QUICK REVIEW

[Paper review] Can Eve control PerkinElmer actively-quenched single-photon detector?

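Vadim Makarov, A. N. Anisimov | arXiv (Cornell University) | Sep 19, 2008
Quantum Information and Cryptography | Cited by 2
One-sentence summary

This paper shows that an attacker (Eve) can remotely control the PerkinElmer SPCM-AQR actively-quenched single-photon detector using bright optical pulses at a wavelength of 780 nm and a power of 1–10 mW; the root cause is a circuit flaw that allows the detector's quenching mechanism to be manipulated. The key finding is that, under specific conditions, Eve can trigger false avalanche signals and mount an intercept-resend attack on a quantum key distribution system, compromising its security even though the detector has an active-quenching design.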

ABSTRACT

We show how PerkinElmer SPCM-AQR detector module can be controlled by an eavesdropper using bright optical pulses, by exploiting an obscure flaw in the detector electrical circuit. First experimental results are reported. This loophole may make possible an attack against quantum cryptosystems that use these detectors. During the last 19 years, quantum key distribution (QKD) has progressed from a tabletop demonstration to commercially available systems and numerous experiments, some over >100 km distance. As QKD enters the commercial market, it becomes increasingly important to verify the actual security level of its implementations, and search for possible loopholes. Many QKD systems, more than 30 reported experiments, employ Si avalanche photodiodes (APDs) for detection of single photons in the 500–900 nm wavelength range. There are two widely used detector electronic schemes for Si APDs: passive-quenching and active-quenching. Roughly half of these QKD experiments use detectors with one scheme, and the other half use the other. We have previously demonstrated that passively-quenched detectors have a loophole [1]. An eavesdropper Eve can take control of them using moderately bright light, and may be able to successfully attack a QKD system, unless extra countermeasures are implemented. In this paper, we consider an actively-quenched detector model, PerkinElmer SPCM-AQR detector module. Until recently, this has been the only commercially available Si single-photon detector model. Either this exact model or its quad version (SPCM-AQ4C) are used in most experiments that employ actively-quenched detectors. Our testing has shown that the electrical circuit of the SPCM-AQR module exhibits at least four different “strange behaviors” when the optical input of the module is illuminated by light waveforms with peak optical power between 1 and 10 mW (at 780 nm).
We do not see how three of these behaviors could be immediately useful for Eve, and omit their description for brevity. However, the fourth behavior can, under some conditions, be used by Eve to control Bob’s detectors and stage a successful intercept-resend attack. The part of the detector electrical circuit relevant to understanding this control method is shown in Fig. 1. To the left of the APD is a high-voltage power supply. In normal single-photon regime, it provides stable bias voltage at the cathode of the APD (the two detector samples we tested had bias voltages of 350 V and 410 V). The current limiting circuit does not notably reduce the cathode voltage during normal single-photon avalanches. To the right of the APD, a circuit connected to its anode senses the onset of avalanche. Active quenching is accomplished by connecting the anode of the APD to +30 V, which lowers the voltage across the APD below the breakdown voltage. 20 ns after quenching, the circuit is reset by briefly connecting the

Figure 1: PerkinElmer SPCM-AQR module. Equivalent diagram of the high-voltage power supply, avalanche sensing and quenching circuitry (reverse engineered from sample with PCB labeled “EG&G P/N 2580883 rev. G”).

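Research motivation and objectives

  • Investigate side-channel vulnerabilities that may exist in actively-quenched single-photon detectors used in quantum key distribution (QKD).
  • Determine whether the PerkinElmer SPCM-AQR detector module, widely used in QKD experiments, exhibits exploitable electrical behavior under bright-light illumination.
  • Assess the feasibility of an attacker (Eve) manipulating detector operation to compromise QKD security.
  • Identify and characterize specific circuit-level anomalous behaviors that could lead to remote control of the detector's quenching mechanism.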

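Proposed method

  • Reverse engineer the internal circuit of the PerkinElmer SPCM-AQR detector module through physical inspection and component analysis.
  • Experimentally test the detector's response under different input conditions using optical pulses with a peak power of 1–10 mW at a wavelength of 780 nm.
  • Monitor the output signals and voltage waveforms in the avalanche photodiode (APD) and the quenching circuit to detect anomalous behavior.
  • Identify and isolate one specific electrical behavior: bright optical pulses can cause the quenching circuit to be triggered unintentionally, enabling remote control.
  • Analyze the high-voltage power supply and the current-limiting circuit to understand how the optical input affects the APD bias voltage and the avalanche recovery process.
  • Evaluate the conditions under which the detector's quenching cycle can be manipulated to simulate false single-photon events.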

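Experimental results

Research questions

  • RQ1: Can bright optical pulses manipulate the electrical behavior of the active-quenching circuit of the PerkinElmer SPCM-AQR detector?
  • RQ2: Does the detector exhibit anomalous responses under illumination that an attacker could exploit?
  • RQ3: Under what conditions can an attacker remotely control the detector output to simulate single-photon events?
  • RQ4: Can the observed behavior be used to mount an intercept-resend attack on a quantum key distribution system?
  • RQ5: Does the vulnerability exist in both the single-channel and the four-channel versions of the SPCM-AQR?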

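Key findings

  • When illuminated with optical pulses at 780 nm in the 1–10 mW range, the PerkinElmer SPCM-AQR detector exhibits a specific anomalous behavior.
  • This behavior lets an attacker manipulate the anode voltage through the sensing circuit and thereby remotely control the detector's quenching cycle.
  • Under specific conditions, the detector can be forced into a state where it falsely reports photon detections even though no single photon is present.
  • The flaw lets Eve simulate valid detection events, which can be used to mount an intercept-resend attack on a QKD system.
  • The vulnerability is not limited to the single-channel SPCM-AQR; it also affects the four-channel version (SPCM-AQ4C), which is widely used in QKD experiments.
  • The circuit design does not adequately isolate the quenching mechanism from the effects of the optical input, creating a persistent side-channel attack vector.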
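
An added example, not from the paper or this review: a toy BB84 simulation showing what the usual error-rate (QBER) check sees under an ordinary intercept-resend and under one where Bob's detectors are controlled. It assumes an idealized, loss-free link and models detector control as "Bob registers a click only when his basis matches Eve's"; that model, the function `run_bb84` and its parameters are assumptions made for illustration.

```python
import random

def run_bb84(n, eve=None, seed=1):
    """Simulate n BB84 pulses and return (sifted_key_length, qber).

    eve=None         undisturbed link
    eve="plain"      ordinary intercept-resend
    eve="controlled" intercept-resend where, by assumption, Bob's detector
                     clicks only if his basis equals Eve's
    """
    rng = random.Random(seed)
    sifted = errors = 0
    for _ in range(n):
        a_bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        b_basis = rng.getrandbits(1)
        bit, basis = a_bit, a_basis            # state on the channel
        if eve:
            e_basis = rng.getrandbits(1)
            # A wrong-basis measurement gives Eve a random bit.
            bit = a_bit if e_basis == a_basis else rng.getrandbits(1)
            basis = e_basis                    # Eve resends her own result
            if eve == "controlled" and b_basis != e_basis:
                continue                       # no click: slot looks like loss
        # Bob's wrong-basis measurement is random as well.
        b_bit = bit if b_basis == basis else rng.getrandbits(1)
        if b_basis == a_basis:                 # sifting keeps matching bases
            sifted += 1
            errors += b_bit != a_bit
    return sifted, (errors / sifted if sifted else 0.0)

if __name__ == "__main__":
    for mode in (None, "plain", "controlled"):
        length, qber = run_bb84(20000, eve=mode)
        print(f"{str(mode):10s} sifted={length:6d} QBER={qber:.3f}")
```

In this model the ordinary attack shows up as a QBER near 25%, while the controlled case yields a QBER of exactly 0 at about half the sifted-key rate of the undisturbed link, so the error-rate check alone does not flag it.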


This review was generated by AI and reviewed by human editors.