Quantum key distribution (QKD) allows two remote parties to grow a shared secret key. Its security is founded on the principles of quantum mechanics, but in reality it significantly relies on the physical implementation. Technological imperfections of QKD systems have been previously explored, but no attack on an established QKD connection has been realized so far. Here we show the first full-field implementation of a complete attack on a running QKD connection. An installed eavesdropper obtains the entire 'secret' key, while none of the parameters monitored by the legitimate parties indicate a security breach. This confirms that non-idealities in physical implementations of QKD can be fully practically exploitable, and must be given increased scrutiny if quantum cryptography is to become highly secure.
Secret communication provided by cryptography is needed in many activities of the human civilization—military, commerce, government and private affairs. The long history of cryptography is a continual cat-and-mouse game of cryptographic systems being broken and replaced with new, stronger ones1. Quantum cryptography, as one of the latest techniques, promised for the first time a security, which is not based on mathematical conjectures but on the laws of physics2,3. Technologically, quantum cryptography has matured to experiments up to 250 km distance4, and several commercial systems are available. Although security of the quantum key distribution (QKD) protocol is unconditionally proven5,6, deviations of actual hardware from the idealized model still present a challenge. Various attacks have been proposed exploiting imperfections of components in QKD scheme: light modulators7,8, photon sources9,10 and detectors11,12,13,14,15,16,17. However, none of these proposals implemented an attack that eavesdropped the secret key, leaving the question of practicality of technological vulnerabilities unresolved.
We chose one of the proposed attack methods, fully implemented an eavesdropper Eve, and used it to attack an installed QKD line. The QKD system under attack is a well-designed one used previously in several experiments18,19,20, and openly documented21. We treated QKD hardware and software as 'given' and kept all its settings as they had been set for QKD before this study. The hardware and software are assumed fully known to Eve, according to Kerckhoffs' principle22.
In this paper, we demonstrate the full-field implementation of this eavesdropping attack in realistic conditions over a 290-m fibre link between the transmitter Alice and the receiver Bob. From multiple QKD sessions over a few hours, Eve obtains the same 'secret' key as Bob, while the usual parameters monitored in the QKD exchange are not disturbed, leaving Eve undetected.
The faked-state attack
We have chosen a 'faked-state attack' (Fig. 1a)23. Eve uses a replica of the legitimate receiver unit (Bob′) to intercept and measure all quantum states sent by Alice. She further uses a faked-state generator (FSG) to force Bob to output identical bases and bit values, so that Eve and Bob have the same raw key. Eve also records unencrypted communication in the classical channel, and computes the final secret key (identical to Alice's and Bob's) by repeating the same sifting, error correction and privacy amplification procedures3,6 as Bob. Unlike the traditional intercept-resend attack2,3, the faked-state attack does not introduce errors in the key and therefore is not detected by the QKD protocol.
Eve's full control of Bob's detection outcomes is crucial to the success of the faked-state attack. Several technological vulnerabilities allow for the needed degree of control12,15,17,23. We have chosen to exploit blindability and controllability of single-photon detectors under strong illumination15,16. The QKD system under attack uses passively quenched single-photon avalanche photodiodes (APDs; Fig. 2a). Ordinarily, the arrival of a single photon generates an electron-hole pair that leads to an avalanche in the APD. The resulting current spike is detected by a comparator and a pulse-shaper as the arrival of a single photon, a 'click'. Spurious capacitances of the device result in a finite recharging time and cause a detector deadtime of ∼1μs. If the illumination level is increased such that no full recharge occurs between individual photons, the avalanche becomes progressively smaller. Under higher illumination conditions, it falls below the comparator threshold and can not be identified as a click; the detector becomes blind (Fig. 2b). Hence, by injecting high light levels into the channel, it is straightforward for Eve to indefinitely blind Bob's detectors. Under these illumination conditions, the APD no longer behaves as a single-photon detector, but as a classical photodiode generating photocurrent proportional to the optical power. A strong light pulse with peak power above a threshold Pth generates a current spike that mimics the signal of a legitimate photon (Fig. 2c)16.
This QKD implementation has four detectors and uses a four-state protocol with polarization coding and passive basis choice (Fig. 1b). Eve can blind all detectors using a laser diode (LD) emitting continuous-wave circularly polarized light, which splits evenly between Bob's detectors. To selectively make one detector click while keeping the other three blinded, Eve adds a linearly polarized pulse of the same polarization as the target detector, and peak power 2Pth. By using four LDs aligned to vertical, horizontal and ±45° polarizations, Eve has the option to deliberately launch a click in any of Bob's detectors. She then executes the faked-state attack.
Before attack, we inserted Eve into the line and manually aligned her polarizations to match Bob's detector settings. Then we characterized fidelity of her control over Bob. During a 5 min session Eve received 8,736,719 clicks and resent an equal number of faked states to Bob. Of the latter, 99.75% caused clicks in Bob, and more importantly those clicks were always produced in the intended detector (Table 1). As the synchronization protocol involves Bob sending to Alice precise timing of every click registered21, Eve can easily identify and discard the few faked states that did not register at Bob, and that will be discarded in the reconciliation between Alice and Bob. After this, she has an identical record with Bob. Owing to small imperfections in tuning Eve's FSG ('Complete Eve's setup' section in Methods), Bob had a probability of 5×10−7 to register simultaneous clicks in two detectors, corresponding to four events in 323 s. In this QKD implementation, such double clicks were treated as noise and discarded (which is obviously insecure but easily patchable by assigning instead random bit values24). We remark that our control scheme could be extended to reproduce arbitrary clicks in several detectors with a more complex FSG, which is, however, not needed in the present experiment.
QKD performance and key extraction
After Eve's calibration, we ran multiple 5–10 min QKD sessions over a few hours, some with Eve inserted in the fibre line and some without. We recorded performance statistics, all public communication data between Alice and Bob, and the generated keys. During QKD, the legitimate parties monitor key rates to check the line transmission. Figure 3 shows results from two typical sessions, one eavesdropped and one not. As expected, inserting Eve does not alter the rates. Small differences in rate averages of the two sessions are not caused by eavesdropping but rather are normal medium-term alignment fluctuations in this QKD system. The quantum bit error ratio of 5–6% is typical for this experiment18,19,20, and well below the security limit for the Bennett–Brassard–Mermin 1992 (BBM92) protocol used here6.
In the sessions in which Eve was connected, she extracted Bob's sifted key from her clicks and the recorded public communication Alice–Bob. Alice and Bob identify photon pairs by time-tagging each detector click and exchanging these times over the public channel21. This allows them to synchronize their clocks and to keep track of what photons were detected. Bob also announces his detection bases, and Alice answers for which Bob's clicks she detected the other photon of the pair in the same basis (these pairs form the sifted key). As no measurement outcomes are revealed, this information can be entirely public. In the present implementation, this channel is established over a transmission control protocol and internet protocol (TCP/IP) wireless connection, and is passively wiretapped by Eve. She watches the discussion, synchronizes her clock with Bob's clock, then sifts her key keeping only those of her clicks which are also kept by Alice and Bob in the sifted key. We ran Eve's processing script on recorded experimental data and verified that in all eavesdropped QKD sessions, Eve's sifted key was identical to Bob's (the script and data sample are available, 'Raw experimental data and Eve's key extraction software' section in Methods).
If the source analysers and transmission medium were perfect, this sifted key would directly constitute the secret key. Under realistic conditions, the sifted keys of Alice and Bob are not identical (the difference being quantified by the quantum bit error ratio). Further steps of error correction and privacy amplification complete the public exchange Alice–Bob to produce the secret key3,6. As Eve has the same sifted key as Bob, she can apply the same processing as Bob to it, and is guaranteed to produce the same secret key.
The particular weakness exploited in this work can be closed by developing suitable countermeasures25. Single-photon sensitivity of Bob's APDs can be tested at random times by a calibrated light source placed inside Bob. The incoming blinding light may be detected, either by a separate watchdog detector or by monitoring electrical and thermal parameters of the APDs. Eve introduces 212 ns time delay ('Jitter and insertion delay introduced by Eve' section in Methods), however, monitoring may be impractical, and Eve can compensate this delay by shortening the fibre line. Eve's need to calibrate her FSG before the attack cannot be considered a reliable deterrent, because she may calibrate non-obtrusively23. Other countermeasure proposals that break the described attack exist and may be relatively easy to implement. However, a countermeasure that incorporates into the existing security proofs6,5,26,27 and thus closes this loophole definitely, such as the one in ref. 25, has not yet been implemented.
In conclusion, we have demonstrated a complete and undetected eavesdropping attack against an established QKD system. The success of this demonstration proves that a technological imperfection in a QKD system can be fully exploited using off-the-shelf components. As there is a variety of potentially exploitable loopholes in both research and commercial QKD systems7,8,10,11,12,13,14,15,16,17,23, Eve can design a tailored attack on one or the other implementation problem. We have briefly discussed how one particular loophole can be closed. However, a more pointed question is what problems still lurk unnoticed in the gap between the theoretical description and the practical systems28. Just as in classical cryptography, an ongoing search for backdoors is required to build hardened implementations of quantum cryptography for real-world use.
Complete Eve's setup
The task of Eve's FSG is to make the target detector at Bob click, while keeping his other detectors silent. An optical pulse of a peak power Pth at the target detector causes it click with 100% probability. In order for the FSG depicted in Figure 1b to work, a pulse of power Pth/2 should never cause the two conjugate-basis detectors to click. Unfortunately, for the actual Bob's polarization analyser this condition did not hold, because one of its detectors turned out to have significantly higher click thresholds than the other three (Fig. 4). Note that for blinding power >1μW, the click thresholds of all four detectors rose uniformly. We tried to change the circular blinding polarization to elliptical, such that the detector with higher click threshold received much less blinding power than the other three. This achieved almost perfect fidelity of Eve's control over Bob, with diagonal elements >96.2% (in terms of Table 1) and off-diagonal elements <0.005%. The latter meant Eve had slightly less than full information on the sifted key, compromising the security but requiring an additional cryptanalytic task to complete the eavesdropping.
We then improved the control method by including a polarized pre-pulse that dynamically increased blinding power at the orthogonal-basis detectors 100 ns before the main trigger pulse was sent (Fig. 5). These pre-pulses were emitted by four additional laser diodes. With this setup, clicks never occurred in a wrong detector. When we calibrated Eve's control of Bob by sending the same faked state at a fixed rate, the click probability in any target detector was 100%, and double clicks did not occur. However, as we discovered later in the recorded experimental data, a cross-talk between adjacent faked states (which could be as closely spaced as 550 ns during eavesdropping) led to slightly <100% click probability, as Table 1 illustrates. There were also a few double clicks. Nevertheless, Eve managed to recover complete sifted key by proper post-processing, which shows robustness of this control method.
Jitter and insertion delay introduced by Eve
After initially inserting Eve into the line, her four detection and Bob control channels had slightly different insertion delays (varying by ≲1ns). As Alice and Bob used a tight coincidence window to identify photon pairs, we had to equalize Eve's insertion delays by adjusting the time-delay circuits (shown in Fig. 5). As can be seen in Figure 6, the resulting relative coincidence time distributions were indistinguishable from those without eavesdropping. The jitter between photon pairs stayed about the same and was dominated by timing jitter of the single-photon detectors, ≈500ps full-width at half-magnitude for each detector.
As Figure 6 shows, Eve introduced an overall insertion delay of 212 ns. This went without any consequence, because Alice and Bob synchronized their clocks by photon coincidences, which is a common practice in QKD systems of this type. In general, the propagation delay is not authenticated and is not a part of the QKD security. We remark that if Alice and Bob synchronized their clocks in some independent way (which is probably impractical), Eve could cancel her insertion delay by shortening the fibre-optic line and/or bypassing a part of the line by spatially separating her polarization analyser and FSG and establishing a line-of-sight radio-frequency link between them, in which signals travel ∼1.5 times faster than in fibre23. These tricks would not apply to systems using a free-space line-of-sight QKD link18,19,20,29,30,31,32, but so far none of them implemented a clock synchronization method that would fail because of Eve's insertion delay.
Raw experimental data and Eve's key extraction software
There were four eavesdropped QKD sessions over 2 h. For example, the second session lasted 5 min and produced a 393,323-bit sifted key, which was identical between Bob and Eve. The raw data recorded during this session and the script used to extract Eve's sifted key can be found in a single archive file: http://www.vad1.com/eve-extract-sifted-key.zip (74 MiB). The minimum disc space required is 125 MiB, including files generated by running the script.
The main script to do Eve's key extraction, named eve_extract_sifted_key.m, can be found in the directory scripts-matlab, while the other files in this directory are functions called by the main script, and a log file proclog.txt will be generated after running the script. The script is implemented in MATLAB. We have tested it under both Windows and Linux.
The directory data-raw contains the raw experimental data from this session, recorded during the experiment. To obey realistic eavesdropping conditions, Eve only gets access to the classical channel where the transmission is public (and to her own computer), but not to Bob's or Alice's computers. Hence, the script is run only on the timing and basis choice data sent from Bob to Alice (the subdirectory alice-receivefiles), the sifting response returned from Alice (the subdirectory bob-receivefiles), and Eve's own recorded click data (the subdirectory eve-raw-events). Although not used by the extraction script, both sifted and final secret keys recorded in Alice's and Bob's computers are also provided in the archive, to satisfy a curious reader. The final secret key is 218,462 bit long.
After running the script, Eve's sifted key will be extracted and stored in a new directory named data-produced-by-scripts. The script then does a bitwise comparison between Eve's and Bob's sifted keys, and reports the number of discrepancies (which is zero for all eavesdropped QKD sessions). For convenience, both Bob's and Eve's sifted keys are also saved as two sets of ASCII files.
All data are partitioned into files by epoch (defined as a time span of 229ns ≈ 0.537 s), except the final secret key which is stored in blocks of nine epochs. All file formats are openly defined and documented21, and have been used in several QKD experiments previously18,19,20.
How to cite this article: Gerhardt, I. et al. Full-field implementation of a perfect eavesdropper on a quantum cryptography system. Nat. Commun. 2:349 doi: 10.1038/ncomms1348 (2011).
This work was supported by the National Research Foundation and the Ministry of Education, Singapore, and the Research Council of Norway (grant no. 180439/V30). L. Lydersen and V. Scarani are thanked for useful discussions. We thank the OLPC project for providing a notebook for the eavesdropper.
About this article
Scientific Reports (2017)