Physicists in the UK have shown how to defend a quantum cryptographic system against Trojan-horse attacks. By targeting the physical hardware used to encode quantum keys, such an attack can bypass the quantum-measurement-based security of the key itself. But the new research shows how three simple optical components can reduce the information obtained in this way to essentially zero.

Quantum key distribution (QKD) involves two parties – a sender, usually known as Alice, and a receiver, called Bob – sharing a secret key to encrypt and decrypt messages. The key is encoded using a string of quantum particles, such as photons, which makes the system immune to attacks by an eavesdropper called Eve. Any attempt by Eve to measure the state of the photons when they are travelling between Alice and Bob will cause a detectable change in those states, thereby revealing Eve’s attempt.

Bright lights

While an ideal QKD system is impenetrable, in practice, Eve can exploit imperfections in the devices used to create, send and receive the key. A Trojan-horse attack involves Eve shining a bright light at either Alice or Bob’s encoder and then measuring the reflection to obtain information about how the photon string has been encoded. In this way, she doesn’t intercept the quantum information itself, and so can remain in the shadows.

In the latest work, Andrew Shields and colleagues at Toshiba’s Cambridge Research Laboratory consider such an attack on a quantum-key distribution system that encodes the key using photons’ phase. Alice uses a phase shifter in one arm of an interferometer to slightly delay a photon pulse travelling through that arm, compared with a pulse travelling through the other, and then sends the resulting pairs of pulses along an optical fibre to Bob, who himself has an interferometer with two output ports. Encryption relies on being able to accurately distinguish a phase shift of 0° from 180° or else 90° from 270°, but not both at the same time.

In this case, Eve’s attack involves shining her light at the phase shifter and then measuring the light that reflects back through the optical fibre. As Shields points out, one way to combat this is to install “active devices” in the system, such as a detector that signals Eve’s presence by registering bright light. However, he says, there is always the chance that Eve could interfere with the detector.

Passive defence

Shields and co-workers instead consider “passive devices”. The idea here is to reduce the intensity of the reflected light to the point where it contains too few photons to convey any useful information – by limiting both the amount of light reaching the phase shifter and the fraction of that light then reflected back. Their scheme involves passing the optical fibre through three kinds of device at the exit of Alice’s transmitter: an attenuator, which reduces each pulse to a single photon; an isolator, which allows only the passage of out-going light; and a filter, which transmits only light with the wavelength of the quantum channel.

To test the efficacy of its scheme, the team calculated whether the addition of the three components is enough to prevent a Trojan-horse attack on existing QKD systems, given that no device in practice ever works perfectly. To do so, the researchers assumed that Eve cannot use light with an intensity greater than that which would burn the fibre, and they also measured the reflectivity of the phase shifter and other components in a real QKD transmitter. “We need to [calculate] the maximum information that Eve can gain from making her measurement,” says Shields. “That is a worst-case scenario. It assumes that she can gain useful information from every photon she measures, but that may be difficult in practice.”

They find that many existing QKD systems operating at very close to their normal bit rate can be protected from Trojan-horse attacks as long as enough isolators are placed in the path of the optical fibre. They say that privacy amplification, which further reduces the amount of information available to Eve simply by shortening the key, only needs to be used when Alice and Bob communicate over significant distances.

Easy to implement

According to Shields, the scheme is easy to put into practice because the necessary attenuators, isolators and filters are all quite cheap and can be bought off the shelf. It will be used in QKD prototypes being developed by Toshiba, he says, but could be incorporated into other existing commercial products.

Vadim Makarov, a “quantum-hacking” expert at the University of Waterloo in Canada, praises the latest research, saying that he is giving the paper describing the work to his students “as an example of how to isolate and treat a security loophole”. But he points out that the Toshiba scheme cannot be used to defend every type of QKD system. Its reliance on isolators, he notes, makes it useless in the case that Alice encodes a beam that has first been sent to her by Bob.

Makarov is also confident that new forms of attack will continue to emerge. “Given that the technology gets updated all of the time to improve performance and offer new functionality,” he says, “its security is not a final state but a continuous process.”

The research is reported in Physical Review X.

• Two team members (Shields and Zhiliang Yuan) have written a feature article for Physics World about quantum cryptography: “Key to the quantum industry“.