We developed a modified version of a conventional (BB84) quantum key distribution protocol that can be understood and implemented by students at a pre-university level. We intentionally introduce a subtle but critical simplification to the original protocol, allowing the experiment to be assembled at the skill level appropriate for the students, at the cost of creating a security loophole. The security vulnerability is then exploited by student hackers, allowing the participants to think deeper about the underlying physics that makes the protocol secure in its original form.
REFERENCES
The QWP converts linear-polarized light from the laser diode to circular-polarized light, which is subsequently projected into one of the four polarization states (H, V, D, A) with equal intensities using a motorized polarizer.
Visibility measurement: First, Alice chooses an arbitrary rotation angle for her polarizer to fix the orientation of H-polarization. Then, she transmits a macroscopic beam with this polarization to Bob as a reference. To arrive on a common coordinate system with Alice, Bob rotates his polarizer and identifies the position that maximises the transmission of the reference beam with the H-polarization.
Synchronization procedure: Alice transmits a sequence of 16 “qubits.” She precedes each transmission with a prearranged laser pulse sequence—a header—marking the beginning of each “qubit” sequence. Due to the clock-stability of the microcontroller (), the uncertainty of the transmission time for each “qubit” is less than 2.4 ms. The uncertainty is small compared to the duration of each “qubit,” allowing Bob to predict the arrival times of the “qubits” after receiving the header pulse sequence.
We aim to perform the key comparison step in future iterations of the setup, as it allows students to verify that their key was not corrupted by Eve using an intercept-resend attack. In our workshop, Eve intercepts, but does not resend “qubits,” rendering her eavesdropping attempt immune to detection by the key comparison step. Consequently, the impact of her success will be greater on the students who may have considered the key to be private given that they have performed key comparison but might have forgotten about the role that single quanta plays in the security of the protocol.
Each transmission sequence is 16 “qubits” long and generates an 8-bit key K on average. Thus, we repeated the sequence about four times to obtain a key 32-bit long. This process takes about 2.5 min.
Eve could have performed the polarization calibration procedure along with Alice and Bob, which allows her to select the best polarization measurement for distinguishing and identifying the intercepted polarization states. However, given the limited time for the workshop, it was difficult to prepare the students in team Eve in time for the calibration procedure as they would then have to learn calibration, principles of the quantum channel, using two polarization measurements to extract the polarization from the intercepted photons, and the clustering algorithm—the latter two concepts that Alice and Bob did not have to learn.
There are several eavesdropping noise sources. First, the laser intensity fluctuates () with the position of the polarizer sheet, which is sensitive to mechanical disturbances (e.g., wind, students' movements). Moreover, the current to the laser diode was also not feedback-stabilized. These noise sources affect the result if the measurement is only performed in one basis (see, e.g., Photodiode 1 histogram in Fig. 8). To optimally distinguish between the various polarization states, Eve projects each state in two measurement basis, each separated by about from each other, and subsequently measures the corresponding intensity.
The “leaks” of the expanded key can, for example, be obtained by examining the structure of the message. For the ASCII or UTF-8 schemes which are widely used to represent characters in a message, the two leading bits of an English alphabet is 01. This could be used to deduce the leading bits of every byte of the expanded key by sampling the ciphertext.
For any message length m, this operation results in only 232 possible combinations of decoded messages. If the message is much longer than the key (), it is likely that only a few decoded messages are coherent. This contrasts with the scenario where the message is as long as the key (m = 32, one-time pad scenario), as this results in as many coherently decoded messages as possible. Students can perform this brute-force attack with modern computers—if each combination requires to be computed and checked for coherence, it would only take h to exhaust all possibilities.