Finite-key-size effect in commercial plug-and-play QKD system
Poompong Chaiwongkhot, Shihan Sajeed, Lars Lydersen, Vadim Makarov

TL;DR
This paper evaluates the finite-key-size effect in a commercial plug-and-play QKD system, demonstrating how an eavesdropper can compromise security and deriving bounds that highlight vulnerabilities in the system's key generation process.
Contribution
It introduces a specific key-rate equation for the system and shows how finite-key-size effects can be exploited, providing a new method for security assessment of QKD devices.
Findings
Eavesdropper can force key distillation from smaller sifted-key sizes.
Keys distilled from smaller sifted-key sizes can fall outside the secure bounds.
The manufacturer's software update brings all keys under the derived bound, but their security still cannot be guaranteed under finite-key analysis.
Abstract
A security evaluation against the finite-key-size effect was performed for a commercial plug-and-play quantum key distribution (QKD) system. We demonstrate the ability of an eavesdropper to force the system to distill key from a smaller length of sifted-key. We also derive a key-rate equation that is specific for this system. This equation provides bounds above the upper bound of secure key under finite-key-size analysis. From this equation and our experimental data, we show that the keys that have been distilled from the smaller sifted-key size fall above our bound. Thus, their security is not covered by finite-key-size analysis. Experimentally, we could consistently force the system to generate the key outside of the bound. We also test the manufacturer's software update. Although all the keys after the patch fall under our bound, their security cannot be guaranteed under this analysis.…
