OSA's Digital Library

Optics Express

Optics Express

  • Editor: C. Martijn de Sterke
  • Vol. 16, Iss. 21 — Oct. 13, 2008
  • pp: 16680–16690
« Show journal navigation

Secure key generation using an ultra-long fiber laser: transient analysis and experiment

Avi Zadok, Jacob Scheuer, Jacob Sendowski, and Amnon Yariv  »View Author Affiliations


Optics Express, Vol. 16, Issue 21, pp. 16680-16690 (2008)
http://dx.doi.org/10.1364/OE.16.016680


View Full Text Article

Acrobat PDF (246 KB)





Browse Journals / Lookup Meetings

Browse by Journal and Year


   


Lookup Conference Papers

Close Browse Journals / Lookup Meetings

Article Tools

Share
Citations

Abstract

The secure distribution of a secret key is the weakest point of shared-key encryption protocols. While quantum key distribution schemes could theoretically provide unconditional security, their practical implementation remains technologically challenging. Here we provide an extended analysis and present an experimental support of a concept for a classical key generation system, based on establishing laser oscillation between two parties, which is realized using standard fiber-optic components. In our Ultra-long Fiber Laser (UFL) system, each user places a randomly chosen, spectrally selective mirror at his/her end of a fiber laser, with the two-mirror choice representing a key bit. We demonstrate the ability of each user to extract the mirror choice of the other using a simple analysis of the UFL signal, while an adversary can only reconstruct a small fraction of the key. The simplicity of this system renders it a promising alternative for practical key distribution in the optical domain.

© 2008 Optical Society of America

1. Introduction

The need for secure key distribution has created a large interest in physical-layer based cryptographic protocols, which may provide powerful complementary capabilities to those of the more traditional, information theory based coding systems [1

1. S. Singh, The Code Book: The science of secrecy from ancient Egypt to quantum cryptography (Fourth Estate, 1999).

, 2

2. G. Vernam, “Cipher printing telegraph systems for secret wire and radio telegraphic communications,” J. Am. Inst. Electr. Eng. 45, 109–116 (1926).

]. The most widely known example is that of quantum key distribution (QKD) protocols [3

3. C. H. Bennett and G. Brassard, “Quantum public key distribution system,” IBM Tech. Discl. Bull. 28, 3153– 3163 (1985).

20

20. H. Takesue, S. W. Nam, Q. Zhang, R. H. Hadfield, T. Honjo, K. Tamaki, and Y. Yamamoto, “Quantum key distribution over a 40-dB channel loss using superconducting single photon detectors,” Nat. Photon. 1, 343– 348 (2007). [CrossRef]

], in which the key is generated by measurements of the quantum mechanical properties of single photons. However, practical implantation of the idea is complicated [7

7. L.-M. Duan, M. D. Lukin, J. I. Cirac, and P. Zoller, “Long-distance quantum communication with atomic ensembles and linear optics,” Nature 414, 413–424 (2001). [CrossRef] [PubMed]

11

11. C. Gobby, Z. L. Yuan, and A. J. Shields, “Quantum key distribution over 122 km of standard telecom fiber,” Appl. Phys. Lett. 84, 3762–3764 (2004). [CrossRef]

]: technological challenges include the reliable, high yield generation of single photons [5

5. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145–195 (2002). [CrossRef]

, 16

16. N. Lutkenhaus, “Security against individual attacks for realistic quantum key distribution,” Phys. Rev. A 61, 052304 (2000). [CrossRef]

, 17

17. W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, “Long-distance Bell-type tests using energy-time entangled photons,” Phys. Rev. A 59, 4150–4163, (1999). [CrossRef]

], the compensation for fiber channel variations [5

5. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145–195 (2002). [CrossRef]

], and the development of low noise, single photon detectors operating at the telecommunication wavelength of 1550 nm [5

5. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145–195 (2002). [CrossRef]

, 18

18. P. G. Kwiat, A. M. Steinberg, R. Y. Chiao, P. H. Eberhard, and M. D. Petroff, “High efficiency single photon detectors,” Phys. Rev. A 48, R867–870 (1993). [CrossRef] [PubMed]

20

20. H. Takesue, S. W. Nam, Q. Zhang, R. H. Hadfield, T. Honjo, K. Tamaki, and Y. Yamamoto, “Quantum key distribution over a 40-dB channel loss using superconducting single photon detectors,” Nat. Photon. 1, 343– 348 (2007). [CrossRef]

]. QKD is facing a major hurdle in overcoming fiber losses, which may not be compensated for using optical amplifiers [5

5. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145–195 (2002). [CrossRef]

]. Recently, the introduction of decoy states had allowed for the use of faint coherent pulses [12

12. W.-Y. Hwang, “Quantum key distribution with high loss: towards global secure communication,” Phys. Rev. Lett. 91, 057901 (2003). [CrossRef] [PubMed]

14

14. X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. 94, 230503 (2005). [CrossRef] [PubMed]

], and avalanche InGaAs photo-detectors were successfully used in GHz clock rate experiments [15

15. Z. L. Yuan, A. R. Dixon, J. F. Dynes, A. W. Sharpe, and A. J. Shields, “Gigahertz quantum key distribution with InGaAs avalanche photodiodes,” Appl. Phys. Lett. 92, 201104 (2008). [CrossRef]

]. Nonetheless, present day QKD demonstrations must rely on either complicated, sensitive detection schemes, or on sophisticated, cutting edge components [15

15. Z. L. Yuan, A. R. Dixon, J. F. Dynes, A. W. Sharpe, and A. J. Shields, “Gigahertz quantum key distribution with InGaAs avalanche photodiodes,” Appl. Phys. Lett. 92, 201104 (2008). [CrossRef]

, 19

19. A. Tanaka, M. Fujiwara, S. W. Nam, Y. Nambu, S. Takahashi, W. Maeda, K.-I. Yoshino, S. Miki, B. Baek, Z. Wang, A. Tajima, M. Sasaki, and A. Tomita, “Ultra fast quantum key distribution over a 97 km installed telecom fiber with wavelength division multiplexing clock synchronization,” Opt. Express 16, 11354–11360 (2008). [CrossRef] [PubMed]

20

20. H. Takesue, S. W. Nam, Q. Zhang, R. H. Hadfield, T. Honjo, K. Tamaki, and Y. Yamamoto, “Quantum key distribution over a 40-dB channel loss using superconducting single photon detectors,” Nat. Photon. 1, 343– 348 (2007). [CrossRef]

]. The quest for a simpler, classical secure key generation scheme therefore remains meaningful.

Another promising scheme for secure optical communication is based on the synchronization of lasers in the chaotic regime [25

25. J.-P. Goedgebuer, L. Larger, and H. Porte, “Optical cryptosystem based on synchronization of hyperchaos generated by a delayed feedback tunable laser diode,” Phys. Rev. Lett. 80, 2249–2252 (1998). [CrossRef]

]. On the transmitter side, a delayed, non-linear current feedback loop is used to generate chaotic variations to the wavelength of a semiconductor laser diode [25

25. J.-P. Goedgebuer, L. Larger, and H. Porte, “Optical cryptosystem based on synchronization of hyperchaos generated by a delayed feedback tunable laser diode,” Phys. Rev. Lett. 80, 2249–2252 (1998). [CrossRef]

]. The confidential message provides the initial condition of the feedback loop. That initial condition can be recovered using an identical laser diode and feedback loop on the receiver side [25

25. J.-P. Goedgebuer, L. Larger, and H. Porte, “Optical cryptosystem based on synchronization of hyperchaos generated by a delayed feedback tunable laser diode,” Phys. Rev. Lett. 80, 2249–2252 (1998). [CrossRef]

]. The potential of the scheme was demonstrated by a field test, operating at multi gigabit per second (Gb/s) rates over 120 km of standard fiber [26

26. A. Argyris, D. Syvridis, L. Larger, V. Annovazzi-Lodi, P. Colet, I. Fischer, J. Garcia-Ojalvo, C. R. Mirasso, L. Pesquera, and K. A. Shore, “Chaos-based communications at high bit rates using commercial fiber-optic links,” Nature 438, 343–346 (2005). [CrossRef] [PubMed]

]. One weakness of the system, however, is its dependence on a small number of hardware parameters which are difficult to reconfigure. An unauthorized user may reconstruct or commandeer a network receiver, and decode the confidential messages, while the legitimate users remain unaware of such an attack. Another previously proposed optical implementation of one-way functions was based on the speckle patterns generated by scattering in a random medium [27

27. R. Pappu, R. Recht, J. Taylor, and N, Gershenfeld, “Physical one way functions,” Science 297, 2026–2030 (2002). [CrossRef] [PubMed]

]. Although the cloning of scattering tokens is impossible [27

27. R. Pappu, R. Recht, J. Taylor, and N, Gershenfeld, “Physical one way functions,” Science 297, 2026–2030 (2002). [CrossRef] [PubMed]

], they must be physically distributed among legitimate users.

The ultra-long fiber laser (UFL) [28

28. J. Scheuer and J. and A. Yariv, “Giant fiber lasers: a new paradigm for secure key distribution,” Phys. Rev. Lett. 97, 140502 (2006). [CrossRef] [PubMed]

] key distribution system described in this work is not algorithmically and absolutely secure, as QKD ideally would be. Such unconditional security, though, has not been a mandatory pre-requisite for the application of cryptosystems, as many public key encoding schemes rely on the computational difficulty of eavesdropping rather than on a security proof [29

29. R. L. Rivest, A. Shamir, and L. M. Adleman, “A method for of obtaining digital signatures and public key cryptosystems,” Commun. ACM 21, 120–126 (1978). [CrossRef]

, 30

30. G. Brassard, “A note on the complexity of cryptography,” IEEE Trans. Inf. Theory -IT25, 232–233 (1979). [CrossRef]

]. Promising optical schemes achieved major practical benefits by allowing some relaxation of the unconditional security requirement of QKD. For example, Barbosa [31

31. G. A. Barbosa, “Fast and secure key distribution using mesoscopic coherence states of light,” Phys. Rev. A 68, 052307 (2003). [CrossRef]

] had used mesoscopic coherent states in a proposed key generation scheme that is scalable to optical communication rates, and could allow for optical amplification. The UFL system further extends optical key generation towards the classical light regime. Consequently, it requires only readily available, low cost standard fiber-optic components, and its key-establishing rate decreases only linearly with distance [28

28. J. Scheuer and J. and A. Yariv, “Giant fiber lasers: a new paradigm for secure key distribution,” Phys. Rev. Lett. 97, 140502 (2006). [CrossRef] [PubMed]

]. While an intruder may, in principle, obtain some partial knowledge of the UFL generated key, this knowledge can be reduced by any arbitrary amount by means of relatively simple strategies, as discussed below. Unlike OCDMA transmitters, the UFL terminals do not broadcast a fixed code for extended periods, and the generation of subsequent key bits is uncorrelated. As opposed to chaos synchronization based architectures, an intruder may not introduce a replicated UFL terminal and remain undetected.

The remainder of this paper is organized as follows: Sec. II briefly reiterates the principle of operation of the UFL system [28

28. J. Scheuer and J. and A. Yariv, “Giant fiber lasers: a new paradigm for secure key distribution,” Phys. Rev. Lett. 97, 140502 (2006). [CrossRef] [PubMed]

]. Numerical simulations and results are described in Sec. III, and the experimental work is presented in Sec. IV. A brief discussion is provided is Sec. V.

2. Principle of operation

Fig. 1. (a). Schematic of the UFL system. (b). Top: simulated steady state UFL spectra for the four possible combinations of mirror choices by Alice and Bob. The spectra for (0,1) and (1,0) mirror choices are distinguishable only in their weak spectral side lobes. Bottom: reflectivity profiles |r 0(ω)|2, |r 1(ω)|2 of ‘0’ and ‘1’ mirrors used in simulations: r 0(ω)=0.75°sinc2(ω/Δω), r 1(ω)=0.75°sinc2[(ω-ωsep)Δω], with a spectral width of Δω=2π°7GHz, and a frequency separation of ωsep≡2π(f 1-f 0)=2π°5 GHz. The EDFAs small signal gain, saturation power and noise figure are: 10log10 G 0=17dB above transparency, Psat=13dBm and NF=3dB.

A schematic of the UFL system is shown in Fig. 1(a). The system consists of a fiber link with a terminal at each end, one controlled by Alice and the other by Bob. Each terminal includes an Erbium doped fiber amplifier (EDFA) and a set of two spectrally selective mirrors. The peak reflectivity frequencies of the two mirrors in the set are f 0 (mirror ‘0’), and f 1 (mirror ‘1’). In each bit cycle, both Alice and Bob randomly choose one of the mirrors (‘0’ or ‘1’) as an end mirror of the UFL. The combination of mirror choices is identified through measurements of the UFL spectrum, and represents a single bit. Mirror choices (0,0) or (1,1) lead to oscillations near f 0 or f 1, respectively. An eavesdropper (Eve) measuring peak frequencies f 0 or f 1, can thus easily infer the corresponding mirror choices. These data are thus discarded. The choices (1,0) and (0,1) lead (both) to oscillation close to fc≡½(f 0+f 1). If Eve measures fc, she can not easily determine which arrangement, (1,0) or (0,1), was used. Alice, knowing her own mirror choice, can determine the complementary choice of Bob, and vice versa. The two of them can therefore assign, for example, a logical ‘1’ to the choice of (1,0), and a logical ‘0’ to (0,1). The UFL principle of operation is analogous to the idea of “keyless cryptography”, proposed by Alpern and Schneider as early as 1983 [32

32. B. Alpern and F. B. Schneider, “Key exchange using keyless cryptography,” Info. Proc. Lett. 16, 79–81 (1983). [CrossRef]

]. In that scheme, Alice and Bob anonymously post their uncorrelated choices of binary strings on a public blackboard, and only they can recognize the generator of individual messages [32

32. B. Alpern and F. B. Schneider, “Key exchange using keyless cryptography,” Info. Proc. Lett. 16, 79–81 (1983). [CrossRef]

].

3. Numerical simulations

We refer to the optical field propagating from Alice to Bob as E +(ω), ω denoting the optical frequency, and to the field propagating from Bob to Alice is E-(ω). The fields are normalized so that the integral ∫|E±(ω)|2dω represents optical power. The EDFAs used in both terminals are assumed to be identical, characterized by their small signal gain coefficient G 0, saturation output power Psat and noise figure NF. rA(ω) and rB(ω) are the spectral reflectance profiles of the mirrors chosen by Alice and Bob, respectively. The fiber spans connecting the two terminals are both of length L, and have the same propagation constant β.

The build-up of the lasing signal within the UFL following switch-on may be evaluated by the following set of iterative, coupled equations [28

28. J. Scheuer and J. and A. Yariv, “Giant fiber lasers: a new paradigm for secure key distribution,” Phys. Rev. Lett. 97, 140502 (2006). [CrossRef] [PubMed]

]:

E+1+l(ω)=El(ω)(jβL)rA(ω)exp(G+l/2)+Es(ω)
El+1(ω)=E+l(ω)exp(jβL)rB(ω)exp(Gl/2)+Es(ω)
(1)

In Eq. (1), E l ±(ω) denote the optical fields in both directions of propagation, following l one way trips within the UFL. The gain coefficients Gl ± are determined by the overall input power of the EDFAs:

G±l=G01+El(ω)2dω/Psat
(2)

The gain coefficients are assumed to be frequency independent within the reflectivity windows of the mirrors. This is a reasonable assumption, since the reflectivity bandwidths of the mirrors employed in the experiments are below 0.05 nm. The additive term Es(ω) in Eq. (1) represents the random phase optical field of the Amplified Spontaneous Emission (ASE) of the EDFAs. The power of the ASE field within a frequency window of width dω is assumed to be independent of ω:

Es(ω)2dω=hv·NF[exp(G±)1]·dω
(3)

Here, is the energy of a single photon, and Gl ± are used in the evaluation of El ±(ω).

Figure 1(b) shows examples of the simulated UFL steady state spectra P +(ω)≡(ω)|El +(ω)|2 dω, l≫1, for the four possible combinations of mirror choices. When the choices of mirrors are (0,0) or (1,1), the central lasing frequency is f 0 or f 1, correspondingly. The spectra obtained for (1,0) and (0,1) mirror choices, representing ‘1’ and ‘0’ bits, are both centered at fc and their main lobes are identical. In order to distinguish between the two, Eve must examine the spectral side lobes, whose steady state power is 60 dB lower than that of the main lobe. The difference in the available signal power sets an inherent imbalance between the task of Alice and Bob and that of Eve, as one-way functions do in public key, data encoding schemes [29

29. R. L. Rivest, A. Shamir, and L. M. Adleman, “A method for of obtaining digital signatures and public key cryptosystems,” Commun. ACM 21, 120–126 (1978). [CrossRef]

, 30

30. G. Brassard, “A note on the complexity of cryptography,” IEEE Trans. Inf. Theory -IT25, 232–233 (1979). [CrossRef]

].

For example, Eve can use the difference in optical power between the first left hand spectral side lobe and the first right hand side lobe as her decision variable VE. Figure 2(b) shows simulated probability distribution functions of VE, taken 3 ms following the switch-on of a 25 km long UFL, for (0,1) and (1,0) mirror choices. Let us denote these functions as P 01(VE) and P 10(VE), respectively. Here, VE is normalized by the mean side lobe power. In order to quantify the performance of Eve’s attack, we assume that Eve has a prior knowledge of the distributions in Fig. 2(b). For each reading of her variable, Eve would guess that the particular bit was ‘0’ if P 01(VE)>P 10(VE), and vice versa. This decision criterion was shown to be optimal for binary data in the presence of noise [33

33. J. R. Barry, E. A. Lee, and D. G. Messerschmitt, Digital Communication (Kluwer Academic Publisher, 3rd Ed. 2004).

]. In the ideal case of equal histograms, Eve would guess correctly only 50% of the bits, whereas if the histograms are entirely non-overlapping she can obtain 100% of the bits. In Fig. 2(b), P 01(VE) and P 10(VE) overlap only minimally, and Eve can correctly identify 95% of the bits.

We assume that Eve has a shot-noise limited detector, that her detection bandwidth optimally matches the spectral width of the side-lobes, and that she is using the entire rise time of the UFL to average out the measurement noise. We further assume that Eve can tap 10% of the UFL power undetected, even though our experiments show that such power losses can be identified by Alice and Bob. Subject to this model, simulations show that the mean value of |VE| is 20 dB above the shot noise equivalent power, and 30 dB above the level of the beat noise among the multiple UFL modes and the amplified spontaneous emission of the EDFAs. Therefore, an attack strategy based on the asymmetry of time resolved spectra is feasible and poses a relevant threat.

Fig. 2. (a). Simulated time resolved spectra of the UFL signal, with mirrors choice of (0,1) corresponding to a ‘0’ bit. The spectra were calculated after 3 (red), 6 (magenta) and 10 (blue) one-way propagation cycles following the UFL switch-on. (b). Simulated histograms of the difference between the power in the left hand side lobe and that of the right hand side-lobe, 3 ms following switch-on of a 25 km long UFL. Using such time-resolved spectral measurements, Eve can recover 95% of the key.

The combination of lower EDFA gain, intermediate filters and random variations to the peak reflectivity frequencies leads to a substantial overlap between P 01(VE) and P 10(VE) (Fig. 3(a)). Due to the mirror frequencies variations, Eve can only recover 75% of the key bits. In addition, the ratio of mean |VE| to the shot noise equivalent power is reduced to 7 dB, and the ratio of mean |VE| to the optical beat noise is lowered to 6 dB. Eve can try to reduce her error ratio by moving her spectral filters further away from the main lobe, making VE less susceptible to mirror frequency variations. However, in doing so Eve’s measurement SNR would deteriorate even further. Eve’s partial knowledge can be reduced further with cascading several intermediate filters inside the terminals. For example, Eve can only recover 60% of the key if two filters are used (Fig. 3(b)).

Fig. 3. Simulated histograms of the difference between the power in the left hand side lobe and that of the right hand side-lobe, 3 ms following the switch-on of a 25 km long UFL. The terminals include intermediate narrowband filters, with a 3 dB full width of 2.5 GHz and a 20 dB full width of 3.75 GHz. The small signal gain of the EDFAs was reduced to 10log10 G 0=7 dB. In addition, the peak reflectivity frequencies of the mirrors were randomly varied between bits, within a range of 2.5 GHz surrounding the nominal values. (a). One filter included in each terminal. (b). Two filters cascaded in each terminal

In the above numerical study, a bound on Eve’s partial knowledge of the UFL generated secret key is established, for a particular adversary model. In setting this bound, it has been assumed that Eve is only restricted by signal uncertainties introduced by Alice and Bob, and by the fundamental detection noise. Eve’s knowledge is strongly affected by the specific intermediate filter used by Alice and Bob. Perfectly sharp filters with a flat pass-band would reduce Eve’s knowledge of the key to zero. As illustrated in the specific numerical example, Eve’s knowledge can be restricted considerably with use of advanced, real-world achievable optical filters, such as auto-regressive moving-average filters [34

34. C. K. Madsen and J. H. Zhao, “A general planar waveguide autoregressive optical filter,” IEEE J. Lightwave Technol. 14, 437–447 (1996). [CrossRef]

]. Finally, privacy amplification techniques can be introduced to lower Eve’s knowledge of the key even further [35

35. S. Wolf, “Unconditional security in cryptography,” Lectures on data security 1561, 217–250 (1999). [CrossRef]

, 36

36. A. D. Wyner, “The wire-tap channel,” Bell Syst. Tech. J. 54, 1355–1387 (1975).

].

4. Experiment

The experimental setup used in our UFL system demonstration is shown in Fig. 4(a). The spectrally selective mirrors are implemented by fiber Bragg gratings (FBGs). During each bit exchange cycle, the peak reflectivity frequencies of Alice’s and Bob’s FBGs is tension-tuned to either f 0 or f 1. The frequency separation on f 1-f 0 is 3 GHz. The terminals are connected by two 25 km long spans of standard single-mode fiber. Eve’s tapping coupler is placed at the very beginning of the fiber span connected to Alice’s terminal output port. Each terminal is buffered from the fiber spans by a 2X2 voltage controlled optical switch. When the switches are set to reflection mode, the UFL is effectively split into two local loops at the terminals, with no light transmitted outside the terminals. This mode of operation is used for individually tuning the peak reflectivity frequencies of the FBGs to f 0 or f 1, while literally leaving Eve “in the dark”. Once the tuning is completed, the two switches are simultaneously set to transmission mode and the UFL is re-established. Light from a 30 nm wide, external noise source is coupled to the input of each EDFA, and the UFL is set to operate close to the lasing threshold. The peak reflectivity frequencies of both FBGs are randomly varied in between bits, within a range of ±500 MHz around either f 0 or f 1. The small signal gain, saturation power and noise figure of the terminals’ EDFAs are 20 dB, 13 dBm and 4.5 dB, respectively. The nominal peak reflection wavelength, peak power reflectivity and full width at half maximum of the FBG mirrors are 1549.9 nm, 0.75 and 6 GHz, respectively.

Fig. 4. (a). Experimental setup. (b). Detection scheme for calculating Alice, Bob, and Eve’s decision variables. Black solid lines indicate optical signals. Blue dashed lines indicate RF electrical signals. The red line indicated off-line software processing of the sampled data. (c). Measured steady state spectra of the UFL subject to all four combinations of mirror choices.

Figure 4(b) shows the detection scheme used to generate the time dependent decision variables VAB(t) for Alice and Bob, and VE(t) for Eve. The UFL signal, emerging from either the analysis output ports of the terminals or from the eavesdropping coupler, is initially down-converted to the Radio Frequency (RF) domain through heterodyne beating with an external tunable laser of optical frequency f lo. The difference in frequencies flo-fc is set to fall within the bandwidth of a broadband detector. The detected photo-current is observed using an electrical RF spectrum analyzer, or processed further.

Figure 4(c) shows the measured spectra of the UFL at all four possible mirror choices. The spectra for (1,0) and (0,1) choices are indistinguishable. Such a spectral reconstruction, however, requires many seconds. More realistically, Alice, Bob and Eve have to identify the key bit within several round-trip propagation cycles. To that end, the detector output waveform is filtered using an RF spectral window, with a pass-band of 5.6–7.2 GHz (see Fig. 4(b)). This filter eliminates the baseband terms, whose spectral width is of the order of 1 GHz, from the detected signal. The signal at the filter output retains only the heterodyne beating term, the electrical power spectrum of which is proportional to the optical power spectrum of the UFL. That signal is down-converted again, using RF mixing with a voltage-controlled oscillator, of frequency fVCO=6.5 GHz. Finally, the signal is amplified and filtered by a 300 MHz-wide low-pass filter, and sampled by a digitizing oscilloscope. The sequence of spectral down-conversion and filtering stages is equivalent to the application of a 600 MHz wide optical band pass filter, centered at a frequency flo+fVCO. Such a narrow filter is unavailable to us in the optical domain. By tuning flo, different portions of the UFL spectrum are analyzed separately.

For the generation of Alice or Bob’s decision variable VAB(t), flo is tuned to satisfy flo+fVCO=fc. Figure 5(a) shows VAB(t) for two different key bits, one with complementary mirror choices by Alice and Bob, and the other with identical choices. When the mirror choices of Alice and Bob are complementary, the UFL central frequency is close to fc and the magnitude of VAB(t) increases following the UFL switch-on. This build-up of the signal power is an indication of the secure generation of a single key bit. On the other hand, when Alice and Bob choose identical mirrors, the lasing frequency of either f 0 or f 1 is detuned from flo+fVCO by approximately 1.5 GHz, and no build-up is observed in VAB(t). Figure 5(b) shows the histograms of the root-mean-square (RMS) values of VAB(t=3 ms), for 1000 random bits. As seen in the figure, a clear distinction between securely generated bits and those who should be discarded is established. The probability of Alice or Bob making a wrong decision is 0.006.

Eve’s decision variable VE(t) is calculated by detuning the local oscillator from fc-fVCO by a frequency offset Δf, in attempt to recover residual spectral asymmetries. Figure 6 shows the histograms of the RMS value of VE(t=3 ms) for 1000 bits. As seen in the figure, the ranges of Eve’s decision variable for (1,0) and (0,1) choice bits overlap almost entirely. Eve’s error probability was 30–40% for all examined values of Δf and t. The range of Δf was restricted to ±1 GHz by the noise floor of our detection scheme.

Fig. 5. (a). Alice and Bob’s decision variable VAB(t), versus time following switch-on. Significant signal power is observed when Alice and Bob share a secure key bit (blue, complementary mirror choices), no signal is observed when information represented by mirror choices is non-secure (green, identical mirror choices). (b). Histogram of the RMS value of VAB(t), taken 3 ms after the switch-on of the UFL. Blue: the decision variable distribution for secure bits, (1,0) and (0,1) mirror choices. Red: the distribution for non-secure bits, (1,1) and (0,0) choices. Setting a threshold value for VAB(t), 994 out of 1000 bits are properly categorized.
Fig. 6. Histogram of the RMS value of Eve’s decision variable VE(t=3 ms), with a spectral detuning of Δf=600 MHz Blue: 500 different ‘0’ bits. Red: 500 different ‘1’ bits.

5. Summary

In this work, the security analysis of the UFL system is extended to include an attack based on time resolved spectral asymmetries. This specific attack strategy takes advantage of an inherent weak point of the UFL approach - its spectrally asymmetric build up phase. Nonetheless, numerical simulations show that the security of the key generation can be maintained in the presence of this attack strategy through the inclusion of intermediate filters and random mirror frequency variations. Even with his strategy Eve can only marginally increase her knowledge of the key (~10%). The robustness of system against time/frequency domain attacks is also demonstrated in the proof of concept experiment.

Other intrusion strategies are of course possible. For example, Eve may try to actively probe the spectral reflectivity of Alice and Bob’s mirrors, by injecting pulses at the terminal input and observing them at its output (see Fig. 4(a)). In propagation through the terminal, however, Eve’s probe pulses are exposed to Alice and Bob. Due to the presence of intermediate filters and additive noise sources, Alice and Bob’s signal to noise ratio in identifying such pulses will be far superior to that of Eve’s measurements. Note also that the optical circulators prevent Eve from measuring counter-propagating signals (see Fig. 4(a)). In yet another potential approach, Eve may obtain a set of mirrors identical to those of Alice and Bob, and reconstruct a replica of the UFL terminals. Eve can try and direct a tapped portion of Alice’s output signal, for example, into her own terminal, and introduce a secondary cavity. Studying the oscillations in this secondary cavity, Eve may gain information on Alice’s choice of mirror. However, if Eve’s choice of mirror does not match that of Bob, the UFL oscillations in the main cavity will be altered and expose her attack. In this respect, the UFL system is advantageous over chaos synchronization based systems [25

25. J.-P. Goedgebuer, L. Larger, and H. Porte, “Optical cryptosystem based on synchronization of hyperchaos generated by a delayed feedback tunable laser diode,” Phys. Rev. Lett. 80, 2249–2252 (1998). [CrossRef]

]. In addition, the robust UFL signals are unlikely to be affected by neighboring wavelength division multiplexing channels, sharing the same fiber link.

From a theoretical standpoint, the UFL may be viewed as an optical implementation of an imperfect isotropic channel [32

32. B. Alpern and F. B. Schneider, “Key exchange using keyless cryptography,” Info. Proc. Lett. 16, 79–81 (1983). [CrossRef]

, 37

37. M. Anand, E. Cronin, M. Sherr, M. A. Blaze, and S. Kannan, “Security protocols with isotropic channels,” Technical report MS-CIS-06-18, Department of Computer and Information Science, University of Pennsylvania (2006).

]. An intruder into an isotropic channel can identify the sender of a public message with a probability ρ that is bound below 1 [37

37. M. Anand, E. Cronin, M. Sherr, M. A. Blaze, and S. Kannan, “Security protocols with isotropic channels,” Technical report MS-CIS-06-18, Department of Computer and Information Science, University of Pennsylvania (2006).

]. It was theoretically argued that the eavesdropper information gain in an imperfect isotropic channel can be made arbitrarily small [37

37. M. Anand, E. Cronin, M. Sherr, M. A. Blaze, and S. Kannan, “Security protocols with isotropic channels,” Technical report MS-CIS-06-18, Department of Computer and Information Science, University of Pennsylvania (2006).

]. Since the UFL concept is non-quantum based, setting an upper bound on ρ would be adversary model dependent. In this work, it has been demonstrated that ρ can be effectively bound below 1 when facing a time/frequency domain attack. However, the attack strategies surveyed above are by no means exhaustive. The quantitative analysis of substantially different attack approaches may have to start from first principles.

Much further work is required in order to fully quantify the extent of security provided by the UFL concept. Nevertheless, the extended analysis and the first experiment provide a major step in advancing this approach from an idea towards a system. The UFL would be considerably simpler to implement then QKD, and has potential to provide superior security to that of other classical optics approaches.

Acknowledgments

The authors thank Dr. Stephanie Wehner of the California Institute of Technology for her advice in the area of cryptography. A.Z. acknowledges the support of a post-doctoral research fellowship from the Center of Physics in Information (CPI), California Institute of Technology, and the Rothschild post-doctoral research fellowship from Yad-Hanadiv foundation, Jerusalem, Israel. J. Sch. acknowledges the support of the Advanced Communications Center, Tel-Aviv University, and the Horowitz Foundation.

References and links

1.

S. Singh, The Code Book: The science of secrecy from ancient Egypt to quantum cryptography (Fourth Estate, 1999).

2.

G. Vernam, “Cipher printing telegraph systems for secret wire and radio telegraphic communications,” J. Am. Inst. Electr. Eng. 45, 109–116 (1926).

3.

C. H. Bennett and G. Brassard, “Quantum public key distribution system,” IBM Tech. Discl. Bull. 28, 3153– 3163 (1985).

4.

A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett. 67, 661–663 (1991). [CrossRef] [PubMed]

5.

N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145–195 (2002). [CrossRef]

6.

P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol,” Phys. Rev. Lett. 85, 441–444 (2000). [CrossRef] [PubMed]

7.

L.-M. Duan, M. D. Lukin, J. I. Cirac, and P. Zoller, “Long-distance quantum communication with atomic ensembles and linear optics,” Nature 414, 413–424 (2001). [CrossRef] [PubMed]

8.

M. Aspelmeyer, H. R. Bohm, T. Gyasto, T. Jennewein, R. Kaltenbaek, M. Lindenthal, G. Molina-Terriza, A. Poppe, K. Resch, M. Taraba, R. Ursin, P. Walther, and A. Zeilinger, “Long distance free space distribution of quantum entanglement,” Science 301, 621–623 (2003). [CrossRef] [PubMed]

9.

I. Marcikic, H. de Riedmatten, W. Tittel, H. Zbinden, M. Legre, and N. Gisin, “Distribution of time-bin entangled qubits over 50 km of optical fiber,” Phys. Rev. Lett. 93, 180502 (2004). [CrossRef] [PubMed]

10.

R. J. Hughes, G. L. Morgan, and C. G. Peterson, “Quantum key distribution over a 48-km optical fiber network,” J. Mod. Opt. 47, 533–547 (2000).

11.

C. Gobby, Z. L. Yuan, and A. J. Shields, “Quantum key distribution over 122 km of standard telecom fiber,” Appl. Phys. Lett. 84, 3762–3764 (2004). [CrossRef]

12.

W.-Y. Hwang, “Quantum key distribution with high loss: towards global secure communication,” Phys. Rev. Lett. 91, 057901 (2003). [CrossRef] [PubMed]

13.

H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. 94, 230504 (2005). [CrossRef] [PubMed]

14.

X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. 94, 230503 (2005). [CrossRef] [PubMed]

15.

Z. L. Yuan, A. R. Dixon, J. F. Dynes, A. W. Sharpe, and A. J. Shields, “Gigahertz quantum key distribution with InGaAs avalanche photodiodes,” Appl. Phys. Lett. 92, 201104 (2008). [CrossRef]

16.

N. Lutkenhaus, “Security against individual attacks for realistic quantum key distribution,” Phys. Rev. A 61, 052304 (2000). [CrossRef]

17.

W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, “Long-distance Bell-type tests using energy-time entangled photons,” Phys. Rev. A 59, 4150–4163, (1999). [CrossRef]

18.

P. G. Kwiat, A. M. Steinberg, R. Y. Chiao, P. H. Eberhard, and M. D. Petroff, “High efficiency single photon detectors,” Phys. Rev. A 48, R867–870 (1993). [CrossRef] [PubMed]

19.

A. Tanaka, M. Fujiwara, S. W. Nam, Y. Nambu, S. Takahashi, W. Maeda, K.-I. Yoshino, S. Miki, B. Baek, Z. Wang, A. Tajima, M. Sasaki, and A. Tomita, “Ultra fast quantum key distribution over a 97 km installed telecom fiber with wavelength division multiplexing clock synchronization,” Opt. Express 16, 11354–11360 (2008). [CrossRef] [PubMed]

20.

H. Takesue, S. W. Nam, Q. Zhang, R. H. Hadfield, T. Honjo, K. Tamaki, and Y. Yamamoto, “Quantum key distribution over a 40-dB channel loss using superconducting single photon detectors,” Nat. Photon. 1, 343– 348 (2007). [CrossRef]

21.

L. Tancevski, I. Andonovich, and J. Budin, “Secure optical network architecture utilizing wavelength hopping/time spreading codes,” IEEE Photon. Technol. Lett. 7, 573–575 (1995). [CrossRef]

22.

D. D. Sampson, G. Pendock, and R. A. Griffin, “Photonic code-division multiple-access communications,” Fiber Integr. Opt. 16, 129–157 (1997). [CrossRef]

23.

T. H. Shake, “Security performance of optical CDMA against eavesdropping,” IEEE J. Lightwave Technol. 23, 655–670 (2005). [CrossRef]

24.

T. H. Shake, “Confidentiality performance of spectral-phase-encoded optical CDMA,” IEEE J. Lightwave Technol. 23, 1652–1663 (2005). [CrossRef]

25.

J.-P. Goedgebuer, L. Larger, and H. Porte, “Optical cryptosystem based on synchronization of hyperchaos generated by a delayed feedback tunable laser diode,” Phys. Rev. Lett. 80, 2249–2252 (1998). [CrossRef]

26.

A. Argyris, D. Syvridis, L. Larger, V. Annovazzi-Lodi, P. Colet, I. Fischer, J. Garcia-Ojalvo, C. R. Mirasso, L. Pesquera, and K. A. Shore, “Chaos-based communications at high bit rates using commercial fiber-optic links,” Nature 438, 343–346 (2005). [CrossRef] [PubMed]

27.

R. Pappu, R. Recht, J. Taylor, and N, Gershenfeld, “Physical one way functions,” Science 297, 2026–2030 (2002). [CrossRef] [PubMed]

28.

J. Scheuer and J. and A. Yariv, “Giant fiber lasers: a new paradigm for secure key distribution,” Phys. Rev. Lett. 97, 140502 (2006). [CrossRef] [PubMed]

29.

R. L. Rivest, A. Shamir, and L. M. Adleman, “A method for of obtaining digital signatures and public key cryptosystems,” Commun. ACM 21, 120–126 (1978). [CrossRef]

30.

G. Brassard, “A note on the complexity of cryptography,” IEEE Trans. Inf. Theory -IT25, 232–233 (1979). [CrossRef]

31.

G. A. Barbosa, “Fast and secure key distribution using mesoscopic coherence states of light,” Phys. Rev. A 68, 052307 (2003). [CrossRef]

32.

B. Alpern and F. B. Schneider, “Key exchange using keyless cryptography,” Info. Proc. Lett. 16, 79–81 (1983). [CrossRef]

33.

J. R. Barry, E. A. Lee, and D. G. Messerschmitt, Digital Communication (Kluwer Academic Publisher, 3rd Ed. 2004).

34.

C. K. Madsen and J. H. Zhao, “A general planar waveguide autoregressive optical filter,” IEEE J. Lightwave Technol. 14, 437–447 (1996). [CrossRef]

35.

S. Wolf, “Unconditional security in cryptography,” Lectures on data security 1561, 217–250 (1999). [CrossRef]

36.

A. D. Wyner, “The wire-tap channel,” Bell Syst. Tech. J. 54, 1355–1387 (1975).

37.

M. Anand, E. Cronin, M. Sherr, M. A. Blaze, and S. Kannan, “Security protocols with isotropic channels,” Technical report MS-CIS-06-18, Department of Computer and Information Science, University of Pennsylvania (2006).

OCIS Codes
(060.2330) Fiber optics and optical communications : Fiber optics communications
(140.3510) Lasers and laser optics : Lasers, fiber
(060.4785) Fiber optics and optical communications : Optical security and encryption

ToC Category:
Fiber Optics and Optical Communications

History
Original Manuscript: August 15, 2008
Revised Manuscript: September 15, 2008
Manuscript Accepted: October 1, 2008
Published: October 3, 2008

Citation
Avi Zadok, Jacob Scheuer, Jacob Sendowski, and Amnon Yariv, "Secure key generation using an ultra-long fiber laser: transient analysis and experiment," Opt. Express 16, 16680-16690 (2008)
http://www.opticsinfobase.org/oe/abstract.cfm?URI=oe-16-21-16680


Sort:  Author  |  Year  |  Journal  |  Reset  

References

  1. S. Singh, The Code Book: The science of secrecy from ancient Egypt to quantum cryptography (Fourth Estate, 1999).
  2. G. Vernam, "Cipher printing telegraph systems for secret wire and radio telegraphic communications," J. Am. Inst. Electr. Eng. 45, 109-116 (1926).
  3. C. H. Bennett, and G. Brassard, "Quantum public key distribution system," IBM Tech. Discl. Bull. 28, 3153-3163 (1985).
  4. A. K. Ekert, "Quantum cryptography based on Bell�??s theorem," Phys. Rev. Lett. 67, 661-663 (1991). [CrossRef] [PubMed]
  5. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, "Quantum cryptography," Rev. Mod. Phys. 74, 145-195 (2002). [CrossRef]
  6. P. W. Shor, and J. Preskill, "Simple proof of security of the BB84 quantum key distribution protocol," Phys. Rev. Lett. 85, 441-444 (2000). [CrossRef] [PubMed]
  7. L.-M. Duan, M. D. Lukin, J. I. Cirac, and P. Zoller, "Long-distance quantum communication with atomic ensembles and linear optics," Nature 414, 413-424 (2001). [CrossRef] [PubMed]
  8. M. Aspelmeyer, H. R. Bohm, T. Gyasto, T. Jennewein, R. Kaltenbaek, M. Lindenthal, G. Molina-Terriza, A. Poppe, K. Resch, M. Taraba, R. Ursin, P. Walther, and A. Zeilinger, "Long distance free space distribution of quantum entanglement," Science 301, 621-623 (2003). [CrossRef] [PubMed]
  9. I. Marcikic, H. de Riedmatten, W. Tittel, H. Zbinden, M. Legre, and N. Gisin, "Distribution of time-bin entangled qubits over 50 km of optical fiber," Phys. Rev. Lett. 93, 180502 (2004). [CrossRef] [PubMed]
  10. R. J. Hughes, G. L. Morgan, and C. G. Peterson, "Quantum key distribution over a 48-km optical fiber network," J. Mod. Opt. 47, 533-547 (2000).
  11. C. Gobby, Z. L. Yuan, and A. J. Shields, "Quantum key distribution over 122 km of standard telecom fiber," Appl. Phys. Lett. 84, 3762-3764 (2004). [CrossRef]
  12. W.-Y. Hwang, "Quantum key distribution with high loss: towards global secure communication," Phys. Rev. Lett. 91, 057901 (2003). [CrossRef] [PubMed]
  13. H.-K. Lo, X. Ma, and K. Chen, "Decoy state quantum key distribution," Phys. Rev. Lett. 94, 230504 (2005). [CrossRef] [PubMed]
  14. X.-B. Wang, "Beating the photon-number-splitting attack in practical quantum cryptography," Phys. Rev. Lett. 94, 230503 (2005). [CrossRef] [PubMed]
  15. Z. L. Yuan, A. R. Dixon, J. F. Dynes, A. W. Sharpe, and A. J. Shields, "Gigahertz quantum key distribution with InGaAs avalanche photodiodes," Appl. Phys. Lett. 92, 201104 (2008). [CrossRef]
  16. N. Lutkenhaus, "Security against individual attacks for realistic quantum key distribution," Phys. Rev. A 61, 052304 (2000). [CrossRef]
  17. W. Tittel, J. Brendel, H. Zbinden, and N. Gisin, "Long-distance Bell-type tests using energy-time entangled photons," Phys. Rev. A 59, 4150-4163, (1999). [CrossRef]
  18. P. G. Kwiat, A. M. Steinberg, R. Y. Chiao, P. H. Eberhard, and M. D. Petroff, "High efficiency single photon detectors," Phys. Rev. A 48, R867-870 (1993). [CrossRef] [PubMed]
  19. A. Tanaka, M. Fujiwara, S. W. Nam, Y. Nambu, S. Takahashi, W. Maeda, K.-I. Yoshino, S. Miki, B. Baek, Z. Wang, A. Tajima, M. Sasaki, and A. Tomita, "Ultra fast quantum key distribution over a 97 km installed telecom fiber with wavelength division multiplexing clock synchronization," Opt. Express 16, 11354-11360 (2008). [CrossRef] [PubMed]
  20. H. Takesue, S. W. Nam, Q. Zhang, R. H. Hadfield, T. Honjo, K. Tamaki, and Y. Yamamoto, "Quantum key distribution over a 40-dB channel loss using superconducting single photon detectors," Nat. Photon. 1, 343-348 (2007). [CrossRef]
  21. L. Tancevski, I. Andonovich, and J. Budin, "Secure optical network architecture utilizing wavelength hopping / time spreading codes," IEEE Photon. Technol. Lett. 7, 573-575 (1995). [CrossRef]
  22. D. D. Sampson, G. Pendock, and R. A. Griffin, "Photonic code-division multiple-access communications," Fiber Integr. Opt. 16, 129-157 (1997). [CrossRef]
  23. T. H. Shake, "Security performance of optical CDMA against eavesdropping," IEEE J. Lightwave Technol. 23, 655-670 (2005). [CrossRef]
  24. T. H. Shake, "Confidentiality performance of spectral-phase-encoded optical CDMA," IEEE J. Lightwave Technol. 23, 1652-1663 (2005). [CrossRef]
  25. J.-P. Goedgebuer, L. Larger, and H. Porte, "Optical cryptosystem based on synchronization of hyperchaos generated by a delayed feedback tunable laser diode," Phys. Rev. Lett. 80, 2249-2252 (1998). [CrossRef]
  26. A. Argyris, D. Syvridis, L. Larger, V. Annovazzi-Lodi, P. Colet, I. Fischer, J. Garcia-Ojalvo, C. R. Mirasso, L. Pesquera, and K. A. Shore, "Chaos-based communications at high bit rates using commercial fiber-optic links," Nature 438, 343-346 (2005). [CrossRef] [PubMed]
  27. R. Pappu, R. Recht, J. Taylor, and N , Gershenfeld, "Physical one way functions," Science 297, 2026-2030 (2002). [CrossRef] [PubMed]
  28. J. Scheuer, J. and A. Yariv, "Giant fiber lasers: a new paradigm for secure key distribution," Phys. Rev. Lett. 97, 140502 (2006). [CrossRef] [PubMed]
  29. R. L. Rivest, A. Shamir, and L. M. Adleman, "A method for of obtaining digital signatures and public key cryptosystems," Commun. ACM 21, 120-126 (1978). [CrossRef]
  30. G. Brassard, "A note on the complexity of cryptography," IEEE Trans. Inf. Theory IT-25, 232-233 (1979). [CrossRef]
  31. G. A. Barbosa, "Fast and secure key distribution using mesoscopic coherence states of light," Phys. Rev. A 68, 052307 (2003). [CrossRef]
  32. B. Alpern, ad F. B. Schneider, "Key exchange using keyless cryptography," Info. Proc. Lett. 16, 79-81 (1983). [CrossRef]
  33. J. R. Barry, E. A. Lee, and D. G. Messerschmitt, Digital Communication (Kluwer Academic Publisher, 3rd Ed. 2004).
  34. C. K. Madsen, and J. H. Zhao, "A general planar waveguide autoregressive optical filter," IEEE J. Lightwave Technol. 14, 437-447 (1996). [CrossRef]
  35. S. Wolf, "Unconditional security in cryptography," Lectures on data security 1561, 217-250 (1999). [CrossRef]
  36. A. D. Wyner, "The wire-tap channel," Bell Syst. Tech. J. 54, 1355-1387 (1975).
  37. M. Anand, E. Cronin, M. Sherr, M. A. Blaze, and S. Kannan, "Security protocols with isotropic channels," Technical report MS-CIS-06-18, Department of Computer and Information Science, University of Pennsylvania (2006).

Cited By

Alert me when this paper is cited

OSA is able to provide readers links to articles that cite this paper by participating in CrossRef's Cited-By Linking service. CrossRef includes content from more than 3000 publishers and societies. In addition to listing OSA journal articles that cite this paper, citing articles from other participating publishers will also be listed.


« Previous Article  |  Next Article »

OSA is a member of CrossRef.

CrossCheck Deposited