Optics Express

  • Editor: C. Martijn de Sterke
  • Vol. 20, Iss. 17 — Aug. 13, 2012
  • pp: 18911–18924
Real-time monitoring of single-photon detectors against eavesdropping in quantum key distribution systems

Thiago Ferreira da Silva, Guilherme B. Xavier, Guilherme P. Temporão, and Jean Pierre von der Weid


Optics Express, Vol. 20, Issue 17, pp. 18911-18924 (2012)
http://dx.doi.org/10.1364/OE.20.018911


Abstract

By employing real-time monitoring of single-photon avalanche photodiodes we demonstrate how two types of practical eavesdropping strategies, the after-gate and time-shift attacks, may be detected. Both attacks are identified with the detectors operating without any special modifications, making this proposal well suited for real-world applications. The monitoring system is based on accumulating statistics of the times between consecutive detection events, and extracting the afterpulse and overall efficiency of the detectors in real-time using mathematical models fit to the measured data. We are able to directly observe changes in the afterpulse probabilities generated from the after-gate and faint after-gate attacks, as well as different timing signatures in the time-shift attack. We also discuss the applicability of our scheme to other general blinding attacks.

© 2012 OSA

1. Introduction

Quantum Key Distribution (QKD) [1] has gained widespread fame for its ability to reliably share a secret random string of bits between two remotely separated parties, typically known as Alice and Bob. This string can then be used as a key to implement the one-time pad, a cryptographic scheme able to provide unconditional security against an eavesdropper, Eve. The security of QKD has been theoretically proven against a wide class of attacks, even when taking into account the imperfection of the devices [1–4]. The issue, however, rests in the fact that real implementations with current technology present loopholes that can be exploited by Eve, without her presence being directly revealed to Alice and Bob.

1. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74(1), 145–195 (2002).

4. D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, “Security of quantum key distribution with imperfect devices,” Quantum Inf. Comput. 4, 325–360 (2004).

There are many different device imperfections that Eve may base her attacks on, such as a nonzero multi-photon emission probability from the optical source (through a photon-number splitting attack [5]), or an imperfect Faraday mirror in the plug & play system [6], thus compromising security. Alternatively, Eve can even act by directly probing the system components, as in the Trojan horse attack [7], or she can fake the phase encoding of a bidirectional system, as in the phase-remapping strategy [8,9]. However, most of the recently proposed “quantum hacking” schemes focus on the single-photon detectors, which have been shown to perform quite differently from the ideal behaviour.

5. S. Felix, N. Gisin, A. Stefanov, and H. Zbinden, “Faint laser quantum key distribution: eavesdropping exploiting multiphoton pulses,” J. Mod. Opt. 48, 2009–2021 (2001).

6. S.-H. Sun, M.-S. Jiang, and L.-M. Liang, “Passive Faraday-mirror attack in a practical two-way quantum-key-distribution system,” Phys. Rev. A 83(6), 062331 (2011).

7. N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, “Trojan-horse attacks on quantum-key-distribution systems,” Phys. Rev. A 73(2), 022320 (2006).

8. C.-H. F. Fung, B. Qi, K. Tamaki, and H.-K. Lo, “Phase-remapping attack in practical quantum-key-distribution systems,” Phys. Rev. A 75(3), 032314 (2007).

9. F. Xu, B. Qi, and H.-K. Lo, “Experimental demonstration of phase-remapping attack in a practical quantum key distribution system,” New J. Phys. 12(11), 113026 (2010).

For example, by acting on the system timing, Eve can implement the class of time-shift attacks [10–12]. The attack is based on the non-uniformity of the detection efficiency throughout the detection gate in real detectors. By shifting the time of arrival of the single photons inside the detector gate window, Eve can implement her attack and infer the results of Bob’s measurements. The attack may include an intercept-resend strategy sending faked states to Bob [10] or just a random delay applied to the timing of the qubits [11,12]. In addition, depending on the synchronization protocol performed by Alice and Bob before starting the key distribution, the detector efficiency mismatch can be artificially enhanced by Eve [13].

10. V. Makarov, A. Anisimov, and A. Skaar, “Effects of detector efficiency mismatch on security of quantum cryptosystems,” Phys. Rev. A 74(2), 022313 (2006).

11. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum cryptosystem,” Quantum Inf. Comput. 7, 073–082 (2007).

12. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, “Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems,” Phys. Rev. A 78(4), 042333 (2008).

13. N. Jain, C. Wittmann, L. Lydersen, C. Wiechers, D. Elser, C. Marquardt, V. Makarov, and G. Leuchs, “Device calibration impacts security of quantum key distribution,” Phys. Rev. Lett. 107(11), 110501 (2011).

Another class of attacks is based upon the direct control of the detectors at Bob’s station, typically employing classical light to somehow manipulate their response, by forcing/suppressing an avalanche according to Eve’s will. The detectors can be temporarily blinded to single photons due to an optically induced drop in the diode bias voltage [14–16] or with a thermally induced rise in the breakdown voltage [17]. Eve intercepts the qubits and sends faked states [18] to Bob as bright pulses, allowing her to obtain total control of the detectors without (in principle) being caught. The deadtime of the detectors can also be used by Eve to eavesdrop on the cryptographic key without intercepting the photons sent by Alice [19], through optically blinding the detector due to the induced deadtime.

14. V. Makarov, “Controlling passively quenched single photon detectors by bright light,” New J. Phys. 11(6), 065003 (2009).

16. C. Wiechers, L. Lydersen, C. Wittmann, D. Elser, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “After-gate attack on a quantum cryptosystem,” New J. Phys. 13(1), 013043 (2011).

17. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Thermal blinding of gated detectors in quantum cryptography,” Opt. Express 18(26), 27938–27954 (2010).

18. V. Makarov and D. R. Hjelme, “Faked states attack on quantum cryptosystems,” J. Mod. Opt. 52, 691–705 (2005).

19. H. Weier, H. Krauss, M. Rau, M. Fürst, S. Nauerth, and H. Weinfurter, “Quantum eavesdropping without interception: an attack exploiting the dead time of single-photon detectors,” New J. Phys. 13(7), 073024 (2011).

Attacks aimed at imperfections of the single-photon detector have been demonstrated against commercial systems [20], in a full-field implementation [21] and have even shown that it is possible to fake the violation of Bell’s inequalities [22]. All these recent attacks are a real issue because they can all be done with current technology. There has been some discussion regarding whether using a low impedance bias voltage source or appropriately setting the detector discrimination levels would avoid blinding attacks [23–26]. As alternative countermeasures, the usage of optical power meters at the entrance of Bob’s apparatus or even monitoring of the APD current and temperature have been proposed [24,27]. Recently a new idea was proposed in order to render the system immune to all detector side-channel attacks, called measurement-device independent quantum-key distribution (MDI-QKD) [28]. It requires a Bell-state measurement of two independent remote faint laser sources, thus being experimentally challenging, and requires a different topological setup for QKD systems.

20. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4(10), 686–689 (2010).

21. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” Nat. Commun. 2, 349 (2011).

22. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, V. Scarani, V. Makarov, and C. Kurtsiefer, “Experimentally Faking the Violation of Bell’s Inequalities,” Phys. Rev. Lett. 107(17), 170404 (2011).

23. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Avoiding the blinding attack in QKD,” Nat. Photonics 4(12), 800–801 (2010).

24. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography,” Appl. Phys. Lett. 98(23), 231104 (2011).

26. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Response to “Comment on “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography”” [Appl. Phys. Lett 99 196101 (2011)],” Appl. Phys. Lett. 99(19), 196102 (2011).

27. L. Lydersen, V. Makarov, and J. Skaar, “Secure gated detection scheme for quantum cryptography,” Phys. Rev. A 83(3), 032306 (2011).

28. H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 108(13), 130503 (2012).

In this paper we propose a different approach based on real-time characterization of single-photon detectors [29], which may be readily applied to current QKD setups. We are able to observe the fingerprints left on the detectors’ nominal characteristics by the after-gate [16] and time-shift [11] attacks, thus revealing Eve’s presence. This method does not require any hardware modifications such as optical taps, extra power meters or single-photon detectors [17], nor access to APD parameters such as temperature and current [14,24]. In fact it can be done only through software real-time processing of the single-photon avalanche photodiode (SPAD) output signal as long as an accurate timing unit is present in Bob’s detection apparatus, also making it a very attractive and cost-effective countermeasure for eavesdropping in QKD.

29. T. F. da Silva, G. B. Xavier, and J. P. von der Weid, “Real-time characterization of gated-mode single-photon detectors,” IEEE J. Quantum Electron. 47(9), 1251–1256 (2011).

2. Real-time SPAD characterization

The method, as depicted in Fig. 1, works as follows: the times between consecutive detections are accumulated by a computer using an analog-to-digital converter (A/D) acquisition board and a histogram is plotted, which is equivalent to the probability distribution of the detection events. Equation (1) is fit to the normalized histogram in real-time and the parameters Pd, P0, τ and the product μη are simultaneously obtained. The method can also determine the detector deadtime (at the A/D resolution) directly from the histogram.

Fig. 1 Real-time SPAD monitoring system. The decaying exponentials qualitatively illustrate the afterpulse probability in subsequent gate windows.

The total afterpulse probability Pafter is obtained from the summation of Pa from m = 1 to infinity, and is calculated from the measured parameters as:

$$P_{\mathrm{after}} = P_0\,\frac{1}{\exp(T/\tau) - 1}. \qquad (2)$$

3. Monitoring the SPAD against blinding attacks

3.1 After-gate attack

In the so-called “after-gate attack” [16], the eavesdropper externally takes control over Bob's gated Geiger-mode [1,35] SPADs. Eve sends bright optical pulses to Bob, prepared in the desired basis according to her results on the measurement of the intercepted qubits. The pulse forces an avalanche with 100% probability whenever Bob’s basis choice matches Eve’s. This behaviour is obtained with a correct tuning of the bright pulse intensity and exploits the linear regime of the SPAD when outside of the detection time window. If Eve and Bob's bases match, the optical pulse reaching the SPAD has sufficient power to exceed the avalanche breakdown, causing a photon count. Otherwise, the pulse’s optical power is split and is not sufficient to trigger an avalanche. Using this strategy, Eve remains (at least in principle) undetected, as no error is introduced.

35. S. Cova, M. Ghioni, A. Lacaita, C. Samori, and F. Zappa, “Avalanche photodiodes and quenching circuits for single-photon detection,” Appl. Opt. 35(12), 1956–1976 (1996).

In a complete BB84 system, Alice individually prepares the single photons in one out of four states, randomly chosen from a pair of non-orthogonal bases [1]. Bob then randomly chooses one of the two bases to measure each qubit. In the case of polarisation encoding, the basis choice and measurement can be implemented with an active element that performs polarisation rotations followed by a polarising beamsplitter (PBS), which has one SPAD connected to each output port. According to the preparation and measurement sets, one of the SPADs will click.

The eavesdropper detection apparatus is similar to Bob’s, having a basis choice element, a PBS and a pair of SPADs. Eve intercepts the photons sent by Alice, measures them in a random basis, and sends a bright optical pulse to Bob, with polarisation encoded in one out of the four BB84 states, according to the measurement result. After Bob’s basis choice, the pulse will cause the corresponding detector to click (if the bases agree) or the pulse may be split and reach both detectors with half the power (if the bases disagree), not causing an avalanche in either of them. Even by sending the pulses after the detection gate, the main drawback of this attack is that it will nevertheless increase the afterpulse probability of the detectors [16], and this abnormal behaviour is what we look for in our measurement.

For the experimental demonstration a simplified version of a BB84-based QKD system with polarisation encoding was built, together with the eavesdropper apparatus, according to Fig. 2. A commercial SPAD was monitored with our method while submitted to the after-gate attack under different conditions.

Fig. 2 Experimental setup for the after-gate attack. Red lines represent optical fibre connections. The trigger source is placed under Alice’s setup indicating that she is providing the synchronization signals for all the parties involved. A/D: Analog-to-digital converter; D: Single-photon detector; LD: Laser diode; PBS: Polarising beam-splitter; PC: Polarisation controller; PM: Polarisation modulator; PRNG: Pseudo-random number generator; VOA: Variable optical attenuator; Δt: delay generator.

In our setup, Alice's station is composed of a single-photon source made of a CW (continuous-wave) telecom laser diode (LDAlice) with a variable optical attenuator (VOA). She also has an electrical trigger source, which is used to synchronize the entire QKD system, as in a real setup. The photons sent by Alice are intercepted by Eve, who has one commercial SPAD module (η = 15% and 2.5 ns gate width) with detection gates driven by Alice's trigger pulses. In a realistic QKD setup Alice’s laser would be pulsed, a fact that does not affect the results because every time Eve’s detector is opened (as dictated by Alice’s trigger) there is an average of μ photons on that detection window, with probability of detection η. Through the delay control to Bob, Eve is able to make sure her bright pulses or the bypassed photons (through the bypass control, see below for more details) arrive at Bob with the proper timing. Each detection event at Eve creates a 102.5 ns wide electrical pulse that, after compression to around 1 ns width, directly modulates her laser diode (LDEve) to create a bright optical pulse. An additional simplification is that Eve is simply detecting the single-photons without any polarisation analysis, since Alice is only sending a single state of polarisation from BB84, a fact that does not affect the measurement results. Eve, therefore, prepares the attack pulse’s polarisation state according to a pseudo-random number generator (PRNG), simulating her basis choice that would be dependent on her random measurements on the states sent by Alice. Eve chooses between two maximally non-orthogonal polarisation states, corresponding to states on two different encoding bases. The binary random sequence, read from FPGA-based electronics, is applied as a bi-stable voltage to drive a LiNbO3 polarization modulator (PM) [36]. We are also assuming that both bases are equally likely to be used by Alice and Bob. The polarisation changes are synchronized with the optical pulses through a delayed version of the main trigger signal (Δt1). The intensity of the bright pulses is adjusted with a variable optical attenuator (VOA) according to the avalanche threshold of Bob's detector outside the detection gate, previously characterized at a low repetition rate by scanning the optical pulse relative to the temporal gate window at different optical powers.

36. G. B. Xavier, N. Walenta, G. Vilela de Faria, G. P. Temporão, N. Gisin, H. Zbinden, and J. P. von der Weid, “Experimental polarization encoded quantum key distribution over optical fibres with real-time continuous birefringence compensation,” New J. Phys. 11(4), 045015 (2009).

At the receiving station, a PBS is inserted in front of Bob's detector (DBob). We are using a single detector to demonstrate the attack and the application of the real-time monitoring system against eavesdropping. Depending on Eve’s basis choice, hers and Bob’s bases may agree, and the bright pulse causes the detector to click; otherwise, it causes no detection event. A delayed version of the synchronization signal (Δt2) is used to trigger the SPAD under attack. Eve sends the bright pulses such that they arrive just after the end of Bob's detector gate windows, adjusted with the delay line Δt2. The A/D board of our monitoring system is connected to the electrical output of Bob’s detector and to the trigger signal. The statistics of times between consecutive detection events are acquired, using the number of opened gates as the timebase, and analysed in real-time.

Every time Eve’s and Bob's bases disagree, the current flow generated by the absorbed optical pulse through Bob’s detector resets the time-dependent afterpulse exponential probability, but without immediately triggering an avalanche. This process causes the mathematical model that generated Eq. (1) to become intractable (several afterpulse terms with different probabilities of occurring appear in Eq. (1) depending on Alice and Bob’s choices) and we use a different procedure to extract the afterpulse information from the data collected. We obtain the total afterpulse probability from the measured data, by fitting a straight line to the long tail of the logarithm of the normalized histogram of time counts. The final value, calculated in real-time, is taken from the area above this line as compared to the total histogram area normalized to unity [28]. Note that this method is only used to extract the afterpulse probability. The other parameters (dependent on the slope and offset of the distribution) may still be directly extracted from the measured data using Eq. (1) without the afterpulse contributions.
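The tail-fit procedure above, as an added example in Python (not the authors' code): it builds the histogram of gates between consecutive detections, fits a straight line to the logarithm of its tail, and reports the area above that line as the afterpulse probability, checked against a reference from Eq. (2). Assumptions: the click stream is constructed by a seeded simulation with no deadtime, the per-gate afterpulse probability is taken as P0·exp(−mT/τ) (the form whose sum gives Eq. (2)), the attack is modelled simply as a raised P0, and all function names, the values of Pd, P0 and τ, and the alarm tolerance are illustrative.

```python
import math
import random


def p_after_eq2(p0, gate_period, tau):
    """Total afterpulse probability from Eq. (2): P0 / (exp(T/tau) - 1)."""
    return p0 / (math.exp(gate_period / tau) - 1.0)


def simulate_clicks(n_clicks, mu_eta, p_dark, p0, tau_gates, seed):
    """Constructed input: gate numbers at which a gated SPAD clicks.

    A gate that is `lag` gates after the previous click fires on signal or
    dark counts with probability p_s, or on an afterpulse with probability
    P0 * exp(-lag / tau_gates) (assumed model, no deadtime).
    """
    rng = random.Random(seed)
    p_s = 1.0 - (1.0 - p_dark) * math.exp(-mu_eta)
    clicks, gate, lag = [], 0, 0
    while len(clicks) < n_clicks:
        gate += 1
        lag += 1
        p_a = p0 * math.exp(-lag / tau_gates)
        if rng.random() < 1.0 - (1.0 - p_s) * (1.0 - p_a):
            clicks.append(gate)
            lag = 0
    return clicks


def interval_histogram(clicks):
    """Counts of intervals, in gates, between consecutive detections."""
    hist = {}
    for prev, cur in zip(clicks, clicks[1:]):
        hist[cur - prev] = hist.get(cur - prev, 0) + 1
    return hist


def afterpulse_from_tail(hist, tail_start, min_count=20):
    """Fit a line to log(normalised histogram) on the tail.

    Returns (area above the extrapolated line, fitted slope). The area of the
    whole normalised histogram is 1, so the result is 1 - area under the line.
    """
    total = sum(hist.values())
    pts = [(n, math.log(k / total), k) for n, k in hist.items()
           if n >= tail_start and k >= min_count]
    if len(pts) < 2:
        raise ValueError("not enough populated tail bins for a fit")
    # Weighted least squares; weight = bin count, since var(log k) ~ 1/k.
    sw = sum(w for _, _, w in pts)
    mx = sum(w * x for x, _, w in pts) / sw
    my = sum(w * y for _, y, w in pts) / sw
    sxx = sum(w * (x - mx) ** 2 for x, _, w in pts)
    sxy = sum(w * (x - mx) * (y - my) for x, y, w in pts)
    slope = sxy / sxx
    if slope >= 0.0:
        raise ValueError("tail is not decaying; check tail_start")
    intercept = my - slope * mx
    # Area under exp(intercept + slope*n) for n = 1, 2, ... (geometric series).
    ratio = math.exp(slope)
    line_area = math.exp(intercept) * ratio / (1.0 - ratio)
    return 1.0 - line_area, slope


def monitor(clicks, reference_p_after, tolerance, tail_start=30):
    """Compare the measured afterpulse probability with the detector's reference."""
    est, slope = afterpulse_from_tail(interval_histogram(clicks), tail_start)
    return {"p_after": est, "tail_slope": slope,
            "alarm": abs(est - reference_p_after) > tolerance}


def run_demo():
    mu_eta = 0.4 * 0.15                      # mu and eta quoted on the page
    reference = p_after_eq2(0.01, 1.0, 5.0)  # constructed P0, tau = 5 gates
    normal = simulate_clicks(60000, mu_eta, 1e-5, 0.01, 5.0, seed=1)
    attacked = simulate_clicks(60000, mu_eta, 1e-5, 0.10, 5.0, seed=2)
    return monitor(normal, reference, 0.1), monitor(attacked, reference, 0.1)


if __name__ == "__main__":
    for label, result in zip(("normal", "raised afterpulsing"), run_demo()):
        print(label, result)
```

Both runs give nearly the same tail slope, because the slope is set by μη and the dark counts; only the area above the fitted line moves when afterpulsing rises.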

We have also simulated the fact that Eve may not intercept all the single-photons sent from Alice to Bob, in order to try to mask her presence at the cost of a reduced portion of acquired information. This can be adjusted by Eve at the bypass control shown in Fig. 2. By rotating the polarisation controller (PC) in front of the PBS, Eve can bypass a fraction of the total number of photons to Bob and attack the complementary number. Eve recombines her optical pulses and the single-photons from Bob with a 99:1 splitter such that the lower transmittance arm is used to pass through the bright pulses, whose power is adjusted to overcome this loss. Alice’s laser is attenuated to have 0.4 photons on average per 2.5 ns window, which is also the effective gate width used by Bob. His detector was previously characterized at 400 kHz of gate frequency with 10 μs of dead time and 15% detection efficiency, in order to compare its characterization signature with and without the attack. This dead time was applied since it is typical for Bob to employ one on his detectors in QKD systems to minimize the error rate generated from afterpulses.

The histograms of times for Bob's detector were obtained at different ratios of eavesdropped per transmitted photons and are depicted in Fig. 3, with time represented by number of gates between consecutive detections. The average photon number dependence is reflected mainly by the slope of the long curve tail [28]. From the figure we see that the average number of photons per pulse detected by Bob does not change (parallel curves). This is important as an attacking strategy for Eve because otherwise an extra fingerprint would be left by her. If the average photon number increases, there is a higher probability that at least one photon is encountered in a gated time window, as can be verified in the Poissonian distribution of a faint laser. This makes the events closer to each other and the slope of the curve increases.

Fig. 3 Comparative histograms with SPAD behaviour under different fractions of eavesdropped photons. Inset highlights the afterpulse contribution, which occurs largely at short time intervals, as a function of the fraction of eavesdropped photons. No counts are generated in the first bins due to the imposed deadtime of 10 μs. In all cases the eavesdropper intervention can be detected with our monitoring system.

In addition to the fingerprints left by Eve on the detector parameters, another characteristic of the after-gate attack can be monitored. As Eve only sends her signal after Bob’s gate, depending on this delay and on the acquisition board resolution, different time periods between events may be observed in the histogram (in this case, the time bin is given by the sampling rate of the acquisition board). The monitoring of the deviation from the synchronous feature of the gated operation is further explained in section 4, as we employ this principle against the time-shift attack.

Even a small fraction of the attack (1%) remains detectable by the real-time monitoring system, in spite of the 10 μs-deadtime imposed. Since our method is capable of isolating the different sources of detector noise, it is able to pinpoint differences in its expected characteristics, therefore revealing the attack.

3.2 Faint after-gate attack

Recently, a slight variation of the after-gate attack has been proposed, called the faint after-gate attack [30]. An interesting feature of the new technique is the usage of weaker pulses by Eve. In the paper, the authors define the term “superlinear threshold detector” for explaining the behaviour of SPAD detection efficiency when the detector is subjected to multiple photons arriving bunched in a small time span or spread along the gate. As the average number of photons per pulse increases, the gate efficiency profile tends to extend, especially at the end. The attack operates similarly to the conventional after-gate, as pulses on two different power levels arrive at the end of the gate of Bob’s detectors. For bases agreement between Eve and Bob, the detector exhibits a higher efficiency level due to the pulse’s higher optical power; otherwise it exhibits a lower value. Different from the case of the binary response of the conventional after-gate attack, this strategy intrinsically introduces errors on the system [30].

30. L. Lydersen, N. Jain, C. Wittmann, O. Maroy, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “Superlinear threshold detectors in quantum cryptography,” Phys. Rev. A 84(3), 032320 (2011).

We have experimentally simulated the faint after-gate attack by adjusting the power level of the pulses sent by Eve. The operational point, i.e., the temporal position of the optical pulse inside the detection gate, was characterized similarly to our preparation of the conventional after-gate attack. Eve’s 1 ns pulses were scanned through Bob’s detector gate at different power levels differing by a factor of 3 dB. We have chosen the gate temporal position that has the highest ratio between the high and low normalized efficiency curves at its falling end. The end of the gate is shown in Fig. 4, with the operation point indicated (note that the gate was scanned relative to the optical pulse, so the curves appear mirrored). The efficiencies relative to the gate peak with the optical pulse containing 76 and 38 photons on average at the temporal operation point are 0.0364 and 0.0084, corresponding to a ratio of 4.3 between the higher and the lower efficiencies ($\max\{\eta_{\mathrm{high}}/\eta_{\mathrm{low}}\}$). The statistical distribution of times between consecutive detection events was once again collected under attack, with Eve intercepting 100% of the photons sent by Alice with detector deadtime removed.

Fig. 4 Gate scan with two different average numbers of photons per pulse for the faint after-gate attack (the end of the gate appears on the left). Inset shows the histograms of times between detections at standard operation and under the attack, with the observable difference in the slopes of the curve due to the fact that when the detector is under attack the detection efficiency is lowered because the attack is performed at the end of the gate.

3.3 Discussion on the performance against general blinding techniques

Although we have demonstrated that real-time monitoring is effective against the after-gate attack and its faint variation, we would like to discuss the applicability of the method to catch fingerprints left by more general blinding attacks. These blinding attacks may be used on continuously running detectors with CW light [14] through lowering the bias voltage by physically heating the SPAD with the imposed CW light [17], using a combination of CW and pulsed light [20,21] and, as recently demonstrated, blinding using weak pulses before the detection gate to exploit the detector deadtime [19].

From analyzing the results presented in those papers, we infer that our technique seems to be readily applicable in the case with CW blinding light acting on non-gated detectors [14]. In this case, the large gap required on the CW light reaching the blinded detector, before a count is generated, extends the dead time of the detector artificially. As shown in Fig. 5, which is a measurement of time intervals between consecutive counts generated by a non-gated commercial Si detector, not only can we fully characterize a continuous running detector, we can also monitor the deadtime in real-time. In this case, the time intervals are multiples of the A/D sampling period. As observed in the inset, we measured a deadtime of ~40 ns (limited in this case by our A/D resolution of 10 ns), which is typical for actively-quenched non-gated detectors and close to the manufacturer’s specification. In [14] the author reports that the gap used is considerably longer than this value (~500 ns for an active-quenched model), which should be caught by the monitoring system.

Fig. 5 Histogram of times between consecutive detections for a Silicon SPAD operating in free-running mode for four different single-photon counting rates, as illuminated by an attenuated CW laser source. The inset highlights the detector deadtime.

For the other attacks mentioned it is not clear if the monitoring system would work since they do not leave obvious traces in the detector’s characteristics, such as increased afterpulses, or a different deadtime. They may however leave subtle differences that may be identified, therefore further investigation is needed on these attacks. Nevertheless the monitoring system presents a degree of practical protection for Alice and Bob. Eve needs to replicate the detector’s exact characteristics in terms of afterpulses, detection efficiency, dark counts and deadtime when performing these attacks, otherwise Bob will be suspicious that eavesdropping with optical blinding may be occurring.

One possible countermeasure for Bob against these cases is to change a physical parameter of his detector (efficiency or deadtime, for instance) from time to time according to a quantum random number generator [38]. Since it is impossible for Eve to know when these parameters have changed, she will not be able to generate a counting distribution that corresponds to the detector with the modified characteristics, and Alice and Bob can be suspicious of an attack. This parameter change can occur fairly often since the monitoring system can reliably characterize the detector with relatively few detections [29]. The main drawbacks of this technique are an increase in QBER due to the lower detection efficiency used from time to time and a lower key generation rate when longer dead times are used.

4. Monitoring against the time-shift attack

In the time-shift attack [11,12], the system timing is changed in order to exploit the time-dependent mismatch between the efficiency curves of the detectors on the receiver station. Consider a two-detector receiving scheme, as in the case of a polarization-encoded BB84-based setup. Bob has an active element to choose his detection basis and projects each qubit on a polarisation state using a PBS, with each output port connected to a SPAD, DA and DB. The system clock is synchronized such that the single photons reach DA at temporal position τ1 relative to the trigger signal and the device exhibits detection efficiency ηA1. However, Eve randomly routes each transmitted photon through one of two paths of an optical delay line, without interception. For the second delay, corresponding to time τ2, the efficiency of the detector will be different and smaller (ηA2). Now assume that the efficiency temporal profile for DB is not matched with DA and, for time τ2, the value is high (ηB2), whereas for time τ1, it is lower (ηB1). This implies that, given a certain basis chosen by Bob, one of the detectors has a greater probability of triggering an avalanche, according to the time-shift imposed by Eve, which will later provide her with partial information (or full information, if the mismatch is large enough) about the key after the basis reconciliation.

We performed a proof-of-principle measurement of the times between events recorded on a commercial SPAD when under the time-shift attack. The attenuated signal from a pulsed laser diode (the same one used by Eve in the after-gate attack) is sent to the gated-mode SPAD. The synchronization signal with 100 kHz frequency passes through Eve’s FPGA-based, randomly-activated, electrical delay-line and triggers the gate windows (100 ns) on the detector under attack at Bob’s station, as shown in Fig. 6.

Fig. 6 Setup for the proof-of-principle monitoring against the time-shift attack. Here, the synchronization trigger is delayed instead of the optical pulses.

The electronics employed by Eve to time-shift the synchronization pulses has a jitter of ~20 ns on the electrical pulses feeding Bob’s SPAD. We were forced to employ such a wide window of 100 ns at Bob’s detector to ensure that the attack could be successfully implemented by Eve within her electronic limitations. Note that our A/D acquisition hardware is capable of resolving the time differences imposed by the attack up to the order of 10 ns. Many modern QKD setups already employ much faster electronics for high-speed detection and basis choice [39] and thus it should be possible to catch attacks imposed on typical QKD gate windows with the same hardware already present, or at most with an upgrade in the detection electronics. For half of the total number of pulses, a relative delay of 60 ns is imposed on the signal, simulating the attack. The normalized temporal profile of the SPAD gate, measured with the bypassed, fully delayed and randomly delayed version of the trigger signal is shown in Fig. 7. The operational point for the attack was set at the position of the traced line.

Fig. 7 Temporal scan of the detection gate with the delayed optical pulse. The operational point is identified by the traced line.

This point corresponds to a ratio of 50% between the lower and higher efficiency values exploited by Eve (red curve). Here we assume that the other detector at Bob’s station (not used here) has a complementary behaviour, for example, similar to the black curve in Fig. 7. This results in a mutual information value between Eve and Bob of 0.082 [11], which tends to unity if the efficiency ratio approaches zero.

The SPAD output signal feeds a 100 MSamples/s A/D board with an internal time base, in order to be able to resolve the different time peaks induced by the attack, and the time elapsed between consecutive detections is recorded (as multiples of the sampling period, 10 ns). The normalized histogram of times is presented in Fig. 8 for the case when the detector is under attack and for a total bypass of the random delay (or when all pulses are delayed), with no deadtime.

Fig. 8 Histogram of times between consecutive events when under the time-shift attack (blue lines) and under normal operation. Each time bin is defined by the A/D resolution. Inset zooms in the second bin.

From Fig. 8, we see the discretized periodic behavior of the detector, due to the gated-mode operation, when the analysis is based on the sampling period. According to the delay values set by Eve, three results are possible for the time between two consecutive events: if two consecutive detection events are both delayed (or both not delayed), the histogram peak corresponds to a multiple of the gate period. If the first event is delayed and the second one is not, the time between them is shortened by the relative time delay. In the opposite situation, the time between them is lengthened by the same time span. This results in a three-peak-per-bin histogram.

The mismatch between the efficiency values at both temporal positions inside the detection gate is the core of the attack strategy. As a consequence, the central peak seen in the figure inset is higher, according to the ratio of efficiencies. In addition, the efficiency mismatch is experienced by Bob as a drop in the net efficiency of his detectors, which can also be visualised as an increase in photon loss. This effect appears on the histogram of times as a slight reduction in the slope of the long curve tail (in log scale). The net efficiency extracted from the histograms presents a drop from 15.0% (for the case of no attack) to 11.8% when under the time-shift attack. From Eve’s viewpoint, differently from the after-gate attack, as the photons are not intercepted and resent, it tends to be more difficult to compensate for this loss. If Eve uses currently available technology, the decreased net efficiency due to the attack, observed by Bob as a reduction in average number of photons, cannot be compensated, unless the optical channel is replaced by a more transparent one. Even in this case, when the attack is not directly identified by the histogram statistics, our method would be capable of resolving the time-shifts, as shown in the Fig. 8 inset, as long as the resolution of the analyzing electronics is sufficient. Eve may of course attempt to use a shorter delay shift in order to avoid being caught, but there is a minimum bound to this, as it is limited by the jitter of Bob’s detectors. In any case, this result is sufficient to demonstrate that our monitoring method is capable of identifying unexpected timing changes without tampering with the detector, only by analysing its electric output.
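The three-peak signature and the drop in net click rate described above can be checked on the monitor side with a few lines of analysis. The following Python sketch is an added example, not code from the paper: it folds inter-detection times onto the gate period, flags off-grid peaks, and estimates the imposed shift, the efficiency ratio and the net per-gate click probability. The click probabilities (0.10 and 0.05), the alarm threshold, the function names and the simulated timestamps are constructed assumptions, and the ratio estimate assumes independent gates with no dark counts, afterpulses or deadtime.

```python
import random
from collections import Counter
from math import sqrt

SAMPLE_NS = 10       # A/D sampling period from the text (100 MSamples/s)
GATE_PERIOD = 1000   # 100 kHz gate rate -> 10 us = 1000 samples
SHIFT = 6            # 60 ns relative delay applied to half of the triggers


def simulate_clicks(n_gates, p_click, p_click_shifted=None, seed=1):
    """Return click timestamps in A/D samples (constructed data).

    p_click is the per-gate click probability at the normal timing and
    p_click_shifted the one at the shifted timing; None means no attack.
    """
    rng = random.Random(seed)
    stamps = []
    for gate in range(n_gates):
        shifted = p_click_shifted is not None and rng.random() < 0.5
        p = p_click_shifted if shifted else p_click
        if rng.random() < p:
            stamps.append(gate * GATE_PERIOD + (SHIFT if shifted else 0))
    return stamps


def analyse(stamps, tol=1, alarm_fraction=0.01):
    """Histogram inter-click times modulo the gate period and test for side peaks."""
    deltas = [b - a for a, b in zip(stamps, stamps[1:])]
    half = GATE_PERIOD // 2
    # Residue of each interval relative to the nearest multiple of the gate period.
    residues = Counter(((d + half) % GATE_PERIOD) - half for d in deltas)
    central = sum(c for r, c in residues.items() if abs(r) <= tol)
    side = {r: c for r, c in residues.items() if abs(r) > tol}
    off_grid = sum(side.values())
    n = len(deltas)
    # Gates elapsed between clicks follow a geometric law; its maximum-likelihood
    # parameter is the net click probability (the slope of the histogram tail).
    gates_between = sum((d + half) // GATE_PERIOD for d in deltas)
    report = {
        "attack": off_grid / n > alarm_fraction,
        "off_grid_fraction": off_grid / n,
        "net_click_prob": n / gates_between,
        "shift_ns": None,
        "efficiency_ratio": None,
    }
    if report["attack"] and central > 0:
        report["shift_ns"] = abs(max(side, key=side.get)) * SAMPLE_NS
        # With independent gates, each side peak / central peak = r / (1 + r^2),
        # where r is the lower-to-higher efficiency ratio; solve for r <= 1.
        s = (off_grid / 2) / central
        report["efficiency_ratio"] = (1 - sqrt(max(0.0, 1 - 4 * s * s))) / (2 * s)
    return report


if __name__ == "__main__":
    for label, shifted in (("normal", None), ("time-shift", 0.05)):
        print(label, analyse(simulate_clicks(400_000, 0.10, shifted)))
```

A monitor using this kind of check needs the A/D resolution to be finer than the imposed shift, which is the condition the text states for resolving the side peaks.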

7. Conclusion

We demonstrated that on-line monitoring of the SPADs on a QKD system can be used to detect the after-gate and the time-shift attacks without tampering internally with the single-photon detector. This tool is a countermeasure that Alice and Bob may use, with the advantage that only changes in the detection electronics are needed, thus no increased optical loss at Bob’s station and no extensive hardware modifications required, further motivating its application in real-world scenarios.

The after-gate attack was demonstrated in a simplified QKD polarization-encoded setup and the detector was monitored for different ratios of intercepted per transmitted photons. The histogram of times between consecutive detection events with the SPAD under attack was measured and compared with the standard operational mode. We verified a measurable increase in the afterpulse probability even for a very small (1%) fraction of photons being eavesdropped. The analysis of the characterization results for different statistical sample lengths demonstrated the feasibility of our method detecting the after-gate attack. The faint after-gate attack was similarly detected with the same analysis as in the standard after-gate case when the detector deadtime is removed.

We have also discussed that the monitoring system may offer protection against more general blinding attacks. In this situation the attack also becomes harder for a practical Eve, as she needs to replicate the detector’s counting statistics. A countermeasure becomes possible in such cases if a physical parameter change of Bob’s detectors is performed at random times, such as its efficiency.

A proof-of-principle for our method against the time-shift attack was conducted. For systems working under synchronous gated-mode, the real-time monitoring is capable of providing temporal information about the relative delay imposed by Eve on the photons sent by Alice, if the acquisition sampling rate is adequate.

Quantum hacking is an emerging area and will become more sophisticated as new techniques are developed exploiting the physical properties of the different components of a QKD system. The ability to constantly monitor single-photon detectors in real-time and under operation during a quantum key exchange provides Alice and Bob with an extra tool to detect different types of hacking strategies.

Acknowledgments

This work is supported by Brazilian agencies CAPES, CNPq and FAPERJ. In addition G. B. Xavier acknowledges support from grants Milenio P10-030-F, CONICYT PFB08-024 and FONDECYT no. 11110115. Authors thank G. Amaral for help with the FPGA.

References and links

1. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74(1), 145–195 (2002).
2. H.-K. Lo and H. F. Chau, “Unconditional security of quantum key distribution over arbitrarily long distances,” Science 283(5410), 2050–2056 (1999).
3. V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301–1350 (2009).
4. D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, “Security of quantum key distribution with imperfect devices,” Quantum Inf. Comput. 4, 325–360 (2004).
5. S. Felix, N. Gisin, A. Stefanov, and H. Zbinden, “Faint laser quantum key distribution: eavesdropping exploiting multiphoton pulses,” J. Mod. Opt. 48, 2009–2021 (2001).
6. S.-H. Sun, M.-S. Jiang, and L.-M. Liang, “Passive Faraday-mirror attack in a practical two-way quantum-key-distribution system,” Phys. Rev. A 83(6), 062331 (2011).
7. N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, “Trojan-horse attacks on quantum-key-distribution systems,” Phys. Rev. A 73(2), 022320 (2006).
8. C.-H. F. Fung, B. Qi, K. Tamaki, and H.-K. Lo, “Phase-remapping attack in practical quantum-key-distribution systems,” Phys. Rev. A 75(3), 032314 (2007).
9. F. Xu, B. Qi, and H.-K. Lo, “Experimental demonstration of phase-remapping attack in a practical quantum key distribution system,” New J. Phys. 12(11), 113026 (2010).
10. V. Makarov, A. Anisimov, and A. Skaar, “Effects of detector efficiency mismatch on security of quantum cryptosystems,” Phys. Rev. A 74(2), 022313 (2006).
11. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum cryptosystem,” Quantum Inf. Comput. 7, 073–082 (2007).
12. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, “Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems,” Phys. Rev. A 78(4), 042333 (2008).
13. N. Jain, C. Wittmann, L. Lydersen, C. Wiechers, D. Elser, C. Marquardt, V. Makarov, and G. Leuchs, “Device calibration impacts security of quantum key distribution,” Phys. Rev. Lett. 107(11), 110501 (2011).
14. V. Makarov, “Controlling passively quenched single photon detectors by bright light,” New J. Phys. 11(6), 065003 (2009).
15. S. Sauge, L. Lydersen, A. Anisimov, J. Skaar, and V. Makarov, “Controlling an actively-quenched single photon detector with bright light,” Opt. Express 19(23), 23590–23600 (2011).
16. C. Wiechers, L. Lydersen, C. Wittmann, D. Elser, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “After-gate attack on a quantum cryptosystem,” New J. Phys. 13(1), 013043 (2011).
17. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Thermal blinding of gated detectors in quantum cryptography,” Opt. Express 18(26), 27938–27954 (2010).
18. V. Makarov and D. R. Hjelme, “Faked states attack on quantum cryptosystems,” J. Mod. Opt. 52, 691–705 (2005).
19. H. Weier, H. Krauss, M. Rau, M. Fürst, S. Nauerth, and H. Weinfurter, “Quantum eavesdropping without interception: an attack exploiting the dead time of single-photon detectors,” New J. Phys. 13(7), 073024 (2011).
20. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4(10), 686–689 (2010).
21. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” Nat. Commun. 2, 349 (2011).
22. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, V. Scarani, V. Makarov, and C. Kurtsiefer, “Experimentally Faking the Violation of Bell’s Inequalities,” Phys. Rev. Lett. 107(17), 170404 (2011).
23. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Avoiding the blinding attack in QKD,” Nat. Photonics 4(12), 800–801 (2010).
24. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography,” Appl. Phys. Lett. 98(23), 231104 (2011).
25. L. Lydersen, V. Makarov, and J. Skaar, “Comment on “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography” [App. Phys. Lett. 98, 231104 (2011)],” Appl. Phys. Lett. 99(19), 196101 (2011).
26. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Response to “Comment on “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography”” [Appl. Phys. Lett 99 196101 (2011)],” Appl. Phys. Lett. 99(19), 196102 (2011).
27. L. Lydersen, V. Makarov, and J. Skaar, “Secure gated detection scheme for quantum cryptography,” Phys. Rev. A 83(3), 032306 (2011).
28. H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 108(13), 130503 (2012).
29. T. F. da Silva, G. B. Xavier, and J. P. von der Weid, “Real-time characterization of gated-mode single-photon detectors,” IEEE J. Quantum Electron. 47(9), 1251–1256 (2011).
30. L. Lydersen, N. Jain, C. Wittmann, O. Maroy, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “Superlinear threshold detectors in quantum cryptography,” Phys. Rev. A 84(3), 032320 (2011).
31. R. H. Hadfield, “Single-photon detectors for optical quantum information applications,” Nat. Photonics 3(12), 696–705 (2009).
32. M. D. Eisaman, J. Fan, A. Migdall, and S. V. Polyakov, “Invited review article: single-photon sources and detectors,” Rev. Sci. Instrum. 82(7), 071101 (2011).
33. J. Zhang, R. Thew, J. D. Gautier, N. Gisin, and H. Zbinden, “Comprehensive characterization of InGaAs-InP avalanche photodiodes at 1550 nm with an active quenching ASIC,” IEEE J. Quantum Electron. 45(7), 792–799 (2009).
34. A. Yoshizawa, R. Kaji, and H. Tsuchida, “Quantum efficiency evaluation method for gated-mode single-photon detector,” Electron. Lett. 38(23), 1468–1469 (2002).
35. S. Cova, M. Ghioni, A. Lacaita, C. Samori, and F. Zappa, “Avalanche photodiodes and quenching circuits for single-photon detection,” Appl. Opt. 35(12), 1956–1976 (1996).
36. G. B. Xavier, N. Walenta, G. Vilela de Faria, G. P. Temporão, N. Gisin, H. Zbinden, and J. P. von der Weid, “Experimental polarization encoded quantum key distribution over optical fibres with real-time continuous birefringence compensation,” New J. Phys. 11(4), 045015 (2009).
37. S. Cova, M. Ghioni, A. Lotito, I. Rech, and F. Zappa, “Evolution and prospects for single-photon avalanche diodes and quenching circuits,” J. Mod. Opt. 51, 1267–1288 (2004).
38. J. G. Rarity, P. C. M. Owens, and P. R. Tapster, “Quantum random-number generation and key sharing,” J. Mod. Opt. 41(12), 2435–2444 (1994).
39. J. F. Dynes, I. Choi, A. W. Sharpe, A. R. Dixon, Z. L. Yuan, M. Fujiwara, M. Sasaki, and A. J. Shields, “Stability of high bit rate quantum key distribution on installed fiber,” Opt. Express 20(15), 16339–16347 (2012).

OCIS Codes
(270.5570) Quantum optics : Quantum detectors
(040.1345) Detectors : Avalanche photodiodes (APDs)
(270.5565) Quantum optics : Quantum communications
(270.5568) Quantum optics : Quantum cryptography

ToC Category:
Quantum Optics

History
Original Manuscript: May 22, 2012
Revised Manuscript: July 24, 2012
Manuscript Accepted: July 28, 2012
Published: August 2, 2012

Citation
Thiago Ferreira da Silva, Guilherme B. Xavier, Guilherme P. Temporão, and Jean Pierre von der Weid, "Real-time monitoring of single-photon detectors against eavesdropping in quantum key distribution systems," Opt. Express 20, 18911-18924 (2012)
http://www.opticsinfobase.org/oe/abstract.cfm?URI=oe-20-17-18911

