Sequential Attack with Intensity Modulation on the Differential-Phase-Shift Quantum
Key Distribution Protocol
Toyohiro Tsurumaru
arXiv:quant-ph/0612204v1 25 Dec 2006
Mitsubishi Electric Corporation,
Information Technology R&D Center
5-1-1 Ofuna, Kamakura-shi,
Kanagawa, 247-8501, Japan
In this paper, we discuss the security of the differential-phase-shift quantum key distribution
(DPSQKD) protocol by introducing an improved version of the so-called sequential attack, which
was originally discussed by Waks et al.[5]. Our attack differs from the original form of the sequential attack in that the attacker Eve modulates not only the phases but also the amplitude in the
superposition of the single-photon states which she sends to the receiver. Concentrating especially
on the “discretized gaussian” intensity modulation, we show that our attack is more effective than
the individual attack, which had been the best attack up to present. As a result of this, the recent
experiment with communication distance of 100km reported by Diamanti et al.[3] turns out to be
insecure. Moreover it can be shown that in a practical experimental setup which is commonly used
today, the communication distance achievable by the DPSQKD protocol is less than 95km.
I.
INTRODUCTION
The differential-phase-shift quantum key distribution
(DPSQKD) protocol[4] is a promising protocol for quantum key distribution (QKD) featuring the tolerance
against photon number splitting attacks. However, its
security has only been investigated so far against limited
types of attacks; The most effective attack up to present
had been a particular type of individual attacks investigated by Waks et al. [5], in which Eve acts on photons
individually rather than on signals. Several long-distance
experiments claiming security along its line have been
reported (see, e.g.,[3] and references therein). Another
important class of attacks is a variant of intercept-resend
attacks called sequential attacks which was also discussed
originally by Waks et al.[5] and later improved by Curty
et al.[2]. However, they still remain less effective than
the individual type for most probable applications.
We will here present a further improvement on the sequential attack in which the attacker Eve modulates not
only the phases but also the amplitude in the superposition of the single-photon states which she sends to the
receiver. In this paper, with a slight abuse of terminology,
we call such differentiations in the amplitude an intensity modulation and investigate its consequence. Concentrating especially on the “discretized gaussian” intensity
modulation, we show that our attack is more effective
than the individual attack, which had been the best attack. As a result of this, the recent experiment with communication distance of 100km reported by Diamanti et
al.[3] turns out to be insecure. Moreover it can be shown
that in a practical experimental setup which is commonly
used today, the communication distance achievable by
the DPSQKD protocol is less than 95km.
In what follows, we shall consider a conservative definition of security, i.e., we assume that Eve can control some
flaws in Alice’s and Bob’s devices (e.g., the detection efficiency and the dark count probability of the detectors),
together with the losses in the channel, and she exploits
them to obtain maximal information about the shared
key.
II.
DPSQKD PROTOCOL
The DPSQKD protocol proceeds as follows[4, 5].
1. Alice generates a random bit string x = (x0 , . . . ,
xN ), xi ∈ {0, 1} and sends to Bob the coherent
light pulses with phase φi = πxi + φ and intensity
α, where φ, α ∈ R, α > 0. That is, Alice generates
the following |Ψi and sends to Bob:
|Ψi = |αeiφ0 i ⊗ · · · ⊗ |αeiφN i.
Intensity α is related to the average photon number
n̄ per pulse as n̄ = |α|2 .
2. Using a Mach-Zehnder interferometer (Fig.1), Bob
measures the phase difference zi = xi + xi−1 of
each adjacent pair of pulses[6]. The outcome of
the measurement is recorded as the sifted key b =
(b1 , . . . , bl ), ba = xia + xia −1 , where i1 ,. . .,il are the
times when photons are detected.
3. Communicating on an authenticated classical channel, Alice and Bob perform key reconciliation and
the generalized privacy amplification[1, 5] to calculate the secret key.
We denote by T the transmission of the communication
channel including the loss in fiber and Bob’s interferometer, and the quantum efficiency of Bob’s detector. We
also denote by d the dark count of Bob’s detector. Then
the signal and detection rate pclick at Bob’s side is given
by
pclick = T n̄ + d.
(1)
Thus in the second step above, the average length l of
the sifted key is l = N pclick .
2
3. Eve sends ǫN pulses which she kept intact in the
first step, and sends them to Alice.
In what follows, we assume that transmission T and
pclick/n̄ are small enough (e.g., with the communication
distance being sufficiently large) so that ǫ can be neglected.
FIG. 1: Basic experimental setup of a DPSQKD system. Here
PM denotes a phase modulator, and BS a 50:50 beamsplitter. ∆t represents the time difference between two consecutive pulses. Photon detectors Det0 and Det1 output the phase
differece zi = 0 and 1 respectively.
III.
SEQUENTIAL ATTACK WITH INTENSITY
MODULATION
In this section, we first define our attack and then calculate several probabilities that are necessary for later
analyses, i.e., the error rate which Bob detects as a result of the attack and the success probability of Eve’s
attack. The necessary conditions for Eve to carry out
the attack are also derived in terms of experimental parameters, such as the average photon number n̄ and the
transmission T .
A.
B.
Description of Attack
The basic scheme of our sequential attack is the same
as the previous versions given in Ref.[5]. The only difference is that the state Ψ which Eve sends is a superposition of single-photon states with different amplitudes (see
Fig.2). The precise definition of our attack is as follows:
1. Using unambiguous state discrimination (USD, see
Ref.[2]) measurement, Eve measures the phase xi of
all but small portion of the pulses that Alice sent
and records the outcome.
Here the small portion means a pulse sequence of
length ǫN with ǫ = (1−r)pclick /n̄. The ratio r ∈ R,
0 < r ≤ 1 is a parameter to be specified later.
2. For rpclick N sequential detection events of length k
or larger, Eve does as follows:
If the detected phases were, say, xa , . . . , xa+k−1 ,
she generates state |Φi defined as
|Φi :=
a+k+M
X
i=a−M
(−1)yi Ai a†i |0i,
FIG. 2: Graphical image of our sequential attack. (1)Alice
emits coherent light pulses with an equal intensity, and Eve
detects them. (2)When sequential detection events are found,
Eve sends out single-photon state |Φi of Eqn.(2), which is a
superposition of single-photon states having the same phases
as Alice’s original signal but with different amplitudes.
(2)
and sends it to Bob. Here parameter M ∈ N is a
sufficiently larege number, and yi are set as yi = xi
for a ≤ i ≤ a + k − 1, and other yi ∈ {0, 1}’s are
randomly chosen values. The creation operator a†i
denotes a single photon pulse incident to Bob for
time interval i.
Probability of Sequential Detection
The USD measurement performed in the first step succeeds for each pulse with probability
pUSD (n̄) = 1 − exp(−2n̄),
where n̄ = |α|2 is the average number of photon per
pulse[2]. It can easily be shown that when Eve repeats
it for a sufficiently long sequence of pulses, a sequential
detection with length k or larger occurs with probability
pseq (k, n̄) = (1 − pUSD (n̄)) (pUSD (n̄))k .
(3)
In other words, as a result of USD measurements on N
pulses, Eve finds on average N pseq (k, n̄) events of sequential detections of at least length k. Hence rpclick ≤
pseq (k, n̄) is necessary in order for Eve to carry out her
attack.
C.
Error Rate Due to Φ
Every state |Φi sent by Eve in the second step will
always yield one detection event in Bob’s detector in either of time i. In other words, Bob’s overall detection
probability of |Φi is strictly one. However, the detection
can generally occur in a wrong detector causing the bit
flip in the sifted key, or it may click in time i where Eve
does not know the corresponding phase shift, in which
case she fails to steal the sifted key bit.
3
To evaluate these effects we will below obtain, in terms
of the amplitude Ai , the formulae for the error rate E(k)
caused by each |Φi, and the probaility D(k) that Eve
ends up reading the sifted key bit using |Φi. In what
follows, we suppose that N is sufficiently large and Ai
converges to zero fast enough for i → ±∞, so that parameter M introduced in the second step of our attack
can be regarded as infinite .
Suppose that Eve has succeeded in determining k subsequent phases xa , . . . , xa+k−1 in the first step and knows
the corresponding phase differences za+1 , . . ., za+k−1 .
Then in the second step, state |Φi of Eqn.(2) sent to
Bob evolves inside his interferometer as
|Φi →
∞
1 X
[(−1)yi Ai + (−1)yi−1 Ai−1 ] d†0i |0i
2 i=−∞
+
(4)
∞
1 X
[−(−1)yi Ai + (−1)yi−1 Ai−1 ] d†1i |0i,
2 i=−∞
where creation operators d†0i and d†1i denotes the single
photons incident to the detectors outputting zi = 0 and
1 respectively.
An error in zi occurs when the spectrum d†zi +1,i |0i contained in Eqn.(4) is measured by Bob. Hence Bob detects
error with probability
E(k) =
∞
1 X
2
(−1)xi +yi Ai − (−1)xi−1 +yi−1 Ai−1 .
4 i=−∞
By summing this over for Eve’s random choices of yi for
i < a and a + k ≤ i, we have
a+k−1
1 X
|Ai − Ai−1 |2
(5)
E(k) =
4 i=a+1
!
∞
a
X
X
1
|Ai |2 + |Ai−1 |2 .
+
+
4 i=−∞
i=a+k
On the other hand, Eve ends up knowing Alice and
Bob’s raw key bit when Bob detects either one of phase
differences za+1 , . . .,za+k−1 , which occurs with probability
a+k−1
1 X
D(k) =
|Ai |2 + |Ai−1 |2 .
2 i=a+1
(6)
Note here that we are justified in including error events in
D(k) because the corresponding sifted key bit will always
match between Eve and Bob due to key reconciliations
to be performed later, as long as the detected error rate
is smaller than the threshold QBER.
D.
Effective Error Rate
Hence in order for Eve to carry out the attack it is
sufficient that there exist parameters 1 ≤ k and 0 ≤ r ≤ 1
such that
rpclick ≤ pseq (k, n̄),
rE(k) ≤ eexp ,
(7)
(8)
where eexp is the QBER in the absence of Bob. Inequality
(7) means that Eve has an enough number of sequential
events, and Inequality (8) is to guarantee that the error
rate is small enough so that the presence of Eve will not
be noticed by Bob. And as a result of the attack, Eve
steals rD(k)N pclick bits out of an sifted key of length
N pclick bits on average while the error rate measured by
Bob is rE(k).
Since key reconciliation and the generalized privacy
amplification are used in the secret key generation of the
DPSQKD [1, 5], the key generation rate R is bounded
from above as
R ≤ pclick (I(A; B) − I(A; E))
= pclick (1 − H2 (eexp ) − rD(k)) ,
where I(A; B) and I(A; E) are the mutual informations between Alice and Bob, and between Alice and
Eve, respectively. Clearly, I(A; B) equals 1 − H2 (eexp )
with H2 (x) being the binary entropy function H2 (x) :=
−x log2 x − (1 − x) log2 (1 − x), and I(A; E) is given by
rD(k) in our sequential attack.
Thus if Eve is not interested in obtaining as many
sifted key bits as possible, but rather she is only willing to invalidate the key distribution between Alice and
Bob, the best strategy for her is to minimize the error
rate rE(k) by suppressing the ratio r. That is, when Inequalities (7) and (8) are satisfied for r = 1 and a certain
value of k, the error rate rE(k) measured by Bob can be
further reduced by taking r such that
1 − H2 (rE(k)) − rD(k) = 0.
(9)
In what follows, we will call such minimum value of rE(k)
the effective error rate and denote it by Eeff (k).
IV.
GAUSSIAN INTENSITY MODULATION
In the original form of sequential attacks as introduced
by Waks et al.[5], the amplitude Ai s were
√
1/ k for a ≤ i ≤ a + k − 1,
Ai =
0
otherwise,
for which the error and detection rates were
E(k) = 1/2k, and D(k) = (k − 1)/k.
(10)
In this section we demonstrate how these can be improved by selecting an appropriate wave form for Ai .
One can generally seek for the best attack strategy,
i.e., the best pattern of Ai with the smallest E(k) possible for each value of k while maintaining the enough
4
ratio D(k) of bits accessible to Eve, as long as ks are sufficiently small. Indeed it is not difficult at all to find out
the best Ai , e.g., by doing numerical simulations, but in
this paper, as the first trial, we will concentrate on the
following (discretized) gaussian pattern:
(i − c)2
.
(11)
Ai = C exp −
4σ 2
The constant
PC appearing on the right hand side normalizes |Φi as n |An |2 = 1, c denotes the time offset, and
σ is the standard deviation to be adjusted later. For the
present we will set c at the center of Eve’s detected signals, i.e., when Eve has detected phases xa , · · · , xa+k−1 ,
we set c = a + (k − 1)/2.
A.
First-Order Approximation of E(k) and D(k)
In order to have a rough idea as to how effective the
gaussian intensity modulation in Eqn.(11) is, we first investigate it in the continuous limit of k, σ → ∞, where
E(k) and D(k) given in Eqn.(5)√and (6) can be explicitly
calculated. In this limit C → ( 2πσ)−1/2 and we have
∞
|C|2 X
|Ai − Ai−1 |2
4 i=−∞
!
∞
a
X
X
|C|2
+
Ai Ai−1
+
2
i=−∞
i=a+k
∞
−(i−c)2
(i−c−1/2)2
1
|C|2 X
e 2σ2 − e− 2σ2 − 8σ2
=
2 i=−∞
E(k) =
2 − 8σ12
−|C| e
∞
X
e−
(i−c−1/2)2
2σ2
i=a+k
e−1/8σ
2
1
1 − e−1/8σ + √
≃
2
2π
1
k
√
≃
+
1
−
erf
16σ 2
2 2σ
2
Z
∞
dx e−x
2
/2
k/2σ
with erf(·) being the error function
Z x
2
2
√
erf(x) :=
dt e−t .
π 0
Thus by choosing k = 4σ for example, we have E(k) ≃
1/k 2 + 0.0228, which is far smaller than Eqn.(10). Similarly, the detection rate can be calculated as
Z k/2σ
k
1
−x2 /2
√
.
dx e
= erf
D(k) ≃ √
2π −k/2σ
2 2σ
B.
Corrections Due to Discretization
In reality, we must take into account the corrections
due to dicretization. Adjusting values of σ, we numerically calculated for each value of k the smallest of error
rate E(k) as shown in Table I. These values agree with
the above first-order approximation within 10% for k ≥ 8.
k
4
5
6
7
8
9
10
σ
0.871
1.03
1.18
1.34
1.49
1.63
1.78
E(k)
0.105
0.0748
0.0562
0.0438
0.0353
0.0290
0.0243
D(k)
0.881
0.930
0.954
0.968
0.977
0.982
0.987
Eeff (k)
0.0614
0.0495
0.0405
0.0335
0.0282
0.0239
0.0206
TABLE I: The smallest error rate E(k) caused by |Φi with
the gaussian intensity modulation given in Eqn.(11). These
minimums are obtained by adjusting the standard deviation
σ for each value of k. Here k denotes the length of Eve’s
sequential detection, D(k) the corresponding detection rate,
and Eeff (k) the effective error rate measured by Bob.
V.
COMPARISONS WITH EXPERIMENTS
In this section, we discuss how our attack limits communication distances of the DPSQKD experiments. The
main purpose here is to show that in many of practical experimental setups, our attack works more effectively than
the individual attack introduce by Waks et al.[5], hence
reevaluating the security of several experiments reported
up to now.
We will first show that the experiment with a communication distance of 100km reported by Diamanti et
al.[3] is in fact insecure. Then we will also show that for
a set of parameter values which are commonly used in
today’s QKD experiments and security analysis, e.g. in
Ref.[3, 5], the DPSQKD cannot be secure for distances
larger than 95km no matter how one adjusts the average
photon number n̄.
A.
100km Experiment by Diamanti et al.
Diamanti et al.[3] performed a DPSQKD experiment
with communication distance of 100km using the following set of parameters:
- Average photon number n̄ = 0.2,
- Optical fiber of 100km = loss of 20dB,
- Bob’s Mach-Zehnder interferometer = loss of 2dB,
- Efficiency of Bob’s detector = 4 × 10−3 ,
- Bob’s dark count probability d = 3.5 × 10−8 ,
5
from which Bob’s signal and dark count rate pclick of
Eqn.(1) can be calculated as
pclick = 5.12 × 10−6
both monotonically increasing in n̄, and it holds that for
n̄ = 0.30, pseq (9, n̄ = 0.30) > pclick (T, n̄ = 0.30) and
eexp (T, n̄ = 0.30) = 0.0302 > Eeff (9) = 0.239. The effectiveness in other regions can be shown similarly.
and the QBER they measured was
eexp = 3.4%.
With these values, however, Eve can mount our sequential attack with k = 9 and invalidate the secret key distribution. The conditions (7) and (8) for k = 9 are satisfied
since pclick < pseq (k = 9, n̄ = 0.2) = 3.08 × 10−5 as can
be found from Eqn.(3), and Eeff (9) = 2.39% < eexp from
Table I.
B.
Limitations on the Communication Distance for
a Practical Setup
Next we compare our result with a more general set of
experimental parameters given in Refs.[3] and [5].
The signal and the dark count detection probability
pclick is as given in (1), where the transmission T typically
takes the form
T = ηint ηdet 10−αfiber L/10 .
Here αfiber = 0.2dB/km is the fiber attenuation, L the
fiber length, ηint = 2dB the loss in Bob’s Mach-Zehnder
interferometer[3], and ηdet = 0.1 the quantum efficiency
of Bob’s detector[5].
On the other hand, the error rate in the absence of Eve
is given by
eexp =
µpclick + d/2
,
pclick
(12)
where µ is the baseline error rate of the system due to
imperfections in the state preparation, channel induced
noise, and imperfect detection apparatus [5]. The typical
values for µ and the dark count d are µ = 0.01 and d =
10−5 [5].
Now let the communication distance L = 95km, or
T = 10−3.1 (loss of 31dB). Then it can be shown that key
distribution is shown to be impossible for any value of n̄
as follows; For n̄ ≤ 0.14 and 0.36 ≤ n̄, the gain formula
Rind based on individual attack[5] yields negative values:
Rind = −pclick [(1 − 2n̄) log2 PC0 + H2 (eexp )] ,
(1 − 6eexp)2
PC0 ≤ 1 − e2exp −
.
2
On the other hand, for n̄ ≤ 0.14 and 0.36 ≤ n̄, Inequalities (7) and (8) are satisfied for values of k given
in Table II. For example, Eve can mount the attack
for k = 9 when 0.30 ≤ n̄ ≤ 0.36 because in this
parameter region, pseq (9, n̄) − pclick and eexp (n̄, T ) are
0
0.14
0.19
0.25
0.30
0.36
n̄
∼
∼
∼
∼
∼
∼
Attack Type
individual
sequential
sequential
sequential
sequential
individual
0.14
0.19
0.25
0.30
0.36
∞
k
–
6
7
8
9
–
TABLE II: The list of suitable attack type for a 95km DPSQKD experiment depending on parameter regions of the average photon number n̄. The corresponding length k of a
sequential detection event are also shown in the right column.
VI.
CONCLUSION
In this paper, we presented an improved version of sequential attacks with intensity modulation, which works
more effectively than the individual attack. Using this
attack, we have shown that the recent experiment with
communication distance of 100km reported by Diamanti
et al.[3] is in fact insecure. We also showed that in a practical experimental setup which is commonly used today,
the communication distance achievable by the DPSQKD
protocol is less than 95km.
There are several straightforward ways to improve our
result. First, although we restricted ourselves in this paper to the discretized gaussian distribution of Eqn.(11),
numerically optimizing Ai can yield a better form of state
|Φi with smaller error rate E(k) while maintaining detection rate D(k), as mentioned at the beginning of Sec.IV.
Moreover, by letting |Φi be a superposition of states with
different photon numbers, we can increase the detection
counts caused by each |Φi to more than one. For instance, instead of the single-photon state |Φi given in
Eqn.(2), it is possible that a coherent state
!
X
†
yi
(−1) Ai ai + h.c. |0i
|Φcoh i = exp
i
leads to a more effective attack. Here h.c.
P stands for
hermite conjugate. Note that the norm i |Ai |2 of Ai
corresponds to the average photon number contained in
this state and need not be normalized.
Acknowledgment
This work was supported by the project “Research and
Development on Quantum Cryptography” of the NICT
as part of MPHPT of Japan’s program “R&D on Quantum Communication Technology.”
6
[1] C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, “Generalized Privacy Amplification,” IEEE Trans. IT41, 1915 (1995).
[2] M. Curty, L.-L. Zhang, H.-K. Lo, and N. Lütkenhaus, “Sequential attacks against differential-phase-shift quantum
key distribution with weak coherent states,” arxiv.org,
quant-ph/0609094, (2006).
[3] E. Diamanti, H. Takesue, C. Langlock, M. M. Fejer, and Y.
Yamamoto, “100km secure differential phase shift quantum key distribution with low jitter up-conversion detec-
tors,” arXiv.org, quant-ph/0608110 (2006).
[4] K. Inoue, E. Waks, and Y. Yamamoto, “Differential Phase
Shift Quantum Key Distribution,” Phys.Rev.Lett.,89,
037902 (2002).
[5] E. Waks, H. Takesue, and Y. Yamamoto, “Security of
differential-phase-shift quantum key distribution against
individual attacks,” Phys. Rev. A, 73, 012344 (2006).
[6] Throughout this paper, summations over xi , zi , bi are
always in modulo 2.