A Static-Loop-Current Attack against the KLJN Secure Key Exchange System

A new attack against the Kirchhoff-Law-Johnson-Noise (KLJN) key distribution system is explored. The attack is based on utilizing a parasitic DC voltage source in the loop. Relevant situations often exist in the low-frequency limit of practical systems, especially when the communication is over a distance, due to a ground loop and/or electromagnetic interference (EMI). Surprisingly, the usual current/voltage comparison based defense method, which exposes active attacks or parasitic features (such as wire resistance allowing information leak), does not function here. The attack is successfully demonstrated. Proposed defense methods against it are shown.

The KLJN scheme utilizes the thermal noise of resistors (or its emulation by specific hardware). In the core scheme, Alice and Bob each have an identical pair of resistors $R_L$ and $R_H$ ($R_L < R_H$), see Fig. 1.
The key exchange protocol for a single secure bit is as follows: Alice and Bob each randomly pick one of their resistors ($R_L$ or $R_H$), connect it to the wire channel, and keep it there during the bit exchange period while they execute voltage and/or current measurements to learn the resistor value at the other end, see below.
The noise voltage generators shown in Fig. 1 in series with each resistor can be the resistors' own thermal noise, or external noise generators emulating a much higher, common, publicly agreed noise temperature. The power density spectra of the voltage and current in the channel are given by the Johnson-Nyquist formulas [11]: where $k$ is Boltzmann's constant, $T$ is the common temperature, and $R_A$ and $R_B$ are the actually connected resistances at Alice's and Bob's ends, respectively, $R_A, R_B \in \{R_L, R_H\}$. After the measurement and spectral analysis, Equations (1) and (2) [...] and $S_i(f)$, respectively.

On former attacks against the KLJN secure key distribution
Several attacks have been proposed, but none has compromised the unconditional security of the KLJN scheme, because each known attack can be efficiently nullified by a corresponding defense scheme.
The attacks fall into two classes, plus a third group of flawed proposals: i) Passive attacks, which utilize non-ideal or parasitic features of a practical KLJN system for information leak. Non-zero wire resistance [37,38] poses the best-known threat, and the most efficient such attack is power balance measurement (the Second Law attack) [39]. An efficient defense is based on a proper temperature offset [39,40]. Temperature inaccuracies [41] and resistance inaccuracies [42] can also cause information leak; on the other hand, these inaccuracies can cancel each other [43] if used creatively. Non-zero cable capacitance [44] or cable inductance can also yield information leak, which can be fixed by specific design, including the proper choice of the frequency range and privacy amplification. Transients can also be utilized for attack [45], but there are various defenses [46,47]. The newest KLJN system, the random-resistor-random-temperature (RRRT-KLJN) scheme [48], is robust against the above vulnerabilities; at least, no known attack exists against it yet.
ii) Active attacks, where Eve either modifies the information channel or injects an extra current into it. The current injection attack [30,49] and the man-in-the-middle attack [50] are the explored examples [2006]. Due to the current and voltage comparison feature [50] and its more advanced cable-modeling version [49], active attacks are, so far, the least efficient attacks against the KLJN scheme.
iii) Flawed attacks. Some proposed attack methods are based on misconceptions and do not work. See their brief summary and criticism, for example, in papers [51-55] and the book [56].

The situation that Eve utilizes for the attack
In practical KLJN systems, in order to save a wire, the common end of the resistors (see Fig. 1) is often connected to the ground. In practical situations there is often an imbalance, that is, a voltage difference between different ground points, for example due to ground loop currents or electromagnetic interference (EMI) [53]. This was pointed out in [53] as a potential source of information leak in the case of significant cable resistance. However, it was not realized in [53] that the information leak can exist even at zero cable resistance.
In this paper, we explore this new information leak in the DC parasitic voltage limit. Thus the considerations hold for situations where, during the bit exchange period, the relative change of the parasitic voltage is small. For the sake of simplicity, but without loss of generality, we assume that the imperfection is represented by a positive DC voltage generator located at Alice's end, see Fig. 2.
Due to Kerckhoffs's principle of security, that is, the assumption that the enemy knows everything except the momentary key, we must assume that Eve knows the polarity and value of this DC voltage (if she does not know it at the beginning, she will be able to extract it by long-time averaging). The direction of the current $I(t)$ is assumed to point from Alice to Bob. The voltage $U(t)$ and current $I(t)$ in the wire are each the sum of a DC and an AC (stochastic, that is, noise) component. Let us analyze the resulting voltages and currents. The current in the wire is
$$I(t) = I_{DC} + I_n(t),$$
where $I_{DC}$ is its DC component and $I_n(t)$ is its AC (noise) component, and where $U_{An}$ and $U_{Bn}$, with $U_{An} \in \{U_{LAn}; U_{HAn}\}$ and $U_{Bn} \in \{U_{LBn}; U_{HBn}\}$, are the voltage noise sources of the chosen resistors $R_A$ and $R_B$, respectively.
The voltage on the wire follows from Equations 3 and 6 as
$$U(t) = U_{DCw} + U_{ACw}(t),$$
where $U_{DCw}$ and $U_{ACw}(t)$ represent the DC and AC voltage components in the wire, respectively.
The DC component can be written for the LH bit situation as $U_{LH}$ and for the HL bit situation as $U_{HL}$. Note that, since we have been assuming $R_H > R_L$ in the given KLJN setup, in this particular situation $U_{LH} > U_{HL}$. For later usage, we evaluate the average of $U_{LH}$ and $U_{HL}$ and call this quantity the threshold voltage:
$$U_{th} = \frac{U_{LH} + U_{HL}}{2}.$$
The effective (RMS) amplitude $U_{ACw}$ of the noise voltage on the wire is identical in the LH and HL cases. Note that the voltage and current noises in the wire follow a normal distribution, since the sum of normally distributed signals is itself Gaussian, with the corresponding mean (see Equation 10) and variance.
For an illustration of the information leak, see Figure 3. The DC component, that is, the mean value of the resulting (AC+DC) Gaussian, depends on the bit situation during the secure key exchange. This dependence is a source of information for Eve about the secret key, and it is exploited below in the new attack scheme.

The attack scheme
The attack consists of three steps: measurement, evaluation, and guessing.
i) Measurement: Eve records $N$ samples of the wire voltage $U(t)$ during the bit exchange period.
ii) Evaluation: She evaluates the fraction $\gamma$ of these $N$ samples that are above $U_{th}$:
$$\gamma = \frac{N_+}{N},$$
where $N_+$ is the number of samples above $U_{th}$.
iii) Guessing (based on Equations 9-14): for $\gamma > 0.5$ and $\gamma < 0.5$, Eve guesses the LH and HL bit situations, respectively. For $\gamma = 0.5$ her decision is undetermined and carries no useful information.
Eve's correct guessing probability $p$ is then given as
$$p = \frac{n_{cor}}{n_{tot}},$$
where $n_{tot}$ is the total number of guessed bits and $n_{cor}$ is the number of correctly guessed bits. The situation $p = 0.5$ indicates perfect security against Eve's attack.
In the next section, we demonstrate the attack method by computer simulations.

Figure 3.
Eve's threshold scheme to guess the bit situation, LH vs. HL.

Simulation Results
To test Eve's correct guessing probability $p$, we simulated the LH situation. We assumed that Alice and Bob [...]. We tested a secure key length of $M = 700$ bits at different bit exchange durations, represented by sample/bit numbers $N = 1000$, 500 and 200, respectively. Figure 4 shows Eve's correct guessing probability $p$ of a key bit vs. temperature. As the temperature approaches infinity, the effective noise voltage on the wire also approaches infinity, and the Gaussian density function becomes symmetrically distributed around the threshold voltage $U_{th}$. Thus the probabilities of finding the noise amplitude above or below $U_{th}$ are identical (0.5), and Eve's correct guessing probability reaches the perfect security limit, $p = 0.5$.

Figure 4. Eve's correct guessing probability $p$ of a key bit vs. temperature (... Hz), for key length 700 bits, and duration/bit (number of samples/bit) 200, 500 and 1000, respectively. The limit $p = 0.5$ stands for perfect security.
The observed dependence can be interpreted by the behavior of the error function, where $U(t)$ is the instantaneous voltage amplitude in the wire and the error function is
$$\mathrm{erf}(x) = \frac{2}{\sqrt{\pi}} \int_0^x e^{-t^2}\,dt.$$
The noise in the KLJN scheme is band-limited white noise; thus, in accordance with the Johnson formula, the effective noise voltage scales with the square root of the temperature (and of the bandwidth). Therefore, when the temperature $T$ converges to infinity, $p$ converges to the perfect security limit of 0.5, see Figure 4.
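The attack scheme (measurement, evaluation, guessing) and the temperature dependence discussed in this section, as an added example that is not the authors' simulation code: the Python model below draws $N$ independent Gaussian samples of the wire voltage around the bit-dependent DC level, runs Eve's threshold test, and compares the Monte Carlo $p = n_{cor}/n_{tot}$ with the exact error-function/binomial prediction. It assumes a voltage-divider reading of Fig. 2 (the DC source in series with Alice's resistor against ground, so the wire DC level is $U_{DC} R_B/(R_A+R_B)$), the Johnson noise of $R_L \parallel R_H$ over a bandwidth $B$ as the wire noise RMS, and illustrative values for $R_L$, $R_H$, $U_{DC}$ and $B$; none of these numbers come from the page. The sweep over $T$ reproduces the Figure 4 trend and is the quantitative form of defense ii) in the next section.

```python
# Added example (not the authors' code): Monte Carlo model of the
# static-loop-current attack and its error-function prediction.
# Modelling assumptions not taken from the page:
#   * Fig. 2 is read as the DC source in series with Alice's resistor against
#     ground, so the wire node sits at the divider U_DC * R_B / (R_A + R_B).
#   * The N samples per bit are independent Gaussian samples whose RMS is the
#     Johnson value of R_L || R_H over the bandwidth B (white noise sampled at
#     the Nyquist rate).
#   * R_L, R_H, U_DC and B are illustrative numbers.
import math
import random

K_B = 1.380649e-23   # Boltzmann constant, J/K
R_L = 1.0e3          # ohm, assumed value
R_H = 1.0e4          # ohm, assumed value
U_DC = 1.0e-3        # V, parasitic DC source at Alice's end, assumed value
BANDWIDTH = 1.0e3    # Hz, assumed noise bandwidth (below the wave limit)


def dc_levels(u_dc=U_DC, r_l=R_L, r_h=R_H):
    """(U_LH, U_HL, U_th) of the wire DC component in the divider model."""
    u_lh = u_dc * r_h / (r_l + r_h)          # Alice R_L, Bob R_H
    u_hl = u_dc * r_l / (r_l + r_h)          # Alice R_H, Bob R_L
    return u_lh, u_hl, 0.5 * (u_lh + u_hl)  # threshold = average of the two


def johnson_rms(temperature, bandwidth=BANDWIDTH, r_l=R_L, r_h=R_H):
    """RMS of the wire noise U_ACw: Johnson noise of R_L || R_H over the band.

    The parallel combination is the same for LH and HL, which is why U_ACw
    is identical in both bit situations.
    """
    r_par = r_l * r_h / (r_l + r_h)
    return math.sqrt(4.0 * K_B * temperature * r_par * bandwidth)


def eve_guess(samples, u_th):
    """Steps ii-iii: gamma = N_+/N; gamma > 0.5 -> 'LH', gamma < 0.5 -> 'HL'."""
    gamma = sum(1 for u in samples if u > u_th) / len(samples)
    if gamma > 0.5:
        return "LH"
    if gamma < 0.5:
        return "HL"
    return None  # gamma == 0.5: no information


def simulate_attack(temperature, n_samples, m_bits, seed=1):
    """Monte Carlo p = n_cor / n_tot over m_bits random LH/HL bits.

    An undetermined guess (gamma == 0.5) is resolved by a coin flip so that
    the result is directly comparable with analytic_p() below.
    """
    rng = random.Random(seed)
    u_lh, u_hl, u_th = dc_levels()
    sigma = johnson_rms(temperature)
    n_cor = 0
    for _ in range(m_bits):
        bit = rng.choice(("LH", "HL"))
        u_dcw = u_lh if bit == "LH" else u_hl
        samples = [u_dcw + rng.gauss(0.0, sigma) for _ in range(n_samples)]
        guess = eve_guess(samples, u_th)
        if guess is None:
            guess = rng.choice(("LH", "HL"))
        n_cor += guess == bit
    return n_cor / m_bits


def prob_sample_above_threshold(temperature):
    """P(U(t) > U_th) for one sample in the LH situation, in erf form."""
    u_lh, _, u_th = dc_levels()
    sigma = johnson_rms(temperature)
    return 0.5 * (1.0 + math.erf((u_lh - u_th) / (sigma * math.sqrt(2.0))))


def analytic_p(temperature, n_samples):
    """Exact P(correct guess) for independent samples: binomial tail over N_+.

    U_th is the midpoint of U_LH and U_HL, so the HL case gives the same value
    and this is Eve's p. A tie (N_+ == N/2) counts as a coin flip.
    """
    q = prob_sample_above_threshold(temperature)
    n = n_samples

    def pmf(k):
        return math.comb(n, k) * q ** k * (1.0 - q) ** (n - k)

    p_above = sum(pmf(k) for k in range(n // 2 + 1, n + 1))
    p_tie = pmf(n // 2) if n % 2 == 0 else 0.0
    return p_above + 0.5 * p_tie


def p_versus_temperature(temperatures, n_samples):
    """Figure-4 style sweep: (T, analytic p) pairs that approach 0.5 as T grows."""
    return [(t, analytic_p(t, n_samples)) for t in temperatures]


if __name__ == "__main__":
    for t, p in p_versus_temperature([1e9, 1e11, 1e13, 1e15], 200):
        print(f"T = {t:.0e} K  U_ACw = {johnson_rms(t):.2e} V  p = {p:.3f}")
    print("Monte Carlo at 1e13 K:", simulate_attack(1e13, 200, 1000))
```

Running the file prints $p$ for $T$ from 1e9 K to 1e15 K at $N = 200$ samples per bit: $p$ is essentially 1 while $U_{ACw}$ is below the half-step $(U_{LH} - U_{HL})/2$, and it decays toward 0.5 as the noise RMS grows, but at 1e13 K, where $U_{ACw}$ is roughly 30 times the DC step, $p$ is still about 0.58. That is the point of the attack: a DC leak far below the noise floor is recovered by averaging over the sample count, which is also why the defenses in the next section target the ratio of noise amplitude to DC offset rather than the offset's visibility in a single sample.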

Some of the possible defense techniques against the attack
Based on the considerations above, the impact of the attack can be eliminated by various means. The most natural ones are:
i) Cancelling the effect of the DC voltage source. For example, Bob can add a variable DC source that compensates for it. Similarly, eliminating ground loops is also beneficial.
ii) Alice and Bob can increase the effective temperature, that is, the amplitudes of their noise generators, see Equation 18 and Figure 4.
iii) Alice and Bob can increase the bandwidth to increase the effective value of the noise, see Equations 18 and 20. However, the bandwidth must stay below the wave limit [54] to avoid information leak due to reflections, thus the applicability of this tool is strongly limited.

Conclusion
The KLJN secure key exchange scheme is a statistical physical system that offers unconditional (information-theoretic) security. For a detailed survey and its history, see the recent book [56].
In this paper a novel attack against the KLJN protocol is shown that uses a frequently occurring parasitic feature, namely the imbalance of voltages between the ground points at the two ends.
We showed that such parasitic voltages and currents can cause information leak. The attack was demonstrated by computer simulations, and proper defense protocols were shown to eliminate the information leak. The considerations in this introductory paper about this new attack type are valid in the limit where the parasitic voltage is static or its (possible) time dependence is slow compared to the dynamics of the noise. Work is in progress to explore more complex situations, too.