Final project report for SSI module.

1. `
Universitat Politecnica de Catalunya
SSI Project Report
Quantum Cryptography and
Possible Attacks
Author:
Arinto Murdopo Supervisor:
Ioanna Tsalouchidou Jordi Linares
Maria Stylianou
December 20, 2011

2. Contents
1 Introduction to Quantum Cryptography 1
1.1 Why Quantum Cryptography . . . . . . . . . . . . . . . . . . 1
1.2 Theoretical Background . . . . . . . . . . . . . . . . . . . . . 2
1.2.1 Photon Polarization . . . . . . . . . . . . . . . . . . . 2
1.2.2 Quantum Superposition . . . . . . . . . . . . . . . . . 3
1.2.3 Heisenberg Uncertainty Principle (HUP) . . . . . . . . 4
1.2.4 Quantum Entanglement . . . . . . . . . . . . . . . . . 4
1.3 Historical Background . . . . . . . . . . . . . . . . . . . . . . 4
1.4 Report Structure . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 Quantum Key Distribution - BB84 Protocol 5
2.1 General Description . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 More Detailed Description . . . . . . . . . . . . . . . . . . . . 6
2.2.1 Step 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.2.2 Step 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2.3 Step 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.4 Step 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2.5 Step 5 . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3 Attack on Quantum Key Distribution Systems 11
3.1 Easily Solvable Vulnerabilites . . . . . . . . . . . . . . . . . . 11
3.1.1 Photon Number Attack . . . . . . . . . . . . . . . . . 11
3.1.2 Spectral Attack . . . . . . . . . . . . . . . . . . . . . . 11
3.1.3 Random Numbers . . . . . . . . . . . . . . . . . . . . 12
3.2 Non-solvable Vulnerability: Faked - State Attack . . . . . . . 14
3.2.1 Practical Implementation . . . . . . . . . . . . . . . . 16
3.2.2 Putting Them All Together . . . . . . . . . . . . . . . 23
3.2.3 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . 23
4 Conclusion 24
i

3. List of Figures
1 Behaviour of a photon. Vertical and Horizontal polarization
on the left. -45 and +45 degrees polarization on the right. . . 2
2 Polarizing Beam Splitter . . . . . . . . . . . . . . . . . . . . . 3
3 Results of measurement of polarized photon . . . . . . . . . . 3
4 BB84 Protocol Outline . . . . . . . . . . . . . . . . . . . . . . 6
5 Photon Source in Alice’s BB84 equipment . . . . . . . . . . . 7
6 Bob’s Detector . . . . . . . . . . . . . . . . . . . . . . . . . . 8
7 Summary of Step 1 and Step 2 (Polarization Measurement) . 9
8 Error Detection and Correction in QKD . . . . . . . . . . . . 10
9 Privacy Amplification in QKD . . . . . . . . . . . . . . . . . 11
10 Difference in Spectral Intensity in Spectral Attack . . . . . . 12
11 Entangled Photon Source . . . . . . . . . . . . . . . . . . . . 13
12 BB84 with Photon Pairs . . . . . . . . . . . . . . . . . . . . . 14
13 General Scheme of Faked-State Attack . . . . . . . . . . . . . 15
14 Replica of Bob’s Receiver . . . . . . . . . . . . . . . . . . . . 16
15 SPAD Component . . . . . . . . . . . . . . . . . . . . . . . . 17
16 SPAD Circuit Diagram . . . . . . . . . . . . . . . . . . . . . . 17
17 SPAD Working Mode . . . . . . . . . . . . . . . . . . . . . . 18
18 SPAD Characteristics Under Illumination . . . . . . . . . . . 18
19 SPAD Circuit Diagram with Light Applied on It . . . . . . . 19
20 SPAD Electric Circuit Characteristics Under Bright Illumi-
nation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
21 Replicating Click on Bob’s actual detector . . . . . . . . . . . 20
22 Linear Mode Characteristics of SPAD . . . . . . . . . . . . . 21
23 Fake-State Generator and Pulse Intensity . . . . . . . . . . . 22
24 Putting Them All Together . . . . . . . . . . . . . . . . . . . 23
ii

4. List of Tables
1 Result of Replicating State Result in Bob’s Detector . . . . . 23
iii

5. 1 Introduction to Quantum Cryptography
Quantum Cryptography[1, 2, 3] is described as a set of quantum mechanical
effects used to perform cryptographic functionalities and to break crypto-
graphic systems. The widely known example of quantum cryptography is
the Quantum Key Distribution which is described in detail in this report.
For a start, we should explain how quantum cryptography resulted, under
what circumstances and why.
1.1 Why Quantum Cryptography
Cryptography is the study of information security for the purposes of secure
communication and transmission of data. The objective of cryptography
is to transform readable data into unreadable, transmit it across insecure
networks - like Internet - and re-transform it into readable again when it is
received by the intended recipient.
Two wide-known techniques[4] have been developed and applied so far
for achieving secure communication; the symmetric-key and the asymmetric-
key encryption. In symmetric-key algorithms, a party – let’s say Alice – uses
a secret key to encrypt the message to be sent and the receiving party – let’s
say Bob – uses the same secret key to decrypt the message. The barrier in
such algorithms is to find a secure way to share the secret key between the
two parties, without allowing a third party – for example Eve – to read this
key.
In asymmetric-key algorithms, each party has its own pair of public and
secret key. When Alice wants to send a message to Bob, she encrypts the
message with Bob’s public key and Bob is the only one who can decrypt it
with the use of his secret key. These algorithms base their current ”success”
in hardware limitations on finding the prime factors of very large numbers.
Considering the rapid evolution of technology it is expected to have, sooner
or later, either an algorithm that speeds factorization or a new generation
with quantum computers. This would be a disaster for the security of our
personal data and for the way we, nowadays, use the Internet.
It was an urge to find another way for keeping the communication and
data secure. Quantum Cryptography emerged to help in the symmetric-
key encryption and particularly in the secure key transfer between the two
parties. Quantum cryptography is said to be flawless as it relies on physics
– and more specifically on the laws of quantum mechanics – for detecting
any attempt at eavesdropping from a third party.
It is shown that having a good theoretical model based on physics laws
is not enough. Hardware has a key - role in security as well. In this study,
we focus on a quantum key distribution protocol, called BB84, which is
eventually seemed to be not as flawless as it is firstly stated.
1

6. 1.2 Theoretical Background
As it is stated above, quantum cryptography is used to solve the ”key dis-
tribution problem” appeared in the symmetric encryption. This technique
excels the classic ones, since it does not employ any mathematical techniques
nor it depends on the weakness of current computers to calculate the desired
big numbers. It is simply based on quantum theory to send and receive in-
formation by physical means - for example photons in optical fibres - and to
ensure confidentiality of information.
In physics, a quantum refers to the minimum amount of any physical en-
tity. A photon is a single quantum of light and its properties are exploited
for the sake of quantum cryptography. In this section the most important
principles of quantum mechanics are given in order to understand how se-
curity is combined with laws of physics.
1.2.1 Photon Polarization
Photon polarization[5, 4] is the way to describe a photon. A photon can
be polarized in three different bases of polarization, resulting differently in
each base. The three bases are:
1. Rectilinear base with possible results: horizontal or vertical
2. Diagonal base with possible results: +45 or -45 degrees
3. Circular base with possible results: left-circular or right-circular
And among those three that are mentioned above, only the first two bases
are used in quantum cryptography.
The different behaviours of a photon with the use of rectilinear and
diagonal base are shown in the Figure 1, while in the Figure 2, a Polarizing
Beam Splitter is given. This Polarizing Beam Splitter receives a beam of
light and splits it into two; half of it is transmitted and half of it is reflected.
Since the photon is the minimum amount of light, it cannot be splitted.
Therefore, when it arrives at the splitter, it is either transmitted or reflected.
Figure 1: Behaviour of a photon. Vertical and Horizontal polarization on
the left. -45 and +45 degrees polarization on the right.
2

7. Figure 2: Polarizing Beam Splitter
The following fundamental principles of quantum mechanics apply for
all quantum objects and in our case in terms of photons.
1.2.2 Quantum Superposition
Quantum Superposition is a principle stating that a photon can exist in
all its possible states simultaneously. However, when it comes to measure
the photon, the result corresponds to the configuration given. Considering
the bases listed before, a photon can take whichever result, but when a
particular base is chosen, then the photon can result in one of the two
possible outcomes. The two possible outcomes in each base need to be
orthogonal. This measure determines its orientation in relation to the base
chosen.
In Figure 3, the photon is polarized with 4 different ways (first line)
and then measured with the vertical/horizontal basis (second line) and the
diagonal basis (third line). As we can see, when the photon was prepared
in - let’s say - diagonal basis and then it was measured in the same basis,
then the result was correct (white fields). Otherwise, the result was random
having either the one of the other value (yellow fields).
Figure 3: Results of measurement of polarized photon
3

8. 1.2.3 Heisenberg Uncertainty Principle (HUP)
Heisenberg Uncertainty Principle states that ”observation causes perturba-
tion”. This means that when a photon is observed - or otherwise measured
- it results to an outcome, its state changed. If it is again measured with
a different base, its state will change again and the result from the last
measure will disappear. Thus, it is impossible to determine simultaneously
two polarizations of a photon, like it is impossible to measure the present
position of the photon and at the same time to determine its future motion.
Moreover, from the Heisenberg Uncertainty Principle, the no-cloning
theorem is derived. This theorem forbids the creation of identical copies of
a photon state. This is logical and can be justified easily. If this theorem
wasn’t satisfied, that would mean that more than one copy of a photon
state could exist. If that was possible, then we could measure each copy of
the photon with a different base and, therefore, we could have the different
states of the photon at the same time. That would violate the Heisenberg
Uncertainty Principle and the whole quantum notion would collapse.
As we will see later, this quantum phenomenon is very essential for
detecting possible eavesdropping. This is because measurements on the
photon disturb the state of the photon and leave traces which can be later
translated as eavesdropping.
1.2.4 Quantum Entanglement
Although, this principle seems to be a bit confusing, it is of great importance.
Two photons - let’s say m and n - are said to become entangled when a
property is measured in m, and the opposite state is observed in n. This
“correlation” exists regardless of the distance between the two photons.
1.3 Historical Background
Quantum Cryptography was born in the early 1970’s by Stephen Wiesner,
but was officially proposed in his paper “Conjugate Coding” published in
SIGACT in 1983. Based on his work, Charle’s H. Bennett and Gilles Bras-
sard created the first Quantum Cryptographic protocol, called BB84, in
1984. This protocol was based on the Heisenberg Uncertainty Principle de-
scribed above. Seven years later, the first experimental prototype based on
that protocol was demonstrated. In 1990, Arthur Ekert, following his own
path, developed a different quantum cryptographic method that relies on
the Quantum Entanglement theory. This theory is not in the scope of this
report, and thus it is only given a brief explanation.
4

9. 1.4 Report Structure
This report constitutes of four chapters. In Chapter 1 a definition of Quan-
tum Cryptography is given, its advantages in comparison with classic tech-
niques and how it is used practically for information security. The theoret-
ical physics background is also explained, for better understanding of the
following chapters. In Chapter 2, the most wide known example of Quantum
Cryptography is presented; that is the Quantum Key Distribution via the
BB84 Protocol. Along with the description, its vulnerabilities are listed in
order to move on the Chapter 3 where possible attacks on this protocol are
stated, giving a strong emphasize on the Faked-state attack. At the end, in
Chapter 4, our conclusions and point of view are summarized for Quantum
Cryptography and its importance.
2 Quantum Key Distribution - BB84 Protocol
2.1 General Description
BB84[6] protocol is the first quantum cryptography protocol developed by
Charles Bennett and Gilles Brassard. Its goal is to describe a scheme in
which a sender, e.g. Alice, can send a private key to a legitimate receiver,
e.g. Bob. This protocol describes step by step how Alice can incorporate the
information that she wants to send to Bob into the photon and how Bod can
decode it. Moreover it describes the necessary controls that Alice and Bob
should do in order to be sure that no one intercepts in their communication
and that the information transferred is secure.
The general idea of how this protocol works is described below:
In the one side you have a single photon source, which spits out photons.
After that you choose a random number which eventually will make your
secret key and the basis you want to encode it. The possible ways of encod-
ing it is the horizontal/vertical polarization or the diagonal(+/- 45 degrees
polarization). Each photon is encoded and send to the legitimate receiver.
On the other side you randomly choose the way that you will measure
each arriving photon and then you get a particular result. Since the receiver
doesn’t know the basis that the information was encoded and because ran-
domly chooses between two alternatives, this result that he initially gets is
half correct since the guess of the receiver is correct with possibility 0.5.
After that, the two legitimate parties communicate in a public network
and discuss about the basis they used. In the case that the basis that the
bit was encoded is the same with the basis that the bit was measured, then
both parties have the same value of the bit. If the basis used was different
they have a different result and they discard the bit. When this procedure
finish, both parties have a sequence that is supposed to be identical and that
hopefully will be their secret key.
5

10. The problem that now appears and need to be also checked is that maybe
someone had interfere in the communication of the two parties. If so, he
should have left traces and the legitimate parties can easily understand it.
In order to find out whether someone was in the middle of the communica-
tion, an other control between the parties takes place. In the case that the
control was successful, and indicated that no one was in the middle of the
communication, they keep the key. Otherwise, the blocks of the bits that
were tried to be spayed are being discarded.
At the end of this process the two parties end up with the final secret
key. The outline of the whole communication process can be seen in Figure
4 below:
Figure 4: BB84 Protocol Outline
2.2 More Detailed Description
After having a glance of the functionality of the BB84 protocol, it is time to
have an inside view of the system[4, 7, 8, 9, 10]. The five steps are described
below in bigger detail.
2.2.1 Step 1
In this initial step sender, Alice, decides the key that she wants to send and
the way that she wants to encode it. In her possession a single photon source
exists which will send to the receiver, Bob. She begins the process with two
strings of bits which are randomly chosen, the string a and the string b.
Both of them have the same length which is n. The first string indicates
the original values of the key that needs to be send. Each bit of the first
string will be encoded in a way and transferred to Bob through photons.
The second string indicates the way in which the message will be encoded
and more specifically the polarization basis of the photon.
During this process string a and string b will be encoded as a string of
n qubits as it can be shown above:
6

11. n
|ψ = |ψai bi
i=1
Where ai and bi are the i-th bits of a and b respectively and after being
combined they give us one of the following four states of the qubit:
1. |ψ00 = |0
2. |ψ10 = |1
1 1
3. |ψ01 = |+ = √ |0
2
+ √ |1
2
1 1
4. |ψ11 = |− = √ |0
2
− √ |1
2
These four states described above are not mutually orthogonal so you
cannot know the state of the qubit without first knowing in which basis this
qubit was encoded.
Each bit of the string a is encoded in this way and is send to the other
side, to Bob, as a qubit, over a public quantum channel which could be
either an optical fiber of the free space.
In Figure 5 below, we can see graphically the process that takes place
from Alice’s side. In this case we have replaced the active basis choice with
the passive basis choice using a polarising beam splitter, in order to make
the basis choice really random.
Figure 5: Photon Source in Alice’s BB84 equipment
2.2.2 Step 2
Each qubit that is send by Alice, has to be measured by Bob in order to find
out which is the value of it. As far as Bob doesn’t know the basis in which
Alice has encoded the qubits, he is forced to randomly choose one basis. If
the basis happens to be the same as Alice used to encode the qubit then the
7

12. result that Bob receives will be valid. Otherwise the result that he gets it is
totally random.
The actual device that is used from the Bobs side is shown in Figure
6. As we can see it consists of a beam splitter (BS)1 , two polarizing beam
splitters (PBS), one half-wave plate(HWP) and four detectors.
Figure 6: Bob’s Detector
As shown in Figure 6 above, the photon inserts in the device and heads
to the beam splitter. Normally, when a beam arrives in a beam splitter
50% of it gets reflected and 50% of it gets transmitted. In our case, there is
only one photon, which means that it will either be transmitted or reflected.
That is how Bob randomly chooses the basis in which he will measure the
incoming photon. In the above picture, if the photon is transmitted from the
beam splitter it will be measured in the horizontal/vertical basis. Otherwise,
it will be measured in the diagonal basis. After the photon passes the the
beam splitter and enters the polarizing beam splitter it has to be transmitted
in one of the two detectors each PBS has and make it “click”.
At this point, if we have chosen the correct basis the detector that clicks
will give us the correct value of the qubit. Otherwise, the outcome will be
random. If for example Alice has has tried to encode one bit with value “0“
polarized in the h/v basis this means that she sends to Bob an horizontal
photon in the h/v basis. If Bob chooses the h/v basis the detector for the
horizontal photon will click and the value that this click indicates is value
“0”. In the unfortunate case that Bob tries to measure it in the diagonal
basis then both of the detectors are able to click with possibility 0.5, so the
outcome will be totally random.
When Bob receives and measures all the qubits that Alice has send him,
he has a very initial view of what the key should be. In fact this key is
correct in a percentage of 50% since this was the possibility of choosing the
correct measurement basis.
1
A polarizing beam splitter is a device which splits a beam into two. In our case uses
a half-silvered mirror.[11]
8

13. Figure 7 below summarises Step 1 and Step 2:
Figure 7: Summary of Step 1 and Step 2 (Polarization Measurement)
2.2.3 Step 3
Now that Bob has received the qubits that Alice has send him, he will
communicate with her in order to figure out which qubits were encoded
and measured with the correct basis and which not. If a qubit is has been
encoded and measured in the same basis, and if no one has intercept the
communication or noise has manage to distort the result, the value that
Alice has send to Bob is the same that Bob has received.
In the case that there is difference between the encoding and the mea-
surement basis, the value of Bob is wrong and both sides discard the bit.
The bits that are not discarded consist the current key.In this third step the
remaining has been reduced to, more or less, half the length of the initial
one.
The discussion between Alice and Bob takes over a public channel, which
means that if someone is in the middle, lets say Eve, then he/she is able to
listen.
2.2.4 Step 4
In this final step of the QKD protocol, Alice and Bob do a final control
that will indicate them if someone has intercept the communication trying
to steal information about the exchanged key.
Lets hypothesize that between Alice and Bob there is Eve who tries
to intercept the communication and steal the secret key. In this case, if
Eve captures and measures a photon that leads to Bob, then she leaves her
traces. Now the laws of quantum mechanics are applied and ensure that she
cannot copy the photon or measure it without distorting it. Heisenberg’s’
law of uncertainty, which says that observation causes perturbation, along
with the non-cloning theorem make Eve being revealed.
9

14. In order to control the security of the key transfer, Alice and Bob commu-
nicate again through the public channel. This time they check the parities
of the qubits that have remained in blocks of four. If the parities are correct
then Bob and Alice keep the block of qubits considering that no one has in-
tercept. Otherwise, they throw it because either someone tries to intercept
in the communication or imperfection of the devices, detectors or back-
ground light have caused distortions to the resulting key. If the percentage
of the errors that revealed are above a threshold then the communication is
interrupted since both parts are sure that someone tries to eavesdrop.
In order to detect and correct the errors that may exist, the parities
comparison take place in many different combinations of 4-bits blocks. In
this way that legitimate parts can detect the errors without revealing all the
key. Unfortunately, this process gives some information about the key to
Eve, since in each pair of four-bits block, 1 bit of information is revealed. In
Figure 8 below we can see a brief overview the process:
Figure 8: Error Detection and Correction in QKD
2.2.5 Step 5
The final step is to make sure that you have removed all the information
that the eavesdropper possibly gained through all the above steps of com-
munication and mainly through the parity check step. This process is called
privacy amplification .Then with a hash function it shrinks the key into final
one. This final key is totally secret and Eve has no knowledge of any bit of
it. Figure 9 shows an example of privacy amplification process.
10

15. Figure 9: Privacy Amplification in QKD
3 Attack on Quantum Key Distribution Systems
As explained in chapter 1, practically security of quantum key distribution
system depends not only on the quantum and physics laws, but also from
the actual implementation of hardware and software to build the quantum
cryptography system.
Since quantum and physics laws can not be changed and they do not
have loophole for attacker, existing attacks on quantum-based cryptography
system exploit the weakness and imperfection of hardware and software
inside the quantum cryptography system.
In this section,we present several attacks that have been successfully
carried out on quantum key distributed system.
3.1 Easily Solvable Vulnerabilites
3.1.1 Photon Number Attack
The protocol described above can secure the safe distribution from the one
part to the other under some condition. In order to have it perfectly work
we need to ensure that we have only one photon and that the information
is not encoded in a strong light-pulse. In the case that Alice sends a strong
light-pulse there is an easy way for Eve to steal some of the photons of this
pulse and intrude the communication without being noticed. This type of
attack is often called photon-number splitting attack.
Moreover, when you work on the single photon level, then you enter the
realm of quantum mechanics and then security is bonded by the laws of
quantum mechanics that are unbreakable. [9, 4]
3.1.2 Spectral Attack
The second vulnerability can be introduced in case that the source of photons
is created by four different laser photo diodes, one diode for each polarization
11

16. in the two polarization basis. In this case you don’t need to know the
polarization basis in order to measure the photon and extract the value.
The only thing that you need is the spectral analysis of the photons. The
colours of the spectral analysis of the photons emitted from different source
will be slightly different and thus you can get lots of information about the
secret key.
Figure 10 shows the difference between the four spectral analysis of the
four different photo diodes. [9, 4]
Figure 10: Difference in Spectral Intensity in Spectral Attack
3.1.3 Random Numbers
An other point that introduces vulnerability to the above protocol is the
choice of the random numbers. If the numbers that are chosen are not
totally random then there is again a possibility to have our system attacked.
In order to secure the randomness of the numbers we can again use the
properties of quantum-mechanics which are unconditionally secure. For this
reason we will exploit an other property, the entanglement.
An entangled system is a system that cannot be described by describing
the parts of its components. All of its components can be separated in space
but their full properties can be described only as a whole.
For example, we can suppose that we have an entangled system which
is separated in two parts, part A and part B. Then we cannot describe all
the properties of A separately from the properties of B. In a mathematical
expression this can be written as:
|ψ AB = |ψ A |ψ B
That means that AB system is not the product of A times B.[12]
12

17. This limitation of the entangled systems is the one that we will use in
our and more specifically we will use an entangled photon resource in order
to create the random numbers that we need. The entangled state that is
created is a Maximilian entangled state and the property that it has is that
we can create pairs of photons each of which has a totally undetermined
polarization if it is examined individually. The only thing that you can say
about it is that it is orthogonal to its pair, no matter the basis you look. So
if you look at one of the photons in an h/v basis and it is horizontal then
the other photon will be for sure vertical. The same thing happens in the
diagonal basis and of course in any other orthogonal basis we can think of.
The schematic of the device that emits entangled photon pairs is shown
in Figure 11
Figure 11: Entangled Photon Source
Now this device could be incorporated in our system which changes in
the part of the photons emission. This source of the entangled photon pairs
is the main source that supplies both sides with photons. Each side takes
one photon of the pair of photons and tries to measure it. This means that
Alice gets one of four results and Bob the orthogonal pair of Alice’s photon.
In this case the communication in this protocol can be described schemat-
ically as shown in Figure 12.
13

18. Figure 12: BB84 with Photon Pairs
After the photons are received and measured the process is exactly the
same as the one in the original BB84 protocol. [9, 4]
3.2 Non-solvable Vulnerability: Faked - State Attack
Faked-state attack is a variation of “intercept-resend” attack. In naive and
very simple intercept-resend attack, Alice and Bob are able to detect eaves-
dropper with probability of 0.999999999 after they exchange 72 bits[13].
That means it is very easy and fast to detect potential eavesdropper in the
key-exchange process. Therefore in faked-state attack, Eve as the eavesdrop-
per does not naively forward the photon, but she will have specialized device
to perform the attack. In this case, Eve exploits the characteristics of the
photon detectors that are used in the quantum key distribution system[14].
Figure 13 below shows the general scheme of the faked state attack.
14

19. Figure 13: General Scheme of Faked-State Attack
As shown in Figure 13, Eve’s specialized device consists of Bob’ which
is replica of Bob’s detector and FSG block. FSG in this case stands for
Fake State Generator. The sequence of events when Eve eavesdropping the
communication is following:
1. Alice sends a single photon
2. Using replica of Bob’s detector (Bob’), Eve captures the photon and
measure the captured photon. For example, Eve notice that the cur-
rent photon has value of 1 when vertical-horizontal basis is used
3. Using the measurement result obtained in step 2, Eve replicates the
result using FSG in such a way. Bob will also received result that the
current photon has value of 1 when vertical-horizontal basis
is used. Note that the final result is same as what Eve obtains in step
two
4. Bob thinks that he just received photon from Alice and Bob is not
able to detect Eve. Eve’s doesn’t re-send the photon, but, in general,
FSG tricks Bob’s detector apparatus so that the detector “think” it
received a valid photon from Alice
5. Bob performs post-processing of the obtained bit by discussing with
Alice regarding the basis used in this transmission
6. Eve is able to listen into their discussion because the discussion is
performed in public channel. Here, Eve has same information as Bob,
therefore she is able to reproduce the key that will be used by Alice
and Bob in subsequent communication
15

20. 3.2.1 Practical Implementation
There are several known ways to “trick” Bob’s detector and in this report,
we focus on attack by exploiting loopholes of single photon detector under
strong illumination[14, 15, 16, 17, 18]. This section presents the analysis
of the existing and additional components in Quantum Key Distribution
(QKD) system under attack as well as the detail of how the attack is per-
formed.
1. Replica of Bob’s receiver
In order to successfully perform the attack, Eve should have replica
of Bob’s receiver module. The replica should have same components
as Bob’s receiver module. And it consists beam splitter (BS), two
polarizing beam splitter (PBS) as well as the 4 detectors as shown in
Figure 14.
Figure 14: Replica of Bob’s Receiver
2. Detector in Bob’s receiver as well as in the replica
Detectors that commonly used in QKD system in 2 are using Single-
Photon Avalanche Diode (SPAD). SPAD is a special type of Avalanche
Photo Diode (APD). In general, Photo Diode is a detector which is
able to convert light intensity to current or voltage. Figure 15 shows
the example of actual component of SPAD.
16

21. Figure 15: SPAD Component
Circuit diagram of SPAD[10] is shown in Figure 16 below.
Figure 16: SPAD Circuit Diagram
SPAD in QKD system has two working modes shown in Figure 17.
They are
(a) Geiger Mode
In Geiger Mode, arrival of single photon (indicated by red ar-
rows) generates enough current and voltage above Comparator’s
threshold to trigger detector-”click” because SPAD’s gain is in-
finite.Theoretically, SPAD is in Geiger Mode when its biased-
voltage value above SPAD’s voltage breakdown value specifica-
tion.
(b) Linear Mode, or it can be called APD mode
APD stands for Avalanche Photo Diode mode. In this mode,
arrival of single photon is not able to generate enough voltage
(it always below Comparator’s voltage threshold) because APD’s
gain is not infinite and less than 1000. Given this amount of
gain, arrival of single photon will not trigger detector-”click”.
In this mode, the photo-diode will produce current and voltage
proportional to the intensity of optical source that fired to the
diode.
17

22. Figure 17: SPAD Working Mode
3. Fake State Generator
Fake-stated generator main task is tricking Bob so that Bob thinks that
he receives valid photon from Alice. This attack can be performed
in the basis of SPAD characteristics under bright continuous wave
illumination[16, 10]. Figure 18 shows SPAD characteristics under
bright illumination.
Figure 18: SPAD Characteristics Under Illumination
Recall that light consists of many photon. The number of photons is
proportional with the light intensity/optical power. The higher the
light intensity, more number of photons will be detected and it is
shown as ideal SPAD characteristics in Figure 18 above. (the blue
18

23. line). When we increase the optical power at the SPAD in term of
Watt(W), the number of photons in term of counts per second also
increase.
Interestingly, the practical characteristic is different. If we keep in-
creasing the optical power beyond certain point (by appying bright
illumination into SPAD), SPAD is not sensitive to photon anymore.
SPAD is not in Geiger Mode anymore but it is in Linear mode now.
Revisiting SPAD circuit diagram and its characteristics when bright
illumination is applied to it[10] as shown in Figure 19 and 20.
Figure 19: SPAD Circuit Diagram with Light Applied on It
Figure 20: SPAD Electric Circuit Characteristics Under Bright Illumination
Figure 19 and Figure 20 above show in more detail the SPAD char-
acteristics using its internal circuitry as the parameter. When we
increase the illumination intensity, the SPAD voltage drops, from 220
19

24. V (which is above SPAD Voltage Breakdown value) to around 200
(which is below SPAD Voltage Breakdown value).
Refer to the circuit diagram in Figure 19, under Geiger mode, the
1.2pf Capacitor will “re-balance” the voltage in point 2 after the diode
receives a single photon. The term “re-balance” can be described as
restoring voltage at point 2 to 220 V level so that the SPAD is biased
above Voltage Breakdown value. In Geiger mode, this re-balancing
process will take around 1s.
However, when bright illumination is applied, the number of photon
arriving at the diode is significantly huge and this condition makes the
Capacitor is not able to re-balance the voltage at point 2 to its normal
value of 220 V.
Failing to re-balance causes the SPAD to be biased below Voltage
Breakdown value and it enters the Linear Mode and it will not be
able to generate enough current and voltage at point 3 to make the
detector “click” when a single photon arrives into the SPAD. This
technique to make SPAD lost its photon sensitivity is often called
“blinding technique”.
Blinding technique is not enough to carry on the attack since it only
makes SPAD lost its sensitivity. Eve needs something to force a “click”
in certain detector based on the measurement result in her fake Bob’s
detector. So, for example, let’s say Eve receives a photon from Alice
using vertical-horizontal basis (V/H basis), the photon is polarized in
horizontal axis and detector for horizontal-polarized photon “clicks”.
Then, Eve should be able to replicate the “clicks” in Bob’s original
detector as shown in Figure 21 below
Figure 21: Replicating Click on Bob’s actual detector
20

25. Fortunately for Eve and unfortunately for Alice and Bob, SPAD in
linear mode can be easily forced into creating a “click”. Sending a
pulse of light with certain value of illumination power will force Bob’s
detector to register a click [15]. Figure 22 shows the important value
of points 1, 2, 3, and 4 in SPAD circuit diagram when pulse with
certain intensity is applied to the SPAD in linear mode.[10]
Figure 22: Linear Mode Characteristics of SPAD
As shown in Figure 22, the detector produces “click” when the light
intensity is 2.6 mW. The intensity to force detector to produce “click”
vary based on the detector specification. In our subsequent discussion,
we refer the intensity that forced detector to produce “click” as I0 .
Note that I0 is the light intensity that Eve needs to apply in the detec-
tor under attack. And before reaching the detector, the light traverses
to beam splitter and polarizing beam splitter. Now the remaining puz-
zle for Eve is to find how much intensity of the light that Eve needs
to send to so that detector under attack receives I0 and the other de-
tector doesn’t click. Figure 23 answers Eve’s remaining puzzle and
provides more details on Eve’s fake-state-generator module.
21

26. Figure 23: Fake-State Generator and Pulse Intensity
In order to obtain I0 in the desired detector, Eve needs to send a
light pulse with intensity 2I0 and the light is polarized according to
measurement in Eve’s replica detector. Recall the fact that the light
pulse consists of many photons, half of the photons in the light pulse is
redirected to +45/-45 Polarizing Beam Splitter (PBS) and half of them
is redirected to V/H Polarizing Beam Splitter (PBS). This means the
intensity of the pulse reduced to half of the original intensity. The new
intensity of the light pulse that goes after Beam Splitter is 2I0 = I0
2
Note that in our example, the pulse is polarized in Horizontal value
using V/H basis. When this group of photons reach PBS with +45/-
45 basis, half of them is redirected to detector for +45 polarization
and the other half is redirected to detector for -45 polarization. The
reason for this behaviour is the basis that used to polarized the pulse
is not +45/-45 basis. This implies, +45 and -45 SPAD receives light
pulse with intensity I2 . However, since SPAD is in Linear mode and
0
the intensity I2 is below the threshold intensity to make the SPAD
0
clicks, both SPADs are not “click”.
Meanwhile, when the remaining pulse with intensity I0 arrives at V/H
PBS, all of them will be forwarded to Horizontal polarization SPAD
since the pulse is polarized using V/H basis by using Horizontal po-
larization. This means, the SPAD for Horizontal polarization receives
a light pulse with intensity I0 . And since the intensity satisfies the
“click” intensity threshold, Eve is able to force the required detector
to “click”.
22

27. 3.2.2 Putting Them All Together
Figure 24: Putting Them All Together
Figure 24 shows the overall diagram of fake state attack. Eve should
have enough resource to create Bob’s detector replica and build De-
tector Blinding Module as well as the Light Pulse Generator.
3.2.3 Evaluation
Several experiments were conducted with duration between 5 to 10
minutes[14]. The performance of the attack is pretty impressive. Table
1 shows results in term of percentage of successful recognition of Eve’s
fake state.
Bob@V Bob@-45 Bob@H Bob@+45
Bob@V 99.51% 0 0 0
Bob@-45 0 99.66% 0 0
Bob@H 0 0 99.80% 0
Bob@+45 0 0 0 99.95%
Table 1: Result of Replicating State Result in Bob’s Detector
EveFake@V means Eve receives photon with Vertical polarization us-
ing V/H basis and she generate fake state for Vertical polarization in
V/H basis. Bob@V means Bob’s detector for photon with Vertical
polarization recognize a “click”. Table 1 shows that the percentage
23

28. of successful “clicks”, 99.75% of the fake-state causes “clicks” in Bob’s
detector Moreover, the “clicks” always happen in intended detector.
Interestingly, the raw-key-rate, secret-key-rate and sifted-key-rate be-
tween QKD without eavesdropping and QKD with eavesdropping do
not have significant difference and the differences can be easily ignored
by Alice and bob during transmission.
4 Conclusion
Quantum Cryptography is shown to have a significant role in data and com-
munication security. Several algorithms have been implemented based on
the laws of physics. In this report we presented a significant algorithm, the
protocol BB84, which is said to be perfect, as it satisfies the laws of physics
during the communication and message exchange. Private communication
between two parties is feasible and if a third party tries to eavesdrop, it is
relieved to the other parties about its presence.
Various attacks have been applied in order to ”win” the algorithm, like
the photon number attack, the spectral attack and the attack based on the
choice of the random numbers. Though, these attacks were encountered,
preserving the algorithm at the same efficiency level. However, the perfection
of the protocol exists only theoretically, since the hardware ”disappoints”
the evolved algorithm. Due to hardware weaknesses and limitations, the
BB84 protocol seems to have flaws. In the faked-state attack, a third party
can use a replica of the receiver’s detector in order to produce a result and
make receiver’s detector to produce the same result.
People from this area are positive that soon enough a solution using
quantum cryptography will be found. Recent work [19] has shown the de-
velopment of a multi-purpose optical chip which generates and measures two
very essential phenomena of quantum; entanglement and mixture. This im-
plementation is very significant for the evolution of quantum cryptography.
References
[1] G. Brassard and C. Cr´peau, “A bibliography of quantum cryptogra-
e
phy,” Journal of Modern Optics, 1993.
[2] 24th Chaos Communication Congress, “Quantum Cryptography
and Possible Attacks.” http://events.ccc.de/congress/2007/
Fahrplan/events/2275.en.html, 2007. [Online; accessed 10-
December-2011].
[3] Wikipedia, “Quantum Cryptography.” http://en.wikipedia.org/
wiki/Quantum_cryptography. [Online; accessed 10-December-2011].
24

29. [4] ChRiStIaAn008, “24C3: Quantum Cryptography and Possible At-
tacks.” http://www.youtube.com/watch?v=9eERHINfPYU, 2011. [On-
line; accessed 10-December-2011].
[5] W. Wootters and W. Zurek, “A single quantum cannot be cloned,”
Nature, vol. 299, no. 5886, pp. 802–803, 1982.
[6] Wikipedia, “BB84.” http://en.wikipedia.org/wiki/BB84. [Online;
accessed 10-December-2011].
[7] ChRiStIaAn008, “26C3: How you can build an eavesdropper for
a quantum cryptosystem 1/6.” http://www.youtube.com/watch?v=
rKQUmVlR3C0, 2010. [Online; accessed 10-December-2011].
[8] ChRiStIaAn008, “26C3: How you can build an eavesdropper for
a quantum cryptosystem 2/6.” http://www.youtube.com/watch?v=
VMdf8Xwxvnw, 2010. [Online; accessed 10-December-2011].
[9] I. Gerhardt, A. Ling, A. Lamas-Linares, and C. Kurtsiefer, “Practi-
cal Quantum Cryptography and Possible Attack.” http://www.qolah.
org/papers/24c3_qkd.pdf. [Online; accessed 10-December-2011].
[10] V. Makarov, I. Gerhardt, A. Lamas-Linares, C. Kurtsiefer, S. Sauge,
and A. Anisimov, “How You Can Build An Eavesdropper For A Quan-
tum Cryptosystem.” http://gerhardt.ch/downloads/1469_26C3_
Sebastien_Sauge_Qin_Liu.pptx. [Online; accessed 10-December-
2011].
[11] Wikipedia, “Beam Splitter.” http://en.wikipedia.org/wiki/Beam_
splitter. [Online; accessed 10-December-2011].
[12] Wikipedia, “Quantum Entanglement.” http://en.wikipedia.org/
wiki/Quantum_entanglement. [Online; accessed 10-December-2011].
[13] Wikipedia, “Quantum Key Distribution.” http://en.wikipedia.
org/wiki/Quantum_key_distribution#Example:_Intercept_and_
resend, 2011. [Online; accessed 10-December-2011].
[14] I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and
V. Makarov, “Perfect eavesdropping on a quantum cryptography sys-
tem,” Arxiv preprint arXiv:1011.0105, 2010.
[15] V. Makarov, A. Anisimov, and S. Sauge, “Quantum hacking: adding
a commercial actively-quenched module to the list of single-photon de-
tectors controllable by eve,” Arxiv preprint arXiv:0809.3408, 2009.
[16] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and
V. Makarov, “Hacking commercial quantum cryptography systems by
25

30. tailored bright illumination,” Nature photonics, vol. 4, no. 10, pp. 686–
689, 2010.
[17] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and
V. Makarov, “Thermal blinding of gated detectors in quantum cryp-
tography,” Arxiv preprint arXiv:1009.2663, 2010.
[18] S. Sauge, L. Lydersen, A. Anisimov, J. Skaar, and V. Makarov, “Con-
trolling an actively-quenched single photon detector with bright light,”
Arxiv preprint arXiv:0809.3408, 2008.
[19] U. of Bristol, “Multi-purpose photonic chip paves the way to pro-
grammable quantum processors.” http://www.bristol.ac.uk/news/
2011/8109.html. [Online; accessed 20-December-2011].
[20] 26th Chaos Communication Congress, “How you can build an eaves-
dropper for a quantum crypto.” http://events.ccc.de/congress/
2009/Fahrplan/events/3576.en.html, 2009. [Online; accessed 10-
December-2011].
[21] ChRiStIaAn008, “26C3: How you can build an eavesdropper for
a quantum cryptosystem 3/6.” http://www.youtube.com/watch?v=
T3A5ylGleI4, 2010. [Online; accessed 10-December-2011].
[22] ChRiStIaAn008, “26C3: How you can build an eavesdropper for
a quantum cryptosystem 4/6.” http://www.youtube.com/watch?v=
YuKcGaQXKCE, 2010. [Online; accessed 10-December-2011].
[23] ChRiStIaAn008, “26C3: How you can build an eavesdropper for
a quantum cryptosystem 5/6.” http://www.youtube.com/watch?v=
_LhC2CZ5VXc, 2010. [Online; accessed 10-December-2011].
[24] ChRiStIaAn008, “26C3: How you can build an eavesdropper for
a quantum cryptosystem 6/6.” http://www.youtube.com/watch?v=
CXIFtkrwQso, 2010. [Online; accessed 10-December-2011].
[25] M. Haitjema, “Survey of the Prominent Quantum Key Distribu-
tion Protocols.” http://www.cs.wustl.edu/~jain/cse571-07/ftp/
quantum/index.html#Bruss07, 2007. [Online; accessed 10-December-
2011].
[26] B. Surendranath, “Polarized Wave Applet.” http://surendranath.
tripod.com/Applets/Waves/Polarisation/PW.html. [Online; ac-
cessed 10-December-2011].
[27] I. Marcikic, A. Lamas-Linares, and C. Kurtsiefer, “Free-space quan-
tum key distribution with entangled photons,” Applied physics letters,
vol. 89, p. 101122, 2006.
26

31. [28] Wikipedia, “Polarizer.” http://en.wikipedia.org/wiki/Polarizer.
[Online; accessed 10-December-2011].
[29] T. Rairden, “Eavesdroppers Beware: Single Photon Emission Prepares
Way for Quantum Cryptography.” http://engineering.ucsb.edu/
news/104. [Online; accessed 10-December-2011].
27