Table Of ContentExperimental implementation of non-Gaussian attacks
on a continuous-variable quantum key distribution system
J´erˆome Lodewyck,1,2 Thierry Debuisschert,1 Rau´l Garc´ıa-Patro´n,3
Rosa Tualle-Brouri,2 Nicolas J. Cerf,3 and Philippe Grangier2
1Thales Research and Technologies, RD 128, 91767 Palaiseau Cedex, France
2Laboratoire Charles Fabry de l’Institut d’Optique, CNRS UMR 8501,
Campus Universitaire, bˆat 503, 91403 Orsay Cedex, France
3QuIC, E´cole Polytechnique, CP 165, Universit´e Libre de Bruxelles, 1050 Bruxelles, Belgium
Anintercept-resendattackonacontinuous-variablequantumkeydistributionprotocolisinvesti-
gated experimentally. By varying the interception fraction, one can implement a family of attacks
wheretheeavesdroppertotallycontrolsthechannelparameters. Ingeneral,suchattacksaddexcess
7 noise in the channel, and may also result in non-Gaussian output distributions. We implement
0 andcharacterizethemeasurementsneededtodetecttheseattacks,andevaluateexperimentallythe
0 information ratesavailable tothelegitimate usersandtheeavesdropper. Theresults areconsistent
2 with theoptimality of Gaussian attacks resulting from thesecurity proofs.
n
PACSnumbers: 03.67.Dd,42.50.Lc,42.81.-i,03.65.Ud
a
J
1
Quantum key distribution (QKD) enables two distant tions. The experiment confirms and emphasizes that it
3
parties – Alice and Bob – linked by a quantum channel is crucial to properly evaluate the channel excess noise
1 and an authenticated classical channel to share a com- in order to warrantthe security of the present CV-QKD
v mon secret key that is unknown to a potential eaves- protocol [4, 5, 6]. In addition, we explicitly measure the
8 dropper Eve. For this purpose, Alice and Bob have to informationgainedby Evefor a wide rangeof partialIR
3
agree on a proper set of non-commuting quantum vari- attacks,andcheckthatitneverexceedstheboundbased
2
ables, as well as a proper encoding of the key into these on Gaussian attacks (with excess noise). This is in full
1
0 variables. Common QKD setups use so-called discrete agreement with the security proof given in [7].
7 variables (e.g. the polarization of a photon), thereby re- OurCV-QKDprotocolisbasedoncoherentstatesand
0 quiring single-photon sources or detectors [1]. reversereconciliation,asdescribedin[4]. AlicesendsBob
/
h In this Letter, we shall rather follow an alternative a train of coherent states x+ip where the quadratures
| i
p procedure,pioneeredin[2,3],whichconsistsinencoding (x,p)arerandomlychosenfromabivariateGaussiandis-
-
the key into continuous variables (CV). Specifically, we tribution with variance V . Bob randomly measures ei-
t A
n useaCVQKDprotocolwithcoherentstatesintoroduced ther x or p, and publicly announces his choice. A binary
a
in[4]. Theactionofapossibleeavesdropperthenappears secret key is then extracted from the correlatedcontinu-
u
q as added noise on the observed continuous data. More ous data by using a sliced reconciliationalgorithm[8, 9].
: precisely, line losses correspond to a restricted class of This protocolis wellsuited for practicalQKDbecause it
v
attacks, often called beam-splitting attacks, which only only requires conventional fast telecommunication com-
i
X add Gaussian “vacuum” noise. Other attacks typically ponents, such as InGaAs photodiodes or electro-optics
r addmorenoise,called“excessnoise”,whichmaybenon- modulators. A full QKD setup with a typical repeti-
a
Gaussian. It is generally crucial to show that Alice and tionrate of1 MHz canbe assembledwith off-the-shelves
Bobcanmeasurethesenoiseswiththerequiredaccuracy components [10]. The security of the protocol is proven
in order to ensure the security of CV-QKD. againstawiderangeofattacks,namelyGaussianindivid-
Inorderto analysethese noises,wehaveexplicitlyim- ual attacks [4], finite-size non-Gaussian attacks [7], and
plementedseveralnon-trivialactionsoftheeavesdropper Gaussian collective attacks [11, 12]. It will be sufficient
Eve,whicharesimplebutgeneralenoughtoincludeboth for our needs here to focus on the proof of [7], which
Gaussian and non-Gaussian features. These attacks are providesasimple analyticalexpressionfor the secretkey
implemented optically as partial intercept-resend (IR) rates against non-Gaussian attacks.
operations, in which the signal beam is either measured General framework. The processing of a coherent
andsubsequentlyre-prepared,oriseavesdroppedusinga state via a Gaussian quantum channel can be described
beam splitter (BS). These attacks enable Eve to control as follows. Its amplitude is multiplied by √T, where
independently the twomainchannelparameters,namely T 1 is the channel transmission, while its noise vari-
≤
the loss (BS part) and excess noise (IR part), simply ance is increased to (1 + Tǫ)N at the output, where
0
byadjustingthe interceptedfraction. Theyaretherefore N stands for the shot-noise level and ǫ is the so-called
0
muchmorepowerfulthanasimpleBSattackcorrespond- excess noise (referred to the input). Assuming that the
ing to a pure line loss. We examine in detail how well limited efficiencyη <1 ofthe homodyne detector deteri-
Alice and Bob can detect them in real operating condi- orates Bob’s reception but does not contribute to Eve’s
2
information (so-called “realistic mode” in [4, 10]), the
P Source Phase
information rates can be written as RNG
Q
1 ηTVA+1+ηTǫ Source X RNG θ
I = log (1)
AB 2 2 1+ηTǫ Alice Eve Bob
1 ηTV +1+ηTǫ
A
I = log . (2)
BE 2 2 η/ 1 T +Tǫ+ T +1 η FIG. 1: Intercept-resend attack. Alice prepares a random
h − VA+1i − coherent state, and Bob chooses a random quadrature mea-
surement with a random number generator (RNG). In be-
In reverse reconciliation [4], the secret key rate is given tween,Evemakesanheterodynemeasurementofeachincom-
by K = β I I , where β is the efficiency of the ingquantumstate, and displaces anothergenerated coherent
AB BE
− state according to hermeasurement result.
reconciliationalgorithmwith respectto Shannon’s limit.
Allthe quantitiesappearinginthese formulasareknown
or can be measuredby Alice and Bob. In practice, Alice
andBobmustcarefullyevaluateT andǫinordertoinfer Alice Amplitude Phase
Signal modulator modulator
the optimal attack Eve can perform, and therefore to
uonvpoeNnpr-eoGrana-brGuaosnausduniaosdnsmiIaaBnstEutbaa.cstTtkeat,hcoinksfsa.itmshedeLloyrenataewubpsdyaacrsttoatinaa[stl1iids0itn]ei.trcearalceeppvaatr-lturieacsuteilnoandr BolDabsFeHBromodAmymnoedpulilt−autdoer Co9u9p/1ler LO Phase (channel)Attenuation
detector
(IR) attack: Eve detects and resends a fraction µ of the Attenuator 50/50 modulator
coupler
pulses,whilesheperformsastandardbeam-splitter(BS)
attack on the remaining fraction (1 µ). For the IR FIG. 2: Experimental setup. Alice generates modulated sig-
−
step, Eve performs a simultaneous measurement of both nalpulses. Bobmeasuresarandomquadraturewithapulsed,
quadratures (Fig. 1), and resends a coherent state dis- shot noise limited homodyne detector.
placed according to her measurement results. For the
BS step, Eve is assumed to keep the tapped signal in
a quantum memory and to measure it only after Bob
domlychosenfromatwo-dimensionalGaussiandistribu-
has revealed his measurement basis. For given chan-
tionwithvariancesV =36.6N . Thepulsewidthis100
nel parameters (T,ǫ), the optimal attack is known to be A 0
ns. The signal is sent to Bob along with a strong phase
Gaussian [7]. It can be achieved using an “entangling
reference–orlocaloscillator(LO),with109 photonsper
cloner”[5], whichsimply reducesto a BSattack ifǫ=0.
pulse. Bob selects an arbitrary measurement phase with
If ǫ = 0, the partial IR attack that we consider here is
6 a phase modulator placed on the LO path. The selected
not optimal, although it has several advantages for our
quadrature is measured with an all-fiber shot noise lim-
demonstration purposes. First, it gives Eve a very sim-
ited, time-resolved homodyne detector. A key transmis-
ple way to exploit the excess noise of the line in order to
sion is composed of independent blocks of 50000 pulses,
gain more information; second, it provides the opportu-
sentatarateof500kHz,amongwhich10000testpulses
nity to check explicitly the bound on Eve’s information
with agreed amplitude and phase are used to synchro-
for non-Gaussian attacks, deduced from Alice and Bob’s
nize Alice and Bob and to determine the relative phase
noise variance measurements as established in [7].
between the signal and LO (see [10] for more details).
Letusemphasize thatfor afullIRattack(µ=1),one
Knowingthisrelativephase,Bobisabletochooseanab-
hasǫ=2. Thiscorrespondstothe“entanglementbreak-
solute phase measurement, for example one of the field
ing”limitinourprotocol[5,13],attheedgebetweenthe
quadratures x and p, with a software control loop.
classical and quantum regimes. No entanglement can be
transmittedthroughthequantumchannel,andtherefore PracticalQKDrequiresthatonlyapartofthedataset
no secret key can be extracted. For a lossy channel, this is revealed for channel parameters evaluation. This fi-
added noise gets attenuated, so the entanglement break- nite set size introduces statistical fluctuations that can
ing limit may become difficult for Bob to detect. Thus, alter the excess noise estimate. Therefore, security mar-
asanotherchallengetoourexperimentalimplementation, gins have to be considered when computing information
it is interesting to check whether Bob can detect this IR rates. In all the experimental curves shown below, the
attack and properly reject the transmitted key. number of sampling points for channel characterization
Experimental setup. We have realized the IR attack has arbitrarily been chosen to be 5000 (i.e. 13% of the
using the device described Fig. 2. It is a coherent-state 40000available pulses)for illustrationpurpose,and may
QKD setup, working at 1550 nm and exclusively assem- be optimized for each value of the channel transmission.
bled with fiber optics and fast telecom components. It Implementation of full IR attacks. To implement an
displaces a train of pulsed coherent states within the IR attack as in Fig. 1, one would need three homodyne
complexplane,witharbitraryamplitudeandphase,ran- detectors and two modulation setups. To avoidunneces-
3
6 ut 2.5
χ p Theoretical excess noise
nput 5 χ0ε he in 2 Experimental excess noise
e i o ts)
Noise referred to th (SNL units) 1234 ess noise referred tε ( in SNL unit 01 ..155
c
0 x 0
E
0 0.2 0.4 0.6 0.8 1 0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1
Channel transmission (T) Fraction of IR pulses (µ)
FIG. 3: Variance of the noise measured by Bob that is pro- FIG. 4: Variance of the excess noise in a partial IR attack.
duced by a full IR attack (µ = 1). We define the total Each point results from an average of the measured excess
added noise (referred to the input) as χ = χ0 + ǫ, with noisefor differentchanneltransmissions (seethe ǫvs. T plot
χ0 =1/(ηT)−1denotingtheloss-inducedvacuumnoise and of Fig. 3). The solid line plots the expected excess noise due
ǫdenotingtheexcessnoise. Thetotaladdednoiseχ(stars)is toanIRattackonafractionµofthepulses. Duetotechnical
measured experimentally, while χ0 (crosses) is deduced from noise,theexperimentaldataareabovethisline,typicallyless
themeasuredtransmission (T)andfromBob’shomodyneef- than 0.1N0 (dashed line).
ficiency(η=0.6). Thenǫ(plus)isobtainedfromtheirdiffer-
ence. The uncertainties margins on ǫ represent the standard
deviation of statistical fluctuations when computing over a
finitedata subset (5000 points out of 40000). Implementation of partial IR attacks. Because the
full IR attack reaches the entanglement breaking limit,
it is not the best for Eve to tap information from the
quantum channel. As explained previously, a more sub-
sary hardware duplication, this attack has been split in
tlewayforEvetointeractistointerceptandresendonly
three phases,with the role of Eve being playedeither by
a fraction µ of the pulses, and to implement a BS attack
Alice or by Bob. First, Alice sends coherent states, and
ontherestofthepulses. Inthiscase,Evecanchoosethe
BobsimulatesEvemeasuringthexquadratureofthein-
amountofnoise she wantsto introduce independently of
comingstates. Then,thesameoperationisrepeatedwith
thechanneltransmission. Thisallowsacompletechannel
apmeasurement. TotakeintoaccountEve’sbeamsplit-
parametercontrol, which is not achievable with a simple
tershowninFig.1,the variancemeasuredbyEve(actu-
BSattack(ǫ=0)norwithanIRattackwheretheadded
ally Bob) is adjusted to be exactly half of Alice’s output
noise is fixed for a given channel transmission.
modulation. This calibration also virtually includes the
losseswithinthehomodynedetectorintothe beamsplit- Animportantpointisthattheprobabilitydistribution
ter, thus simulating a perfect heterodyne measurement. ofBob’smeasurementsbecomestheweightedsumoftwo
Both x and p measurement outputs are then communi- Gaussian distributions with different variances, namely
cated to Alice through a classical channel so that she TVA + N0 for the transmitted data (BS) and T(VA +
can simulate Eve resending coherent states that are dis- 2N0)+N0 for the resent data (IR), so the attack is not
placed accordingly. After this sequence, the correlations Gaussianany more. Figure 4 showsthe measuredexcess
between Alice and Bob are measured in order to deter- noise for different interception fractions µ. Ideally, it is
mine the channel parameters. Since Alice and Eve drop given by the weighted sum of the excess noises in the IR
the quadrature not measured by Bob, our two-step im- and BS cases, i.e., ǫTOT = µ ǫIR +(1 µ) ǫBS = 2µ.
−
plementation of the interception is legitimate. In our experiment, we have to add the technical noise of
The excess noise referred to the channel input is mea- variance ǫT =0.1N0, which leads to ǫTOT =2µ+ǫT, in
sured by Bob for different channel transmissions, se- good agreement with the experimental data.
lected with an amplitude modulator. For a full IR at- For such an attack, the achievable secret key rate is
tack (µ = 1), the excess noise is measured to be about lower bounded by the information rate for an equiva-
0.1N above the expected 2N entanglement breaking lent Gaussian attack characterized by the same variance
0 0
bound (Fig. 3). This is due to the various technical andconditionalvarianceofthedatadistribution[7]. The
noisesencounteredthroughouttheIRprocess,whichcan GaussianmutualinformationrateIg betweenAliceand
AB
beindependentlydeterminedfromtheexperimentaldata Bobcanbederivedfromthenoisevariancemeasurements
(mostlylaserphasenoiseandmodulationimperfections). withaGaussianchannelmodelcharacterizedbythesame
Since this technical noise is quite small, we also con- correlations. This can be compared with the actual mu-
clude that the imperfections related to the method used tual information rate Ing computed from the measured
AB
to “simulate” Eve are negligible. data distribution in presence of the partial IR attack.
Theoretical excess noise referred to the input 4
0 0.4 0.8 1.2 1.6 2
2.5 T = 0.9 evenifEvedoesnotimplementthe strongestattack. On
I
AB I
2 BE Fig.5onecanactuallyreadthetolerableexcessnoisefor
agivenchanneltransmissionT,atthe crossingpointbe-
1.5
tween I and I , confirming that Alice and Bob are
AB BE
se) 1 on the “safe side” when using the Gaussian bound [7].
ul 1.5
s/p T = 0.25 In conclusion, we have implemented a family of quan-
n rate (bit 11..34 IAB IBE twmuhomircehagatetlalnocewkrasE,lvtnehaatmoneelsyximpplpoailrtetti“ahbleeieanxmtcee-rsscpselpnittot-iirnseegseanantddtaaacrtketsa”tchkuasss,
o
ati 1.2 considered so far. Our experiment confirms that such
m attacks can be successfully detected and eliminated by
or
nf 0.9 T = 0.1 accuratelymonitoringthevariancesofall(“vacuum”and
I
“excess”) noises of the channel. Therefore, the present
IAB IBE “real-case study” provides both a test and an illustra-
0.8 tion of the workingprinciples of experimental CV-QKD.
It is also particularly important in view of the recent
0 0.2 0.4 0.6 0.8 1 proof[14,15]thattheoptimalcollectiveattackforagiven
Fraction of IR pulses noisevarianceis Gaussian,just asfor individualattacks.
Considering that our family of attacks spans all possible
FIG. 5: Mutual information rates for a non-Gaussian partial
relevanttransmissionsandnoisevariancesofthechannel,
IR attack, for T = 0.1, 0.25 and 0.9, with VA = 36.6N0,
thesecurityofourGaussian-modulatedprotocolremains
η = 0.6 and a technical excess noise of 0.1N0. The mutual
information IBE is plotted for a Gaussian model with equiv- warrantedunder very general conditions.
alent excess noise (solid lines), as well as for a BS attack We acknowledge financial support from the EU under
(dotted lines), and for a partial IR attack (dashed lines). It projects COVAQIAL (FP6-511004)and SECOQC (IST-
is compared with the Gaussian mutual information IAB. As 2002-506813),andfromtheIUAPprogrammeoftheBel-
expected, the IR attack enables to exploit the excess noise,
giangovernmentundergrantV-18. R.G-P.acknowledges
giving Eve extra information above the BS attack. We show
statisticalfluctuations(±1standarddeviation)corresponding support from the Belgian foundation FRIA.
to a data subset of 5000 points perblock, as on Fig. 3.
We find that the Gaussian mutual information Ig is [1] Nicolas Gisin, Gr´egoire Ribordy, Wolfgang Tittel, and
AB
lower than the actual mutual information Ing , with a HugoZbinden.Quantumcryptography.Rev.Mod.Phys.,
AB
very small gap between them ( 0.8% for modulation of 74:145–195, 2002.
≤ [2] Mark Hillery. Quantum cryptography with squeezed
V =36.6N )foranyT andǫ. Therefore,onlythecurve
IgA (noted I0 ) has been represented on Fig. 5. states. Phys. Rev. A, 61:022309, 2000.
AB AB [3] T.C.Ralph.Continuousvariablequantumcryptography.
On Eve’s side, Fig. 5 compares I with three pos-
AB Phys. Rev. A, 61:010303, 2000.
sible values of IBE. The dotted line (IBBES) is obtained [4] Fr´ed´eric Grosshans, Gilles Van Assche, J´erˆome Wenger,
from a BS attack for the given transmission. With this RosaBrouri,NicolasCerf,andPhilippeGrangier. Quan-
attack, Eve only makes use of the channel losses, as if tum keydistribution usinggaussian-modulated coherent
she was not able to exploit the excess noise. The dashed states. Nature, 421:238–241, 2003.
line (Ipartial IR) is obtained when, in addition to the BS [5] Fr´ed´eric Grosshans, Nicolas J. Cerf, J´erˆome Wenger,
BE Rosa Tualle-Brouri, and Philippe Grangier. Virtual
attack, Eve exploits the excess noise for implementing a
entanglement and reconciliation protocols for quantum
partial IR attack. This information therefore reads
cryptography with continuous variable. Quantum Infor-
mationandComputation,3:535–552,2003,SpecialIssue.
Ipartial IR =µIIR +(1 µ)IBS, (3)
BE BE − BE [6] RyoNamikiandTakuyaHirano. Securityofcontinuous-
variable quantum cryptography using coherent states:
The experimental points shown over the dashed line are
Decline of postselection advantage. Phys. Rev. A,
obtainedfromthis formula,usingthe measuredinforma- 72:024301, 2005.
tionacquiredbyEvefromtheIRpartofthe attackIIR, [7] Fr´ed´eric Grosshans and Nicolas J. Cerf. Continuous-
BE
and the evaluated information from the BS attack (dot- variable quantum cryptography is secure against non-
ted line). The solid line (Ig ) is the optimal Gaussian gaussian attacks. Phys. Rev. Lett., 92:047905, 2004.
BE
[8] Gilles Van Assche, Jean Cardinal, and Nicolas J. Cerf.
attackwhereEveexploitstheexcessnoiseforimplement-
Reconciliation of a quantum-distributed gaussian key.
inganentanglingclonerattack. Theexperimentalpoints
IEEE Trans. Inform. Theory, 50(2):394–400, 2004.
shownoverthissolidlinearetheboundsonI deduced
BE [9] Matthieu Bloch, Andrew Thangaraj, and Steven W.
from the measured line parameters, according to eq. 2. McLaughlin. Efficient reconciliation of correlated con-
These curves show the crucial role of the excess noise, tinuous random variables using ldpccodes. 2005.
5
[10] J´erˆome Lodewyck, Thierry Debuisschert, Rosa Tualle- Lu¨tkenhaus. Entanglement verification for quantum-
Brouri, and Philippe Grangier. Controlling excess noise key-distribution systems with an underlying bipartite
infiber-opticscontinuous-variablequantumkeydistribu- qubit-modestructure. Phys. Rev. A,73:012341, 2006.
tion. Phys. Rev. A, 72:050303(R), 2005. [14] R.Garcia-PatronandN.J.Cerf. Unconditionaloptimal-
[11] Fr´ed´ericGrosshans. Collectiveattacksandunconditional ity of gaussian attacks against continuous-variable qkd.
securityincontinuousvariablequantumkeydistribution. Phys. Rev. Lett., 97:190503, 2006.
Phys. Rev. Lett., 94:020504, 2005. [15] M. Navascues, F. Grosshans, and A Ac´ın. Optimality of
[12] Miguel Navascu´es and Antonio Ac´ın. Security bounds gaussian attacks in continuous variable quantum cryp-
forcontinuousvariablesquantumkeydistribution. Phys. tography. Phys. Rev. Lett., 97:190502, 2006.
Rev. Lett., 94:020505, 2005.
[13] Johannes Rigas, Otfried Gu¨hne, and Norbert
