handofg0d Posted:
Example: Intercept and resend
The simplest type of possible attack is the intercept-resend attack, where Eve measures the quantum states (photons) sent by Alice and then sends replacement states to Bob, prepared in the state she measures. In the BB84 protocol this will produce errors in the key shared between Alice and Bob. As Eve has no knowledge of the basis a state sent by Alice is encoded in, she can only guess which basis to measure in, in the same way as Bob. If she chooses correctly then she will measure the correct photon polarization state as sent by Alice, and will resend the correct state to Bob. However if she chooses incorrectly then the state she measures will be random, and the state sent to Bob will not be the same as the state sent by Alice. If Bob then measures this state in the same basis Alice sent he will get a random result, as Eve has sent him a state in the opposite basis, instead of the correct result he would get without the presence of Eve. An example of this type of attack is shown in the table below.
Alice’s random bit 0 1 1 0 1 0 0 1
Alice’s random sending basis
Photon polarization Alice sends
Eve’s random measuring basis
Polarization Eve measures and sends
Bob’s random measuring basis
Photon polarization Bob measures
PUBLIC DISCUSSION OF BASIS
Shared secret key 0 0 0 1
Errors in key ✓ ✘ ✓ ✓
The probability Eve chooses the incorrect basis is 50% (bumuming Alice chooses her basis randomly), and if Bob measures this intercepted photon in the basis Alice sent he will get a random result, i.e. an incorrect result with probability of 50%. The probability an intercepted photon generates an error in the key string is then 50% x 50% = 25%. If Alice and Bob publicly compare n of their key bits (thus discarding them as key bits, as they are no longer secret) the probability they find disagreement and identify the presence of Eve is
P_d = 1 – \left(\frac{3}{4}\right)^n
So to detect an eavesdropper with probability Pd = 0.999999999 Alice and Bob need to compare n = 72 key bits.
[edit] Security Proofs
The above is just a simple example of an attack. If Eve is bumumed to have unlimited resources, for example clbumical and quantum computing power, there are many more attacks possible. BB84 has been proven secure against any attacks allowed by quantum mechanics, both for sending information using an ideal photon source which only ever emits a single photon at a time[12], and also using practical photon sources which sometimes emit multiphoton pulses[13]. These proofs are unconditionally secure in the sense that no conditions are imposed on the resources available to the Eavesdropper, however there are other conditions required:
1. Eve cannot access Alice and Bob’s encoding and decoding devices.
2. The random number generators used by Alice and Bob must be trusted and truly random (for example a Quantum random number generator).
3. The clbumical communication channel must be authenticated using an unconditionally secure authentication scheme.
[edit] Man in the middle attack
Quantum cryptography is vulnerable to a man-in-the-middle attack when used without authentication to the same extent as any clbumical protocol, since no known principle of quantum mechanics can distinguish friend from foe. As in the clbumical case, Alice and Bob cannot authenticate each other and establish a secure connection without some means of verifying each other’s identities (such as an initial shared secret). If Alice and Bob have an initial shared secret then they can use an unconditionally secure authentication scheme (such as Carter-Wegman,[14]) along with quantum key distribution to exponentially expand this key, using a small amount of the new key to authenticate the next session[15]. Several methods to create this initial shared secret have been proposed, for example using a 3rd party[16] or chaos theory[17].
[edit] Photon number splitting attack
In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a Poissonian distribution. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack[18], where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors.
Even with the possibility of a PNS attack a secure key can still be generated, as shown in the GLLP security proof[13], however a much higher amount of privacy amplification is needed reducing the secure key rate significantly (with PNS the rate scales as t2 as compared to t for a single photon sources, where t is the transmittance of the quantum channel).
There are several solutions to this problem. The most obvious is to use a true single photon source instead of an attenuated laser. While such sources are still at a developmental stage QKD has been carried out successfully with them[19]. However as current sources operate at a low efficiency and frequency key rates and transmission distances are limited. Another solution is to modify the BB84 protocol, as is done for example in the SARG04 protocol[20], in which the secure key rate scales as t3 / 2. The most promising solution is the decoy state idea[21], in which Alice randomly sends some of her laser pulses with a lower average photon number. These decoy states can be used to detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy. Using this idea the secure key rate scales as t, the same as for a single photon source. This idea has been implemented successfully in several QKD experiments[22], allowing for high key rates secure against all known attacks.
[edit] Hacking attacks
Hacking attacks target imperfections in the implementation of the protocol instead of the protocol directly. If the equipment used in quantum cryptography can be tampered with, it could be made to generate keys that were not secure using a random number generator attack. Another common clbum of attacks is the Trojan horse attack[23] which does not require physical access to the endpoints: rather than attempt to read Alice and Bob’s single photons, Mallory sends a large pulse of light back to Alice in between transmitted photons. Alice’s equipment reflects some of Mallory’s light, revealing the state of Alice’s polarizer. This attack is easy to avoid, for example using an optical isolator to prevent light from entering Alice’s system, and all other hacking attacks can similarly be defeated by modifying the implementation. Apart from Trojan horse there are several other known attacks including faked state attacks [24], phase remapping attacks [25] and time-shift attacks [26]. The time-shift attack has even been successfully demonstrated on a commercial quantum crypto-system [27]. This demonstration is the first successful demonstration of quantum hacking against a non-homemade quantum key distribution system.
[edit] Denial of service
Because currently a dedicated fibre optic line (or line of sight in free space) is required between the two points linked by quantum cryptography, a denial of service attack can be mounted by simply cutting or blocking the line or, perhaps more surreptitiously, by attempting to tap it.
Log in to see images!
