Attack with Hong–Ou–Mandel interferometer to quantum key distribution

Current Applied Physics 11 (2011) 1006e1009

Contents lists available at ScienceDirect

Current Applied Physics journal homepage: www.elsevier.com/locate/cap

Attack with HongeOueMandel interferometer to quantum key distribution Chil-Min Kim a, *, Yong-Wan Kim b, Young-Jai Park a a b

Department of Physics, Acceleration Research Center for Quantum Chaos Application, Sogang University, Seoul 121-742, Republic of Korea Institute of Mathematical and School of Computer Aided Science, Inje University, Gimhae 621-749, Republic of Korea

a r t i c l e i n f o

a b s t r a c t

Article history: Received 17 September 2010 Received in revised form 30 December 2010 Accepted 12 January 2011 Available online 22 January 2011

We suggest a sophisticated attack protocol, which can be applied to the two-way deterministic quantum key distribution protocol. When more than two photons are used for a qubit, Eve picks out a photon each from the forward and the backward channel and measures whether the states of the two picked-out photons are orthogonal or the same by using the fourth order quantum interference. We describe the attack protocol, which uses an active arrangement of two HongeOueMandel interferometers combined with further quantum nondemolition measurements, beam splitters, and polarization rotator. Crown Copyright Ó 2011 Published by Elsevier B.V. All rights reserved.

Keywords: Quantum communication Quantum key distribution Quantum optics

1. Introduction Since the seminal work of quantum key distribution (QKD) by Bennett and Brassard (BB84) in 1984 [1], quantum cryptography based on quantum mechanics has attracted much attention because QKD is believed to be extremely secure. Among the various QKD protocols, which have been proposed [2e10] and experimentally realized [5,11,12], the BB84 protocol using the polarization of a single-photon has been an object of extensive study. However, since it was difficult to have a reliable single-photon source and single-photons could be easily lost due to imperfect channel efficiency, the BB84 protocol was proven vulnerable to a photon number splitting (PNS) attack [13]. To solve the problem a modified protocol has been continually proposed [14]. Some QKD protocols use multi-channel to ensure security and to increase the number of photons for a qubit. The first protocol of this type is the deterministic two-way communication protocol proposed by Boström and Felbinger [6], whose scheme is as follows: Bob prepares two photons, which are maximally entangled. He keeps one photon (home qubit), and sends the other (travel qubit) to Alice. Alice decides either to perform an operator s z to the travel qubit or to do nothing. Then she sends the travel qubit back to Bob. Bob having both qubits performs Bell measurement. In this protocol, using the “message mode” and the “control mode,” Bob and Alice check Eve’s presence. However, this protocol was proven to be insecure [15,16]. To block the eavesdropping attack to this protocol,

* Corresponding author. Tel.: þ82 2 705 8428; fax: þ82 2 716 5374. E-mail address: [email protected] (C.-M. Kim).

Lucamarini and Mancini proposed a modified two-way deterministic secure communication protocol, which does not use entangled photons (LM05) [7]. Another QKD protocol using multi-channel was proposed by Kye et al [9]. In the protocol, Alice sends two randomly and independently polarized not-so-weak coherent pulses to Bob. Bob rotates the polarization of pulses by another random angle, shuffles them with
p4 or Hp4, and sends back the pulses to Alice. Alice compensates her random angles, encodes a key bit, and sends one randomly chosen pulse to Bob after blocking the other. Then Bob reads the polarization of the return qubit after compensating his random angle. When Alice publicly announces the blocking factor, Bob recovers the key bit. This protocol, though, was proven insecure either against impersonation attack [17]. The LM05 protocol is another QKD protocols using multichannel. The protocol, which is not attacked yet, is experimentally examined in the presence of controlled noise [18]. In this paper, however, we show that the LM05 protocol is not secure against photon number splitting attack. For the attack, we propose a sophisticated attack method based on the fourth order quantum interference [19].

2. LM05 protocol and HongeOueMandel interferometer The LM05 protocol is as follows. (P.1) The user “Bob” prepares a qubit in one of the four states j0i; j1i (eigenstates of the Pauli operator Z), jþi; ji (eigenstates of the Pauli operator X) and sends it to his counterpart “Alice.”

1567-1739/$ e see front matter Crown Copyright Ó 2011 Published by Elsevier B.V. All rights reserved. doi:10.1016/j.cap.2011.01.012

C.-M. Kim et al. / Current Applied Physics 11 (2011) 1006e1009

(P.2) With the probability c, Alice measures the prepared state (control mode) and sends her meaningless qubit to Bob. With the probability 1  c, Alice encodes a key bit to Bob’s qubit (message mode) and sends it back to Bob. (P.3) After receiving the qubit returned from Alice, Bob deterministically decodes Alice’s message by measuring the qubit on the same basis, on which he prepared it. (P.4) After sending all of the key bits, Alice publicly announces which qubit is on the control mode and on which basis she measured the qubit. For the deterministic decode, Alice uses the identity operator I to encode “0” and the operator iY h ZX to encode “1” (or vice versa). Here iY acts as a spin flip on the qubit state such that iYðj0i; j1iÞ ¼ ðj1i; j0iÞ and iYðjþi; jiÞ ¼ ðji; jþiÞ. Hence Bob can deterministically decode Alice’s message by measuring the qubit state in the same basis he prepared it. This protocol is secure against impersonation attack. In impersonation attack Eve impersonates Bob to Alice and Alice to Bob [20]. To impersonate, Eve keeps the qubit from Bob and sends her qubit to Alice. Since Alice measures the qubit state on the control mode with the probability c, Bob can recognize Eve’s presence when Alice publicly announces to Bob which qubit is on the control mode and the qubit state that she measured. Also the protocol is secure against the known PNS or the intercept-and-resend attack as far as Bob uses a limited number of photons as a qubit since Eve can either perfectly discriminate Bob’s qubit state, and Bob nor Alice communicate the qubit basis on the message mode. The security of the LM05 protocol was also examined against the attack using an ancilla in a noisy channel and the loss-based attack as well. However, we show that the LM05 protocol is insecure against the PNS attack [13] using the fourth order quantum interference [19] as far as the number of the photons in a qubit is more than two. The core characteristic of the LM05 protocol is that when the I operator is applied, the forward and the backward photon states are the same, while when iY operator is applied, the two photon states are orthogonal. Because of this characteristic, when Eve picks out a photon each from the forward and the backward channel, Eve can measure whether the two picked-out photon states are the same or orthogonal by using the fourth order quantum interference. The active arrangement to measure whether the two photon states are the same or orthogonal is two HongeOueMandel Interferometers (HOMI) of 50:50 beam splitters combined with further quantum nondemolition measurements, beam splitters, and a polarization rotator. If the polarization states of the two photons are the same, destructive interference occurs in a HOMI due to the fourth order quantum interference as follows:

i  ay1J ay2J j0i1 j0i2 ¼ pffiffiffiðJi3 jJi3 þjJi4 jJi4 Þ; 2

(1)

1007

Hence, in the case that Eve does not know whether the two photon states are parallel or orthogonal, if each photon comes out from each port, Alice’s operator is definitely iY and the probability is 1/4. But if the two photons come out from the same port together, Eve does not know whether they are parallel or orthogonal. 3. Attack protocol to LM05 protocol The essence of the attack protocol using two HOMIs is as follows: The superior Eve replaces the imperfect channels with perfect ones and counts the number of the photons at the output of Bob’s box with quantum nondemolition (QND) measurement [21]. If Eve finds more than two photons, she picks out one photon and forwards the others to Alice. (If Eve finds less than three photons, she throws them away.) When the qubit returns from Alice, Eve picks out one more photon and stores the others photons in a quantum storage. This type of PNS is affordable with a combination of beam splitters and QND measurement as described in Ref [13]. Then, Eve measures Alice’s operator by comparing the states of the two picked-out photons with an active arrangement of two HOMIs combined with further QND measurements, a beam splitter, and a polarization rotator. The schematic diagram of the measurement of Alice’s operator is shown in Fig. 1. As is shown in Fig. 1(a), Eve injects each picked-out photon into each input port of the first HOMI and measures the number of the photons at each output port with QND measurement. If each photon comes out from each output port, Eve records “1” since the states of the two photons are definitely orthogonal (Alice’s operator is iY); otherwise, as is shown in Fig. 1(b), Eve once more compares the states of the two picked-out photons by using the second HOMI and QND measurement. Eve divides the two photons into two single-photons by using an active arrangement of beam splitters combined with further QND measurements as described in Ref. [13]. Eve applies the iY operator to one of the two singlephotons by using a polarization rotator for spin flip. When the states of the two picked-out photons were orthogonal, the states of the two single-photons become the same, while when they were the same, they become orthogonal. Eve injects each single-photon into each input port of the second HOMI, and measures the number of the photons at each output port with QND measurement. If each photon comes out from each output port, Eve records “0”. Otherwise Eve can not know whether the states of the two picked-out photons are the same or orthogonal. Then Eve gets three outcomes “0”, “1” and “don’t know.” When Eve gets “0” or “1” outcome she forwards the other photons stored in the quantum storage to Bob. In the case that Eve gets a “don’t know” outcome, she throws away the other photons stored in the quantum storage to block the transmission of the qubit. Since Eve gets the key bit “1” or “0” with 1/4 probability each, the total probability of getting the key bit is 1/ 2. The attack method is shown in Fig. 2.

where subscripts 1, 2 are the input ports, 3, 4 are the output ports, and j0i is the vacuum state. This means that the two photons always come out together from the same port. On the other hand, if the polarization states of the two photons are orthogonal, no interference occurs in a HOMI as follows:

ay1J a0y j0i1 j0i2 ¼ 2J

     i   i Ji3 J0 i3 þJi3 J0 i4 J0 i3 Ji4 þ 2    iJi J0 i 4

4

ð2Þ

In this case since the two photons are independent of each other, they come out from the same port together or each photon comes out from each port.

Fig. 1. Schematic diagram of an active arrangement of two HOMIs of 50:50 beam splitters for the 4-th order quantum interference combined with further QND measurements, a beam splitter, and a polarization rotator. (a) is the measurement of the orthogonal state and (b) is that of the parallel state. B.S. is the beam splitter, and P.R. is the polarization rotator.

1008

C.-M. Kim et al. / Current Applied Physics 11 (2011) 1006e1009

respectively, and a is the attenuation constant. In a recent commercial fiber, a w 0.046 km1 for 1.55 mm wavelength [22]. When we consider the Possion statistics of the mean photon number that is given by PðnÞ ¼ em mn =n!, where m is the mean photon number, we can obtain the communication efficiency for the fiber length. For the security of the BB84 protocol against the PNS attack, let us assume the total probability for n  2 be less than P 0.0045, that is n ¼ 2 PðnÞ< 0:0045. Then the mean photon number is about m ¼ 0.098. In case of the LM05 protocol, for P n ¼ 3 PðnÞ< 0:0045, the mean photon number should be m ¼ 0.325. Then we can compare the communication efficiency from the condition l<  1alnðmm1 Þ, where m1 and m2 are the mean photon 2

number of the BB84 and the LM05 protocol, respectively. When the fiber length is less than w26 km, the LM05 protocol is more efficient than the BB84. But for l > 26 km, the BB84 protocol is more efficient than LM05 protocol. Fig. 2. Schematic diagram of a PNS attack with an active arrangement of HOMIs combined with further QND measurements and the beam splitters to the LM05 protocol.

3.1. Attack protocol The detailed attack protocol is as follows: (A.1) Eve replaces the imperfect channels with perfect ones and waits until Bob sends a qubit to Alice. (A.2) Eve counts the number of the photons at the output of Bob’s box with QND measurement. If Eve finds more than two photons, she picks out one photon and forwards the others. If Eve finds less than three photons, she throws them away to block the qubit. (A.3) Eve counts the number of the returning photons from Alice’s box with QND measurement. If Eve finds more than one photon, she picks out one more photon and stores the other photon(s) in a quantum storage. If Eve finds one photon, she throws it away to block the qubit. (A.4) Eve measures whether the two picked-out photons are parallel or orthogonal by using the active arrangement of two HOMIs combined with further QND measurements, a beam splitters, and a polarization rotator. Eve injects each photon into each input port of the first HOMI. When each photon comes out from each output port, Eve records “1”. Otherwise, Eve divides two photons coming out from the same port into two single-photons and applies the iY operator to one of the two single-photons. Eve again injects each photon into each input port of the second HOMI. When each photon comes out from each output port, Eve records “0”. (A.5) If Eve gets “0” or “1”, she forwards the other photons stored in a quantum storage to Bob; otherwise she throws them away to block the transmission of the qubit. (A.6) After the quantum communication between Bob and Alice, when Alice announces the control mode, Eve removes the key bit of the control mode. In this attack protocol, when Eve repeats the protocol form (A.4) to (A.5) n-times with n active arrangements for the “don’t know” outcome, she can obtain the key bit with the probability of 1  (1/ 2)n. Then the LM05 protocol is not secure unless the protocol uses less than three photons for a qubit. When the protocol uses less than three photons, the protocol is less efficient than the BB84 protocol in the long distance communication. The transmission efficiency of a fiber is given by that no ¼ ni exp(al), where no and ni are the number of input and output photons for the fiber length l,

4. Conclusion In conclusion, we have proposed a sophisticated attack protocol based on the fourth order quantum interference, that is, when the polarization of two photons is the same, they always come out together from the same port due to quantum interference. On the other hand, if the polarization states of the two photons are orthogonal, no interference occurs in a HOMI. Hence by using the PNS attack, if we can pick out single-photon at each channel, we can measure the Bob’s key bit by using an active arrangement of two HongeOueMandel interferometers combined with further QND measurements, a beam splitter, and a polarization rotator. This attack protocol is a new type of the PNS attack, which can be applicable to the QKD protocols using multi-channels. The attack protocol is examined in the LM05 protocol, and we have shown that the LM05 is vulnerable to the attack protocol using an active arrangement of two HongeOueMandel interferometers combined with further QND measurements, a beam splitter, and a polarization rotator. Therefore, in the development of QKD using multi-channel, this attack protocol should be seriously considered. Acknowledgment This work was supported by the Acceleration Research (Center for Quantum Chaos Application) MEST/KOSEF. References [1] C.H. Bennett, G. Brassard, Quantum cryptography: public key distribution and coin tossing Proceedings IEEE International Conference on Computers, in: Systems and Signal Processing. IEEE, Bangalore, India, 1984, pp. 175e179 New York. [2] A.K. Ekert, Quantum cryptography based on Bell’s theorem, Phys. Rev. Lett. 67 (1991) 661. [3] C.H. Bennett, Quantum cryptography using any two nonorthogonal states, Phys. Rev. Lett. 68 (1992) 3121. [4] M. Curty, M. Lewenstein, N. Lútkenhaus, Entanglement as a precondition for secure quantum key distribution, Phys. Rev. Lett. 92 (2004) 217903. [5] F. Grosshans, G. Van Assche, J. Wenger, R. Brouri, N.J. Cerf, P. Grangier, Quantum key distribution using Gaussian-modulated coherent states, Nature 421 (2003) 238 (London). [6] K. Boström, T. Felbinger, Deterministic secure direct communication using entanglement, Phys. Rev. Lett. 89 (2002) 187902. [7] M. Lucamarini, S. Mancini, Secure deterministic communication without entanglement, Phys. Rev. Lett. 94 (2005) 140501. [8] F.G. Deng, G.L. Long, Secure direct communication with a quantum one-time pad, Phys. Rev. A 69 (2004) 052319. [9] W.H. Kye, C.M. Kim, M.S. Kim, Y.J. Park, Quantum key distribution with blind polarization bases, Phys. Rev. Lett. 95 (2005) 040501. [10] C.M. Kim, Y.W. Kim, Y.J. Park, Secure quantum key distribution with a single not-so-weak coherent pulse, Opt. Lett. 32 (2007) 888.

C.-M. Kim et al. / Current Applied Physics 11 (2011) 1006e1009 [11] C. Kurtsiefer, P. Zarda, M. Halder, H. Weinfurter, P.M. Gorman, P.R. Tapster, J.G. Rarity, Quantum cryptography: a step towards global key distribution, Nature 419 (2002) 450 (London). [12] E. Waks, K. Inoue, C. Santori, D. Fattal, J. Vuckovic, G.S. Solomon, Y. Yamamoto, Secure communication: quantum cryptography with a photon turnstile, Nature 420 (2002) 762 (London). [13] G. Brassard, N. Lutkenhaus, T. Mor, B.C. Sanders, Limitations on practical quantum cryptography, Phys. Rev. Lett. 85 (2000) 1330. [14] W.Y. Hwang, Quantum key distribution with high loss: toward global secure communication, Phys. Rev. Lett. 91 (2003) 057901. [15] A. Wójcik, Eavesdropping on the “ping-pong” quantum communication protocol, Phys. Rev. Lett. 90 (2003) 157901. [16] Q. Cai, The “ping-pong” protocol can be attacked without eavesdropping, Phys. Rev. Lett. 91 (2003) 109801.

1009

[17] Q. Zhang, X.B. Wang, Y.A. Chen, W.Y. Hwang, T. Yang, J.W. Pan, Comment on quantum key distribution with blind polarization bases, Phys. Rev. Lett. 91 (2003) 057901. [18] A. Ceré, M. Lucamarini, G.D. Giuseppe, P. Tombesi, Experimental test of twoway quantum key distribution in the presence of controlled noise, Phys. Rev. Lett. 96 (2006) 200501. [19] C.K. Hong, Z.Y. Ou, L. Mandel, Measurement of subpicosecond time intervals between two photons by interference, Phys. Rev. Lett. 59 (1987) 2044. [20] M. Dusek, O. Haderka, M. Hendrych, R. Myska, Quantum identification system, Phys. Rev. A 60 (1999) 149. [21] M. Brune, S. Haroche, V. Lefevre, J.M. Raimond, N. Zagury, Quantum nondemolition measurement of a small photon numbers by Rydberg-atom phasesensitive detection, Phys. Rev. Lett. 65 (1990) 976. [22] G.P. Agrawal, Fiber-optic Communication Systems, second ed. John Wiley & Sons, Inc., New York, 1997.