Problems with Quantum Key Distribution System as

Download PDF
0 downloads 0 Views 238KB Size Report
Comment
This study shows the history of Faked-State Attack and expounds its philosophy whether physical QKD systems really can provide provable security. Keywords:.
SCIS 2014 The 31th Symposium on Cryptography and Information Security Kagoshima, Japan, Jan. 21-24, 2014 The Institute of Electronics, Information and Communication Engineers

Copyright© 2014 The Institute of Electronics, Information and Communication Engineers

Problems with Quantum Key Distribution System as Physical Device Takehisa Iwakoshi*

Osamu Hirota

Abstract: This paper describes a problem that Quantum Key Distribution (QKD) faces. There are three types of problems with QKD. The first one is a problem whether the theoretical security proof really guarantees its security. The second one is its low speed as a communication technology such that 106~109 pulses are required to distribute a 1 bit of the key under realistic conditions. The last one is a problem with its actual system which can be exploited by several physical attacks such as Faked-State Attack proposed by V. Makarov in 2005. It allows the attacker to control the distributed key almost perfectly. This study shows the history of Faked-State Attack and expounds its philosophy whether physical QKD systems really can provide provable security. Keywords: Quantum key distribution, Quantum cryptography, Side channel attack, Active attack

1

imperfections which allow the attacker to control the distributed key remotely [22-31] by Faked State Attack proposed by V. Makarov in 2005 using non-quantum laser light. Even after this attack, a hacker team proposed to make arbitral imperfections in an initially perfect system from outside [32]. This paper focuses on the history of the attacks and what the essential problem for QKD systems was.

Introduction

Since BB84 protocol [1] was proposed by C. H. Bennett in 1984, Quantum Key Distribution (QKD) has been attracting attention for its concept “provable security.” Many protocols and security proofs have been given whenever loopholes were found in these security proofs. For instance, when a photon number splitting attack [2] was proposed, a more sophisticated security proof was proposed [3]. When the time-shift attack [4, 5] was proposed, device imperfections were included in the security proofs [6]. Nowadays, even commercial QKD systems, id3110 Clavis2 and QPN 5505, have been released from the vendors ID Quantique and MagiQ Technologies, respectively. However, there are still three major problems with QKD. The first one is a theoretical argument; several literatures [7-14] claim that the proof does not guarantee the security. There is a reply [15] to the literatures, but the discussion is continuing [16-18]. The second one is the low communication speed which needs to send 106 ~ 109 pulses to share 1 bit of the secret key [19-20], while 1 ~ 10 Gbit/s is requested by Defense Advanced Research Projects Agency [21]. The third one is that the physical devices necessarily have

2

Basics of Quantum Key Distribution

There are several QKD protocols but the main concept is almost the same. Here, a polarizationencoded BB84 protocol is described as an example. Fig. 1 illustrates an example of a setup, and Table 1 lists Alice’s pulses and Bob’s detection events.

BS

PBS

45°

Alice’s photon

HWP -45° 90°

PBS 0°

Bob

Fig. 1: An example of a QKD detector system. Bob detects Alice’s photon using 4 single photon detectors.

* Tamagawa University, 6-1-1 Tamagawa-Gakuen, Machida, Tokyo, Japan (t. [email protected])

1

Table 1: The relation between Alice’s signals and Bob’s detection events. They discard the events when their bases are mismatched since they obtain random bits. Alice's photon Basis Bit θ A 0



1

90°

0

45°

1

-45°

+

×

Bob's detection event

θ B Basis 0° + 90° + 45° × -45° × 0° + 90° + 45° × -45° × 0° + 90° + 45° × -45° × 0° + 90° + 45° × -45° ×

Bit 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

Main Concept of Faked-State Attack

3

As shown in Section 2, Alice sends photons through a quantum channel. On the other hand, in this attack, Eve places herself in the middle of the quantum channel and sends non-quantum continuous laser light through the quantum channel and illuminates Bob’s single photon detectors. During this process, Eve intercepts Alice’s photons and measures their polarizations in the same way as Bob does. Then Eve resends non-quantum brighter pulses of a laser to Bob instead of single photons. In the context of conventional mathematical cipher, this is a side channel attack in the sense that Eve exploits outside of the security model. At the same time, this is also an active attack in the sense that Eve actively resends signals to Bob. The following subsections describe what happen during this process.

Probability

1/2 0 1/4 1/4 0 1/2 1/4 1/4 1/4 1/4 1/2 0 1/4 1/4 0 1/2

3.1

Avalanche photodiode photodiode as Bob’s detector

This subsection describes how Avalanche PhotoDiodes (APD) are used as single photon detectors [23-28] to give better understanding of the attack. To detect a photon, an APD has to be reverse-biased slightly higher than its breakdown voltage. When a photon comes into the depression layer at the p-n junction of the APD, a hole-electron pair is created. The hole and electron are accelerated by the electric field in the depression layer, and hit other electrons around atoms. Then new hole-electron pairs are created and these new pairs hit other electrons. This process exponentially increases the number of holeelectron pairs in the depression layer, therefore the photon is detected as macroscopic current. The APD is insensitive to new photons during the process. Therefore, the above avalanche process has to be quenched quickly. To quench the process, two types of quenching circuits are proposed [33]; a Passively Quenched Circuit (PQC) and an Actively Quenched Circuit (AQC) (Fig. 2).

Alice sends her bit expressed by a polarization of a photon through a quantum channel. The relation between the photon and the raw-key bit are shown in Table 1. For instance, when Alice sends a key bit “0” with a basis “+,” then she chooses the polarization 0°. Her photon’s wave function passes through beam splitters (BS) and polarization beam splitters (PBS). A HWP (Half Wave Plate) rotates the polarization by -45°. If Bob detects a polarization 0°, he assigns a bit 0 and basis “+”. Note that he is not supposed to detect a polarization 90°. If he detects a polarization 45° or -45°, he assigns a basis “×”. After Alice finishes sending photons, they announce their bases and discard bits with mismatched bases since Bob detects random bits with such bases. They assume the remained bit sequences as sifted keys. After they obtain the sifted keys, they disclose the parts of sifted keys to measure Quantum Bit Error Rate (QBER). If QBER is higher than the certain level, they abort the protocol, assuming that the attacker Eve was there, since Eve cannot observe photons without any disturbances. For the security, all disturbances are assumed to be caused by Eve. If QBER is lower than the level, they go on to error correction and privacy amplification to obtain the final key. The key will be used to realize One-Time Pad (OTP) in a public channel, which was proved to be perfectly secure against eavesdropping.

(a) hν

Vbias RB

RS

(b) Quenching driver

VOut



+ Comparator

VOut

-Vbias Fig. 2: Quenching circuits for APDs. (a) Passively quenching circuit, (b) Actively quenching circuit 2

PQC quenches the APD as follows. When macroscopic current caused by a photon flows, the bias voltage drops since the current flows through a resistance RB. In this process, the reversed bias goes lower than the breakdown voltage, which makes the avalanche process stop. On the other hand, AQC quenches the APD as follows. When the current flows, the output pulse of APD is compared to the grand level by a comparator. During this process, the comparator drives the quenching driver to lower the reverse bias.

3.2

4

Section 3 described how Bob’s detection events were controlled by Eve. When the attack was proposed, it was thought that the attack just exploited nonquantum behaviors of the detectors. Therefore, Superconducting Nanowire Single Photon Detectors (SNSPDs) were also tested.

4.1

How Eve controls Bob’s detection events

0° BS

PBS

4.2

45°

-45° 90° 0°

Attack scheme

The attacker team tried to exploit the detector in the same way for APD detectors [30]. However, this was only partially successful. When the detectors were illuminated, the superconductivity of the detector was kept almost broken. Therefore no voltage pulse would be formed in this process. When a bright pulse came into the detector, the superconductivity was completely broken, therefore a voltage pulse was formed. However, the height of the voltage pulse was not as high as the voltage pulse of the single photon detection. Thus, this attack could be avoided by setting a threshold of the voltage pulse appropriately. Then they changed the attack scheme [30, 31]. They illuminated the superconducting detectors continuously, and stopped illuminating the target detector when they wanted a detection event while the other detector was kept illuminated. When the illumination was restarted, a voltage pulse similar to the single photon detection occurred. Therefore, even SNSPDs were successfully hacked.

HWP PBS

Operating principle principle of detectors

The operation principle of the detectors is described as follows [30, 31]. The SNSPDs are cooled to the temperature of 4 K with liquid He or a cryogen-free cooling system. At this phase, superconductivity is kept. A photon to be detected breaks the superconductivity locally, making a hot spot in the detector. Therefore, the resistance of the detector rises from complete zero, making a voltage pulse during the detection. After the detection event, the detector is cooled again and ready for the next event.

Eve locates herself between Alice and Bob during Faked-State Attack. The attack exploits the above non-quantum processes as follows. The bright illumination by a laser keeps the quenching process in Bob’s APDs. When the reverse voltage is lower than the breakdown voltage, the current of the APDs’ are linear to the optical power input to them, which is called linear mode. When Eve sends a bright pulse with its power P such that 4Pth > P > 2Pth, where Pth is the threshold to detect the bright pulse, then Bob detects her pulse deterministically as shown in Fig. 3. For instance, when Eve resends a bright pulse with its polarization 0°, the pulse is split into 3 directions; Bob’s detector “0°” detects the pulse with its power slightly above Pth, causing a detection event. Detectors “45°” and “-45°” see the pulses with their power lower than Pth, causing no detection events. Detector “90°” detects nothing since no pulse comes. The example of the situation is listed in Table 2.

4Pth > P > 2Pth →

Faked-State Attack against Superconducting Nanowire Detectors

Bob

> Pth

Fig. 3: An example of how Eve controls Bob’s detection events. When Eve sends a bright pulse with its polarization 0°, Bob’s detector “0°” detects it.

5

Table 2: How Eve shares the key bit with Alice and Bob in case of the polarizations is 0°.

Current Situation of Faked-State Attack

As described above, Faked-State Attack can be applied to almost of all QKD systems by exploiting the non-quantum behaviors of their detectors. Therefore, many countermeasures to the attacks have been

Alice's signal Eve's receiver Signal Bob's detection Result Basis Bit θ A Basis θ E Bit θ E Basis θ B Bit They share the bit 0° + 0° 0 + 0° 0 + 0 0° × 45° 0 45° × 45° 0 Alice and Bob discard the bit × -45° 1 Alice and Bob discard the bit × -45° 1 -45°

3

proposed. This section describes the history of the discussions between the attacker teams and the QKD teams. 5.1

other vulnerabilities. Therefore, their main claim was that QKD needs to introduce all non-quantum behaviors of devices in the model of QKD security proof. This suggestion was also repeated in [28]. Moreover, they wrote that such frequent updates in physical implementations would just cost too much. They also claimed [29] that Measurement-DeviceIndependent (MDI) QKD protocol [20, 41] would be needed since it would be almost impossible to take the all measurement device imperfections into account.

Proposal Proposal of FakedFaked-State Attack on APDs

The first proposal of Faked-State Attack was described in 2005 by V. Makarov [22]. In 2009, he started an experiment of the attack [23]. His first attack was very simple; he illuminated all of Bob’s detectors. Then he stopped illuminating the target detector, and restarted the illumination to cause a detection event. In 2010, L. Lydersen et al. proposed a better way. In this scheme, illumination and bright pulse were creatively used for more complete detector controls [24]. They also proposed a countermeasure in the same paper that removing the resistance RB described in Subsection 3.1 might help. However, they also noted that this countermeasure would not work since the illumination of the APDs would also raise their temperature, resulting in the drop of their reverse biases. After this concern, L. Lydersen et al. also showed experimentally [25] that the above thermal effect should be in concern. After these works, they also showed even an entanglement-based QKD system can be hacked [27]. 5.2

5.3

Replies to the attacks on SNSPDs

A countermeasure against Faked-State Attack on SNSPDs was also proposed in 2013 [39]. According to the authors, by placing paired detectors at each optical port in the QKD system would detect Faked-State Attack (Fig. 4). When the bright pulse comes, the paired detectors would see a pair of detections. On the other hand, single photons would not cause such paired detections.

(a)

45°

Bob PBS

Bright Pulse

Replies to attacks on APDs

-45°

At the same time, Z. L. Yuan et al. also suggested that removing RB would avoid the attack [34]. However, as L. Lydersen showed, this did not help the situation [25, 35]. In 2011, Z. L. Yuan et al. proposed that measuring abnormal current through the APDs during the illumination would be the countermeasure. They also suggested that setting appropriate threshold of the voltage pulses for the detection events would be also helpful [36]. However, L. Lydersen et al. replied that only 120 photons were enough to illuminate APDs, therefore the abnormal current would not be detected [37]. Z. L. Yuan et al. replied again that such weak pulses would just cause the increase of QBER, thus Eve would be detected [38]. They also pointed out that such weak pulses were detectable. Although Z. L. Yuan and his colleagues’ replies looked useful for countermeasure against Faked-State Attack, L. Lydersen and his colleagues’ main suggestion was that such specific countermeasures would not help the total security of QKD; even if the countermeasure worked, attackers would just exploit

(b)

45°

Bob PBS

Bright Pulse

Detect

-45°

Dead

Fig. 4: A proposed countermeasure. The coupled detectors may detect double counting. Although the attackers did not reply to their countermeasure in [31], V. Makarov directly told the author in SPIE symposium in 2013, (Dresden, Germany), such a countermeasure would not work. His suggestion was that paired detectors would never be the same, therefore, the attacker would exploit such differences; for example, the difference in the detection power thresholds or dead time could be attacked by the carefully adjusted optical power or the timing of the bright pulses. Such an attack on device mismatches is described in [42]. 4

It should be also noted that the study of the security proof for SNSPDs is still continuing in [40], however, all imperfections should be included in the security proof as the attacker teams have claimed to realize “provable secure” QKD.

behaviors of the QKD system. This is very important and challenging work to determine whether macroscopic behaviors can be included in a security proof described in quantum physics. Table 3: Literature [43] points out three parameters should be bounded to guarantee QKD security.

6

Significance of Faked-State Attack

Source of imperfection

The previous section described the brief history of Faked-State Attack. This section describes considerations on the significance of the attack on QKD by referring the new attack and a security proof. 6.1

Detectors

Photon Source

Further attacks on a QKD system

As explained in Subsection 5.3, the attacker team recognizes that MDI-QKD will disable their FakedState Attacks. However, they made an interesting experiment and a claim. The main concept of Faked-State Attack was exploiting the non-quantum behaviors in the single photon detectors. However, this time they proposed to make arbitral imperfections by damaging the initially perfect detectors using a powerful laser [32]. With this attack, they threw doubt whether QKD can really offer provable security. If the main concept of QKD is that the provable security against arbitral attacks allowed under lows of physics, such an attack also has to be taken into the security proof. 6.2

7

Bound Parameter to ensure the security Blinding parameter η Z =infΦ〈Φ|E|Φ〉 Leakage parameter ε Z = minσ maxρ D(σ ,σ 1⊗σ 2) Basis dependence 2∆ = 1 - 〈χ Z|χ X〉

Discussion and Conclusion

Quantum Key Distribution was thought to be a candidate for a provably secure communication if the device implementations were ideal. However, since real devices have imperfections, attackers can exploit such device imperfections to obtain the final key perfectly by Faked-State Attack where the attacker Eve intercepts the legitimate transmitter Alice’s photons and resends the legitimate receiver Bob non-quantum blight light pulses instead of photons. This corresponds to a side channel attack against conventional mathematical ciphers in the sense that Eve exploits outside of the security model. At the same time, this is also an active attack in the sense that Eve actively resends signals to Bob. After the attack, Measurement-Device-Independent Quantum Key Distribution was proposed to avoid the above attack. This would be successful as the attacker team noted. However, the attacker team proposed a new attack which can possibly make arbitral imperfections on any systems which are initially perfect. With this experiment, the attacker team threw a doubt on Quantum Key Distribution systems whether provable security is possible under any attacks allowed by the laws of physics. To avoid this issue, Quantum Key Distribution protocols should treat any non-quantum behaviors in the quantum channels in the security proofs, not proving the security only under quantum physics. Attackers may exploit imperfections in any parts other than detectors of the systems in the future even Measurement-Device-Independent Quantum Key Distribution is successful. Fortunately, there is an example of a proof which treats non-quantum behaviors of a system. It will be

Inclusion of macroscopic behaviors in proof

Even the hacking teams pointed out that the MDIQKD will be a good countermeasure for Faked-State Attack, they picked up one more interesting security proof [43] which treats arbitrary misbehaviors of the system. The proof explains that three parameters are required to be bound; basis dependence of the photon source, a detector-blinding parameter, and a detector leakage parameter which expresses that Eve knows when Bob detects vacuum states. The first parameter indicates the imperfection in the photon source, second and third ones indicate the imperfections in detectors (Table 3). It is worth considering that other parameters in the literature will also be useful to describe the device health even if MDI-QKD is successful; the attacker may exploit other imperfections such as imperfections in photon sources in the future. Therefore, such an approach which the literature tried will be necessary to describe not only quantum but also macroscopic 5

Processing, Vol. 175. No. 0. (1984)

an interesting challenge whether the security proofs can treat any non-quantum behaviors in the systems. While researchers treat non-quantum behaviors in the system, Quantum Key Distribution also needs to tackle remained two problems. One is a theoretical problem that Quantum Key Distribution may not guarantee the security, which is an important role for cryptologists in the field of Information Theoretic Security. Many researchers seem to think that Quantum Key Distribution just needs a theoretical proof with quantum physics. However, as V. Makarov pointed out, non-quantum behaviors should be included in the proof to guarantee the security under any attacks allowed by the laws of physics. Moreover, some researchers claim that the operational meaning of information theoretical security is missing. These suggestions are listed in Table 4. The other is a problem as a communication technology that the key generation rate is very low. The legitimate users need to share 106 ~ 109 photons to generate 1 bit of the final key, while 1 Gbit/s is requested by Defense Advanced Research Projects Agency. To satisfy this requirement, one needs to generate photons at 1015 ~ 1018 pulse/s with the current key generation rates as shown in Table 5. Therefore, one needs better key generation rate. Since high key generation rate sacrifices the security, Quantum Key Distribution protocols needs a better solution to satisfy both.

[2] G. Brassard, N. Lütkenhaus, T. Mor, B. C. Sanders, “Limitations on practical quantum cryptography,” Physical Review Letters, 85. 1330. (2000) [3] D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskil, “Security of quantum key distribution with imperfect devices,” Information Theory, 2004. ISIT

2004. Proceedings. International Symposium on. IEEE (2004) [4] B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum cryptosystems,” Quant. Inf. Comp., 7. 73. (2007) [5] Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, “Time-shift attack in practical quantum cryptosystems,” Phys. Rev. A, 78, 042333 (2007) [6] C.-H. F. Fung, K. Tamaki, B. Qi, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum cryptosystems,” Quant. Inf. Comp., 9, 131 (2009) [7] H. P. Yuen, “Universality and The Criterion ‘d’ in Quantum Key Generation,” arXiv:0907.4694 (2009). [8] H. P. Yuen, “Fundamental Quantitative Security In Quantum Key Distribution,” Physical Review A 82, 062304 (2010). [9] H. P. Yuen, “Problems of Existing Unconditional Security Proofs in Quantum Key Distribution,” arXiv:1109.1051 (2011). [10] H. P. Yuen, “Fundamental And Practical Problems of QKD Security— the Actual and the Perceived Situation,” arXiv:1109.1066 (2011). [11] H. P. Yuen, “Security Significance of the Trace Distance Criterion in Quantum Key Distribution,” arXiv:1109.2675 (2011). [12] H. P. Yuen, “Problems of Security Proofs and Fundamental Limit on Key Generation Rate in Quantum Key Distribution,” arXiv:1205.3820 (2012). [13] H. P. Yuen, “Unconditional Security In Quantum Key Distribution,” arXiv:1205.5065 (2012) [14] O. Hirota, “Incompleteness and Limit of Quantum Key Distribution Theory,” arXiv:1208. 2106v2 (2012). [15] R. Renner, “Reply to recent scepticism about the foundations of quantum cryptography,” arXiv:1209. 2423v1 (2012) [16] H. P. Yuen, “On the foundations of quantum key distribution — reply to Renner and beyond,” arXiv: 1210.2804 (2012) [17] O. Hirota, “Misconception in Theory of Quantum Key Distribution - Reply to Renner,” arXiv:1306.1277 (2013) [18] H. P. Yuen, “Essential lack of security proof in quantum key distribution,” arXiv:1310.0842 (2013)

Table 4: Security claims made by researchers. Current Claimed only by Quantum Physics Situation They request to include the effect Makarov's group of non-quantum physics They request to include concept of Ref. [7-14, 16-18] Information Theoretic Security Table 5: An example of required pulse generation rate. Literature [21] requests speed at 1 ~ 10 Gbps. Reqested speed Protocol Key Rate Pulse/s 1Gbps Standard QKD 10-6 1015 -9 18 1Gbps MDI-QKD 10 10

References [1] C. H. Bennett, G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” Proceedings of IEEE International

Conference on Computers, Systems and Signal 6

[19] N. Lütkenhaus, “Security against individual attacks for realistic quantum key distribution,” Phys. Rev. A 61, 052304 (2000) [20] K. Tamaki, H.-K. Lo, C.-H. F. Fung, and B. Qi “Phase encoding schemes for measurement-deviceindependent quantum key distribution with basisdependent flaw,” Phys. Rev. A 85, 042307 (2012) [21] Defense Advanced Research Projects Agency, “Quiness: Macroscopic Quantum Communications,” Solicitation Number:DARPA-BAA-12-42 (2012) [22] V. Makarov and D. R. Hjelme, “Faked states attack on quantum cryptosystems,” J. Mod. Opt. Vol. 52, Issue 5, 691, (2005) [23] V. Makarov, “Controlling passively quenched single photon detectors by bright light,” New J. Phys. 11, 065003, (2009) [24] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nature Photonics 4, 686–689, (2010) [25] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, ”Thermal blinding of gated detectors in quantum cryptography,” arXiv:1009.2663, (2010) [26] C. Wiechers, L. Lydersen, C. Wittmann, D. Elser, J. Skaar, Ch. Marquardt, V. Makarov, and G. Leuchs, “After-gate attack on a quantum cryptosystem,” arXiv:1009.2683, (2010) [27] I. Gerhardt, Q. Liu, A. L.-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” arXiv:1011.0105, (2010) [28] S. Sauge, L. Lydersen, A. Anisimov, J. Skaar, and V. Makarov, “Controlling an actively-quenched single photon detector with bright light,” Optics Express, Vol. 19, Issue 23, pp. 23590-23600, (2011) [29] Q. Liu, A. L.-Linares, C. Kurtsiefer, J. Skaar, V. Makarov, and I. Gerhardt, “A universal setup for active control of a single-photon detector,” arXiv:1307.5951v1, (2013) [30] L. Lydersen, M. K. Akhlaghi, A. H. Majedi, J. Skaar, and V. Makarov, “Controlling a superconducting nanowire single-photon detector using tailored bright illumination,” New J. Phys. 13 113042 (2011) [31] M. G. Tanner, V. Makarov, R. H. Hadfield, “Optimised quantum hacking of superconducting nanowire single-photon detectors,” arXiv:1305.5989, (2013) [32] A. N. Bugge, S. Sauge, A. Mardhiyah, M. Ghazali, J. Skaar, L. Lydersen, and V. Makarov, “Laser damage

helps the eavesdropper in quantum cryptography,” arXiv:1310.8384v1 (2013) [33] S. Cova, M. Ghioni, A. Lotito, I. Rech, and F. Zappa, “Evolution and prospects for single-photon avalanche diodes and quenching circuits,” journal of modern optics, vol. 51, no. 9–10, 1267–1288, 15 (2004) [34] Z. L. Yuan, J. F. Dynes and A. J. Shields, “Avoiding the Detector Blinding Attack on Quantum Cryptography,” arXiv:1009.6130, 30 Sep. (2010) [35] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar and V. Makarov, ”Reply to “Avoiding the Detector Blinding Attack on Quantum Cryptography”,” arXiv:1012.0476v1, 2 Dec (2010) [36] Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography,” Applied Physics Letters, Vol. 98, Issue 23, 13 Jun. (2011) [37] L. Lydersen, V. Makarov, and J. Skaar, “Comment on "Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography",” arXiv:1106.3756, 19 Jun. (2011) [38] Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Reply to “Comment on “Resilience of gated avalanche photodiodes against bright illumination attacks in quantum cryptography””,” arXiv:1109.3149v1, 14 Sep. (2011) [39] T. Honjo, M. Fujiwara, K. Shimizu, K. Tamaki, S. Miki, T. Yamashita, H. Terai, Z. Wang, and M. Sasaki, “Countermeasure against tailored bright illumination attack for DPS-QKD,” Optics Express, Vol. 21, Issue 3, pp. 2667-2673, 11 Feb. (2013) [40] M. Fujiwara, T. Honjo, K. Shimizu, K. Tamaki, and M. Sasaki, “Characteristics of superconducting single photon detector in DPS-QKD system under bright illumination blinding attack,” Optics Express, Vol. 21, Issue 5, pp. 6304-6312, 11 Mar (2013) [41] H.-K. Lo, M. Curty, and B. Qi, “MeasurementDevice-Independent Quantum Key Distribution,” Phys. Rev. Lett. 108, 130503 (2012) [42] L. Lydersen, V. Makarov, and J. Skaar, “Secure gated detection scheme for quantum cryptography,” Phys. Rev. A 83, 032306 (2011) [43] Ø. Marøy, L. Lydersen, and J. Skaar, “Security of quantum key distribution with arbitrary individual imperfections,” Phys. Rev. A 82, 032337 (2010)

7