can immediately detect whether the source device behaves incorrectly.
The Bell test allows Alice and Bob to perform ‘device-independent’5,6 QKD. This method turns the measurement devices of Alice and Bob into black boxes with unknown content. No matter how the devices are designed and assembled, a QKD device certified by continuous Bell testing is secure, even if Eve controls the source device. If the Bell test fails at any time, Alice and Bob abort the transmission.
Device-independence works, if correctly implemented. Therefore, we asked the question: Can we implement device-independent QKD with a Franson interferometer, the primary candidate for achieving usable QKD through energy-time entanglement? If yes, then we could use robust energy-time entanglement together with the Bell test.
Unfortunately, the answer is no. We have shown how the Bell test in the Franson interferometer can be fooled into certifying a compromised system as device-independent.1 We built an experiment using standard fiber optic components, and showed how Eve could control the key output of Alice and Bob without them noticing.
First, we noted that the Bell test is statistical, and must take the entire statistical ensemble into account. Then we noted that the Franson system must include a post-selection step7 where, on average, half of the recorded events must be discarded. Suddenly, it becomes apparent that the measurements performed by Alice and Bob are not really a Bell test, but are simply a shadow of it. They do not take the whole statistical ensemble into account. Therefore, the numerical value they measure will be skewed in Eve's favor. In other words, the Bell test gives a false positive for the Franson interferometer. Eve can now easily build a trojan source device, fake a violation of the Bell test, and then hack Alice and Bob's key distribution. No matter what measurements Alice and Bob perform, they will not detect Eve's intrusion.
In our experiment, we tested the attack using commercial single-photon detectors operating at 218K (see Figure 1). We overlaid a pulsed laser on a continuous-wave laser, and performed the attack by modifying the phase modulation of the pulses. The Bell test passes if the measured value exceeds 2, and we can experimentally produce values as high as 3.6386±0.0096, even though there is no entanglement.
In summary, we have demonstrated the first example of an attack on device-independent QKD that uses a post-selection step. The results show that the standard Bell test is inadequate for Franson-based systems. With this in mind, our future work will focus on finding new, fundamentally secure systems that use energy-time entanglement to enable usable QKD.
Department of Electrical Engineering
Jonathan Jogenfors is a PhD student in information coding, with particular interests in QKD, information security, cryptology, and Bitcoin. He graduated from from the University of Linköping in 2012.