Breaking a quantum key distribution system through a timing side channel

The security of quantum key distribution relies on the validity of quantum mechanics as a description of nature and on the non-existence of leaky degrees of freedom in the practical implementations. We experimentally demonstrate how, in some implementations, timing information revealed during public discussion between the communicating parties can be used by an eavesdropper to undetectably access a significant portion of the ``secret'' key.


Introduction
Theoretical proofs of the security of quantum key distribution (QKD), are a well developed subfield in quantum communication research (see [1]), both in highly idealized [2,3] and more realistic scenarios [4]. By construction, these proofs assume that the legitimate parties measurement results are isolated from the environment and thus from an eavesdropper. Comparatively little work has been done studying the possible physical side channels associated with particularities of the physical devices used [5,6] or possible attacks based on the external manipulation of the expected response of the apparatus [7,8,9,10].
All photon-counting implementations of QKD identify a signal photon from background by measurement of the arrival time at detectors. In an ideal scenario, there can be no correlation between the measurement outcome on the quantum variable (e.g. polarization in the original BB84 proposal), and this publicly exchanged timing information. However, in a recent entanglement based QKD implementation, a pulsed down-conversion source provided photon pairs with a well-defined timing signature [11]. For photon identification, timing information was recorded with a high resolution and communicated to the other side (similar scheme as in [5,12,13,14]). We show that there may be an exploitable correlation between the exchanged timing information and the measurement results in the quantum channel.

Time response analysis
A configuration implementing the detection scheme just described is shown in Fig. 1. An incoming photon is randomly directed by a beam splitter towards two possible polarizing beam splitters each of which performs a measurement in one basis (H/V or 45 • / − 45 • ). Finally, there are four possible outcomes of the measurement (two bits of information) of which one bit will be made public. The remaining bit is the raw material for generating the secret key and must be kept secret. Although the optical distance from the entrance of the module to the four detectors differs by less than 1 mm, there is a measurable difference in the timing of the electronic signal from the different possibilities. In order to determine the timing differences between the four single photon detectors, we used an attenuated fraction of a pulse train emitted by a Ti:Sapphire femtosecond laser as a light source (see Fig. 2). Single photon detectors consisted of Silicon Avalanche Photodiodes (type C30902S, Perkin-Elmer), operated in a passively quenched configuration. The breakdown of the avalanche region was converted into a digital pulse signal by a high speed comparator, registering a voltage drop over the measurement resistor R M = 100 Ω of 150 mV, which has to be compared to a maximal voltage drop across R M of about 700 mV. The distribution of peak amplitudes for the breakdown signal exhibits a spread below 10% for photodetector event rates of 5000-6000 s −1 , and the pulse duration before the comparator is on the order of 2 ns.
We obtained the timing distribution with an oscilloscope sampling at 20 GS/s, by interpolating the time when the comparator output passed through the 50% value between the two logical levels. Time reference is a trigger signal supplied by a MSM Schottky reference photodiode (G7096-03, Hamamatsu) looking at another fraction of the optical pulse train. The timing jitter of 10 ps (FWHM) we observe between consecutive pulses from the mode-locked laser gives an A beam splitter (BS), polarizing beam splitters (PBS) and a half wave plate (λ /2), divert incoming photons onto a set of detectors, which generate a macroscopic timing signal. This timing information and e.g. a projection basis is revealed publicly, while information on which detector out of two absorbed a photon is the secret used to subsequently generate a key. upper bound for the total timing uncertainty. The resulting timing histograms of the different detectors (Fig. 3) show a clearly different centroid location with respect to the trigger pulse. We model the observed distribution with a convolution product of an exponential decay and a Gaussian distribution, The fit values for the temporal offset t 0 and the exponential and Gaussian decay constants τ e , τ G for the four detectors i = 1, 2, 3, 4 are summarized in table 1. While the difference between τ e and τ G differ maximally by 38 ps and 20 ps, respectively, the time offsets t 0 can differ up to 240 ps between detectors 2 and 4. The physical origin of this difference could be attributed to differences in the electrical delays for the different detectors on the order of a few cm on the circuit board layouts, and to different absolute pulse heights of the detected breakdown currents due to different parasitic capacities for the different diodes.

Information extraction
An eavesdropper can exploit these differences in the detector responses d i , and obtain information on the secret key by listening in the publicly communicated detection times. The knowledge in principle attainable by the eavesdropper is quantified by the mutual information I(X; T ) between the time distribution of detector clicks (publicly revealed) and the bits composing the secret key:  Fig. 4. Eavesdropper's information on the secret bit as a function of delay ∆t 0 between detector timing distributions with identical shapes. The three curves represent different levels of discretization of the data. The top curve corresponds to the continuous distribution and the subsequent are for 0.5 ns and 1 ns time bins. As expected, with an increasing time bin there is less information available for the eavesdropper. For ∆t 0 as small as 0.5 ns the eavesdropper will gain access to more than a quarter of the "secret key".
There, X represents the distribution of logical 0 and 1, and T is the distribution of detection times. The entropies and joint entropies of the distributions are given by is the probability of a click occurring at time t for the ensemble of detectors, and d x (t) the probabilities of a click at a particular time t for a detector corresponding to logical value x ∈ {0, 1}. In most protocols, the prior distribution of logical values is balanced such that p 0 (0) = p 0 (1) = 0.5.
If we bin the detector results in the manner most favorable to the eavesdropper by assigning detectors (1,2) to one basis, (3,4) to the other basis, and taking detectors groups (1, 3) and (2,4) to represent 0 and 1, the average extractable information is 3.8 ± 0.38%. It is worth considering in detail how the distinguishability of the distributions comes about, and how quickly the eavesdropper knowledge of the key changes. Figure 4 shows the eavesdropper's knowledge of the secret bit for two distributions d 0 (t), d 1 (t) with the same τ e = 400 ps, τ G = 290 ps, but with different relative delays ∆t 0 . Detectors that are uncompensated by as little as ∆t 0 = 500 ps will give the eavesdropper access to more than 25% of the "secret" key. Since a small relative delay is not visible in the usual experimental setups which employ coincidence windows between 1 and 20 ns [12,13,15,14], it requires an additional effort to make sure that this leakage channel is closed.
The solution to this particular side channel is not complex, the timing information should be characterized and the delays equalized, randomized or the precision truncated such that the potential information leakage is below a certain threshold. Quantum cryptography protocols can then deal with this in the same way they deal with errors, by applying an appropriate amount of privacy amplification [16]. In every real experiment the timing information is communicated with a finite precision that could be adjusted for this purpose. Figure 4 shows the effect of discretizing the time information into 0.5 ns and 1 ns time bins (a typical experimental value of ≈ 150 ps gives a negligible difference with the continuous distribution). As expected, the eavesdropper's information is reduced as the bin width increases. Somewhat counterintuitively there is still a strong leakage even at bin sizes comparable to the width of the distribution d(t); furthermore there is a penalty in the form of increased background. For our particular device, the main distinguishing feature is the time offset. If this is compensated for (i.e. made identical for all detectors), and applying the same procedure as before to obtain the leakage to an eavesdropper given the probability distributions, we find the leakage to be around 0.3%. It is reasonable to ask whether this problem affects "prepare and measure" protocols as well. A typical BB84 QKD system based on weak coherent pulses has a synchronous operation, and the detector side will locally determine whether the detected event falls in the right part of the timing frame to be counted as genuine. This binary decision will not provide information to the eavesdropper from the detector side. However, the problem has just been displaced from the detectors to the emitters: if the states to be sent are prepared by different physical devices, their temporal response needs to be charaterized, and the possible information leakage should be evaluated with a similar analysis.

Conclusions
Quantum cryptography is slowly leaving the purely academic environment and starting to appear in commercial products [17]. The theoretical aspects of its security are a very active research area but comparatively little has been done in terms of scrutinizing the practical systems. However, there is increasing interest in looking at the side channels arising from the physical realization in practical systems (see recent work by Zhao et al. [10] for an attack on a commercial product based on a proposal by Makarov et al. [8]). We have shown here how some of the information publicly revealed by the communicating parties in reasonable mature implementations, may lead to a large proportion of the key becoming insecure.