The faked-state attack

We have chosen a 'faked-state attack' (Fig. 1a) [23]. Eve uses a replica of the legitimate receiver unit (Bob′) to intercept and measure all quantum states sent by Alice. She further uses a faked-state generator (FSG) to force Bob to output identical bases and bit values, so that Eve and Bob have the same raw key. Eve also records unencrypted communication in the classical channel, and computes the final secret key (identical to Alice's and Bob's) by repeating the same sifting, error correction and privacy amplification procedures [3,6] as Bob. Unlike the traditional intercept-resend attack [2,3], the faked-state attack does not introduce errors in the key and therefore is not detected by the QKD protocol.

Figure 1: Eavesdropping experiment. (a) Principle of the faked-state attack. (b) Attack on installed QKD system spanning four buildings at the campus of the National University of Singapore. In Alice, polarization-entangled photon pairs were produced in a type-II spontaneous parametric down-conversion (SPDC) source [18,20]. One photon was measured locally by Alice; the other one was sent through a 290 m single-mode (SM) fibre line to Bob. Eve was inserted at a mid-way point. All three parties used identical polarization analysers (PA); clicks were registered with timestamp (TS) units. Under attack, Bob's detectors clicked controllably when illuminated by an optical pulse with peak power ≥ P_th. In the example, to address the target detector for vertically polarized photons, Eve sent a faked state with vertical polarization and peak power 2P_th. Each of Bob's detectors in the conjugate (45° rotated) basis received a pulse of peak power P_th/2, and thus remained blinded. See also 'Complete Eve's setup' section in Methods. In the diagram: BS, 50/50% beamsplitter; PBS, polarizing beamsplitter; HWP, half-wave plate; FPC, fibre polarization controller; BBO, β-barium-borate crystal.

Eve's full control of Bob's detection outcomes is crucial to the success of the faked-state attack. Several technological vulnerabilities allow for the needed degree of control [12,15,17,23]. We have chosen to exploit blindability and controllability of single-photon detectors under strong illumination [15,16]. The QKD system under attack uses passively quenched single-photon avalanche photodiodes (APDs; Fig. 2a). Ordinarily, the arrival of a single photon generates an electron-hole pair that leads to an avalanche in the APD. The resulting current spike is detected by a comparator and a pulse-shaper as the arrival of a single photon, a 'click'. Spurious capacitances of the device result in a finite recharging time and cause a detector deadtime of ∼1 μs. If the illumination level is increased such that no full recharge occurs between individual photons, the avalanche becomes progressively smaller. Under higher illumination conditions, it falls below the comparator threshold and cannot be identified as a click; the detector becomes blind (Fig. 2b). Hence, by injecting high light levels into the channel, it is straightforward for Eve to indefinitely blind Bob's detectors. Under these illumination conditions, the APD no longer behaves as a single-photon detector, but as a classical photodiode generating photocurrent proportional to the optical power. A strong light pulse with peak power above a threshold P_th generates a current spike that mimics the signal of a legitimate photon (Fig. 2c) [16].

Figure 2: Detector blinding and control. (a) Circuit diagram of the custom-built single-photon detectors used in the QKD system under attack [18,19,20]. An avalanche photodiode (APD, C30902S, PerkinElmer) is biased 15 V above its breakdown voltage from a voltage supply +V_bias ≈ 220 V. The avalanche current is fed by a charge stored in a small stray capacitance (≈1.2 pF) and is detected via a voltage spike at the 100 Ω resistor. The avalanche quickly self-quenches because of discharge of the capacitance and concomitant bias voltage drop; its recharge and recovery of single-photon sensitivity takes ∼1 μs. (b) Oscillograms show one of the detectors blinded after switching on 38 pW continuous-wave (c.w.) illumination. (c) Oscillograms show the same detector blinded with 17 μW c.w. illumination. A superimposed optical trigger pulse with a peak power of 2.3 mW never causes a click, whereas one with P_th = 2.6 mW always does.

Experimental implementation

This QKD implementation has four detectors and uses a four-state protocol with polarization coding and passive basis choice (Fig. 1b). Eve can blind all detectors using a laser diode (LD) emitting continuous-wave circularly polarized light, which splits evenly between Bob's detectors. To selectively make one detector click while keeping the other three blinded, Eve adds a linearly polarized pulse of the same polarization as the target detector, and peak power 2P_th. By using four LDs aligned to vertical, horizontal and ±45° polarizations, Eve has the option to deliberately launch a click in any of Bob's detectors. She then executes the faked-state attack.
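An added simulation (not code from the paper) of the control step described above, in an idealized model with no loss and no intrinsic noise: a blinded detector clicks only if it receives at least P_th, so a 2P_th pulse fires exactly one detector and the sifted key shows no added errors, whereas single-photon intercept-resend shows about 25%. The function names, the bit labels and the lossless analyser are assumptions of this sketch; `P_TH` is the 2.6 mW value quoted in Fig. 2c.

```python
import random

P_TH = 2.6e-3          # W; click threshold of a blinded detector (Fig. 2c)
BASES = ("HV", "DA")   # rectilinear and 45-degree-rotated bases (labels assumed)

def detector_powers(basis, bit, peak):
    """Peak power at Bob's four detectors for a linearly polarized pulse.

    Idealized passive analyser: the 50/50 BS halves the pulse; the PBS in the
    matching basis sends its half to one detector, the PBS in the conjugate
    basis splits its half equally between two detectors.
    """
    powers = {}
    for b in BASES:
        for v in (0, 1):
            if b == basis:
                powers[(b, v)] = peak / 2 if v == bit else 0.0
            else:
                powers[(b, v)] = peak / 4
    return powers

def blinded_clicks(basis, bit, peak):
    """Detectors that click while blinded: those receiving at least P_TH."""
    return [d for d, p in detector_powers(basis, bit, peak).items() if p >= P_TH]

def measure(state, rng):
    """Single-photon measurement with passive random basis choice."""
    basis, bit = state
    mb = rng.choice(BASES)
    return (mb, bit if mb == basis else rng.randint(0, 1))

def simulate(mode, n=20000, seed=1):
    """Return (QBER of the Alice-Bob sifted key, fraction of Bob's clicks equal to Eve's)."""
    rng = random.Random(seed)
    sifted = errors = same = 0
    for _ in range(n):
        alice = (rng.choice(BASES), rng.randint(0, 1))
        eve = measure(alice, rng)            # Eve's replica of Bob
        if mode == "intercept-resend":
            bob = measure(eve, rng)          # one photon resent, Bob picks a basis
        else:                                # "faked-state": 2*P_TH pulse, blinded Bob
            (bob,) = blinded_clicks(eve[0], eve[1], 2 * P_TH)
        same += bob == eve
        if bob[0] == alice[0]:               # sifting keeps matching bases only
            sifted += 1
            errors += bob[1] != alice[1]
    return errors / sifted, same / n
```

In this model the error ratio seen by Alice and Bob is the same with and without the faked-state eavesdropper, so error-ratio monitoring alone does not separate the two cases.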

Before attack, we inserted Eve into the line and manually aligned her polarizations to match Bob's detector settings. Then we characterized fidelity of her control over Bob. During a 5 min session Eve received 8,736,719 clicks and resent an equal number of faked states to Bob. Of the latter, 99.75% caused clicks in Bob, and more importantly those clicks were always produced in the intended detector (Table 1). As the synchronization protocol involves Bob sending to Alice precise timing of every click registered [21], Eve can easily identify and discard the few faked states that did not register at Bob, and that will be discarded in the reconciliation between Alice and Bob. After this, she has an identical record with Bob. Owing to small imperfections in tuning Eve's FSG ('Complete Eve's setup' section in Methods), Bob had a probability of 5×10^−7 to register simultaneous clicks in two detectors, corresponding to four events in 323 s. In this QKD implementation, such double clicks were treated as noise and discarded (which is obviously insecure but easily patchable by assigning instead random bit values [24]). We remark that our control scheme could be extended to reproduce arbitrary clicks in several detectors with a more complex FSG, which is, however, not needed in the present experiment.

Table 1: Fidelity of Eve's control over Bob.

QKD performance and key extraction

After Eve's calibration, we ran multiple 5–10 min QKD sessions over a few hours, some with Eve inserted in the fibre line and some without. We recorded performance statistics, all public communication data between Alice and Bob, and the generated keys. During QKD, the legitimate parties monitor key rates to check the line transmission. Figure 3 shows results from two typical sessions, one eavesdropped and one not. As expected, inserting Eve does not alter the rates. Small differences in rate averages of the two sessions are not caused by eavesdropping but rather are normal medium-term alignment fluctuations in this QKD system. The quantum bit error ratio of 5–6% is typical for this experiment [18,19,20], and well below the security limit for the Bennett–Brassard–Mermin 1992 (BBM92) protocol used here [6].

Figure 3: QKD performance with and without eavesdropping as measured by Alice and Bob. Session without Eve in the fibre line (left). Eve installed (right). The traces in the top chart correspond to the raw key rate, sifted key rate and final secret key rate after error correction and privacy amplification [18,20]. The bottom chart shows the quantum bit error ratio (QBER).

In the sessions in which Eve was connected, she extracted Bob's sifted key from her clicks and the recorded public communication Alice–Bob. Alice and Bob identify photon pairs by time-tagging each detector click and exchanging these times over the public channel [21]. This allows them to synchronize their clocks and to keep track of what photons were detected. Bob also announces his detection bases, and Alice answers for which of Bob's clicks she detected the other photon of the pair in the same basis (these pairs form the sifted key). As no measurement outcomes are revealed, this information can be entirely public. In the present implementation, this channel is established over a transmission control protocol and internet protocol (TCP/IP) wireless connection, and is passively wiretapped by Eve. She watches the discussion, synchronizes her clock with Bob's clock, then sifts her key, keeping only those of her clicks which are also kept by Alice and Bob in the sifted key. We ran Eve's processing script on recorded experimental data and verified that in all eavesdropped QKD sessions, Eve's sifted key was identical to Bob's (the script and data sample are available, 'Raw experimental data and Eve's key extraction software' section in Methods).
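The sifting step described above, as an added example that is not the authors' processing script: given a click record identical to Bob's, the public time tags, bases and Alice's keep-list are enough to reproduce the sifted key, including dropping faked states that never registered at Bob. The record layout (integer nanosecond time tags, basis labels, an index set from Alice), the tolerance and the sample data are all constructed for illustration.

```python
from collections import Counter

# Constructed sample. Eve's own record: (time tag in her clock, basis, bit).
SAMPLE_EVE = [(1000, "HV", 1), (2500, "DA", 0), (4100, "HV", 0),
              (5300, "DA", 1), (7000, "HV", 0), (8800, "DA", 0)]
# Public: Bob's announced (time tag in his clock, basis). The faked state sent
# at 4100 did not register at Bob, so it is absent here.
SAMPLE_BOB_PUBLIC = [(124456, "HV"), (125957, "DA"), (128755, "DA"),
                     (130456, "HV"), (132257, "DA")]
# Public: indices of Bob's clicks that Alice confirms for the sifted key.
SAMPLE_ALICE_KEEP = {0, 2, 3}

def eve_sift(eve_clicks, bob_public, alice_keep, tol=4):
    """Return (clock offset, sifted key) using only Eve's clicks and public data."""
    # Clock synchronization: the true offset is the time difference shared by
    # the most (Bob, Eve) click pairs, binned at the timing tolerance.
    bins = Counter(round((tb - te) / tol)
                   for tb, _ in bob_public for te, _, _ in eve_clicks)
    offset = bins.most_common(1)[0][0] * tol
    key = []
    for i, (tb, bob_basis) in enumerate(bob_public):
        hits = [(b, v) for te, b, v in eve_clicks
                if abs(te + offset - tb) <= tol]
        # Each of Bob's clicks must match exactly one of Eve's, in the basis
        # Bob announced; otherwise the two records are not identical.
        if len(hits) != 1 or hits[0][0] != bob_basis:
            raise ValueError(f"Bob's click {i} has no unique match in Eve's record")
        if i in alice_keep:
            key.append(hits[0][1])
    return offset, key
```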

If the source, analysers and transmission medium were perfect, this sifted key would directly constitute the secret key. Under realistic conditions, the sifted keys of Alice and Bob are not identical (the difference being quantified by the quantum bit error ratio). Further steps of error correction and privacy amplification complete the public exchange Alice–Bob to produce the secret key [3,6]. As Eve has the same sifted key as Bob, she can apply the same processing as Bob to it, and is guaranteed to produce the same secret key.