Experimental demonstration of phase-remapping attack in a practical quantum key distribution system

Quantum key distribution (QKD) can, in principle, provide unconditional security based on the fundamental laws of physics. Unfortunately, a practical QKD system may contain overlooked imperfections and may thus violate some of the assumptions in the security proofs of QKD. It is important to explore these assumptions. One key assumption is that the sender (Alice) can prepare the required quantum states without errors. However, such an assumption may be violated in a practical QKD system. In this paper, we perform a proof-of-principle experiment to demonstrate a technically feasible 'intercept- and-resend' attack that exploits such a security loophole in a commercial 'plug & play' QKD system. The resulting quantum bit error rate is 19.7%, which is substantially lower than the well-known 25% error rate for an intercept-and-resend attack in BB84. The attack we utilize is the phase-remapping attack (Fung et al 2007 Phys. Rev. A 75 32314) proposed by our group.


I. INTRODUCTION
Quantum key distribution (QKD) [1][2][3] enables an ultimately secure means of distributing secret keys between two parties, the sender (Alice) and the receiver (Bob).In principle, any eavesdropping attempt by a third party (Eve) will unavoidably introduce disturbance and be detected.The unconditional security of the BB84 QKD protocol has been rigorously proved based on the laws of quantum mechanics [4], even when implemented on imperfect practical setups [5].
Unfortunately, a practical QKD system has imperfections.Eve may try to exploit these imperfections and launch specific attacks not covered by the original security proofs.Is it possible that a small unnoticed imperfection spoils the security of the otherwise carefully designed QKD system?This question has drawn a lot of attention.Gisin et al. studied a Trojan-horse attack employing the unwanted internal reflection from a phase modulator [6].Makarov et al. proposed a faked state attack, which exploits the efficiency mismatch of two detectors in a practical QKD system [7].Our group has proposed [8] a simple attacktime-shift attack-that exploits the same imperfection.Moreover, we have experimentally demonstrated [9] our attack against a commercial QKD system.This was the first time that a commercial QKD system had been successfully hacked, thus highlighting the vulnerability of even well-designed commercial QKD systems.Lamas-Linares et al. demonstrated that the information leakage due to public announcement of the timing information can be used by Eve to access part of the sifted keys [10].Recently, the imperfections of some particular single photon detectors, namely those based on passively or actively quenched avalanche photodiodes, and potential security loopholes of practical QKD systems employing such detectors have been studied in [11].For more general discussions, see [12].
A key assumption in QKD is Alice encodes her signals correctly.This seems like a simple assumption.However, it may be violated in practice by, for example the phase-remapping attack [13].In this paper, we experimentally investigate the phase-remapping attack in a commercial QKD system.In contrast with the time-shift attack, the phase-remapping attack is an "intercept-and-resend" attack which allows Eve to gain the full information of the sifted keys.Here, we experimentally find that the phase remapping process in a practical QKD system is much more complicated than the theoretical model in Ref. [13].To adapt to this complexity, we have modified the original phase-remapping attack into type 1 and type 2 practical attacks, where type 2 attack is more practical in QKD systems.It is well known that in the standard BB84 QKD system, a simple "intercept-and-resend" attack will introduce a quantum bit error rate (QBER) of 25% which alarms the users that no secure keys can be generated.Our experimental results show that by performing the phaseremapping attack, Eve can gain the full information at the cost of introducing a QBER of 19.7%, which is lower than the proven security bound of 20.0% for the BB84 protocol [14].
In other words, the security of the commercial QKD system is compromised.This paper is organized as follows: in Section II, we summarize the basic idea of phaseremapping attack and then propose our theoretical model to analyze QBER.In Section III, we describe the phase modulation scheme adopted in a commercial "plug and play" QKD system and discuss two types of practical attacks which could be applied to this specific design.In Section IV, we show the experimental results and analyze the QBER.We finally conclude our paper with some general comments in Section V.

II. PHASE-REMAPPING ATTACK
Practical limitations associated with phase and polarization instabilities over long distance fibers have led to the development of bidirectional QKD schemes, such as the "plugand-play" QKD structure [15] and the Sagnac QKD structure [16].Specially, the "plugand-play" structure is widely used in commercial QKD systems [17].In this system, Bob first sends two strong laser pulses (signal pulse and reference pulse) to Alice.Alice uses the reference pulse as a synchronization signal to activate her phase modulator.Then Alice modulates the phase of the signal pulse only, attenuates the two pulses to single photon level, and sends them back to Bob. Bob randomly chooses his measurement basis by modulating the phase of the returning reference pulse.Since Alice allows signals to go in and go out of her device, this opens a potential back door for Eve to launch various attacks [6].One specific attack is the phase-remapping attack [13].
LiNbO 3 waveguide phase modulator is commonly used to encode random bits in fiber based phase-coding BB84 QKD system.In practice, a phase modulator has finite response time, as shown in Fig. 1.Ideally, Bob's signal pulse passes through Alice's phase modulator in the middle of the modulation signal and undergoes a proper modulation (time t 0 in Fig. 1).However, if Eve changes the time difference between the reference and the signal pulse, the signal pulse will pass through the phase modulator at a different time (time t 1 in Fig. 1), and the encoded phase will be different.Originally, Alice uses {0, π/2, π, 3π/2} to encode {0 1 (bit "0" in base1), 0 2 (bit "0" in base2), 1 1 (bit "1" in base1), 1 2 (bit "1" in base2)}.Now, after Eve's remapping process, Alice's encoded phases {0, π/2, π, 3π/2} will be mapped to {0, φ 1 , φ 1 + φ 2 , φ 1 + φ 2 + φ 3 }, where φ i (i=1,2,3) is the new phase difference between two adjacent states.Ref [13] assumed for simplicity, that the phase modulator has the same rising time and proportional phase modulation for each encoded phase, i.e. φ 1 =φ 2 =φ 3 .Here, we consider a more general setting.The exact value of φ i depends on time displacement introduced by Eve and the actual phase modulation system.This phase remapping process allows Eve to launch a novel "intercept-and-resend" attack: phase-remapping attack.In our experiment, the practical attack strategy is: (1) Eve intercepts Bob's strong pulse and sends a time-shifted pulse to Alice via her own device.Note that Eve can change the actual values of φ i (i=1,2,3) by changing the time displacement.However, she cannot change φ 1 , φ 2 , and φ 3 independently.
(2) Eve's strategy is to either distinguish with minimal errors.To distinguish {0 1 }, Eve introduces a phase shift of {φ 1 + φ 2 } by using her phase modulator on the reference pulse sent back by Alice and performs an interference measurement.If detector1 has a click [18], Eve sends a standard BB84 state {0 1 } to Bob.

III. EXPERIMENTAL PHASE-REMAPPING ATTACK IN A COMMERCIAL "PLUG & PLAY " QKD SYSTEM
We implemented the phase remapping attack in a commercial ID-500 QKD system (manufactured by id Quantique), as shown in Fig. 3. Bob's signal pulse, reference pulse and Alice's phase modulation signal of the original QKD system are shown in Fig. 4. Note that in Fig. 4, since Alice uses the reference pulse as a trigger signal, the time delay ∆t 1 is determined by the internal delay of Alice's system and can't be controlled by Eve.On the other hand, since Alice doesn't monitor the arrival time of the signal pulse, Eve can change the time delay ∆t 3 without being detected.Furthermore, the rising edge of the phase modulation signal is around 8ns, while the width of the laser pulse is about 500ps.Eve can easily place her pulse on the rising edge to get partial phase modulation.This specific QKD design opens a security loophole which allows Eve to launch the phase-remapping attack.
In our experiment, Eve utilized the same setup as Bob to launch her attack.Eve modified the length of the short arm of her Mach-Zehnder interferometer by adding a variable optical delay line (VODL in Fig. 3) to shift the time delay between the reference pulse and the signal pulse.To remap the phase small enough into the low QBER range, the optimal strategy we found is: by using VODL, Eve shifts the forward signal pulse out and only the backward signal pulse in the phase modulation range (see Fig. 5(b)).One important practical challenge in our experiment is polarization control.The phase modulator in Alice's system is polarization dependent and has one principle axis.Photons with polarization aligned with the principle axis will undergo a large phase modulation, while photons with orthogonal polarization state will undergo a small phase modulation [19].In our experiment, we find the relative modulation magnitude ratio of the two polarizations is about 1 : 3 [20].In the original "plug and play" system, the signal pulse will be modulated twice as it passes through Alice's phase modulator back and forth (see Fig. 5(a)).Because of the Faraday mirror, the total phase shift is independent of the polarization state of the signal pulse.However, since Eve's signal pulse will pass through the modulator at a different time and be modulated only once (see Fig. 5(b)), the above auto-compensating method will not work.Eve has to control the polarization direction either aligned with or orthogonal to the principal axis of the phase modulator when her signal pulse is modulated.This is achieved by adding a polarization controller (PC in Fig. 3) in Eve's system and adjusting it carefully.
Here, Eve can assume that the polarization has been aligned properly by maximizing the total counts of D1+D2 (D1 and D2 denote the counts of Det1 and Det2) [21].
By combining variable shifting time and two different polarization directions, Eve can apply two types of practical phase-remapping attack: 1. Type 1 practical attack is shown in Fig. 5(b).Eve shifts the forward signal pulse out of the phase modulation signal and the backward pulse to the rising edge, and adjusts the PC to control the backward pulse's polarization direction aligned with the modulator's principal axis.Here, we remark that if the width of laser pulse is comparable with the rising time of the modulation signal, the type 1 attack will cause an unreasonably high QBER, thus it is easy for Alice and Bob to detect the attack.
2. Type 2 practical attack is shown in Fig. 5(c).Eve shifts the backward pulse to the plateau region of the phase modulation signal, and aligns its polarization direction orthogonal to the principal axis.Since the orthogonal direction has the smallest phase modulation, Eve can successfully remap the phase small enough into the low QBER range.One important advantage of type 2 attack is: even if Alice's phase modulator is good enough with strictly sharp rising and following edge (force type 1 attack noneffective), Eve can still apply type 2 attack in practical QKD systems.
Another challenge is the optimization of VODL.Ref [13] assumed Eve could remap Alice's encoded phase with φ 1 = φ 2 = φ 3 .However, in our experiment, the relation among φ 1 , φ 2 , and φ 3 is more complicated.As shown in Fig. 6, Alice's phase modulation signals {π/2, π, 3π/2} not only start at different times but also have different average rising times {6.12ns, 7.82ns, 9.47ns}.Furthermore, there is also an overshoot after the rising edge, and the time is different from each other.So, if we use different lengths of VODL to shift the pulse either to the rising edge or to the overshooting range, the pulse will not undergo proportional phase modulation.Eve's remapping phase will be φ 1 = φ 2 = φ 3 .These complicated phases will thus cause an effect of QBER as shown in Eqn.(1).The zoomed rising edge of each modulation signal and the approximate time of the optimal VODL used in our attack.
In our experiment, the optimal length of VODL was determined by minimizing the resulting QBER.We finally applied two optimal VODL (see Fig.   QBER is analyzed as follows.First, we calculate QBER from the theoretical model discussed in Section II.The detecting probability of phase-coding BB84 QKD protocol is where N denotes the gating number [22].Here, we subtract the dark counts number NY 0 from each detector's counts number to get the theoretical detecting probability. If Eve introduces phase shift {0} (Base0) on the reference pulse to measure each state, the remapping phase φ E and phase difference φ i (i=1,2,3) are Using data in Table II, from Eqn. ( 4) and ( 1), we can get The phase error fluctuations are mainly due to the imperfections of our experimental QKD system.From the results in Table II, we can see that even though Eve uses Base0 to measure state {0 1 }, it still has about "600 ∼ 700" counts on Det1.These error counts are mostly from the imperfect interference between the signal pulse and the reference pulse.So, Eqn.(5) gives the theoretical QBERs introduced by Eve with perfect detection system.Now, we calculate QBER via our direct experimental results.From Table II, we can see the total counts (D1+D2) are almost identical, so Det1's detecting probability for each state is proportional to D1.The QBERs can be calculated using data in Table II: It is surprising to see that if Eve utilizes the optimal strategy to combine two types of attack together and carefully chooses the the probability of each attack to ensure the distribution of bit "0" and bit "1" received by Bob is balanced, the overall QBER will be Note that we used weak coherent pulse (WCP) source in our experiment.Before calculating the QBERs for single-photon (SP) source, we emphasize two facts: (1) the phase shift introduced by the phase modulator is independent of the source.If the source is a SP, the phase will be also remapped to {0, φ 2 − e −µη Bob P 0 2 + 2Y 0 4 − e −µη Bob P 0 1 − e −µη Bob P 0 2 − e −µη Bob P 1 1 − e −µη Bob P 1 2 + 4Y 0 (10) Using Eqn.(9)(10) and data in Table I and II, the overall QBER difference between SP and WCP for Eve's optimal strategy (combine two types of attack as Eqn.( 8)) is: Therefore, in a practical SP BB84 QKD system, we can expect the QBER is QBER sp =19.8%, which is lower than the tolerate security bound of 20.0% [14].The security of SP BB84 QKD system is compromised.Eve can also combine the phase-remapping attack with a faked state attack together to substantially enhance its power [13].Finally, we remark that even if we have only broken a practical SP BB84 QKD system, the security proofs of both WCP and SP QKD are based on the same assumptions.One key assumption (Alice prepares her states correctly) has been violated in our experimental demonstration.
So the security proofs can not be directly applied to a practical QKD system.

V. CONCLUSION
We conclude this paper with some general comments.First, let us consider countermeasures.In the "plug-and-play" QKD system, one specific countermeasure is the following: Alice carefully checks the arrival time of the reference pulse and the signal pulse by monitoring with her classical detector (CD in Fig. 3).From the time delay between the two pulses, she can find whether the time difference has been shifted by Eve, and thus counter Eve's attack.Moreover, in our attack, Eve only sends two states to Bob.Alice and Bob can detect this attack by estimating the statistics of the four BB84 states.Note that, once a security loophole has been found, it is often easy to develop countermeasures.However, the unanticipated attacks are the most fatal ones.
Second, this paper mainly focuses on one key assumption in unconditional security proofs, i.e.Alice prepares the required states correctly.From a simple experimental demonstration, we show this assumption can be violated by our attack.So, we emphasize that, in a practical QKD system, Alice needs to experimentally verify she is applying the correct modulations on her states.One possible way in a general QKD system is: after encoding her random bits, Alice uses a beam splitter to split part of each strong modulated signal, and then use a classical detector, such as a power meter (rather than a single-photon detector), to implement a local measurement to directly verify whether she has performed the correct modulation.In order to achieve unconditional security with a practical QKD system, it is useful to perform such a verification experimentally.In the long term, it is important to work towards QKD with testable assumptions.
Third, Eve can also maximize her ability to eavesdrop by combining various attacks.
For instance, she may combine the phase-remapping attack with the time-shift attack to exploit both the imperfections of Alice's encoding system and Bob's detection system.If she does so, the QBER might be reduced further.We remark that, it is impossible to remove all imperfections completely in practice.Instead of removing them, what we can do is to quantify them carefully.Once quantified, those imperfections may be taken care of in security proofs [5,23].As an example, mismatch in detection efficiency has been taken into account in the security proof of [24].
Finally, our demonstration of the phase remapping attack was done on a specific implementation of QKD.Notice, however that the implementation is the one widely used in commercial QKD systems [17].Moreover, in a general class of QKD systems and protocols, our work highlights the significance for Alice to verify the correctness of her preparation.
In practice, any QKD is done on a specific implementation and it has imperfections.If we can't trust a specific implementation of QKD, one should never use QKD in the first place.
In summary, we have experimentally demonstrated a technologically feasible attack, where Eve can get full information and only introduces a QBER of 19.7%.A simple "intercept-and-resend" attack will normally cause a QBER of 25% in BB84.So, our re-sult shows clearly an imperfection in the QKD implementation.The security of a single photon BB84 QKD system has been compromised.Specially, this is the first successful "intercept-and-resend" attack on top of a commercial bidirectional QKD system.The success of our attack highlights not only the importance for Alice to verify that she is encoding the right state during the encoding process, but also, more generally, the importance of verification of the correctness of each step of an implementation of a QKD protocol in a practical QKD system.

FIG. 1 :
FIG. 1: Diagram of phase modulation (PM) signal.t 0 is the original time location where Bob's signal pulse is properly modulated to have phase φ 0 .Eve time shifts the signal pulse from t 0 to t 1 .This pulse will undergo a new modulated phase φ 1 .

FIG. 5 :
FIG. 5: Time pattern of practical phase-remapping attack.Sig: signal pulse.Ref: reference pulse.PM: phase modulation signal.(a) Normal QKD operation.(b) Type 1 practical phase-remapping attack.(c) Type 2 practical phase-remapping attack; here, even if we assume Alice has a perfect phase modulator with strictly sharp rising and following edge, Type 2 attack still works.

FIG. 6 :
FIG. 6: (Color online).(a)Alice's phase modulation signals, π/2, π, and 3π/2, respectively.(b) 6(b)) to launch two types of practical phase remapping attack: VODL A: 4.65m and VODL B: 5.8m.Our attack strategy was the one discussed in Section II.Here, we remark two points: (1) from the time pattern graph in Fig.4, the laser pulse is narrow enough to allow us to apply type 1 attack; (2) in type 1 attack, to make the remapping phase small enough, we still control the polarization of backward pulse orthogonal to the principal axis.

TABLE I :
Experimental parameters.We repeated the measurement 10 million times for each state sent by Alice and the experimental results are shown in TableII.
Some experimental parameters of our ID-500 commercial QKD system, including dark count rate Y 0 , detector error rate e det , Bob's overall quantum efficiency η Bob (including the detection efficiency of single photon detector), detection efficiency η and mean photon number µ are listed in Table I.Our transmission distance was a few meters.