Quantum hacking of two-way continuous-variable quantum key distribution using Trojan-horse attack

Cite this Article

Ma Hong-Xin, Bao Wan-Su, Li Hong-Wei, Chou Chun. Quantum hacking of two-way continuous-variable quantum key distribution using Trojan-horse attack. Chinese Physics B, 2016, 25(8): 080309 Copy to clipboard

Permissions

Quantum hacking of two-way continuous-variable quantum key distribution using Trojan-horse attack

Ma Hong-Xin^{1, 2}, Bao Wan-Su^{1, 2, †,}, Li Hong-Wei^{1, 2}, Chou Chun^{1, 2}

1PLA Information Engineering University, Zhengzhou 450001, China

2Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China

† Corresponding author. E-mail: 2010thzz@sina.com

Project supported by the National Basic Research Program of China (Grant No. 2013CB338002) and the National Natural Science Foundation of China (Grant Nos. 11304397 and 61505261).

Abstract

We present a Trojan-horse attack on the practical two-way continuous-variable quantum key distribution system. Our attack mainly focuses on the imperfection of the practical system that the modulator has a redundancy of modulation pulse-width, which leaves a loophole for the eavesdropper inserting a Trojan-horse pulse. Utilizing the unique characteristics of two-way continuous-variable quantum key distribution that Alice only takes modulation operation on the received mode without any measurement, this attack allows the eavesdropper to render all of the final keys shared between the legitimate parties insecure without being detected. After analyzing the feasibility of the attack, the corresponding countermeasures are put forward.

PACS: 03.67.Hk;03.67.–a;03.67.Dd

Keyword:quantum hacking;two-way;continuous-variable;quantum key distribution;Trojan-horse

Show Figures

1. Introduction

Quantum key distribution (QKD)^[1] enables two authenticated users, Alice and Bob, to share secure private keys in the presence of eavesdroppers. Quantum physics allows for unconditionally secure communication through insecure communication channels. The QKD protocols are classified into two main classes: discrete-variable (DV)QKD^[2–5] and continuous-variable (CV) QKD,^[6–10] both of whose unconditional security have been proved in theory.^[11–14] The first proposed QKD protocol^[2] is based on discrete variables, such as the polarization of a single photon. In CVQKD, the information is encoded on the continuous variables, such as the position or momentum quadratures of coherent states. In recent years, CVQKD has received close attention in the research area of quantum communication. One of the most outstanding CVQKD protocols is the Gaussian-modulated coherent state protocol,^[9] whose composable security has been fully proven.^[15] This protocol has been experimentally demonstrated both in laboratory^[16,17] and field tests.^[18] In the last few years, the high-speed CVQKD has been experimentally demonstrated,^[19] and the high-bit-rate CVQKD system over 50-km fiber channel has successfully passed the field tests.^[20] Moreover, a recent work shows that the secure transmission of CVQKD can be extended to 150 km.^[21]

In comparison to DVQKD, CVQKD has some advantages. On one hand, the modulation of continuous variables relies on Gaussian modulation of the light field quadratures, which is a mature technology in experiment. On the other hand, CVQKD can achieve higher detection efficiency, which may lead to higher bit rate of the secure key. Furthermore, most of the operation in CVQKD can be implemented efficiently by standard telecommunication networks and technologies that are currently available and in widespread use, which means CVQKD can be integrated into the current telecommunication networks by using well-established optical fiber networks and practical devices.

In spite of the above advantages, the general one-way CVQKD still has serious shortcomings. In the case of direct reconciliation, GG02 protocol has the limitation of 3 dB,^[9] which means there is no secret key when channel attenuation exceeds 3 dB. Although people put forward the post-processing^[22] and reverse reconciliation^[16] method to overcome 3-dB limit, the problem that one-way CVQKD is susceptible to excessive noise has not yet been resolved. No matter if there is direct reconciliation or reverse reconciliation, secret key rate will be affected by excess noise obviously, which severely restricts the security transmission distance. In order to enhance the tolerable excess noise, Stefano Pirandola^[23] first proposed the two-way CVQKD protocol, which overcomes 3-dB limit and tolerates more excess noise than one-way protocols. Furthermore, Alice only needs one modulator in the two-way CVQKD protocol, which makes the hardware requirements on Alice’s side in two-way CVQKD protocol lower than the one in one-way protocol. This characteristic gives the two-way CVQKD protocol a unique advantage in the situation in which Alice can only equip a small number of devices.

Recently, breakthrough progress has been made the in the security analysis of the two-way CVQKD protocol in theory. Carlo Ottavini^[24] proved the security of the two-way CVQKD protocol under coherent attacks in direct reconciliation. However, the practical QKD systems have imperfections that cannot satisfy the assumptions of ideal devices in theoretical security proofs. The imperfect devices in commercial quantum key distribution systems open security loopholes that an eavesdropper may exploit. In the two-way CVQKD protocol, Alice only takes modulation operation on the received mode without any measurement. Moreover, the modulator has a redundancy of modulation pulse-width in the practical system, which leaves loopholes for Eve to take an attack strategy. Based on the above two factors, we propose a Trojan-horse attack strategy on the two-way CVQKD protocol, which allows the eavesdropper to render all of the final keys shared between the legitimate parties insecure without being detected. We discuss the feasibility of this attack and suggest countermeasures to prevent such an attack.

The paper is organized as follows. In Section 2, the general two-way CVQKD protocol is briefly introduced followed by the proposed Trojan-horse attack strategy on the two-way CVQKD protocol in Section 3. In Section 4, the feasibility of the Trojan-horse attack strategy is analyzed in detail and the corresponding countermeasures are put forward. The conclusion is drawn in Section 5.

2. The general two-way CVQKD protocol

In the one-way CVQKD protocol, the quantum states encoding information is always sent by Alice and detected by Bob after passing through the quantum channel, where the signal source is only controlled by Alice. The two-way CVQKD protocol proposed by Stefano Pirandola broke the fixed thinking that the signal source should only be controlled by Alice, where the signal sources are symmetrically distributed on both sides of Alice and Bob. In their protocol, Bob initially sends a mode to Alice and Alice encodes her information by applying a random displacement operator to the received mode and sends it back to Bob, where Bob detects both his original mode and the received mode to decode Alice’s modulations.

The procedure of implementing the general two-way CVQKD protocol with homodyne detection is illustrated in Fig. 1 and can be described as follows.

	Figure Option View Download New Window
	Fig. 1. The entanglement-based (EB) scheme of general two-way CVQKD protocol with homodyne detection.

Step 1 Before the communication, Bob prepares EPR pairs with variance V, then he keeps one mode B₁ and sends the other mode to Alice through the forward quantum channel.

Step 2 Alice applies a random phase-space displacement operator D(α) on her received mode A₁ to encode her information, obtaining the mode A₂. Then she sends the mode A₂ back to Bob through the backward quantum channel. Note that α = (Q_A + iP_A)/2, where Q_A and P_A follow the Gaussian distribution with the variance of V – 1.

Step 3 Bob performs homodyne detections on both his original mode B₁ and received mode B₂ to obtain the variables x_B₁ (or p_B₁) and x_B₂ (or p_B₂), respectively.

Step 4 Alice and Bob implement the reconciliation and privacy amplification to obtain a string of identical keys that Eve does not know. In this step, Bob uses the measurement values of the modes B₁ and B₂ to construct the optimal estimation to Alice’s corresponding variables Q_A (P_A).

3. Trojan-horse attack strategy on the two-way CVQKD system

Our attack mainly focuses on the imperfection in the practical system that the modulator has a redundancy of modulation pulse-width and the unique characteristics of two-way CVQKD systems that Alice only takes modulation operation on the received mode without any measurement. By implanting a Trojan-horse pulse, our proposed attack strategy can partially or fully obtain the information transmitted between the two legal communication sides without being detected. Our attack strategy can be divided into two parts, which is illustrated in the Eve part of Fig. 1.

Attack part 1 Eve intercepts the signal pulse sent by Bob in the forward channel and then implants a Trojan-horse pulse after the original signal pulse. Eve notes the time domain implanting Trojan-horse pulse and sends the processed pulse to Alice.

Attack part 2 After Alice modulates the received pulse, Eve intercepts the modulated pulse sent by Alice in the backward channel, picks up the modulated Trojan-horse pulse according to the time domain noted in part 1 and sends the remaining pulse to Bob. Then Bob takes homodyne detection on the quantum state of the extracted pulse. Combined with the quadrature component of the implanted Trojan-horse pulse in part 1, Bob finally obtains the information encoded by Alice.

Here we need to note that the security of the general two-way CVQKD protocol against coherent attacks can be achieved by switching randomly between one-way (switch OFF, where Alice detects the incoming mode and sends a new state back to Bob) and two-way schemes (switch ON),^[23] as shown in Fig. 1. When Alice switches OFF, the two-way CVQKD protocol turns into a one-way protocol, where we can take the existing Trojan-horse attacks strategy proposed by Khan^[25] to hack the communication system. Our attack strategy mainly focuses on the situation that Alice switches ON, where the protocol performs truly two-way communication.

4. Feasibility analysis and Countermeasures

According to the attack steps and the loophole which is utilized, the feasibility of the Trojan-horse attack strategy is mainly based on the following three factors.

Firstly, in two-way CVQKD systems, Alice only takes modulation operation on the received mode without any measurement. Therefore, the Trojan-horse pulse implanted by Eve can smoothly enter the modulator of Alice’s side without being detected. Secondly, for the convenience of operation in practical experiments, the modulation pulse-width of the modulator is always larger than the pulse-width of each signal pulse. Eve can make full use of the redundancy of modulation pulse-width to make the Trojan-horse pulse receiving the same modulation process as the original signal pulse, which is the linchpin of successfully eavesdropping the key information. Finally, throughout the attack process, Eve does not take any measurement operation on the original quantum signal, which means that Eve’s behavior will not introduce any excess noise under ideal conditions.

According to the above three factors, we can conclude that Eve’s attack cannot be detected by Alice and Bob. Meanwhile, the information hacked by Eve cannot be eliminated by Alice and Bob through the reconciliation and privacy amplification. Thence, the Trojan-horse attack strategy allows the eavesdropper to render all of the final keys shared between the legitimate parties insecure without being detected.

However, in practical operations, the added Trojan-horse pulse and original signal pulse may have crosstalk, which may affect the final secret key rate. In order to judge the attack impact of our Trojan-horse attack strategy, we need to quantitative describe the effect of crosstalk between the Trojan-horse pulse and original signal pulse. For simplicity in security analysis, we replace Alice’s displacement operation with a beam splitter and EPR pairs,^[26] which has been illustrated in Fig. 2. The transmission of the beam splitter is T_A. Here we denote the crosstalk as the excess noise introduced into the backward channel, which can be described in formula as where n_c is the coefficient representing the degree of the crosstalk. For example, n_c = 0 represents that the Trojan-horse pulse and original signal pulse has no crosstalk.

	Figure Option View Download New Window
	Fig. 2. The equivalent scheme to figure 1 with post processing when Alice is switched ON.

The Gaussian attack is optical in the security analysis of two-way CVQKD protocol as the corresponding covariance matrix of the state B₂B₁A₂A₁ is known to Alice and Bob.^[27] In the following security analysis, we note that the Eve mentioned is the one taking Gaussian collective attack instead of the one taking Trojan-horse attack.

In Fig. 1, the final key rate of the two-way CVQKD protocol with homodyne detection in reverse reconciliation is^[28]

where I_BA is the mutual information between Alice and Bob, χ_BE are the Holevo bounds between Bob and Eve, which put an upper limit on the information available to Eve on Bob’s key. β ∈ [0,1] is the reconciliation efficiency. The classical mutual information between Alice and Bob can be written as

where V_A^M = (1/2)(V_A + 1) is Alice’s variance, and V_A^M|B is Alice’s conditional variance on Bob, which can be obtained with Alice’s and Bob’s data. According to Holevo bound, χ_BE can be obtained as^[29]

where S is the von Neumann entropy of the quantum state ρ. m_B represents the measurement of Bob, and it can take the form m_B = x_B for a homodyne detector.

is Eve’s state conditional on Bob’s measurement result, p(m_B) is the probability density of the measurement.

Since the state ρ_{B₂B₁A₂A₁E} is a pure state,

As the entropy can be calculated from its corresponding covariance matrix for the Gaussian state,^[30] the corresponding covariance matrix of state ρ_{B₂B₁A₂A₁} is obtained that

where Π₂ is a 2 × 2 identity matrix, the diagonal elements stand for the variance quadratures of the mode B₂, B₁, A₂, A₁ in turn, and the nondiagonal elements stand for the convariance between these modes. For example,

Then Eve’s von Neumann entropy can be obtained by

where λ_i = f_{λ_i}(α_mn) is the symplectic eigenvalues of the covariance matrix γ_{B₂B₁A₂A₁} characterizing the state ρ_{B₂B₁A₂A₁}, which is the function of element α_mn of γ_{B₂B₁A₂A₁}.^[23] We have

For simplicity to calculate the final key rate, we apply a symplectic transformation γ_k to the modes B₂ and B₁, obtaining the modes B₄ and B₃, which is illustrated in Fig. 2. Then we can get m_B by measuring the quadrature of B₄ (or B₃). The corresponding covariance matrix of the state ρ_{B₄B₃A₂A₁} is

where

γ_k is a continuous-variable C-NOT gate:^[31]

As the symplectic transformation γ_k does not change the von Neumann entropy of the state ρ_{B₂B₁A₂A₁}, Eve’s von Neumann entropy and conditional von Neumann entropy on Bob in Fig. 2 is equivalent to those in Fig. 1. As the state ρ_{B₃A₂A₁E} is a pure state when Bob obtains m_B by measuring the quadrature of B₄, we have

The corresponding covariance matrix of the state S(ρ_B₃A₂A₁) conditioned on m_B is^[32]

where X_x = diag(1,0), C_B₄ is their correlation matrix, MP denotes the inverse on the range γ_B₃A₂A₁ and γ_B₄ are the corresponding reduced matrixes of the states ρ_B₃A₂A₁ and ρ_B₄ in ρ_{B₄B₃A₂A₁}. Similar to Eq. (5), we obtain

where λ′ = f_{λ′_i}(α′_mn) is the symplectic eigenvalue of

which is the function of the element α′_mn of

It can be found that the von Neumann conditional entropy

does not depend on Bob’s measurement m_B. Therefore, the Holevo bound χ_BE is simply equal to

Then the final key rate is obtained

In practice, Alice and Bob calculate α_mn and α′_mn by measuring the variance quadratures of the mode B₂, B₁, A₂, A₁. For simplicity, we assume that the forward and backward channels are independent and linear with the same transmittances T. The noise referred to the input is χ₁ = (1 − T)/T + ε, where ε is the channel excess noises referred to the input. Because we assume the crosstalk between Trojan-horse pulse and original signal pulse as the noise introduced into the backward channel, which is formulated as the noise referred to the input of the backward channel is

We can calculate the elements of Eq. (4),

and

where

T_A is the transmittance of the beam splitter on Alice’s side in Fig. 2.

When n_c = 0, there is no crosstalk between the Trojan-horse pulse and original signal pulse, which means that the operation of Trojan-horse attack does not introduce any excess noise in the communication. Figure 3 shows the “secret key rate” of the two-way CVQKD protocol against Trojan-horse attack as a function of the transmittance. The “secret key rate” is the final key rate shared between the legitimate parties, which is rendered totally insecure by the Trojan-horse attacker. Clearly, the “secret key rate” decreases with the increase of n_c. However, the legitimate parties cannot detect the existence of the Trojan-horse attacker through the variation of the “secret key rate”. The reason is as follows: The observable result introduced by crosstalk between the Trojan-horse pulse and original signal pulse is the enlargement of excess noise. However, the source of the increased excess noise is blind for legitimate parties. They do not know where the increased excess noise comes from, maybe due to the imperfection of the device, or because of a mutation in the surrounding environment. The only requirement to consider during the attack is the “secret key rate” should be positive. Only in this situation can the communication between Alice and Bob be realized successfully, and Eve can effectively obtain the key information through the Trojan-horse attack.

	Figure Option View Download New Window
	Fig. 3. “Secret key rate” of the two-way CVQKD protocol against Trojan-horse attack as a function of the transmittance of the channel for n_c = 0,0.1,0.2,0.4,0.6. The curve is plotted for V = V_A = 16, ε = 0.65, β = 0.9, T_A = 0.7.

From Fig. 3 we can find that the final key becomes negative when n_c ≥ 0.4, which means that the legitimate parties share nothing about the final key at this moment. This makes our attack lose the original impact. In order to carry out the Trojan-horse attack more viably and efficiently, we need to cut down the crosstalk between the Trojan-horse pulse and original signal pulse, bringing 0 ≤ n_c < 0.4. The most effective solution is making the wavelength of the Trojan-horse pulse different from the one of the original signal pulse.

To prevent the Trojan-horse attack, the most efficient way is monitoring and removing the Trojan pulse. In one-way CVQKD system, installing isolators and wavelength filters on Bob’s side have been the most suitable countermeasures against Trojan-horse attack.^[33,34] However in the two-way CVQKD system, the former one cannot be used, which will hinder the normal communication. But the latter one can certainly be useful. Therefore, the technical countermeasure specifically for the two-way CVQKD system is as follows: Bob implants a tag frame into the original signal pulse every time interval t, and a waveform detector is added before the modulator on Alice’s side, which is used to detect the tag frames. When the signal pulse passes through the waveform detector, Alice records the time interval between every two adjacent tag frames. If the time interval is t, the pulse between the two tag frames is reserved into the modulator; otherwise, the pulse is removed. This countermeasure can effectively eliminate the Trojan pulse, but it will also increase the complexity of the devices on Alice’s side, which weakens the superiority of two-way CVQKD system.

5. Conclusion

In conclusion, the Trojan-horse attack on the two-way CVQKD system is proposed by inserting a Trojan-horse pulse into the original signal pulse. If the legitimate users do not take any necessary countermeasures, the final secret key will be totally insecure under this attack, where the attacker can obtain all the information about the final key without being detected. After analyzing the feasibility of the attack, we give the limitation of successfully carrying out the attack. Finally, a technical countermeasure is provided to resist the Trojan-horse attack on the two-way CVQKD system.

Reference

1	Gisin NRibordy GTittel WZbinden H 2002 Rev. Mod. Phys. 74 145
2	Bennett C HBrassard G1984Proceedings of IEEE International Conference on Computers, Systems and Signal ProcessingBangaloreIndia175
3	Ekert A K 1991 Phys. Rev. Lett. 67 661
4	Bennet C H 1992 Phys. Rev. Lett. 68 3121
5	Chen MLiu X 2011 Chin. Phys. 20 100305
6	Ralph T C 1999 Phys. Rev. 61 010303
7	Hillery M 2000 Phys. Rev. 61 022309
8	Zhao JGuo XWang XWang NLi YPeng K 2013 Chin. Phys. Lett. 30 60302
9	Grosshans FGrangier P 2002 Phys. Rev. Lett. 88 057902
10	Wang XBai ZWang SLi YPeng K 2013 Chin. Phys. Lett. 30 010305
11	Lo H KChau H F 1999 Science 283 2050
12	Shor P WPreskill J 2000 Phys. Rev. Lett. 85 441
13	Yang WBao WLi HZhou CLi Y 2014 Chin. Phys. 23 080303
14	Leverrier AGarcia-Patron RRenner RCerf N J 2013 Phys. Rev. Lett. 110 030502
15	Leverrier A 2015 Phys. Rev. Lett. 114 070501
16	Grosshans FAssche G VWenger JBrouri RCerf N JGrangier P 2003 Nature 421 238
17	Jouguet PKunz-Jacques SLeverrier AGrangier PDiamanti E 2013 Nat. Photon. 7 378
18	Fossier SDiamanti EDebuisschert TVilling ATualle-Brouri RGrangier P 2009 New. J. Phys. 11 045023
19	Huang DLin DWang CLiu WFang SPeng JHuang PZeng G 2015 Opt. Express 23 17511
20	Wang CHuang DHuang PLin DPeng JZeng G 2015 Sci. Rep. 5 14607
21	Huang DHuang PLin DZeng G 2016 Sci. Rep. 6 19201
22	Silberhorn CRalph T CLutkenhaus NLeuchs G 2002 Phys. Rev. Lett. 89 167901
23	Pirandola SMancini SLloyd SBraunstein S L 2008 Nat. Phys. 4 726
24	Ottaviani CMancini SPirandola S 2015 Phys. Rev. 92 062323
25	Khan IJain NStiller BJouguet PKunz-Jacques SDiamanti EMarquardt CLeuchs G2014QCrypt2014, Paris, France151–5
26	Sun MPeng XShen YGuo H 2012 Int. J. Quantum Infor. 10 1250059
27	Garcéa-Patron RCerf N J 2006 Phys. Rev. Lett. 97 190503
28	Leverrier AAlleaume RBoutros JZéemor GGrangier P 2008 Phys. Rev. 77 042325
29	Weedbrook CPirandola SGarcéa-Patron RCerf N JRalph T CShapiro J HLloyd S 2012 Rev. Mod. Phys. 84 621
30	Serafini A 2006 Phys. Rev. Lett. 96 110402
31	Yoshikawa J IMiwa YHuck AAndersen U Lvan Loock PFurusawa A 2008 Phys. Rev. Lett. 101 250501
32	Eisert JPlenio M B 2003 Int. J. Quantum Infor. 1 479
33	Jain NAnisimova EKhan IMakarov VMarquardt CLeuchs G 2014 New J. Phys. 16 123030
34	Jain NStiller BKhan IMakarov VMarquardt CLeuchs G 2015 IEEE J. Selec. Top. Quantum Electron. 21 168