Quantum hacking of two-way continuous-variable quantum key distribution using Trojan-horse attack
Ma Hong-Xin1, 2, Bao Wan-Su1, 2, †, , Li Hong-Wei1, 2, Chou Chun1, 2
PLA Information Engineering University, Zhengzhou 450001, China
Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China

 

† Corresponding author. E-mail: 2010thzz@sina.com

Project supported by the National Basic Research Program of China (Grant No. 2013CB338002) and the National Natural Science Foundation of China (Grant Nos. 11304397 and 61505261).

Abstract
Abstract

We present a Trojan-horse attack on the practical two-way continuous-variable quantum key distribution system. Our attack mainly focuses on the imperfection of the practical system that the modulator has a redundancy of modulation pulse-width, which leaves a loophole for the eavesdropper inserting a Trojan-horse pulse. Utilizing the unique characteristics of two-way continuous-variable quantum key distribution that Alice only takes modulation operation on the received mode without any measurement, this attack allows the eavesdropper to render all of the final keys shared between the legitimate parties insecure without being detected. After analyzing the feasibility of the attack, the corresponding countermeasures are put forward.

1. Introduction

Quantum key distribution (QKD)[1] enables two authenticated users, Alice and Bob, to share secure private keys in the presence of eavesdroppers. Quantum physics allows for unconditionally secure communication through insecure communication channels. The QKD protocols are classified into two main classes: discrete-variable (DV)QKD[25] and continuous-variable (CV) QKD,[610] both of whose unconditional security have been proved in theory.[1114] The first proposed QKD protocol[2] is based on discrete variables, such as the polarization of a single photon. In CVQKD, the information is encoded on the continuous variables, such as the position or momentum quadratures of coherent states. In recent years, CVQKD has received close attention in the research area of quantum communication. One of the most outstanding CVQKD protocols is the Gaussian-modulated coherent state protocol,[9] whose composable security has been fully proven.[15] This protocol has been experimentally demonstrated both in laboratory[16,17] and field tests.[18] In the last few years, the high-speed CVQKD has been experimentally demonstrated,[19] and the high-bit-rate CVQKD system over 50-km fiber channel has successfully passed the field tests.[20] Moreover, a recent work shows that the secure transmission of CVQKD can be extended to 150 km.[21]

In comparison to DVQKD, CVQKD has some advantages. On one hand, the modulation of continuous variables relies on Gaussian modulation of the light field quadratures, which is a mature technology in experiment. On the other hand, CVQKD can achieve higher detection efficiency, which may lead to higher bit rate of the secure key. Furthermore, most of the operation in CVQKD can be implemented efficiently by standard telecommunication networks and technologies that are currently available and in widespread use, which means CVQKD can be integrated into the current telecommunication networks by using well-established optical fiber networks and practical devices.

In spite of the above advantages, the general one-way CVQKD still has serious shortcomings. In the case of direct reconciliation, GG02 protocol has the limitation of 3 dB,[9] which means there is no secret key when channel attenuation exceeds 3 dB. Although people put forward the post-processing[22] and reverse reconciliation[16] method to overcome 3-dB limit, the problem that one-way CVQKD is susceptible to excessive noise has not yet been resolved. No matter if there is direct reconciliation or reverse reconciliation, secret key rate will be affected by excess noise obviously, which severely restricts the security transmission distance. In order to enhance the tolerable excess noise, Stefano Pirandola[23] first proposed the two-way CVQKD protocol, which overcomes 3-dB limit and tolerates more excess noise than one-way protocols. Furthermore, Alice only needs one modulator in the two-way CVQKD protocol, which makes the hardware requirements on Alice’s side in two-way CVQKD protocol lower than the one in one-way protocol. This characteristic gives the two-way CVQKD protocol a unique advantage in the situation in which Alice can only equip a small number of devices.

Recently, breakthrough progress has been made the in the security analysis of the two-way CVQKD protocol in theory. Carlo Ottavini[24] proved the security of the two-way CVQKD protocol under coherent attacks in direct reconciliation. However, the practical QKD systems have imperfections that cannot satisfy the assumptions of ideal devices in theoretical security proofs. The imperfect devices in commercial quantum key distribution systems open security loopholes that an eavesdropper may exploit. In the two-way CVQKD protocol, Alice only takes modulation operation on the received mode without any measurement. Moreover, the modulator has a redundancy of modulation pulse-width in the practical system, which leaves loopholes for Eve to take an attack strategy. Based on the above two factors, we propose a Trojan-horse attack strategy on the two-way CVQKD protocol, which allows the eavesdropper to render all of the final keys shared between the legitimate parties insecure without being detected. We discuss the feasibility of this attack and suggest countermeasures to prevent such an attack.

The paper is organized as follows. In Section 2, the general two-way CVQKD protocol is briefly introduced followed by the proposed Trojan-horse attack strategy on the two-way CVQKD protocol in Section 3. In Section 4, the feasibility of the Trojan-horse attack strategy is analyzed in detail and the corresponding countermeasures are put forward. The conclusion is drawn in Section 5.

2. The general two-way CVQKD protocol

In the one-way CVQKD protocol, the quantum states encoding information is always sent by Alice and detected by Bob after passing through the quantum channel, where the signal source is only controlled by Alice. The two-way CVQKD protocol proposed by Stefano Pirandola broke the fixed thinking that the signal source should only be controlled by Alice, where the signal sources are symmetrically distributed on both sides of Alice and Bob. In their protocol, Bob initially sends a mode to Alice and Alice encodes her information by applying a random displacement operator to the received mode and sends it back to Bob, where Bob detects both his original mode and the received mode to decode Alice’s modulations.

The procedure of implementing the general two-way CVQKD protocol with homodyne detection is illustrated in Fig. 1 and can be described as follows.

Fig. 1. The entanglement-based (EB) scheme of general two-way CVQKD protocol with homodyne detection.

Step 1 Before the communication, Bob prepares EPR pairs with variance V, then he keeps one mode B1 and sends the other mode to Alice through the forward quantum channel.

Step 2 Alice applies a random phase-space displacement operator D(α) on her received mode A1 to encode her information, obtaining the mode A2. Then she sends the mode A2 back to Bob through the backward quantum channel. Note that α = (QA + iPA)/2, where QA and PA follow the Gaussian distribution with the variance of V – 1.

Step 3 Bob performs homodyne detections on both his original mode B1 and received mode B2 to obtain the variables xB1 (or pB1) and xB2 (or pB2), respectively.

Step 4 Alice and Bob implement the reconciliation and privacy amplification to obtain a string of identical keys that Eve does not know. In this step, Bob uses the measurement values of the modes B1 and B2 to construct the optimal estimation to Alice’s corresponding variables QA (PA).

3. Trojan-horse attack strategy on the two-way CVQKD system

Our attack mainly focuses on the imperfection in the practical system that the modulator has a redundancy of modulation pulse-width and the unique characteristics of two-way CVQKD systems that Alice only takes modulation operation on the received mode without any measurement. By implanting a Trojan-horse pulse, our proposed attack strategy can partially or fully obtain the information transmitted between the two legal communication sides without being detected. Our attack strategy can be divided into two parts, which is illustrated in the Eve part of Fig. 1.

Attack part 1 Eve intercepts the signal pulse sent by Bob in the forward channel and then implants a Trojan-horse pulse after the original signal pulse. Eve notes the time domain implanting Trojan-horse pulse and sends the processed pulse to Alice.

Attack part 2 After Alice modulates the received pulse, Eve intercepts the modulated pulse sent by Alice in the backward channel, picks up the modulated Trojan-horse pulse according to the time domain noted in part 1 and sends the remaining pulse to Bob. Then Bob takes homodyne detection on the quantum state of the extracted pulse. Combined with the quadrature component of the implanted Trojan-horse pulse in part 1, Bob finally obtains the information encoded by Alice.

Here we need to note that the security of the general two-way CVQKD protocol against coherent attacks can be achieved by switching randomly between one-way (switch OFF, where Alice detects the incoming mode and sends a new state back to Bob) and two-way schemes (switch ON),[23] as shown in Fig. 1. When Alice switches OFF, the two-way CVQKD protocol turns into a one-way protocol, where we can take the existing Trojan-horse attacks strategy proposed by Khan[25] to hack the communication system. Our attack strategy mainly focuses on the situation that Alice switches ON, where the protocol performs truly two-way communication.

4. Feasibility analysis and Countermeasures

According to the attack steps and the loophole which is utilized, the feasibility of the Trojan-horse attack strategy is mainly based on the following three factors.

Firstly, in two-way CVQKD systems, Alice only takes modulation operation on the received mode without any measurement. Therefore, the Trojan-horse pulse implanted by Eve can smoothly enter the modulator of Alice’s side without being detected. Secondly, for the convenience of operation in practical experiments, the modulation pulse-width of the modulator is always larger than the pulse-width of each signal pulse. Eve can make full use of the redundancy of modulation pulse-width to make the Trojan-horse pulse receiving the same modulation process as the original signal pulse, which is the linchpin of successfully eavesdropping the key information. Finally, throughout the attack process, Eve does not take any measurement operation on the original quantum signal, which means that Eve’s behavior will not introduce any excess noise under ideal conditions.

According to the above three factors, we can conclude that Eve’s attack cannot be detected by Alice and Bob. Meanwhile, the information hacked by Eve cannot be eliminated by Alice and Bob through the reconciliation and privacy amplification. Thence, the Trojan-horse attack strategy allows the eavesdropper to render all of the final keys shared between the legitimate parties insecure without being detected.

However, in practical operations, the added Trojan-horse pulse and original signal pulse may have crosstalk, which may affect the final secret key rate. In order to judge the attack impact of our Trojan-horse attack strategy, we need to quantitative describe the effect of crosstalk between the Trojan-horse pulse and original signal pulse. For simplicity in security analysis, we replace Alice’s displacement operation with a beam splitter and EPR pairs,[26] which has been illustrated in Fig. 2. The transmission of the beam splitter is TA. Here we denote the crosstalk as the excess noise introduced into the backward channel, which can be described in formula as where nc is the coefficient representing the degree of the crosstalk. For example, nc = 0 represents that the Trojan-horse pulse and original signal pulse has no crosstalk.

Fig. 2. The equivalent scheme to figure 1 with post processing when Alice is switched ON.

The Gaussian attack is optical in the security analysis of two-way CVQKD protocol as the corresponding covariance matrix of the state B2B1A2A1 is known to Alice and Bob.[27] In the following security analysis, we note that the Eve mentioned is the one taking Gaussian collective attack instead of the one taking Trojan-horse attack.

In Fig. 1, the final key rate of the two-way CVQKD protocol with homodyne detection in reverse reconciliation is[28]

where IBA is the mutual information between Alice and Bob, χBE are the Holevo bounds between Bob and Eve, which put an upper limit on the information available to Eve on Bob’s key. β ∈ [0,1] is the reconciliation efficiency. The classical mutual information between Alice and Bob can be written as

where VAM = (1/2)(VA + 1) is Alice’s variance, and VAM|B is Alice’s conditional variance on Bob, which can be obtained with Alice’s and Bob’s data. According to Holevo bound, χBE can be obtained as[29]

where S is the von Neumann entropy of the quantum state ρ. mB represents the measurement of Bob, and it can take the form mB = xB for a homodyne detector. is Eve’s state conditional on Bob’s measurement result, p(mB) is the probability density of the measurement.

Since the state ρB2B1A2A1E is a pure state,

As the entropy can be calculated from its corresponding covariance matrix for the Gaussian state,[30] the corresponding covariance matrix of state ρB2B1A2A1 is obtained that

where Π2 is a 2 × 2 identity matrix, the diagonal elements stand for the variance quadratures of the mode B2, B1, A2, A1 in turn, and the nondiagonal elements stand for the convariance between these modes. For example,

Then Eve’s von Neumann entropy can be obtained by

where λi = fλi(αmn) is the symplectic eigenvalues of the covariance matrix γB2B1A2A1 characterizing the state ρB2B1A2A1, which is the function of element αmn of γB2B1A2A1.[23] We have

For simplicity to calculate the final key rate, we apply a symplectic transformation γk to the modes B2 and B1, obtaining the modes B4 and B3, which is illustrated in Fig. 2. Then we can get mB by measuring the quadrature of B4 (or B3). The corresponding covariance matrix of the state ρB4B3A2A1 is

where γk is a continuous-variable C-NOT gate:[31]

As the symplectic transformation γk does not change the von Neumann entropy of the state ρB2B1A2A1, Eve’s von Neumann entropy and conditional von Neumann entropy on Bob in Fig. 2 is equivalent to those in Fig. 1. As the state ρB3A2A1E is a pure state when Bob obtains mB by measuring the quadrature of B4, we have

The corresponding covariance matrix of the state S(ρB3A2A1) conditioned on mB is[32]

where Xx = diag(1,0), CB4 is their correlation matrix, MP denotes the inverse on the range γB3A2A1 and γB4 are the corresponding reduced matrixes of the states ρB3A2A1 and ρB4 in ρB4B3A2A1. Similar to Eq. (5), we obtain

where λ′ = fλi(αmn) is the symplectic eigenvalue of which is the function of the element αmn of It can be found that the von Neumann conditional entropy does not depend on Bob’s measurement mB. Therefore, the Holevo bound χBE is simply equal to

Then the final key rate is obtained

In practice, Alice and Bob calculate αmn and αmn by measuring the variance quadratures of the mode B2, B1, A2, A1. For simplicity, we assume that the forward and backward channels are independent and linear with the same transmittances T. The noise referred to the input is χ1 = (1 − T)/T + ε, where ε is the channel excess noises referred to the input. Because we assume the crosstalk between Trojan-horse pulse and original signal pulse as the noise introduced into the backward channel, which is formulated as the noise referred to the input of the backward channel is

We can calculate the elements of Eq. (4),

and

where

TA is the transmittance of the beam splitter on Alice’s side in Fig. 2.

When nc = 0, there is no crosstalk between the Trojan-horse pulse and original signal pulse, which means that the operation of Trojan-horse attack does not introduce any excess noise in the communication. Figure 3 shows the “secret key rate” of the two-way CVQKD protocol against Trojan-horse attack as a function of the transmittance. The “secret key rate” is the final key rate shared between the legitimate parties, which is rendered totally insecure by the Trojan-horse attacker. Clearly, the “secret key rate” decreases with the increase of nc. However, the legitimate parties cannot detect the existence of the Trojan-horse attacker through the variation of the “secret key rate”. The reason is as follows: The observable result introduced by crosstalk between the Trojan-horse pulse and original signal pulse is the enlargement of excess noise. However, the source of the increased excess noise is blind for legitimate parties. They do not know where the increased excess noise comes from, maybe due to the imperfection of the device, or because of a mutation in the surrounding environment. The only requirement to consider during the attack is the “secret key rate” should be positive. Only in this situation can the communication between Alice and Bob be realized successfully, and Eve can effectively obtain the key information through the Trojan-horse attack.

Fig. 3. “Secret key rate” of the two-way CVQKD protocol against Trojan-horse attack as a function of the transmittance of the channel for nc = 0,0.1,0.2,0.4,0.6. The curve is plotted for V = VA = 16, ε = 0.65, β = 0.9, TA = 0.7.

From Fig. 3 we can find that the final key becomes negative when nc ≥ 0.4, which means that the legitimate parties share nothing about the final key at this moment. This makes our attack lose the original impact. In order to carry out the Trojan-horse attack more viably and efficiently, we need to cut down the crosstalk between the Trojan-horse pulse and original signal pulse, bringing 0 ≤ nc < 0.4. The most effective solution is making the wavelength of the Trojan-horse pulse different from the one of the original signal pulse.

To prevent the Trojan-horse attack, the most efficient way is monitoring and removing the Trojan pulse. In one-way CVQKD system, installing isolators and wavelength filters on Bob’s side have been the most suitable countermeasures against Trojan-horse attack.[33,34] However in the two-way CVQKD system, the former one cannot be used, which will hinder the normal communication. But the latter one can certainly be useful. Therefore, the technical countermeasure specifically for the two-way CVQKD system is as follows: Bob implants a tag frame into the original signal pulse every time interval t, and a waveform detector is added before the modulator on Alice’s side, which is used to detect the tag frames. When the signal pulse passes through the waveform detector, Alice records the time interval between every two adjacent tag frames. If the time interval is t, the pulse between the two tag frames is reserved into the modulator; otherwise, the pulse is removed. This countermeasure can effectively eliminate the Trojan pulse, but it will also increase the complexity of the devices on Alice’s side, which weakens the superiority of two-way CVQKD system.

5. Conclusion

In conclusion, the Trojan-horse attack on the two-way CVQKD system is proposed by inserting a Trojan-horse pulse into the original signal pulse. If the legitimate users do not take any necessary countermeasures, the final secret key will be totally insecure under this attack, where the attacker can obtain all the information about the final key without being detected. After analyzing the feasibility of the attack, we give the limitation of successfully carrying out the attack. Finally, a technical countermeasure is provided to resist the Trojan-horse attack on the two-way CVQKD system.

Reference
1Gisin NRibordy GTittel WZbinden H 2002 Rev. Mod. Phys. 74 145
2Bennett C HBrassard G1984Proceedings of IEEE International Conference on Computers, Systems and Signal ProcessingBangaloreIndia175
3Ekert A K 1991 Phys. Rev. Lett. 67 661
4Bennet C H 1992 Phys. Rev. Lett. 68 3121
5Chen MLiu X 2011 Chin. Phys. 20 100305
6Ralph T C 1999 Phys. Rev. 61 010303
7Hillery M 2000 Phys. Rev. 61 022309
8Zhao JGuo XWang XWang NLi YPeng K 2013 Chin. Phys. Lett. 30 60302
9Grosshans FGrangier P 2002 Phys. Rev. Lett. 88 057902
10Wang XBai ZWang SLi YPeng K 2013 Chin. Phys. Lett. 30 010305
11Lo H KChau H F 1999 Science 283 2050
12Shor P WPreskill J 2000 Phys. Rev. Lett. 85 441
13Yang WBao WLi HZhou CLi Y 2014 Chin. Phys. 23 080303
14Leverrier AGarcia-Patron RRenner RCerf N J 2013 Phys. Rev. Lett. 110 030502
15Leverrier A 2015 Phys. Rev. Lett. 114 070501
16Grosshans FAssche G VWenger JBrouri RCerf N JGrangier P 2003 Nature 421 238
17Jouguet PKunz-Jacques SLeverrier AGrangier PDiamanti E 2013 Nat. Photon. 7 378
18Fossier SDiamanti EDebuisschert TVilling ATualle-Brouri RGrangier P 2009 New. J. Phys. 11 045023
19Huang DLin DWang CLiu WFang SPeng JHuang PZeng G 2015 Opt. Express 23 17511
20Wang CHuang DHuang PLin DPeng JZeng G 2015 Sci. Rep. 5 14607
21Huang DHuang PLin DZeng G 2016 Sci. Rep. 6 19201
22Silberhorn CRalph T CLutkenhaus NLeuchs G 2002 Phys. Rev. Lett. 89 167901
23Pirandola SMancini SLloyd SBraunstein S L 2008 Nat. Phys. 4 726
24Ottaviani CMancini SPirandola S 2015 Phys. Rev. 92 062323
25Khan IJain NStiller BJouguet PKunz-Jacques SDiamanti EMarquardt CLeuchs G2014QCrypt2014, Paris, France151–5
26Sun MPeng XShen YGuo H 2012 Int. J. Quantum Infor. 10 1250059
27Garcéa-Patron RCerf N J 2006 Phys. Rev. Lett. 97 190503
28Leverrier AAlleaume RBoutros JZéemor GGrangier P 2008 Phys. Rev. 77 042325
29Weedbrook CPirandola SGarcéa-Patron RCerf N JRalph T CShapiro J HLloyd S 2012 Rev. Mod. Phys. 84 621
30Serafini A 2006 Phys. Rev. Lett. 96 110402
31Yoshikawa J IMiwa YHuck AAndersen U Lvan Loock PFurusawa A 2008 Phys. Rev. Lett. 101 250501
32Eisert JPlenio M B 2003 Int. J. Quantum Infor. 1 479
33Jain NAnisimova EKhan IMakarov VMarquardt CLeuchs G 2014 New J. Phys. 16 123030
34Jain NStiller BKhan IMakarov VMarquardt CLeuchs G 2015 IEEE J. Selec. Top. Quantum Electron. 21 168