Practical Security Bounds Against the Trojan-Horse Attack in Quantum Key Distribution

In the quantum version of a Trojan-horse attack, photons are injected into the optical modules of a quantum key distribution system in an attempt to read information direct from the encoding devices. To stop the Trojan photons, the use of passive optical components has been suggested. However, to date, there is no quantitative bound that specifies such components in relation to the security of the system. Here, we turn the Trojan-horse attack into an information leakage problem. This allows us to quantify the system security and relate it to the specification of the optical elements. The analysis is supported by the experimental characterization, within the operation regime, of reflectivity and transmission of the optical components most relevant to security.

Popular Summary

Since ancient times, the Trojan-horse attack has been known for penetrating a securely protected space. For modern-day cryptographic applications such as quantum key distribution, the existence of a protected area is a fundamental assumption, and securing this area against a Trojan-horse attack has been a long-standing problem. Even so, no quantitative analysis has been conducted thus far to combat the Trojan-horse attack on quantum systems, and an increasing number of experiments have demonstrated the severity of the attack.

In this work, we propose a quantitative method to counteract the Trojan-horse attack. Our work focuses on characterizing the components of an optical system to limit the information leakage arising from the Trojan photons. These photons are imprinted with secure information that is supposed to remain private but is instead delivered to the attacker. In some cases, the Trojan-horse attack can even proceed without alerting the system that it is under attack. By relating the security of the system to the specific characteristics of its optical components, the Trojan-horse attack can be effectively fended off. The protection architecture that we examine is entirely passive, and we provide security bounds that are easily applicable in practice. Our solution is feasible within existing experimental capabilities.

We believe that our security argument will become a standard tool in all quantum systems that need to secure a private space.

Figure 1

Representation of the Trojan-horse attack against an optical QKD setup. Eve sends a large amount of Trojan photons (thick arrow) against Alice’s defensive structure. Some of the photons reach the encoding device, are encoded with the private information $\phi$, and are reflected back to Eve (thin arrow), who retrieves the information by measuring the photons.

Figure 2

Schematics of the transmitting unit of a unidirectional fiber-based QKD setup and Eve’s THA. LS is a generic light source. The square with ${\phi }_A$ is the encoding device. It writes the phase information ${\phi }_A$ on photons traveling in the short arm of the interferometer. Eve injects a bright light pulse in the coherent state $|\sqrt{{\mu }_{\mathrm{in}}}⟩$ into Alice’s module. A fraction of it is encoded by Alice and back-reflected to Eve, emerging as $|e^{i{\phi }_A}\sqrt{{\mu }_{\mathrm{out}}}⟩$, i.e., attenuated by a factor $\gamma$ (${\mu }_{\mathrm{out}}=\gamma {\mu }_{\mathrm{in}}$) but containing the phase information ${\phi }_A$ (dashed line).

Figure 3

Asymptotic key rate $R$ versus distance for the single-photon efficient BB84 protocol under a THA. The rate is plotted for different values of the output mean photon number ${\mu }_{\mathrm{out}}$. Other parameters in the simulation are as follows: fiber loss coefficient $0.2\mathrm{dB}/\mathrm{km}$, total detection efficiency 12.5%, optical error rate 1%, dark count probability per gate ${10}^{-5}$, and error correction inefficiency 20% above the Shannon limit.

Figure 4

Asymptotic key rate $\tilde{R}$ versus distance for the decoy-state efficient BB84 protocol under a THA, for various values of the output mean photon number ${\mu }_{\mathrm{out}}$. Experimental parameters in the simulation are as in Fig. 3. The average photon number of the signal states in the decoy-state technique is $s=0.5$.

Figure 5

Architecture of a QKD transmitter to mitigate the THA. LS is a generic light source and the square with ${\phi }_A$ is the encoding device. OFL: optical fiber loop determining the LIDT; $F$: optical filter; $I$: optical isolator; $A$: attenuator; $R$: total reflection from all components to the left of the dot-dashed line.

Figure 6

Top panel: Schematics of the QKD transmitter module and of the $\nu$-OTDR setup used for characterizing its reflectivity. Bottom panel: Reflection peaks of the transmitting unit. The distance is measured from the connector J1 placed at the entrance of the module. The traces are acquired for two orthogonal polarizations, aligned to maximize the transmission through the short (blue traces) and long (red traces) arms of the interferometer. The peaks of the reflectivity are added to obtain a worst-case estimation (black). Only the peaks from the components included in the shaded region of the top diagram have to be considered in the estimation of $R$.

Figure 7

Spectral characterization of a dual-stage optical isolator. The isolator shows less than 0.36 dB insertion loss in the forward direction (right axis, empty squares) and more than 65 dB isolation in the backward direction (left axis, filled squares) around the central wavelength of 1550 nm.

Figure 8

Asymptotic key rate $R^{*}$ versus distance for the single-photon efficient BB84 protocol, under a passive THA. The rate is plotted for various values of the parameter ${\mu }_{\mathrm{out}}$. Parameters in the simulation are as in Fig. 3.

Figure 9

Asymptotic key rate ${\tilde{R}}^{*}$ versus distance for the decoy-state efficient BB84 protocol, under a passive THA. The rate is plotted for various values of the parameter ${\mu }_{\mathrm{out}}$. Parameters in the simulation are as in Fig. 4.

Figure 10

Asymptotic key rate $R^{**}$ versus distance for the single-photon efficient BB84 protocol, under a THA with unambiguous state discrimination by Eve. The rate is plotted for various values of the parameter ${\mu }_{\mathrm{out}}$. Parameters in the simulation are as in Fig. 3.

Figure 11

Asymptotic key rate ${\tilde{R}}^{**}$ versus distance for the decoy-state efficient BB84 protocol, under a THA with unambiguous state discrimination by Eve. The rate is plotted for various values of the parameter ${\mu }_{\mathrm{out}}$. Parameters in the simulation are as in Fig. 4.