Sequential Attack with Intensity Modulation on the Differential-Phase-Shift Quantum Key Distribution Protocol Toyohiro Tsurumaru arXiv:quant-ph/0612204v1 25 Dec 2006 Mitsubishi Electric Corporation, Information Technology R&D Center 5-1-1 Ofuna, Kamakura-shi, Kanagawa, 247-8501, Japan In this paper, we discuss the security of the differential-phase-shift quantum key distribution (DPSQKD) protocol by introducing an improved version of the so-called sequential attack, which was originally discussed by Waks et al.[5]. Our attack differs from the original form of the sequential attack in that the attacker Eve modulates not only the phases but also the amplitude in the superposition of the single-photon states which she sends to the receiver. Concentrating especially on the “discretized gaussian” intensity modulation, we show that our attack is more effective than the individual attack, which had been the best attack up to present. As a result of this, the recent experiment with communication distance of 100km reported by Diamanti et al.[3] turns out to be insecure. Moreover it can be shown that in a practical experimental setup which is commonly used today, the communication distance achievable by the DPSQKD protocol is less than 95km. I. INTRODUCTION The differential-phase-shift quantum key distribution (DPSQKD) protocol[4] is a promising protocol for quantum key distribution (QKD) featuring the tolerance against photon number splitting attacks. However, its security has only been investigated so far against limited types of attacks; The most effective attack up to present had been a particular type of individual attacks investigated by Waks et al. [5], in which Eve acts on photons individually rather than on signals. Several long-distance experiments claiming security along its line have been reported (see, e.g.,[3] and references therein). Another important class of attacks is a variant of intercept-resend attacks called sequential attacks which was also discussed originally by Waks et al.[5] and later improved by Curty et al.[2]. However, they still remain less effective than the individual type for most probable applications. We will here present a further improvement on the sequential attack in which the attacker Eve modulates not only the phases but also the amplitude in the superposition of the single-photon states which she sends to the receiver. In this paper, with a slight abuse of terminology, we call such differentiations in the amplitude an intensity modulation and investigate its consequence. Concentrating especially on the “discretized gaussian” intensity modulation, we show that our attack is more effective than the individual attack, which had been the best attack. As a result of this, the recent experiment with communication distance of 100km reported by Diamanti et al.[3] turns out to be insecure. Moreover it can be shown that in a practical experimental setup which is commonly used today, the communication distance achievable by the DPSQKD protocol is less than 95km. In what follows, we shall consider a conservative definition of security, i.e., we assume that Eve can control some flaws in Alice’s and Bob’s devices (e.g., the detection efficiency and the dark count probability of the detectors), together with the losses in the channel, and she exploits them to obtain maximal information about the shared key. II. DPSQKD PROTOCOL The DPSQKD protocol proceeds as follows[4, 5]. 1. Alice generates a random bit string x = (x0 , . . . , xN ), xi ∈ {0, 1} and sends to Bob the coherent light pulses with phase φi = πxi + φ and intensity α, where φ, α ∈ R, α > 0. That is, Alice generates the following |Ψi and sends to Bob: |Ψi = |αeiφ0 i ⊗ · · · ⊗ |αeiφN i. Intensity α is related to the average photon number n̄ per pulse as n̄ = |α|2 . 2. Using a Mach-Zehnder interferometer (Fig.1), Bob measures the phase difference zi = xi + xi−1 of each adjacent pair of pulses[6]. The outcome of the measurement is recorded as the sifted key b = (b1 , . . . , bl ), ba = xia + xia −1 , where i1 ,. . .,il are the times when photons are detected. 3. Communicating on an authenticated classical channel, Alice and Bob perform key reconciliation and the generalized privacy amplification[1, 5] to calculate the secret key. We denote by T the transmission of the communication channel including the loss in fiber and Bob’s interferometer, and the quantum efficiency of Bob’s detector. We also denote by d the dark count of Bob’s detector. Then the signal and detection rate pclick at Bob’s side is given by pclick = T n̄ + d. (1) Thus in the second step above, the average length l of the sifted key is l = N pclick . 2 3. Eve sends ǫN pulses which she kept intact in the first step, and sends them to Alice. In what follows, we assume that transmission T and pclick/n̄ are small enough (e.g., with the communication distance being sufficiently large) so that ǫ can be neglected. FIG. 1: Basic experimental setup of a DPSQKD system. Here PM denotes a phase modulator, and BS a 50:50 beamsplitter. ∆t represents the time difference between two consecutive pulses. Photon detectors Det0 and Det1 output the phase differece zi = 0 and 1 respectively. III. SEQUENTIAL ATTACK WITH INTENSITY MODULATION In this section, we first define our attack and then calculate several probabilities that are necessary for later analyses, i.e., the error rate which Bob detects as a result of the attack and the success probability of Eve’s attack. The necessary conditions for Eve to carry out the attack are also derived in terms of experimental parameters, such as the average photon number n̄ and the transmission T . A. B. Description of Attack The basic scheme of our sequential attack is the same as the previous versions given in Ref.[5]. The only difference is that the state Ψ which Eve sends is a superposition of single-photon states with different amplitudes (see Fig.2). The precise definition of our attack is as follows: 1. Using unambiguous state discrimination (USD, see Ref.[2]) measurement, Eve measures the phase xi of all but small portion of the pulses that Alice sent and records the outcome. Here the small portion means a pulse sequence of length ǫN with ǫ = (1−r)pclick /n̄. The ratio r ∈ R, 0 < r ≤ 1 is a parameter to be specified later. 2. For rpclick N sequential detection events of length k or larger, Eve does as follows: If the detected phases were, say, xa , . . . , xa+k−1 , she generates state |Φi defined as |Φi := a+k+M X i=a−M (−1)yi Ai a†i |0i, FIG. 2: Graphical image of our sequential attack. (1)Alice emits coherent light pulses with an equal intensity, and Eve detects them. (2)When sequential detection events are found, Eve sends out single-photon state |Φi of Eqn.(2), which is a superposition of single-photon states having the same phases as Alice’s original signal but with different amplitudes. (2) and sends it to Bob. Here parameter M ∈ N is a sufficiently larege number, and yi are set as yi = xi for a ≤ i ≤ a + k − 1, and other yi ∈ {0, 1}’s are randomly chosen values. The creation operator a†i denotes a single photon pulse incident to Bob for time interval i. Probability of Sequential Detection The USD measurement performed in the first step succeeds for each pulse with probability pUSD (n̄) = 1 − exp(−2n̄), where n̄ = |α|2 is the average number of photon per pulse[2]. It can easily be shown that when Eve repeats it for a sufficiently long sequence of pulses, a sequential detection with length k or larger occurs with probability pseq (k, n̄) = (1 − pUSD (n̄)) (pUSD (n̄))k . (3) In other words, as a result of USD measurements on N pulses, Eve finds on average N pseq (k, n̄) events of sequential detections of at least length k. Hence rpclick ≤ pseq (k, n̄) is necessary in order for Eve to carry out her attack. C. Error Rate Due to Φ Every state |Φi sent by Eve in the second step will always yield one detection event in Bob’s detector in either of time i. In other words, Bob’s overall detection probability of |Φi is strictly one. However, the detection can generally occur in a wrong detector causing the bit flip in the sifted key, or it may click in time i where Eve does not know the corresponding phase shift, in which case she fails to steal the sifted key bit. 3 To evaluate these effects we will below obtain, in terms of the amplitude Ai , the formulae for the error rate E(k) caused by each |Φi, and the probaility D(k) that Eve ends up reading the sifted key bit using |Φi. In what follows, we suppose that N is sufficiently large and Ai converges to zero fast enough for i → ±∞, so that parameter M introduced in the second step of our attack can be regarded as infinite . Suppose that Eve has succeeded in determining k subsequent phases xa , . . . , xa+k−1 in the first step and knows the corresponding phase differences za+1 , . . ., za+k−1 . Then in the second step, state |Φi of Eqn.(2) sent to Bob evolves inside his interferometer as |Φi → ∞ 1 X [(−1)yi Ai + (−1)yi−1 Ai−1 ] d†0i |0i 2 i=−∞ + (4) ∞ 1 X [−(−1)yi Ai + (−1)yi−1 Ai−1 ] d†1i |0i, 2 i=−∞ where creation operators d†0i and d†1i denotes the single photons incident to the detectors outputting zi = 0 and 1 respectively. An error in zi occurs when the spectrum d†zi +1,i |0i contained in Eqn.(4) is measured by Bob. Hence Bob detects error with probability E(k) = ∞ 1 X 2 (−1)xi +yi Ai − (−1)xi−1 +yi−1 Ai−1 . 4 i=−∞ By summing this over for Eve’s random choices of yi for i < a and a + k ≤ i, we have a+k−1 1 X |Ai − Ai−1 |2 (5) E(k) = 4 i=a+1 ! ∞ a X X   1 |Ai |2 + |Ai−1 |2 . + + 4 i=−∞ i=a+k On the other hand, Eve ends up knowing Alice and Bob’s raw key bit when Bob detects either one of phase differences za+1 , . . .,za+k−1 , which occurs with probability a+k−1  1 X  D(k) = |Ai |2 + |Ai−1 |2 . 2 i=a+1 (6) Note here that we are justified in including error events in D(k) because the corresponding sifted key bit will always match between Eve and Bob due to key reconciliations to be performed later, as long as the detected error rate is smaller than the threshold QBER. D. Effective Error Rate Hence in order for Eve to carry out the attack it is sufficient that there exist parameters 1 ≤ k and 0 ≤ r ≤ 1 such that rpclick ≤ pseq (k, n̄), rE(k) ≤ eexp , (7) (8) where eexp is the QBER in the absence of Bob. Inequality (7) means that Eve has an enough number of sequential events, and Inequality (8) is to guarantee that the error rate is small enough so that the presence of Eve will not be noticed by Bob. And as a result of the attack, Eve steals rD(k)N pclick bits out of an sifted key of length N pclick bits on average while the error rate measured by Bob is rE(k). Since key reconciliation and the generalized privacy amplification are used in the secret key generation of the DPSQKD [1, 5], the key generation rate R is bounded from above as R ≤ pclick (I(A; B) − I(A; E)) = pclick (1 − H2 (eexp ) − rD(k)) , where I(A; B) and I(A; E) are the mutual informations between Alice and Bob, and between Alice and Eve, respectively. Clearly, I(A; B) equals 1 − H2 (eexp ) with H2 (x) being the binary entropy function H2 (x) := −x log2 x − (1 − x) log2 (1 − x), and I(A; E) is given by rD(k) in our sequential attack. Thus if Eve is not interested in obtaining as many sifted key bits as possible, but rather she is only willing to invalidate the key distribution between Alice and Bob, the best strategy for her is to minimize the error rate rE(k) by suppressing the ratio r. That is, when Inequalities (7) and (8) are satisfied for r = 1 and a certain value of k, the error rate rE(k) measured by Bob can be further reduced by taking r such that 1 − H2 (rE(k)) − rD(k) = 0. (9) In what follows, we will call such minimum value of rE(k) the effective error rate and denote it by Eeff (k). IV. GAUSSIAN INTENSITY MODULATION In the original form of sequential attacks as introduced by Waks et al.[5], the amplitude Ai s were  √ 1/ k for a ≤ i ≤ a + k − 1, Ai = 0 otherwise, for which the error and detection rates were E(k) = 1/2k, and D(k) = (k − 1)/k. (10) In this section we demonstrate how these can be improved by selecting an appropriate wave form for Ai . One can generally seek for the best attack strategy, i.e., the best pattern of Ai with the smallest E(k) possible for each value of k while maintaining the enough 4 ratio D(k) of bits accessible to Eve, as long as ks are sufficiently small. Indeed it is not difficult at all to find out the best Ai , e.g., by doing numerical simulations, but in this paper, as the first trial, we will concentrate on the following (discretized) gaussian pattern:   (i − c)2 . (11) Ai = C exp − 4σ 2 The constant PC appearing on the right hand side normalizes |Φi as n |An |2 = 1, c denotes the time offset, and σ is the standard deviation to be adjusted later. For the present we will set c at the center of Eve’s detected signals, i.e., when Eve has detected phases xa , · · · , xa+k−1 , we set c = a + (k − 1)/2. A. First-Order Approximation of E(k) and D(k) In order to have a rough idea as to how effective the gaussian intensity modulation in Eqn.(11) is, we first investigate it in the continuous limit of k, σ → ∞, where E(k) and D(k) given in Eqn.(5)√and (6) can be explicitly calculated. In this limit C → ( 2πσ)−1/2 and we have ∞ |C|2 X |Ai − Ai−1 |2 4 i=−∞ ! ∞ a X X |C|2 + Ai Ai−1 + 2 i=−∞ i=a+k  ∞  −(i−c)2 (i−c−1/2)2 1 |C|2 X e 2σ2 − e− 2σ2 − 8σ2 = 2 i=−∞ E(k) = 2 − 8σ12 −|C| e ∞ X e− (i−c−1/2)2 2σ2 i=a+k  e−1/8σ 2 1 1 − e−1/8σ + √ ≃ 2 2π   1 k √ ≃ + 1 − erf 16σ 2 2 2σ 2 Z ∞ dx e−x 2 /2 k/2σ with erf(·) being the error function Z x 2 2 √ erf(x) := dt e−t . π 0 Thus by choosing k = 4σ for example, we have E(k) ≃ 1/k 2 + 0.0228, which is far smaller than Eqn.(10). Similarly, the detection rate can be calculated as   Z k/2σ k 1 −x2 /2 √ . dx e = erf D(k) ≃ √ 2π −k/2σ 2 2σ B. Corrections Due to Discretization In reality, we must take into account the corrections due to dicretization. Adjusting values of σ, we numerically calculated for each value of k the smallest of error rate E(k) as shown in Table I. These values agree with the above first-order approximation within 10% for k ≥ 8. k 4 5 6 7 8 9 10 σ 0.871 1.03 1.18 1.34 1.49 1.63 1.78 E(k) 0.105 0.0748 0.0562 0.0438 0.0353 0.0290 0.0243 D(k) 0.881 0.930 0.954 0.968 0.977 0.982 0.987 Eeff (k) 0.0614 0.0495 0.0405 0.0335 0.0282 0.0239 0.0206 TABLE I: The smallest error rate E(k) caused by |Φi with the gaussian intensity modulation given in Eqn.(11). These minimums are obtained by adjusting the standard deviation σ for each value of k. Here k denotes the length of Eve’s sequential detection, D(k) the corresponding detection rate, and Eeff (k) the effective error rate measured by Bob. V. COMPARISONS WITH EXPERIMENTS In this section, we discuss how our attack limits communication distances of the DPSQKD experiments. The main purpose here is to show that in many of practical experimental setups, our attack works more effectively than the individual attack introduce by Waks et al.[5], hence reevaluating the security of several experiments reported up to now. We will first show that the experiment with a communication distance of 100km reported by Diamanti et al.[3] is in fact insecure. Then we will also show that for a set of parameter values which are commonly used in today’s QKD experiments and security analysis, e.g. in Ref.[3, 5], the DPSQKD cannot be secure for distances larger than 95km no matter how one adjusts the average photon number n̄. A. 100km Experiment by Diamanti et al. Diamanti et al.[3] performed a DPSQKD experiment with communication distance of 100km using the following set of parameters: - Average photon number n̄ = 0.2, - Optical fiber of 100km = loss of 20dB, - Bob’s Mach-Zehnder interferometer = loss of 2dB, - Efficiency of Bob’s detector = 4 × 10−3 , - Bob’s dark count probability d = 3.5 × 10−8 , 5 from which Bob’s signal and dark count rate pclick of Eqn.(1) can be calculated as pclick = 5.12 × 10−6 both monotonically increasing in n̄, and it holds that for n̄ = 0.30, pseq (9, n̄ = 0.30) > pclick (T, n̄ = 0.30) and eexp (T, n̄ = 0.30) = 0.0302 > Eeff (9) = 0.239. The effectiveness in other regions can be shown similarly. and the QBER they measured was eexp = 3.4%. With these values, however, Eve can mount our sequential attack with k = 9 and invalidate the secret key distribution. The conditions (7) and (8) for k = 9 are satisfied since pclick < pseq (k = 9, n̄ = 0.2) = 3.08 × 10−5 as can be found from Eqn.(3), and Eeff (9) = 2.39% < eexp from Table I. B. Limitations on the Communication Distance for a Practical Setup Next we compare our result with a more general set of experimental parameters given in Refs.[3] and [5]. The signal and the dark count detection probability pclick is as given in (1), where the transmission T typically takes the form T = ηint ηdet 10−αfiber L/10 . Here αfiber = 0.2dB/km is the fiber attenuation, L the fiber length, ηint = 2dB the loss in Bob’s Mach-Zehnder interferometer[3], and ηdet = 0.1 the quantum efficiency of Bob’s detector[5]. On the other hand, the error rate in the absence of Eve is given by eexp = µpclick + d/2 , pclick (12) where µ is the baseline error rate of the system due to imperfections in the state preparation, channel induced noise, and imperfect detection apparatus [5]. The typical values for µ and the dark count d are µ = 0.01 and d = 10−5 [5]. Now let the communication distance L = 95km, or T = 10−3.1 (loss of 31dB). Then it can be shown that key distribution is shown to be impossible for any value of n̄ as follows; For n̄ ≤ 0.14 and 0.36 ≤ n̄, the gain formula Rind based on individual attack[5] yields negative values: Rind = −pclick [(1 − 2n̄) log2 PC0 + H2 (eexp )] , (1 − 6eexp)2 PC0 ≤ 1 − e2exp − . 2 On the other hand, for n̄ ≤ 0.14 and 0.36 ≤ n̄, Inequalities (7) and (8) are satisfied for values of k given in Table II. For example, Eve can mount the attack for k = 9 when 0.30 ≤ n̄ ≤ 0.36 because in this parameter region, pseq (9, n̄) − pclick and eexp (n̄, T ) are 0 0.14 0.19 0.25 0.30 0.36 n̄ ∼ ∼ ∼ ∼ ∼ ∼ Attack Type individual sequential sequential sequential sequential individual 0.14 0.19 0.25 0.30 0.36 ∞ k – 6 7 8 9 – TABLE II: The list of suitable attack type for a 95km DPSQKD experiment depending on parameter regions of the average photon number n̄. The corresponding length k of a sequential detection event are also shown in the right column. VI. CONCLUSION In this paper, we presented an improved version of sequential attacks with intensity modulation, which works more effectively than the individual attack. Using this attack, we have shown that the recent experiment with communication distance of 100km reported by Diamanti et al.[3] is in fact insecure. We also showed that in a practical experimental setup which is commonly used today, the communication distance achievable by the DPSQKD protocol is less than 95km. There are several straightforward ways to improve our result. First, although we restricted ourselves in this paper to the discretized gaussian distribution of Eqn.(11), numerically optimizing Ai can yield a better form of state |Φi with smaller error rate E(k) while maintaining detection rate D(k), as mentioned at the beginning of Sec.IV. Moreover, by letting |Φi be a superposition of states with different photon numbers, we can increase the detection counts caused by each |Φi to more than one. For instance, instead of the single-photon state |Φi given in Eqn.(2), it is possible that a coherent state ! X † yi (−1) Ai ai + h.c. |0i |Φcoh i = exp i leads to a more effective attack. Here h.c. P stands for hermite conjugate. Note that the norm i |Ai |2 of Ai corresponds to the average photon number contained in this state and need not be normalized. Acknowledgment This work was supported by the project “Research and Development on Quantum Cryptography” of the NICT as part of MPHPT of Japan’s program “R&D on Quantum Communication Technology.” 6 [1] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “Generalized Privacy Amplification,” IEEE Trans. IT41, 1915 (1995). [2] M. Curty, L.-L. Zhang, H.-K. Lo, and N. Lütkenhaus, “Sequential attacks against differential-phase-shift quantum key distribution with weak coherent states,” arxiv.org, quant-ph/0609094, (2006). [3] E. Diamanti, H. Takesue, C. Langlock, M. M. Fejer, and Y. Yamamoto, “100km secure differential phase shift quantum key distribution with low jitter up-conversion detec- tors,” arXiv.org, quant-ph/0608110 (2006). [4] K. Inoue, E. Waks, and Y. Yamamoto, “Differential Phase Shift Quantum Key Distribution,” Phys.Rev.Lett.,89, 037902 (2002). [5] E. Waks, H. Takesue, and Y. Yamamoto, “Security of differential-phase-shift quantum key distribution against individual attacks,” Phys. Rev. A, 73, 012344 (2006). [6] Throughout this paper, summations over xi , zi , bi are always in modulo 2.