A generalized efficiency mismatch attack to bypass detection-scrambling countermeasure

The ability of an eavesdropper to compromise the security of a quantum communication system by changing the angle of the incoming light is well-known. Randomizing the role of the detectors has been proposed to be an efficient countermeasure to this type of attack. Here we show that the proposed countermeasure can be bypassed if the attack is generalized by including more attack variables. Using the experimental data from existing literature, we show how randomization effectively prevents the initial attack but fails to do so when Eve generalizes her attack strategy. Our result and methodology could be used to security-certify a free-space quantum communication receiver against all types of detector-efficiency-mismatch type attacks.


I. INTRODUCTION
Recent trends in quantum technologies suggest a future of quantum computers (QC) having superior computational power [1,2]. Such computational power can efficiently solve hard mathematical problems that are the foundations of security for certain public-key cryptosystems. QCs thus pose a serious threat to our current cryptographic infrastructure. One possible solution can be post-quantum cryptography [3][4][5] (classical algorithms thought to be secure against quantum attacks), but there is no mathematical proof that these algorithms provide information-theoretic security. Thus, in an effort to fight quantum with quantum, the trend is towards quantum cryptography [6][7][8], more popularly known as quantum key distribution (QKD). QKD [7,8] uses the laws of quantum mechanics to generate a secret key between two distant parties, Alice and Bob. This key can then be used for encryption with a one-time pad to guarantee secure communication. In theory, QKD provides a mathematical proof of security by modeling the device behaviors and using the laws of quantum mechanics. However, in practice, devices often behave differently than the assumed model, leaving a gap between theory and practice that can be exploited by an eavesdropper. This gap can be anywhere in the system implementation, such as measurement devices [9,10], monitoring systems [11], assumptions in the security proofs [12], leakage of information [13][14][15], change of characteristics [16,17], imperfect sources [18,19], imperfect detector characteristics [20][21][22][23], etc. It is essential for QKD security to explore and identify these gaps and characterize them in order to assess the threat. In this work we analyze one such gap, detector-efficiency mismatch [20,21,23,24], and its effects.

* ruhulfatin103@gmail.com
† shihan.sajeed@gmail.com
A fundamental assumption in QKD security proofs is that the measurement outcomes should be independent of the measurement bases and Eve should not have any control over them. In ideal QKD, it is impossible for Eve to control the measurement outcomes without introducing errors, measured as the quantum bit error rate (QBER). However, in practice, there might be implementation vulnerabilities that allow Eve to have this control. For example, if there is a sensitivity mismatch among the detectors for a certain degree of freedom of the incoming photons, Eve can modify that degree of freedom so that one detector becomes more sensitive compared to another [21,22,24,25]. This can happen in the time degree of freedom: an implementation vulnerability may make one detector more sensitive in a particular time window than the others. In this case, Eve can shift the arrival time of certain pulses to coincide with that window. Thus, detection events occurring in that particular time window have a higher chance of occurring in the sensitive detector and a bias is achieved. Similarly, if the detector sensitivity varies with the spatial mode of the incoming light [20], Eve can send light at a certain angle (φ,θ) to create a bias among the detector sensitivities and gain control. Exploitation of such a spatial-mode-sensitivity mismatch was demonstrated in [21,22].
A countermeasure to this loophole, detector scrambling, was proposed in Ref. [26]. It involves randomly changing the roles of the detectors to hash out any mismatch in the detection system and reduce efficiency mismatch. In this paper, we scrutinize the effectiveness of this countermeasure. In Sec. II, we introduce and review some necessary details of the spatial-mode-efficiency-mismatch attack reported in [21]. In Sec. III, we simulate a detector scrambling countermeasure and show that the countermeasure blocks the side-channel. Then in Sec. IV, we show how the scrambling countermeasure can be bypassed by resorting to a more general attack strategy. We conclude in Sec. V.

II. REVIEW OF DETECTION EFFICIENCY MISMATCH
We shall assume a polarization-encoded Bennett-Brassard (BB84) QKD scheme with passive basis-choice implementation as shown in Fig. 1a. The beam splitter (BS) is used for selecting the HV or DA bases and the polarization beam splitters (PBSs) followed by two detectors are used to measure the polarization in a basis. Detectors h and v are used for measuring the incoming H and V polarized light while detectors d and a are used for measuring D and A polarized light respectively.
The efficiency-mismatch side-channel is explained with the help of Fig. 1b. Here we show how the sensitivity of the h and v detectors varies in response to the angle of the incoming light. The circle on the left (right) shows the sensitive area of detector h (v). Outside the circle the sensitivity is zero (in practical detectors, sensitivity does not go to zero so abruptly, but this simple assumption serves the purpose of explaining the concept). In the overlapping (green) region, both detectors are equally sensitive. However, if the light is sent towards the red (blue) region, detector v (h) has a higher sensitivity than the h (v) detector. Eve can stage a faked-state attack to exploit this bias.
The faked-state attack considered in Ref. [21] is based on the following assumptions. Eve is present outside Alice's lab. She intercepts and measures the signal going towards Bob. Then she reproduces another pulse with the same polarization as her measurement outcome but with a different mean photon number, and sends it towards Bob at an angle where the target detector has a higher sensitivity compared to the others. More specifically, if Eve's measurement outcome is j, she reproduces j-polarized light with mean photon number $\mu_j$ and sends it at an angle where detector j has a higher sensitivity than the other three detectors. This angle is referred to as the attack angle for detector j. She uses a lossless channel to overcome the channel loss and maximize her target detection probabilities. The sifted key rate and QBER in Eve's presence become

In order to remain hidden, Eve's first target would be to match the sifted key rate $R_e$ to the expected key rate $R_{ab}$, i.e., $R_{ab} = R_e$. The next target would be to minimize $\mathrm{QBER}_e$ to maximize the amount of leaked information. Thus, the problem can be turned into an optimization problem with the goal of minimizing $\mathrm{QBER}_e$ under the constraint $R_{ab} = R_e$. The parameters to optimize are the four mean photon numbers, which Eve can manipulate to minimize the error. A harder constraint can also be chosen: instead of matching only the total key rate, the key rate at each channel can also be matched. Both of these optimizations were done in Ref. [21] and the result is reproduced in Fig. 2.

III. DETECTOR SCRAMBLING COUNTERMEASURE
In this section we discuss the general detector scrambling countermeasure outlined in [26] and investigate its effectiveness in preventing the attack. Let us assume that a half-wave plate (HWP) is placed in front of the BS in

[21]. The blue curve shows the optimized $\mathrm{QBER}_e$ when Eve matches the Bob compares the total sifted key rate with the expected Alice-Bob sifted key rate $R_{ab}$. The red curve shows the optimized $\mathrm{QBER}_e$ when Eve matches the rate for individual channels like

In the following, we assume Bob scrambles his detectors with equal a priori probability. The sifted key rate $R_e(j|\theta_B)$ and error rate $E_{j|\theta_B}$ in the presence of Eve, given that she sends j-polarized light (towards attack angle j with mean photon number $\mu_j$) and Bob applies a $\theta_B$ rotation, can be derived similarly to Eqs. (A3) to (A5), as presented in Appendix B. Thus, the total sifted key rate $R^s_e$ and $\mathrm{QBER}^s_e$ with Eve's attack and Bob applying the scrambling countermeasure become (derived in Appendix B):

As discussed in Sec. II, the terms $E_{j|\theta}$ and $R_e$ depend on the mean photon numbers chosen by Eve. Thus, we perform a similar optimization using the four mean photon numbers as the free parameters to minimize $\mathrm{QBER}^s_e$ with the constraint $R^s_e = R_{ab}$. Our result is shown with the black curve in Fig. 2. The presence of scrambling makes $\mathrm{QBER}^s_e > 25\%$ and no successful key generation is possible. In the simulation, the efficiency of the detectors, the mismatch values, background counts and all other parameters are taken from [21]. This result highlights that as soon as Bob employs the detector scrambling technique, Eve cannot manipulate the four mean photon numbers to achieve a QBER less than 25% while satisfying the constraints of matching the rates. This shows the effectiveness of the scrambling countermeasure against the original attack.
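The effect described in this section can be seen in a much simpler setting than the paper's simulation. The following Python sketch is an added illustration, not code or data from the paper or from Ref. [21]: it models only the original attack (j-polarized light sent at attack angle j), uses a linear weak-pulse approximation with single clicks, no dark counts and perfect fidelity, gives every faked state the same intensity (no optimization of the mean photon numbers and no rate matching), and takes two constructed efficiencies `eta_hi` and `eta_lo` for the favoured and unfavoured detectors. Under these assumptions a fixed detector assignment lets the mismatch suppress the QBER, while uniform scrambling returns it to the 25% intercept-resend level.

```python
# Added illustration (not from the paper): linear toy model of the original
# faked-state attack, with and without detector scrambling.
from itertools import product

STATES = ["H", "D", "V", "A"]   # polarization at 0, 45, 90, 135 degrees

def rotate(state, steps):
    """Polarization after a rotation by steps * 45 degrees (steps may be < 0)."""
    return STATES[(STATES.index(state) + steps) % 4]

def basis(state):
    return "hv" if state in ("H", "V") else "da"

def route(pol, target):
    """Probability that an ideal passive-basis analyzer maps `pol` to `target`."""
    if target == pol:
        return 0.5              # BS picks the matching basis, PBS sorts correctly
    if basis(target) == basis(pol):
        return 0.0              # orthogonal state in the same basis
    return 0.25                 # other basis: BS 1/2 times PBS 1/2

def qber(eta_hi, eta_lo, rotations):
    """QBER when Eve sends j-polarized light at attack angle j.

    rotations: Bob's equally likely scrambling settings in units of 45 degrees;
    [0] means a fixed detector assignment (no scrambling).
    """
    sifted = errors = 0.0
    for alice, eve, steps in product(STATES, STATES, rotations):
        # Eve measures in a random basis with ideal detectors, so her outcome
        # statistics are the same analyzer probabilities as route().
        p_eve = route(alice, eve)
        if p_eve == 0.0:
            continue
        pol = rotate(eve, steps)             # polarization after Bob's HWP
        for det in STATES:                   # detector named by its nominal state
            # Attack angle `eve` favours the physical detector `eve`.
            eta = eta_hi if det == eve else eta_lo
            click = p_eve * route(pol, det) * eta
            bit = rotate(det, -steps)        # Bob relabels using his own setting
            if basis(bit) == basis(alice):   # kept after sifting
                sifted += click
                if bit != alice:
                    errors += click
    return errors / sifted

if __name__ == "__main__":
    hi, lo = 0.5, 0.05                       # constructed efficiencies
    print("fixed roles    :", round(qber(hi, lo, [0]), 4))
    print("scrambled roles:", round(qber(hi, lo, [0, 1, 2, 3]), 4))
```

In this toy model the scrambled QBER is 25% for any choice of the two efficiencies; it says nothing about the generalized strategy of Sec. IV, which changes the angle at which each polarization is sent.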

IV. DETECTOR-SCRAMBLING-BYPASS STRATEGY
So far, we have assumed that when Eve sends j-polarized light, it is always sent towards attack angle j with mean photon number $\mu_j$. In this section, we discard this assumption to generalize the attack. In particular, we assume that when Eve sends j-polarized light, it can be directed towards any of the four attack angles $k \in \{h, v, d, a\}$ with mean photon number $\mu^k_j$ and probability $f^k_j$, with $\sum_k f^k_j = 1$. Let $p^k_i(j|\theta_B)$ be the raw click probability at Bob's detector i, given that Eve sent j-polarized light towards attack angle k with mean photon number $\mu^k_j$ that has been rotated by an angle $\theta_B$ during scrambling.
Let $R^k_e(j|\theta_B)$ be the sifted key rate when Eve sends j-polarized light at attack angle k with Bob rotating the polarization by angle $\theta_B$. By deriving $R^k_e(j|\theta_B)$ using an analysis similar to Eqs. (B5)-(B8) we get,

The above equation takes into consideration the attack angles for every polarized light sent by Eve. Thus, we now have new variables such as $P^h_{hv}(V)$ (instead of $P_{hv}(V)$), which indicates the probability, after squashing, that Bob selects an outcome in the hv basis given that the incoming light is V-polarized and sent at the h attack angle. We can now plug Eq. (4) into Eq. (2) and calculate the QBER values for this detection-scrambling-bypass strategy. In the attack model in [21], when Eve sent j-polarized light she sent it at attack angle j with mean photon number $\mu_j$, which left her with only four free parameters to minimize the error while satisfying the constraint. However, in the strategy presented in this section, when Eve decides to send j-polarized light, she can send it towards attack angles k with probability $f^k_j$ and mean photon number $\mu^k_j$. So there are 16 different values each of $\mu^k_j$ and $f^k_j$, equipping her with a total of 32 free parameters to perform the optimization. We have solved the optimization problem for this detection-scrambling-bypass strategy with the same efficiency, fidelity and dark count values taken from Ref. [21]. For matching the total rates, Eve follows the constraint $R_{ab} = R_e$ and for individual rates she follows $R_{ab} = R_e(j)$ where $j \in \{h, v, d, a\}$. With these 32 free parameters at hand the optimization program is executed and the result is shown in Fig. 3. We see that by having more free parameters, Eve can indeed adjust their values to keep the QBER less than 5% for a loss up to 17 dB. Figure 4a and Fig. 4b show, respectively, the optimized probabilities $f^k_j$ and the mean photon number per pulse chosen by Eve for a channel loss of 6 dB. For a certain channel loss, Eve has to follow a specific blueprint to attack the system. For example, the probability plot in Fig. 4a shows that Eve sends V-polarized light at the V attack angle with higher probability than others. On the other hand, Eve has to send V-polarized light with a higher mean photon number than other polarizations, as shown in Fig. 4b. For a different channel loss the values of the optimized free parameters will be different. Moreover, these scenarios are entirely dependent on the specific mismatch present in the system.

FIG. 4. a) Scatter plot of probability $f^k_j$ at a channel loss of 6 dB. In the detection-scrambling-bypass strategy Eve would send a specific polarized light at all attack angles with a specific probability distribution. Each column indicates the attack angles and each row represents the polarization of light sent by Eve. We see that in most of the cases Eve sends H-polarized light at the h attack angle and so on. b) Scatter plot of mean photon number at a channel loss of 6 dB with the same column and row representation. In this case, if Eve wants to manage a successful attack, she needs to send V-polarized light more at H-attack angle than that at V-polarized light. Thus, depending on the window where there is total efficiency mismatch, Eve needs to deploy her faked states following a specific blueprint.

V. CONCLUSION
In this work, we have shown that randomizing the roles of the detectors cannot function as an efficient countermeasure against detector-efficiency-mismatch type attacks. Although it can prevent the original attack proposed in Ref. [21], it fails to do so when a more general strategy is followed. The general strategy works even when Bob uses any non-uniform a priori scrambling probabilities.
We note that no two practical setups will have exactly the same mismatch, and hence it would not be possible for Eve to acquire one prototype to learn the mismatch of the target system. However, according to Kerckhoffs's principle [27], quantum cryptography assumes that, except for the key, Eve knows all the system's imperfections. So, to guarantee unconditional security in theory, we need to assume that Eve knows the exact details of the mismatch and Bob's scrambling countermeasure to optimize her attack. From a practical point of view, Eve can listen to Bob's classical communication channel while sending a small fraction of faked states at different spatial angles to get an estimate of the efficiency mismatch [28]. Eve can pursue a similar strategy to estimate Bob's detector scrambling statistics. Thus, unless new techniques are proposed to strengthen the existing detector-scrambling countermeasure strategies, they cannot guarantee security against detector-efficiency-mismatch-based attacks. Our result and methodology could be used to security-certify a free-space quantum communication receiver against all types of detector-efficiency-mismatch type attacks.
The probabilities $P_{hv}(V)$, $P_{da}(D)$, $P_{da}(A)$ can be calculated similarly. Now we include Alice in the picture. We first consider the case where Alice sends H-polarized light. The possible scenarios are shown in Fig. 5. It is sufficient to consider only the cases when Bob measures in the same basis as Alice (HV in this case), as the other cases will be discarded during sifting. Here we assume Eve measures Alice's outgoing signal in the HV or DA basis with equal a priori probability, using a measurement setup having perfect detection efficiency and no dark counts. Thus, with 50% probability she measures in the correct (incorrect) basis and sends the correct (incorrect) state to Bob. Let $R_e(j)$ be the sifted key rate in Eve's presence given that Alice sent j-polarized light. Following Fig. 5, $R_e(j)$ can be given by,

The error rate with Eve, given that Alice sends H-polarized light, can also be calculated with the help of Fig. 5. When Eve measures in the same basis as Alice, she introduces no error (assuming perfect fidelity at Bob). However, when she measures in the wrong basis (in this case, DA) there is some probability of error. Let $P_i(j)$ be the probability that, after squashing, Bob decides on outcome i given that the incoming light was j-polarized. Thus, $P_v(H)$ would be,

Hence, the error rate during the attack, given that Alice sends H-polarized light, is,

In deriving Eqs. (A3) to (A5), we have assumed simplified cases. In a more general scenario, we also need to consider $P_{hv}(V)$, since the setup may have imperfect fidelity and dark counts in the photodetectors. Let $P^e_c$ and $P^e_w$ be the probabilities that Eve measures Alice's signal in the correct basis and gets a click in the correct and the wrong photodetector, respectively. Let $P^e_{nc}$ be the probability that Eve measures in the non-compatible, or wrong, basis. We can then modify Eq. (A3) for the sifted key rate when there is incoming H-polarized light.
Thus, the sifted key rate can be written from [21] in the following form:

$$R_e(H) \approx P^e_c\, P_{hv}(H) + P^e_w\, P_{hv}(V) + P^e_{nc}\,[P_{hv}(D) + P_{hv}(A)]$$

Sifted key rates and QBERs during the attack, given that Alice sends V-, D- and A-polarized light, can be calculated similarly. The total sifted key rate and QBER in Eve's presence become

Let $p_i(j|\theta_B)$ be the raw click probability at Bob's ith detector given that Eve sends j-polarized light with mean photon number $\mu_j$ directed towards attack angle j, which is rotated by Bob by an angle $\theta_B$. The probabilities for $\theta_B = 0^\circ$, $45^\circ$, $90^\circ$ and $135^\circ$ can be derived similarly to Eq. (A1). When $\theta_B = 0^\circ$:

When $\theta_B = 45^\circ$ the H-polarized light is rotated to D-polarized light and the corresponding raw click probabilities become:

For $\theta_B = 90^\circ$:

and finally for $\theta_B = 135^\circ$:

Let $R_e(j|\theta_B)$ be the sifted key rate in the presence of Eve, given that she sends j-polarized light (towards attack angle j with mean photon number $\mu_j$) and Bob applies a $\theta_B$ rotation on it. Using an analysis similar to that used for deriving Eq. (A6), we can find the rates for different $\theta_B$. For example,

We assume in our model that Bob is scrambling the roles of the photodetectors with equal a priori probabilities. Thus, modifying Eq. (1) and averaging Bob's rate over each $\theta_B$ (which accounts for the extra $\frac{1}{4}$ factor), we obtain Bob's total sifted key rate:

Here, $P_i(j|\theta_B)$ is the probability that outcome i is selected by Bob after squashing, given that Eve has sent j-polarized light which was rotated by Bob by an angle $\theta_B$. So, modifying Eq. (A2) we get,

In a plausible scenario, if Bob applies $\theta_B = 45^\circ$ and expects incoming H-polarized light from Alice, he will be expecting a click in his d detector. But if the light is coming from Eve, it will be directed towards the H attack angle, where the h detector has the highest efficiency. This increases the error rate. Simulations also verify that scrambling the roles of the detectors can smoke out Eve's presence.