In the last quantum cryptography blog post we looked at the popular BB84 protocol and discussed how it is, at least theoretically, a secure protocol.
This time we’ll see how, when put into practice, physical implementations of the protocol can introduce vulnerabilities that we can exploit to undermine the entire key exchange!
When testing these types of systems, vulnerabilities can be broken down into two broad classes:
- Inherent flaws – These occur when an assumption made during the creation of a protocol doesn’t hold to be true, a new mathematical technique for example may break the security of the protocol. An example of a protocol with inherent flaws would be SSLv3.
- Implementation flaws – These occur because physical systems aren’t perfect, nor is our adaptation of theoretical principles to physical mediums. Where these imperfections exist so does the potential for exploitation.
Today we’ll be looking at some implementation flaws, but to begin let’s have a think about the set-up Alice and Bob will need to carry out the steps of the BB84 protocol.
Alice will need a process for encoding her qubits which is likely to take the form of some kind of photon generator. As most commonly qubits are encoded as polarised photons, a laser is a good candidate for her photon generator. Bob on the other hand will need a device to observe and carry out measurements on Alice’s qubits and so would probably employ a photon detector. Eve (our eavesdropper) can attempt to exploit hardware weaknesses in these components to compromise the security afforded by the BB84 protocol.
Compromising The Key Exchange
Practically, single photon sources are difficult to manufacture. As a result, weak coherent pulses are often used, these are pulses that contain a low number of photons on average within a given pulse. Such pulses can be generated by passing short low-power laser pulses through an attenuator. However, this technological limitation gives rise to the possibility of conducting a Photon Number Splitting (PNS) Attack which takes advantage of the fact that with weak coherent pulse generators multiple-photon pulses are sometimes emitted. Eve can take advantage of this and intercept a portion of the multi-photon pulse before sending the remainder to Bob. She can then wait for Alice and Bob to announce their respective transmission and detection bases and measures her captured photons to build her key. Whilst it sounds simple, the PNS attack is quite complex to implement. The probability that a multiple-photon beam is emitted is around 5% and as such Eve has to check whether the emitted pulse contains multiple photons or not, which demands proper hardware and algorithms. In addition to this, decoy states may be used which further increases the difficulty of conducting the attack.
As the BB84 protocol involves Alice sending Bob qubits that have been encoded, Eve can construct a list of all possible states that Alice may use to encode her qubits. She can then intercept Alice’s qubits as they’re transmitted to Bob and measure them to find their value in an indirect copying attack. Once Eve has done this, she can discard the intercepted qubits and generate her own using the information she learned through her measurements. This way she’s able to replicate Alice’s original signal and pass it along to Bob. Then as Bob and Alice build their key, Eve can do the same right alongside them. However, for this attack to work Eve must know all the states Alice can use to encode her qubits, in addition to this she needs to keep her time interval between successive qubits as close as possible to Alice’s original sequence and keep the delay between Alice sending and Bob receiving as small as possible otherwise her presence might be noted.
The final attack we’ll touch upon briefly is the Light Injection Attack. Eve sends light pulses towards the sender’s or receiver’s device, which returns as a reflected pulse. Because of the design of Alice and Bob’s hardware, the reflected pulse will indicate which process, or photon generator, will be used by Alice to generate the next qubit (or which photon detector will be used by Bob to measure the next qubit). Eve can use the information contained within the reflected pulse to potentially learn the basis used for transmission or detection. Now that Eve knows which process will be used, she can perform an intercept-and-replay attack without fear of altering the signal. When she targets Alice, she knows the encoding base and so she can perform her intercept-and-replay attack with a signal that’s identical to the original. When she targets Bob, she measures using the same detection base he would use and so when he’s right she’d also be right and when she’s wrong he’d be wrong too and the qubit would be discarded so either way her tampering is not evident. Ideally, Eve manages to acquire this information before the photon reaches Bob’s side, then Eve can execute a man in the middle attack without being detected.
Securing The Key Exchange
Mitigation efforts for securing the protocol will depend on the physical implementation of BB84, these measures will be either passive, active or potentially both:
- Passive measures – inherent properties of the infrastructure that make them resistant to such attacks.
- Active measures – the introduction of tools designed to mitigate such attacks.
If we take the light injection attack for example, passive measures could involve an attenuator at the output of Alice’s set-up, this would require Eve to use a more powerful laser. If Alice were then to add an optical isolator and band pass filter, the power requirements of Eve’s pulse would become untenable. (Note: If we incorporate an attenuator, we need to change from single photon states to weak coherent pulses. However, as previously mentioned, this is very often how practical implementations are configured and so shouldn’t pose a problem.)
An active measure may involve a detector to warn Alice and Bob should the average and/or peak power of an incoming pulse rise above a specified level, which would indicate the presence of Eve.
Watch this space
Quantum cryptography is a massively dynamic field at the forefront of cryptographic research and development, it’s rapidly evolving and has the potential to fundamentally alter how secure communications are conducted.