Implementation security of quantum key distribution

  1. Freitas Pereira, Margarida Amélia
Supervised by:
  1. Marcos Curty Alonso (Supervisor)

Defending university: Universidade de Vigo

Date of defence: 22 April 2021

Examining committee:
  1. Hugo Zbinden (Chair)
  2. Mohsen Razavi (Secretary)
  3. Dagmar Bruß (Member)
Department:
  1. Signal Theory and Communications

Type: Thesis

Abstract

How to securely and secretly communicate messages between physically distant locations is a pressing concern for governments, companies, and users. With the rise of the Internet, cryptography has become an indispensable technology in many applications for which we require information security, such as online banking and the transmission of national secrets or health data containing sensitive personal information. Using conventional cryptographic algorithms, two users, Alice and Bob, can secretly communicate in the presence of an eavesdropper, Eve, as long as they share a long random string of secret bits, known as the key. By using this secret key to encrypt their messages via the one-time pad scheme, Alice and Bob achieve information-theoretically secure communications. Importantly, this key must have the same size as the message being transmitted and it can only be used once. The question now is: how are these secret keys securely distributed between users? This is known as the key distribution problem. Unfortunately, all classical key distribution schemes are fundamentally insecure because, while the key is in transit from Alice to Bob, it can be copied by Eve and used to decrypt the encrypted message, the ciphertext. To get around this problem, public-key cryptographic systems are now widely employed to encrypt and decrypt messages. These systems require the receiver, Bob, to have two keys, one public and one private. The sender, Alice, uses Bob's public key to encrypt her message and sends the ciphertext to him. Upon reception, Bob simply uses his private key to decrypt the message. In principle, only someone with Bob's private key can decrypt a message encrypted with the announced public key. However, problematically, the security of public-key cryptographic systems relies on certain mathematical problems that are thought, but not proven, to be very difficult for current computers to solve in a reasonable period of time.
In other words, it is assumed that Eve does not have access to efficient mathematical algorithms that would allow her to decrypt the ciphertext or figure out Bob's private key. For instance, the security of the Rivest-Shamir-Adleman (RSA) scheme, the most widely used public-key cryptosystem, is based on the assumed hardness of finding the prime factors of very large numbers. Consequently, these schemes are vulnerable to rapid advances in hardware or algorithms; in fact, it has already been shown that a large-scale quantum computer could break the security of public-key algorithms whose security relies on prime factorisation or on elliptic curves. With several companies, such as Google, Microsoft and IBM, racing to build the first ever quantum computer, these machines can no longer be considered a pipe dream. Such a technological breakthrough would allow Eve to decrypt any message encrypted using public-key cryptography, including those encrypted many years before, completely compromising our current security infrastructure. Therefore, it is of utmost importance to develop new and everlasting alternatives for securing our communications. Fortunately, and in contrast to public-key cryptography, quantum cryptography, or more specifically quantum key distribution (QKD), promises to achieve information-theoretic security in data communication based only on information theory and the laws of physics, rather than on computational assumptions. That is, through the use of quantum mechanics, the secrecy of the distributed key can be guaranteed without making any assumptions on the computational power or technologies that Eve possesses, or might possess in the future. In ideal QKD systems, Alice generates a random key, encodes each bit in the quantum state of a single photon, and sends it to Bob via a quantum channel. While in transit, Eve can perform any operation on these photons.
However, the principles of quantum mechanics stipulate that Eve is unable to reliably copy unknown quantum states, and if she attempts to measure them she will unavoidably introduce disturbance. In particular, if Eve tries to eavesdrop she will alter the state of the transmitted photons, causing transmission errors that signal her presence to Alice and Bob. This allows them to verify the security of the QKD scheme: if the error rate is too high, the secrecy of the key is compromised and therefore the users abort the protocol and start again; if the error rate is low, the users can employ classical cryptographic techniques (known as privacy amplification) to distil a shorter secret key from which Eve's information has been effectively removed. Clearly, QKD offers a much stronger security guarantee than other widely employed forms of cryptography. With such a strong security claim, it is not surprising that QKD has aroused substantial interest. Today, almost four decades after its introduction, QKD has made tremendous progress in both theory and practice. On the theoretical side, rigorous security proofs of QKD have been developed, as well as a composable security definition. Many QKD protocols have been proposed, and their practical security in the presence of device imperfections and finite-key effects has been investigated. On the practical side, stable QKD over long distances has been accomplished and field-test QKD networks have been deployed in the USA, Europe, China and Japan. Recently, satellite-based quantum communications have taken off, significantly increasing the maximum distance at which QKD can be performed. Also, there are commercial QKD systems currently available from several companies, such as ID Quantique and Toshiba, and great efforts have been made towards the standardisation of QKD systems. All of these developments demonstrate the feasibility of QKD and its potential to become a global technology.
Having said that, however, there are still a number of open challenges that need to be addressed before QKD can be widely used for securing everyday communications around the world. Some of these involve improving technical aspects, such as further increasing the maximum distance between users, achieving higher communication rates, reducing its costs and miniaturising the devices. In addition to these technical advances, QKD also needs work on its theoretical front. Here, the most important challenge is to rigorously establish implementation security, rather than theoretical security.

Motivation

Usually, in a QKD protocol, there is a sending device that Alice uses to encode the optical pulses, a quantum channel in which these pulses are transmitted, and a measurement device that Bob uses to measure the incoming signals. To prove the security of this protocol, one would ideally start from mathematical models of these devices that faithfully capture their physical properties in a real-life implementation. However, since this is very hard to do, typical security proofs are based on idealised device models, which ignore the devices' inherent flaws. As a result, there is a big gap between the theory and practice of QKD. Problematically, these device imperfections can create security loopholes, or side channels, that may allow Eve to learn some information about the secret key without introducing any disturbance on the emitted signals, thus compromising the security of the scheme. In fact, several hacking attacks have been performed on experimental and commercial QKD systems, and they have succeeded. Therefore, to recover the information-theoretic security offered by QKD, it is crucial to develop security proofs that take into account device imperfections. One possible solution against these hacking attacks is to use security patches. Once a side channel is identified it can be patched by finding a suitable countermeasure, sending Eve back to square one.
While this patchwork results in a sequence of increasingly secure protocols, it cannot guarantee security in the presence of unknown side channels, and thus abandons the information-theoretic security model offered by QKD. Arguably, the best way to bridge the gap between the theory and practice of QKD is device-independent (DI) QKD, since its security does not require any knowledge about the behaviour of the devices, other than the assumption that the measurement devices only interact with the outside world to receive quantum signals from the untrusted source and to exchange inputs and outputs with the legitimate users. This means that Alice and Bob do not need to accurately model their devices, thereby ruling out all attacks targeting device imperfections in real-life implementations. This QKD protocol relies on another fundamental principle of quantum mechanics, entanglement. Its security is based on the fact that measurements on entangled pulses provide Alice and Bob with non-local quantum correlations that can be verified by the violation of a Bell inequality, an entanglement witness that is independent of the physical details of QKD systems. The intuition is that if Eve interferes with the entangled pulses to learn some secret information she would be detected by Alice and Bob, as this would destroy their shared entanglement and therefore the Bell inequality would not be violated. Despite being a remarkable idea, the drawback of DI-QKD is its impracticality; it is very challenging to implement with current technology and its expected secret-key rate is very low, even at short distances. Moreover, the assumption that there are no leakages of information from the users' devices is very difficult to ensure in practice. Another solution to remove the discrepancy between idealised device models and real devices, and guarantee the implementation security of QKD, is to develop realistic security proofs with less demanding assumptions on sources and detectors.
A recent breakthrough in this direction was the introduction of measurement-device-independent (MDI) QKD, which allows users to obtain a secret key in the presence of untrusted detectors. In this protocol, both Alice and Bob emit optical pulses to an untrusted third party, Charles, who is supposed to perform a Bell-state measurement and announce its result. To learn whether Charles was honest, the users can then compare a subset of the transmitted data. One fundamental assumption in MDI-QKD is that the sending devices are completely trusted and do not leak any information. Importantly, however, the security of the protocol is guaranteed without making any assumptions on the measurement device and therefore it is immune to all detection side-channel attacks. Moreover, MDI-QKD can be easily implemented with off-the-shelf devices while providing a secret-key rate that is many orders of magnitude greater than that of DI-QKD. In fact, its feasibility has been demonstrated experimentally and a multi-user MDI-QKD network has already been constructed. Recently, an MDI-type protocol has been proposed, called twin-field (TF) QKD, that inherits MDI-QKD's immunity to detector side channels and provides significantly higher secret-key rates over long distances with current technology. Since these protocols already guarantee the security of QKD with arbitrarily flawed measurement devices while being very practical and providing high performance, the missing step towards achieving implementation security is to relax their assumptions on the source. Ideally, the sending devices are single-photon sources that do not leak any unwanted information about the user's setting choices and that perform the encoding of optical pulses perfectly. However, these requirements are not usually fulfilled in practical implementations of QKD.
For instance, suitable deterministic single-photon sources are still not available; hence, the decoy-state method is used to make QKD practical and secure with standard weak coherent pulses. Also, real devices do not always behave as users expect, since they might be affected by external conditions, such as temperature changes and fluctuations in the power supply, or Eve might perform a hacking attack. Therefore, if the devices are not well isolated, there could be some unwanted information leakage that Eve can exploit to learn information about the secret key. Similarly, due to unavoidable device imperfections, there are often state preparation flaws (SPFs) that may compromise the security of the QKD scheme. These encoding flaws can be incorporated into the security proofs by using the security framework developed by Gottesman, Lo, Lütkenhaus and Preskill (GLLP). Unfortunately, however, the resulting secret-key rate is very poor because the GLLP analysis assumes that Eve can enhance source flaws by exploiting channel loss. To address the limitation of the GLLP analysis, a loss-tolerant (LT) protocol was proposed, making QKD robust against channel loss in the presence of SPFs. This protocol relies on a rejected-data analysis to bound the amount of information leakage to Eve and, importantly, by assuming that the single-photon components of the emitted states are in a qubit space (known as the qubit assumption), Eve is unable to enhance source flaws by exploiting channel loss. The intuition is rather simple: since the users prepare three or more states in a two-dimensional Hilbert space, they must be linearly dependent and therefore Eve cannot perform an unambiguous state discrimination (USD) attack to distinguish them. Remarkably, this results in a secret-key rate that is almost independent of SPFs, that is, it remains almost unchanged as source flaws increase.
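As an added illustration (not part of the thesis), the following Python checks the linear-dependence argument above and goes one step further: three states prepared in a qubit space are necessarily linearly dependent, so an unambiguous state discrimination (USD) measurement cannot exist, whereas attaching a setting-dependent side-channel optical mode (a mode dependency, which violates the qubit assumption) can make the same three states linearly independent. The BB84-like states and the side-channel mode rotation are constructed assumptions.

```python
"""Added example: why the qubit assumption rules out USD attacks.

USD (error-free discrimination that may return an inconclusive result)
exists only for linearly independent states. Three states confined to a
two-dimensional (qubit) space are always linearly dependent; a
setting-dependent side-channel mode can lift them into a larger space and
make them independent. All states below are constructed for illustration.
"""
import math


def kron(a, b):
    """Tensor product of two state vectors given as lists of amplitudes."""
    return [x * y for x in a for y in b]


def rank(vectors, tol=1e-9):
    """Rank of a set of vectors via Gaussian elimination (row reduction)."""
    rows = [list(v) for v in vectors]
    ncols = len(rows[0])
    r = 0
    for c in range(ncols):
        pivot = next((i for i in range(r, len(rows)) if abs(rows[i][c]) > tol), None)
        if pivot is None:
            continue  # no pivot in this column, move on
        rows[r], rows[pivot] = rows[pivot], rows[r]
        p = rows[r][c]
        rows[r] = [x / p for x in rows[r]]
        for i in range(len(rows)):
            if i != r and abs(rows[i][c]) > tol:
                f = rows[i][c]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        r += 1
        if r == len(rows):
            break
    return r


def usd_possible(states):
    """A USD measurement exists iff the states are linearly independent."""
    return rank(states) == len(states)


S = 1 / math.sqrt(2)
ZERO, ONE, PLUS = [1.0, 0.0], [0.0, 1.0], [S, S]  # three BB84 qubit states


def ideal_qubit_states():
    """Idealised source: every setting is emitted in the same optical mode."""
    return [ZERO, ONE, PLUS]


def mode_dependent_states(theta):
    """Flawed source (constructed assumption): the third setting excites a
    side-channel mode rotated by theta relative to the mode used by the other
    two settings. theta = 0 recovers the qubit case."""
    mode_a = [1.0, 0.0]
    mode_b = [math.cos(theta), math.sin(theta)]
    return [kron(ZERO, mode_a), kron(ONE, mode_a), kron(PLUS, mode_b)]


if __name__ == "__main__":
    ideal = ideal_qubit_states()
    print("qubit source: rank", rank(ideal), "USD possible:", usd_possible(ideal))
    for theta in (0.0, 0.05):
        st = mode_dependent_states(theta)
        print(f"mode dependency theta={theta}: rank {rank(st)},",
              f"USD possible: {usd_possible(st)}")
```

Even a slightly rotated side-channel mode already makes USD possible in principle; how much Eve can then actually learn depends on the size of the deviation, which is the quantity the security analyses summarised in this abstract set out to bound.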
The LT protocol has been further developed to take into account intensity fluctuations of the laser sources in the state preparation, its security has been proven in the finite-key regime, and it has been implemented experimentally, demonstrating its feasibility. Unfortunately, however, the qubit assumption is quite hard to guarantee in practical implementations of the protocol. For example, it can be violated when the optical modes of the emitted signals depend on the users' setting choices (known as mode dependencies, or the non-qubit assumption), that is, when the setting choices are encoded in undesired degrees of freedom of the emitted light. It can also be violated if there are classical pulse correlations between the prepared signals, i.e., when the quantum state of the signals depends on the previous encodings, or if Eve performs a Trojan horse attack (THA), in which she sends some bright light into the users' devices and then observes the back-reflected light to learn partial information about the secret key. Clearly, despite these recent and important theoretical advances, there is still a lot to be done in order to bridge the gap between the theory and practice of QKD. One should develop better device models that reflect the properties of real devices, continue to reduce the assumptions employed in the security proofs, and improve the resulting secret-key rates in the presence of source imperfections. By doing so, an actual implementation of a QKD protocol would be information-theoretically secure even in the presence of different source imperfections, as long as they are sufficiently small. Therefore, the purpose of this thesis is to rigorously consider these issues such that one can achieve implementation security of QKD.

Contributions of the thesis

Generalised loss-tolerant protocol

As mentioned above, the LT protocol requires that the states of the emitted pulses are in a qubit space.
Even though some attempts have been made to verify the qubit assumption in practice, one cannot rigorously ensure the emission of such states, compromising the security of the scheme. In this thesis, we remove the unrealistic qubit assumption and generalise the LT protocol to accommodate common source imperfections. More precisely, our security proof incorporates SPFs and multiple optical modes in the emitted signals arising from mode dependencies and THAs. To do so, we exploit the fact that the emitted signals can always be divided into a qubit part that resembles perfect signals emitted from an idealised device, and a non-qubit part that accounts for all the imperfections present in real devices. By exploiting this state structure we can then estimate the parameters needed to achieve secure communications. Importantly, no information is needed about the non-qubit part, or in other words, the side-channel states do not need to be characterised. This is a big advantage of our generalised loss-tolerant (GLT) protocol because these states could, in principle, live in unknown physical modes and therefore their experimental characterisation is highly non-trivial. Additionally, we make a comparison between the GLT protocol and the standard GLLP approach. For this, we follow the GLLP-type analysis in and consider the same device model and the same state structure as in the GLT protocol. We investigate how each security proof is affected by the different imperfections and THAs, and then we directly compare them under the same parameter regime. The results indicate that in the presence of high SPFs the GLT protocol provides better performance, especially when the other imperfections are small. The GLLP-type analyses seem to be more robust to mode dependencies and THAs, but as SPFs increase the secret-key rate decreases quickly.
Since there are efficient passive countermeasures against THAs, such as optical isolators, the preferred security proof in the presence of these three device imperfections might be the GLT protocol, especially if SPFs are high. This comparison can be used as a guideline for experimentalists, allowing them to pick the security proof that provides higher performance given their device parameters. Importantly, we have proved the security of QKD in the presence of many common source imperfections.

Reference technique

Considering all these imperfections in the sending device inevitably reduces the communication rate of QKD. Indeed, both the GLT protocol and the GLLP-type security proofs provide lower secret-key rates than other security analyses in which these imperfections are not considered. To counteract this effect, in this thesis we have proposed a new framework to prove the security of QKD, the reference technique (RT), that is more resilient to source imperfections and that outperforms other security analyses in certain parameter regimes. More precisely, we have developed a simple and analytical parameter estimation technique that incorporates the LT protocol and includes existing security proofs as its special cases, namely the GLT protocol and the GLLP-type analysis. The key idea of the RT is to consider some reference states that are close to the actual states emitted in a real-life implementation of the protocol, and to use them to estimate the required parameters in the security proof. The intuition is that, since these reference states are similar to the emitted states, their respective detection probabilities should also be similar. Hence, by bounding the maximum deviation between these probabilities we can obtain a mathematical relationship that allows us to estimate the amount of information leakage to Eve in the actual protocol.
Importantly, this framework is very useful for considering many source imperfections simultaneously and only requires the characterisation of a single experimental parameter that describes the quality of the sources, or in other words, that quantifies the deviation of the emitted states from the idealised qubit states. As in the GLT protocol, no information is needed about the side-channel states. Here, we evaluate the secret-key rate for the RT in the presence of source imperfections, which includes a comparison between the RT based on the LT protocol, the RT based on the GLT protocol, and the RT based on the GLLP-type security proofs. The results show that the RT based on the LT protocol outperforms the RT based on the GLT protocol in all parameter regimes investigated. Also, it provides better performance than the RT based on the GLLP-type security proofs in some parameter regimes, especially when the SPFs are high and the other imperfections are small. We believe that the RT is a crucial step towards proving the implementation security of QKD, since it allows us to easily incorporate source side channels without drastically compromising the performance of the scheme.

QKD with correlated sources

As mentioned above, the security analyses introduced in this thesis already take into account many of the most prominent source imperfections simultaneously, namely SPFs, mode dependencies and THAs. The last imperfection that needs to be considered in order to secure the source is setting-dependent classical pulse correlations. They occur when the information encoded in a particular signal depends on the information encoded in the previous signals. This means that if Eve intercepts this particular signal she can learn some secret information about the previous ones. Modelling such an imperfection mathematically was believed to be very hard because one needs to deal with many pulses rather than a single pulse, which increases the complexity of the problem.
For this reason, pulse correlations have often been neglected in security proofs. Only a few works have considered them, and they have analysed very restricted scenarios in which pulse correlations do not leak any secret-key information or only occur between nearest-neighbour pulses. In this thesis, we present a very simple method for including this imperfection in the security proofs of QKD. The key idea is to treat the information encoded in the subsequent pulses as a side channel to the pulse of interest. By doing so, we have shown for the first time that QKD is secure in the presence of arbitrarily long-range pulse correlations. To evaluate how this imperfection affects the secret-key rate we have employed the RT for different correlation magnitudes and different correlation ranges. The results show that as this imperfection increases the secret-key rate drops. In fact, to obtain high performance using the RT, small correlation magnitudes are needed. In this case, the security of the scheme is guaranteed in the presence of long correlation ranges. Importantly, our formalism for pulse correlations is compatible with the security framework developed in this thesis to deal with all the other main source imperfections. Therefore, all source imperfections and hacking attacks against the source by Eve can be incorporated together in the RT, closing all security loopholes on the sending device.

Practical QKD secure against side channels

Despite this effort to secure the source, the implementation security of QKD is still not guaranteed because the imperfections of the measurement devices also need to be considered. However, by bringing together an MDI-type QKD protocol, which eliminates all detector side channels, and the RT, which deals with any source imperfections and hacking attacks against the source, we can finally ensure the security of our practical implementations.
In this thesis, we propose a new MDI-type QKD protocol based on the transmission of coherent light and use the RT to prove its security in the presence of any device imperfection and/or hacking attack by Eve. Unlike DI-QKD, here we need some device characterisation, namely an upper bound on a parameter that describes the quality of the source. The experimental validation and quantification of this parameter is still an important open challenge for experimentalists. Importantly, however, our security proof takes into account information leakage from the users' devices, while DI-QKD does not. Moreover, it is practical with current technology and yet provides much higher secret-key rates than those offered by the most optimistic DI scenarios. In short, this thesis introduces a completely new approach to guaranteeing the implementation security of QKD, which is not only simpler and more practical than previous analyses but also provides higher performance, especially if the imperfections are small.