jaseg/ihsm-qkd-paper
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Copy over main part

Browse source
This commit is contained in:
jaseg 2025-05-08 16:31:03 +02:00
parent 56974d2763
commit 372cab3488
2 changed files with 476 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

67
paper.bib
View file

@ -215,7 +215,7 @@
isbn = {978-1-4503-4139-4}
}
@inproceedings{arpPrivacyThreatsUltrasonic2017a,
@inproceedings{arpPrivacyThreatsUltrasonic2017,
title = {Privacy {{Threats}} through {{Ultrasonic Side Channels}} on {{Mobile Devices}}},
booktitle = {2017 {{IEEE European Symposium}} on {{Security}} and {{Privacy}} ({{EuroS}}\&{{P}})},
author = {Arp, Daniel and Quiring, Erwin and Wressnegger, Christian and Rieck, Konrad},
@ -1200,7 +1200,7 @@
file = {/home/jaseg/Sync/Research/Zotero/Couteau et al_2021_Silver.pdf}
}
@article{cuellarStaticFatigueLifetime1987,
@article{cuellarStaticFatigueLifetime1987a,
title = {Static Fatigue Lifetime of Optical Fibers in Bending},
author = {Cuellar, E. and Roberts, D. and Middleman, L.},
date = {1987-01-01},
@ -2287,16 +2287,16 @@
@online{IEEEXploreFullTexta,
title = {{{IEEE Xplore Full-Text PDF}}:},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6520632},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8558378},
urldate = {2024-09-10},
file = {/home/jaseg/Zotero/storage/PQYCW7K7/stamp.html}
file = {/home/jaseg/Zotero/storage/HJJK32NF/stamp.html}
}
@online{IEEEXploreFullTextb,
title = {{{IEEE Xplore Full-Text PDF}}:},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8558378},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6520632},
urldate = {2024-09-10},
file = {/home/jaseg/Zotero/storage/HJJK32NF/stamp.html}
file = {/home/jaseg/Zotero/storage/PQYCW7K7/stamp.html}
}
@inproceedings{immlerBTREPIDBatterylessTamperresistant2018,
@ -2849,11 +2849,11 @@
issn = {2511-9044, 2511-9044},
doi = {10.1002/qute.201800011},
url = {http://arxiv.org/abs/1703.09278},
urldate = {2024-05-27},
urldate = {2024-05-02},
abstract = {Quantum key distribution using weak coherent states and homodyne detection is a promising candidate for practical quantum-cryptographic implementations due to its compatibility with existing telecom equipment and high detection efficiencies. However, despite the actual simplicity of the protocol, the security analysis of this method is rather involved compared to discrete-variable QKD. In this article we review the theoretical foundations of continuous-variable quantum key distribution (CV-QKD) with Gaussian modulation and rederive the essential relations from scratch in a pedagogical way. The aim of this paper is to be as comprehensive and self-contained as possible in order to be well intelligible even for readers with little pre-knowledge on the subject. Although the present article is a theoretical discussion of CV-QKD, its focus lies on practical implementations, taking into account various kinds of hardware imperfections and suggesting practical methods to perform the security analysis subsequent to the key exchange. Apart from a review of well known results, this manuscript presents a set of new original noise models which are helpful to get an estimate of how well a given set of hardware will perform in practice.},
langid = {english},
keywords = {Quantum Physics},
file = {/home/jaseg/Zotero/storage/I7UL2SKX/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
file = {/home/jaseg/Zotero/storage/A2BQHUUW/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
}
@article{laudenbachContinuousVariableQuantumKey2018a,
@ -2871,11 +2871,11 @@
issn = {2511-9044, 2511-9044},
doi = {10.1002/qute.201800011},
url = {http://arxiv.org/abs/1703.09278},
urldate = {2024-05-02},
urldate = {2024-05-27},
abstract = {Quantum key distribution using weak coherent states and homodyne detection is a promising candidate for practical quantum-cryptographic implementations due to its compatibility with existing telecom equipment and high detection efficiencies. However, despite the actual simplicity of the protocol, the security analysis of this method is rather involved compared to discrete-variable QKD. In this article we review the theoretical foundations of continuous-variable quantum key distribution (CV-QKD) with Gaussian modulation and rederive the essential relations from scratch in a pedagogical way. The aim of this paper is to be as comprehensive and self-contained as possible in order to be well intelligible even for readers with little pre-knowledge on the subject. Although the present article is a theoretical discussion of CV-QKD, its focus lies on practical implementations, taking into account various kinds of hardware imperfections and suggesting practical methods to perform the security analysis subsequent to the key exchange. Apart from a review of well known results, this manuscript presents a set of new original noise models which are helpful to get an estimate of how well a given set of hardware will perform in practice.},
langid = {english},
keywords = {Quantum Physics},
file = {/home/jaseg/Zotero/storage/A2BQHUUW/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
file = {/home/jaseg/Zotero/storage/I7UL2SKX/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
}
@article{laudenbachContinuousVariableQuantumKey2018b,
@ -2950,7 +2950,7 @@
file = {/home/jaseg/Zotero/storage/QSDA9K48/Hall - (72) Inventors Alan Henry Leek, Frisco, TX (US);.pdf}
}
@article{leePrintedSpiralWinding2011a,
@article{leePrintedSpiralWinding2011,
title = {Printed {{Spiral Winding Inductor With Wide Frequency Bandwidth}}},
author = {Lee, Chi Kwan and Su, Y. P. and Ron Hui, S. Y.},
date = {2011-10},
@ -3152,7 +3152,7 @@
file = {/home/jaseg/Zotero/storage/WBSKAYAN/Long et al. - 2024 - EM Eye Characterizing Electromagnetic Side-channe.pdf}
}
@article{lopeFirstSelfResonant2021,
@article{lopeFirstSelfresonantFrequency2021,
title = {First Selfresonant Frequency of Power Inductors Based on Approximated Corrected Stray Capacitances},
author = {Lope, Ignacio and Carretero, Claudio and Acero, Jesus},
date = {2021-02},
@ -3512,6 +3512,14 @@
file = {/home/jaseg/Zotero/storage/AM4Q8Y76/Mohan et al. - 1999 - Simple accurate expressions for planar spiral indu.pdf}
}
@online{molexMolexSilverFlexible,
title = {Molex {{Silver Flexible Circuit Solutions}}},
author = {{Molex}},
url = {https://my.avnet.com/wcm/connect/d5fa4b27-de81-4aac-9bcb-cff3844b9eb3/Silver-Flexible-Circuit-Solutions-Brochure-EN-Brochure.pdf?MOD=AJPERES&CVID=oMyo8ki},
urldate = {2025-05-07},
file = {/home/jaseg/Zotero/storage/SY87W3RX/Silver-Flexible-Circuit-Solutions-Brochure-EN-Brochure.pdf}
}
@inproceedings{monfaredLeakyOhmSecretBits2023,
title = {{{LeakyOhm}}: {{Secret Bits Extraction}} Using {{Impedance Analysis}}},
shorttitle = {{{LeakyOhm}}},
@ -4212,18 +4220,7 @@
file = {/home/jaseg/Zotero/storage/RLBAU32H/Patra et al. - ABY2.0 Improved Mixed-Protocol Secure Two-Party C.pdf}
}
@standard{pcisecuritystandardscouncilPaymentCardIndustry2021,
title = {Payment {{Card Industry PIN Transaction Security Hardware Security Module Modular Security Requirements}}},
author = {{PCI Security Standards Council}},
date = {2021-12},
url = {https://docs-prv.pcisecuritystandards.org/PTS/Standard/PCI_HSM_Security_Requirements_v4.pdf},
urldate = {2025-04-08},
abstract = {HSMs (Hardware Security Modules) play a critical role in helping to ensure the confidentiality and/or data integrity of financial transactions. Therefore, to help engender trust in the legitimacy of the financial transactions being supported, it is imperative that HSMs are appropriately secure during their entire lifecycle. This includes manufacturing, shipment, use, and decommissioning. The purpose of this document is to provide guidance and direction for appropriately designing HSMs to meet the security needs of the financial payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs involved with financial payments industry. This document provides vendors with a list of all the security requirements against which their products will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) device approval. HSMs may support a variety of payment-processing and cardholder-authentication applications and processes. The processes relevant to the full set of requirements outlined in this document are: ▪ PIN processing ▪ 3-D Secure ▪ Card verification ▪ Card production and personalization ▪ EFTPOS ▪ ATM interchange ▪ Cash-card reloading ▪ Data integrity ▪ Chip-card transaction processing ▪ Key generation ▪ Key injection There are many other applications and processes that may utilize general-purpose HSMs, and which may necessitate the adoption of all or a subset of the requirements listed in this document. However, this document does not aim to develop a standard for general-purpose HSMs for use outside of applications such as those listed above that are in support of a variety of payment-processing and cardholder- authentication applications and processes for the financial payments industry.},
version = {4.0},
file = {/home/jaseg/Zotero/storage/CZF34DDM/PCI_HSM_Security_Requirements_v4.pdf}
}
@misc{pcisecuritystandardscouncilPaymentCardIndustry2021a,
@misc{pcisecuritystandardscouncilPaymentCardIndustry2021,
title = {Payment {{Card Industry PIN Transaction Security Hardware Security Module Modular Derived Test Requirements}}},
author = {{PCI Security Standards Council}},
date = {2021-12},
@ -5139,7 +5136,7 @@
file = {/home/jaseg/Zotero/storage/XURXLX9C/Takeoka et al. - 2014 - Fundamental rate-loss tradeoff for optical quantum.pdf}
}
@incollection{TamperResistance2020a,
@incollection{TamperResistance2020,
title = {Tamper {{Resistance}}},
booktitle = {Security {{Engineering}}},
date = {2020},
@ -5664,6 +5661,26 @@
file = {/home/jaseg/Zotero/storage/S93U8AF3/Wang et al. - 2020 - Topological optimization of hybrid quantum key dis.pdf}
}
@article{wangTwinfieldQuantumKey2022,
title = {Twin-Field Quantum Key Distribution over 830-Km Fibre},
author = {Wang, Shuang and Yin, Zhen-Qiang and He, De-Yong and Chen, Wei and Wang, Rui-Qiang and Ye, Peng and Zhou, Yao and Fan-Yuan, Guan-Jie and Wang, Fang-Xiang and Chen, Wei and Zhu, Yong-Gang and Morozov, Pavel V. and Divochiy, Alexander V. and Zhou, Zheng and Guo, Guang-Can and Han, Zheng-Fu},
date = {2022-02},
journaltitle = {Nature Photonics},
shortjournal = {Nat. Photon.},
volume = {16},
number = {2},
pages = {154--161},
publisher = {Nature Publishing Group},
issn = {1749-4893},
doi = {10.1038/s41566-021-00928-2},
url = {https://www.nature.com/articles/s41566-021-00928-2},
urldate = {2025-05-08},
abstract = {Quantum key distribution (QKD) provides a promising solution for sharing information-theoretic secure keys between remote peers with physics-based protocols. According to the law of quantum physics, the photons carrying signals cannot be amplified or relayed via classical optical techniques to maintain quantum security. As a result, the transmission loss of the channel limits its achievable distance, and this has been a huge barrier towards building large-scale quantum-secure networks. Here we present an experimental QKD system that could tolerate a channel loss beyond 140\,dB and obtain a secure distance of 833.8\,km, setting a new record for fibre-based QKD. Furthermore, the optimized four-phase twin-field protocol and high-quality set-up make its secure key rate more than two orders of magnitude greater than previous records over similar distances. Our results mark a breakthrough towards building reliable and efficient terrestrial quantum-secure networks over a scale of 1,000\,km.},
langid = {english},
keywords = {Quantum information,Single photons and quantum effects},
file = {/home/jaseg/Zotero/storage/FCHS9D49/Wang et al. - 2022 - Twin-field quantum key distribution over 830-km fi.pdf}
}
@article{wegmanNewHashFunctions1981,
title = {New Hash Functions and Their Use in Authentication and Set Equality},
author = {Wegman, Mark N. and Carter, J.Lawrence},

449
paper.tex
View file

@ -24,6 +24,8 @@
\usepackage{hyperref}
\usepackage{makecell}
\graphicspath{{figures}}
\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\DeclareSIUnit{\rpm}{rpm}
@ -34,6 +36,10 @@
\newcommand{\price}[2]{#1 #2}
\newcommand{\todo}[1]{\textbf{TODO}\footnote{#1}}
\newcommand{\imgsource}[4]{\scriptsize%
Image source: #1, #2 (\underline{\href{#4}{link}}). %
Licensed #3.}
\begin{document}
\author{Jan Sebastian Götte\inst{1} \and Björn Scheuermann\inst{2}}
@ -78,15 +84,69 @@ parties that are only connected through an untrusted channel. In contrast with c
security of QKD is based on quantum-physical laws of nature, and assuming a correct technical realization, QKD can
provide information-theoretic security.
In principle, QKD is a specialized form of photonic quantum computing. The underlying approach in QKD is that two
parties exchange quantum states, then perform experiments on these quantum states to produce partially correlated
randomness. This correlated randomness is then refined into identical secrets on both ends by running an error
correction process known as \emph{information reconciliation} using a classical channel for communication. After this
process, an attacker may still possess partial information about the shared secret. To dilute this information, in a
step named \emph{privacy amplification} a randomness extractor such as a information-theoretic hash function is used to
create a new, shorter secret over which the attacker possesses effectively no information.
\section{Range in QKD}
Regardless of the particular QKD protocol used, common to all QKD protocols, quantum states must be exchanged between
parties. While quantum computers are built from a wide variety of quantum states from trapped ions through
superconducting states up to spin states, all QKD protocols are based on photonic states since they are the only ones
that can easily be transferred across long distances through optical fiber. Even so, QKD protocols face a steep
trade-off between speed of key generation--called \emph{secret key rate}--and distance since quantum states cannot be
amplified. In literature on long-range QKD, secret key rates as low as $10$ milli-bits per second are routinely
published\cite{wangTwinfieldQuantumKey2022}.
\subsection{Loss in optical fibers}
\subsection{QKD in space}
\subsection{MDI-QKD}
When transmitted over a fiber, there are multiple effects that degrade the quantum-optical signal of a QKD system, which
are collectively referred to as \emph{loss}. We can coarsely classify these degrading effects into two categories:
\emph{decoherence}, and \emph{attenuation}. Decoherence effects result in the quantum state being changed in transit,
which depending on the QKD implementation may mean destroying information contained within the state such as by
disturbing the pulse's polarization, or destruction of entanglement between the in-flight state and another local state.
Decoherence effects are less relevant for the distance limitation, and mostly limit which fiber-optic technologies can be
utilized in the first place. Due to decoherence, QKD systems usually use Single-Mode (SM) fiber over Multi-Mode (MM)
fiber\cite{amitonovaQuantumKeyEstablishment2020}, and decoherence makes it more difficult to utilize Wavelength Division
Multiplexing (xWDM) to send multiple either quantum or classical optical signals through a single fiber.
In practice, attenuation is the primary factor limiting the length of an individual fiber run in QKD. Even modern,
ultra-low loss optical fiber has an attenuation in the order of \qty{0.15}{\decibel\per\kilo\meter}, resulting in a loss
of half the signal's power, equivalent to half of all QKD pulses, in just \qty{20}{\kilo\meter}. For longer reaches,
these losses ar multiplicative, so after only \qty{200}{\kilo\meter} only one in a thousand photons entering the fiber
will exit it at the other end \cite{chesnoyUnderseaFiberCommunication2015}.
\subsection{Relaying}
A consequence of this range limitation is that at useful bit rates, QKD links can only be realized across ranges less
than \qty{100}{\kilo\meter} or so. A protocol called twin-field quantum key distribution can be used to effectively
double the range of a QKD link by placing an untrusted node in the middle of the link, but further extension would
require either a trusted relay or a complex relay operating on the quantum states. As of now, such quantum relays are
not practical leaving only the trusted relay route for achieving useful secret key rates across distances longer than a
few hundred kilometers.
If we imagine a continental-scale network of QKD systems with fibers spanning tens of thousands of kilometers, it is
easy to see why the physical security of its relay nodes is such a concern in QKD setups. Such a network would need
between hundreds and throusands of relay nodes. Making things worse, these relay nodes would have to been spread evenly
across thousands of kilometers of optical links, with many ending up in isolated places in the field, away from
datacenters and other well-protected technical infrastructure. Since the compromise of any one QKD relay could be enough
for an attacker to carry out a on-path attack, protecting thousands of small relay installations located in equipment
sheds spread across sparsely populated areas against adversaries with advanced physical attack capabilites becomes a
daunting task. Effectively, each quantum relay has to be made into a hardware security module including advanced
including active tamper sensing.
\section{Inertial Hardware Security Modules}
As of now, QKD nodes are large, rack-mount devices. While miniaturization is ongoing, the processing requirements of
such systems alone exceed the capabilities of conventional hardware security modules. With a conventional hardware
security module, protecting an entire QKD relay consisting of two link endpoints and their associated processing systems
would be infeasible due to their size and power dissipation.
One of the core challenges in the design of active tamper sensors for Hardware Security Modules (HSMs) is protecting the
device against drilling attacks. In a drilling attack, an attacker accesses internal circuitry of the HSM by drilling a
hole, allowing a probe to pass through. In HSMs, drilling attacks are commonly monitored by enveloping the payload in a
@ -100,10 +160,14 @@ they are easy to manipulate using standard Printed Circuit Board (PCB) rework te
industrially used for low-cost keyboard and key pad production using screen-printed silver or carbon conductive inks on
a polyester substrate are also used, but are limited by a coarse structure size.
In contrast to such mesh foils, Inertial HSMs approach envelope tamper sensing by encasting the payload in a mesh cage
made from using low-cost PCBs, then rotating this cage at high speed to simultaneously cover all angles, and prevent
manipulation of the mesh. To prevent an attacker from slowing down the rotating mesh cage, an accelerometer is placed on
the rotating mesh that monitors rotation by measuring centrifugal acceleration.
The area of foil-based security meshes is primarily limited by the difficulty of manufacturing large foils without
defects. Not only does total defect rate rise with area, commercial PCB or FPC manufacturing processes have a panel size
usually in the order of \qtyrange{500}{800}{\milli\meter} side length that cannot be exceeded.
In contrast to conventional HSMs using mesh foils, Inertial HSMs approach envelope tamper sensing by encasting the
payload in a mesh cage made from using low-cost PCBs, then rotating this cage at high speed to simultaneously cover all
angles, and prevent manipulation of the mesh. To prevent an attacker from slowing down the rotating mesh cage, an
accelerometer is placed on the rotating mesh that monitors rotation by measuring centrifugal acceleration.
The main issue in IHSM construction is the construction of the pass-through providing electrical connections between the
payload and the outside world. In conventional HSMs that use tamper sensing mesh foils, this passthrough is realized by
@ -111,20 +175,375 @@ folding the mesh foil and a Flexible Flat Cable (FFC) in several layers such tha
a probe could be inserted through. In IHSMs, electrical connections are passed through a hollow shaft on one end of the
mesh cage. Similar to the serpentine folds between mesh foil and FFC in conventional HSMs, in IHSMs complex geometry can
be realized by placing a secondary rotating mesh on the inside of the primary mesh, covering the point where the shaft
goes through the primary mesh.
goes through the primary mesh.
Where in conventional HSMs covering larger areas with a patchwork of smaller mesh foils creates the difficulty of
creating secure seams between the foils, in IHSMs, multiple PCB meshes can easily be joint into a larger mesh by simply
overlapping them, since the mesh's rotation makes any attack on such a joint exceedingly difficult.
\section{Related Work}
\section{QKD in an IHSM}
\subsection{Technical requirements of a QKD node}
\subsection{IHSM dimensioning}
\section{An IHSM Optical Passthrough}
\subsection{Planar disc case}
\subsection{Interlocking shells}
\subsection{Meshing gear shells}
\subsection{Secondary mesh drive through magnetic coupling}
\subsection{Primary mesh drive through fan wheel design}
\subsection{Physical requirements of QKD transceivers}
Putting a QKD relay node and associated machinery inside of an IHSM, we first need to answer two key questions. First,
\emph{will it fit?}, and second, \emph{Can we hook it up?}. In the following paragraphs, we will go through several
aspects of these general questions one by one.
\paragraph{Physical dimensions.}
At this point, a number of commercial systems promising QKD exist. Common QKD protocols do not require any particularly
large or power-hungry components, and so commercial systems have generally adopted the 19 Inch rackmount enclosure
standard that is common to modern telecommunications equipment, with a width of $\approx\qty{50}{\centi\meter}$, a
height between $\approx\qtyrange{4}{30}{\centi\meter}$ and a depth below $\approx\qty{100}{\centi\meter}$.\todo{Re-check
these numbers shortly before submission} While something of this size would be infeasible to protect with the security
mesh of a traditional hardware security module, placed vertically, even without modifications any of these systems are
well within an envelope that can be protected with a single IHSM cage.
\paragraph{Power supply.}
QKD systems do not contain any particularly power-hungry components. Unlike quantum computers, most of the signal path
is optical, and as such can be implemented with room-temperature fiber-optic components. Only the single-photon
detectors may require cooling in some systems, but unlike something like an ion trap quantum computer's processor,
energy-intensive deep cryogenic cooling is not necessary. Most manufacturers don't quote the power requirements of their
systems, but we were able to find that IDQuantique specifies their QKD systems to be able to run off a single
\qty{300}{\watt} power supply\cite{ClavisXGQKD2024}. In an inertial HSM, power up to several \unit{\kilo\watt} can
easily be transferred to the payload with through-axis cables.
\paragraph{Cooling.}
While the few hundred Watt of power that QKD systems require could easily be transported through the mesh of a a
traditional HSM as well, cooling that amount of thermal load purely by heat conduction through centimeters of epoxy
resin would make implementation infeasible in traditional HSM. In an IHSM on the other hand, up to several
\unit{\kilo\watt} can easily be dissipated through forced-air cooling since the rotating security mesh can have an
arbitrary amount of longitudinal openings.
\paragraph{Data and signals.}
A QKD transceiver has a number of ports in addition the port for the fiber optic quantum channel. Depending on the
system, one or more additional optical links may be necessary for clock distribution, allowing both endpoints to tune
their lasers into precise alignment. QKD protocols require a classical link used for information reconciliation, which
along with the key stream output and management links requires one or more classical network ports.
In a QKD relay node, the key stream never leaves the security envelope. The management and information reconciliation
links can be combined into a single, classical network link, requiring a single fiber when using a standard wavelength
division multiplexing transceiver. The QKD link's reference clock channel and the quantum channel require a dedicated
fiber each, adding up to a total of five fibers for a uni-directional QKD relay, or nine fibers for a bidirectional one.
Since fiber pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, this amount of fibers can be fed
through an IHSM's axis of rotation. The mechanical challenge in such a multi-fiber signal and data feedthrough is to
observe the fiber's minimum bending radius, which for common fibers is usually in the range of
\qtyrange{5}{15}{\milli\meter}\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}.
In conclusion, a QKD node is not a particularly challenging payload for an IHSM. The most problematic
requirement is feeding through a number of fibers for its various input and output signals, but fundamentally it is no
different from any server or other piece of IT equipment.
\section{Multi-fiber passthrough with active secondary mesh}
The primary weak spot of a simple IHSM is its axis of rotation. While the stationary axis allows for wired data and
power connections to penetrate the mesh, it also provides an easy target for an attacker who wants to insert some sort
of physical probe into the IHSM's security envelope. While to a certain extent this attack vector can be made more
difficult though simple construction techniques such as making the shaft as thin as possible, and getting the mesh as
close to it as possible, as well as using a solid steel shaft on the motor end of the mesh, the level of security that
these mitigations provide is much below that of the remainder of the mesh. Thus, a better solution is needed.
\textcite{gotteCantTouchThis2022} list some \emph{shielding} methods that use a independently rotating secondary
mesh on the inside of the primary mesh, located right next to the primary mesh's axis opening. In this section, we will
go into some more detail on four variations of this solution. In order of increasing complexity, these variations are a
simple disc cover, coaxial labyrinth meshes, offset labyrinth meshes, and interlocking gear meshes. We will demonstrate
a functional prototype of the simple disc cover, present a design and mechanical prototypes of the offset labyrinth
meshes, and provide details on the design of a interlocking gear mesh.
\subsection{Simple disc cover}
\begin{figure}[h!]
\centering
\includegraphics[width=\textwidth,page=1]{shaft_countermeasures_b.pdf}
\caption[Coaxial disc mesh schema]{Coaxial disc mesh schema, cross-section and top-down views. The outer mesh is
shown in red, and the inner mesh in blue. The dashed line indicates the two meshes' shared axis of rotation. The
gray areas indicate the shape of the volume that remains undisturbed by the mesh, and that is available for
structural support and cable routing.}
\label{qkd_fig_disc_mesh}
\end{figure}
While IHSMs excel at protecting large payload volumes, even a zero-payload IHSM that has been shrunk to a single,
disc-shaped PCB is still useful because we can delegate key management functionality to the mesh monitoring circuit's
microcontroller---or a separate processor sitting next to it---on the rotating mesh PCB, yielding a solution close in
both its cryptographic capabilities and its security level to commercial traditional HSMs, and exceeding those of a
smartcard. In the following paragraphs, we will show how we can deploy the same single-board IHSM (SB-IHSM) as a
mitigation for through-axis attacks, exploiting its mechanical shape and its simple, low-cost implementation.
By placing an adapted single-board IHSM close to the primary mesh's axis opening as shown in Figure\
\ref{qkd_fig_disc_mesh}, an attacker is forced to either first circumvent or at least dislodge the single-board IHSM
through the primary mesh's axis opening without disturbing either mesh to gain direct access to the payload behind it,
or to conduct their attack through the keyhole-sized opening in the primary mesh while bending their tool by
approximately \qty{90}{\degree} at least twice, once to avoid the SB-IHSM mesh, and once more to re-orient the tool
towards the payload. The distance between the inside of the primary mesh and the SB-IHSM is limited by the tolerance in
mechanical alignment between the two axes of rotation, by the space necessary for a sufficiently stable mount of the
payload cage to the hollow shaft, and by the minimum bend radius of the power and data wiring that needs to pass through
the shaft. In QKD applications, the fibers' minimum bend radius is the largest contributing factor. Power and electrical
data signals can be supplied through flexible flat cables that can be bent in sharp corners without issue. Optical
fibers on the other hand are limited in their minimum bend radius, as their optical loss rises sharply with decreasing
bend radius\footnote{Note that the issue here is not that the glass core of the fiber would degrade or break, as one
might intuitively assume. Being only a few dozen micrometers in diameter, an optical fiber's core is remarkably
flexible. Instead, the issue is that both multimode as well as singlemode fibers are optical waveguides. Bending them
distorts the electromagnetic field inside the waveguide, and allows some small portion of it to escape from the fiber's
core, leading to loss in the form of both attenuation and dispersion\cite{schermerImprovedBendLoss2007}.}. With QKD
being especially sensitive to even small amounts of loss, care has to be taken to maximize the bend radius of the fiber
optic connections. A common specification of minimum bend radius in telecom singlemode fibers taking into account not
just optical loss but also the mechanical stability of the fiber's polymer coating is $10\times$ the coated fiber's
diameter\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}, which equates to \qty{9}{\milli\meter} for common
\qty{0.9}{\milli\meter} fiber pigtails, corresponding to approximately \qty{1}{\decibel} of loss in the
\qty{1550}{\nano\meter} band\cite{schermerImprovedBendLoss2007}. Based on these specifications and on a conservative
estimate of \qty{2.5}{\milli\meter} for the vertical mesh clearance, we arrive at a minimum inter-mesh spacing of
approximately \qty{11}{\milli\meter} when using minimal overlap between tab heights.
\begin{figure}
\centering
\subcaptionbox[Helical transition of single fiber]{Single fiber}{\includegraphics[width=.45\textwidth]{helix_transition.png}}
\hfill
\subcaptionbox[Helical transition of fiber bundle]{Fiber bundle}{\includegraphics[width=.45\textwidth]{helix_bundle.png}}
\caption[Helically coiling fibers inside the axis tube]{
The necessary mesh spacing can be reduced by coiling the fibers inside of the axis tube. The coiled fibers enter
the inter-mesh space at an angle equal to the helix lead angle, which reduces the amount of space necessary to
complete the transition to horizontal along a circular arc. In this example, a \qty{6}{\milli\meter} outer
diameter tube with a \qty{0.5}{\milli\meter} wall thickness is shown with 6 fibers with \qty{0.9}{\milli\meter}
outer diameter coiled to a constant bend radius of \qty{9}{\milli\meter}. The lead angle of the resulting helix
is \qty{61.5}{\degree}, and past the tube exit, only \qty{5.16}{\milli\meter} of inter-mesh space are necessary.
}
\label{qkd_fig_fiber_helix}
\end{figure}
\subsection{Coaxial labyrinth meshes}
\begin{figure}[h!]
\centering
\includegraphics[width=\textwidth,page=4]{shaft_countermeasures_b.pdf}
\caption[Coaxial labyrinth mesh schema]{Coaxial labyrinth mesh schema, cross-section and top-down views.}
\end{figure}
In QKD applications, the simple disc cover design shown above has two main limitations. First, the distance between the
primary and secondary meshes' tab rings must be large enough to allow for the fibers' minimum bend radius, resulting in
more than \qty{10}{\milli\meter} of space available to an attacker. Second, the attacker only has to bend their tool in
a plane to reach the payload.
To increase the difficulty of inserting a long and flexible tool through the axis shield, \todo{Axis shield might be a
nice term. Unify terminology for axis/shaft, the shield, the names of the two meshes, and the tabs sticking up from the
meshes. Also what do we call the space in between? Terminology for the sides with offset meshes?} the shape of the
interface layer between the two meshes can be made more complex. Introducing small mesh \emph{tabs} that stick out
into the inter-mesh space from both meshes creates a labyrinth-like structure between the axis opening and the IHSM's
inside. Structural support and cables can easily pass this structure in a series of \qty{90}{\degree} bends, while
inserting a probe avoiding both meshes would not be feasible as the probe would have to perform a series of sharp
bends. The type of manipulator that would be necessary for the placement of a probe in this system is conceptually
similar to snake-like robots used in minimally invasive surgery, but state-of-the-art systems from this area are both
too thick and don't have enough joints to fit even simple labyrinth layouts\cite{
suhDesignDiscreteBending2017,
schmitzRollingTipFlexibleInstrument2019,
kimAdvancementFlexibleRobot2022,
hongDesignCompensationControl2020}.
For instance, if we assume \qty{3}{\milli\meter} material thickness on the radial bracket connecting the shaft with the
secondary mesh's mounting frame\todo{conceptual drawing here} along with \qty{10}{\milli\meter} of mesh tab overlap,
\qty{1.5}{\milli\meter} of clearance between radial bracket and each of the two meshes, and an inter-mesh spacing from
one tab ring to the next equal to the radial brackets' material thickness of \qty{4}{\milli\meter} plus the clearance
from bracket to mesh, we arrive at a meander \qty{6}{\milli\meter} in width completing four \qty{180}{\degree} turns
within less than \qty{40}{\milli\meter} of radial distance.
Researching the security of nuclear weapons, \textcite{bellovinPermissiveActionLinks} references a quote characterizing
the tamper security of a Permissive Action Link, a tamper-proof component designed to authorize the use of a nuclar
weapon through a code, as follows.
\todo{Get the actual book from ULB, and properly attribute this quote.}
\begin{quote}
Bypassinag a PAL should be, as one weapons designer graphically put it, about as complex as performing a
tonsillectomy while entering the patient from the wrong
end. \cite{caldwell1989reducing,bellovinPermissiveActionLinks}
\end{quote}
With our discussion of surgical robots two paragraphs ago this quote is very on the nose, and it is probably fair to say
that we have made some progress to achieve this standard. While we are not quite there yet, we shall make it our goal to
achieve or even exceed this standard with our work in the following sections.
\begin{figure}
\centering
\includegraphics[width=.7\textwidth]{wikimedia_Four_Corners_Bank_Vault_cropped.jpg}
\caption[Photo of a bank vault door]{Photo of a bank vault door at the Four Corners building in Bowling Green, Ohio,
USA. The interface between the door and its frame is stepped all around to discourage would-be intruders from
inserting any sort of tool through the small gap around the closed door. In this instance, because the door's sill
is stepped, too, a small ramp has been placed over the sill so that people going in and out of the open door don't
stumble over the steps.\\
\imgsource{Wikimedia Commons user Mbrickn}{2019}{CC-BY-SA}{https://commons.wikimedia.org/wiki/File:Four_Corners_Bank_Vault.jpg}
}
\label{qkd_fig_vault_door}
\end{figure}
While long and narrow tabs are desirable for mesh security as they limit the size and mobility of an attacker's probe,
in QKD application, the need for fiber optic passthrough is the limiting factor. The obvious solution of passing through
the fibers in a series of in-plane S-bends requires a coarse tab spacing due to the fibers' large minimum bend radius.
However, we can apply the approach we proposed above for the shaft entrance here, too, and thread the fibers between the
meshes by helically coiling them, increasing the fibers' bend radius to one half of the distance between both mesh
discs minus the fibers' diameter and clearances\todo{Formulas here and elsewhere, define variables}. When the resulting
useable part of the distance is larger than twice the bend radius, the minimum tab spacing is only limited by the
fiber's diameter and the stability of the star bracket. When the discs are placed closer, and a larger pitch is
necssary, the resulting pitch of the helix determines the minimum tab spacing.
Designing a labyrinth mesh for intrusion prevention is similar to the design of the shape of the jamb of a safe door
such as the one shown in Figure\ \ref{qkd_fig_vault_door}, or of a high end apartment door. In these, the objective is
to prevent would-be burglars from inserting opening tools through the space between the closed door and its jamb and
attacking the door's interior handle or locking mechanism, not unlike an IHSM's defense against electrical or
electromagnetic probes. The one difference between these doors and what we can do in IHSMs is that these doors are
limited to outwards-facing steps because they must be opened and closed. In IHSM labyrinth meshes, we can use both
outwards-facing and inwards-facing steps.
Concentric labyrinth meshes allow for a wide range of different configurations. The pitch from one mesh tab to the
next is the sum of the required width of the inter-mesh space and the safety margin needed betwween any cables or the
inter-mesh bracket and the tabs. When the mesh is constructed using rigid PCB tabs that are inserted as-is, without
bending them, and when all tabs have the same width and thickness, the radial width of the swept area decreases from tab
to tab going outwards as shown in Figure\ \ref{qkd_fig_mesh_ring_reduction}. A consequence of this is that when the
design target are constant width inter-mesh spaces, the tabs' pitch decreases going outwards.
\begin{figure}
\centering
\includegraphics[width=\textwidth]{mesh_ring_reduction.pdf}
\caption[Coaxial labyrinth mesh tab swept area]{Top-down view of a coaxial labyrinth mesh with three tabs, with the
area swept by each tab highlighted. When rigid, planar tabs of a single width $w$ are used, the radial width of the
swept areas decreases and approaches the tabs' thickness $t$ as their radius $r$ increases.
}
\label{qkd_fig_mesh_ring_reduction}
\end{figure}
The safety margin required to avoid collisions between the meshes and the stator\todo{stator is a nice word for the
entire non-rotating part of the assembly. stator/star bracket?} can be kept low for the primary mesh because this mesh
has high-quality bearings on both ends, leading to good axis alignment. In contrast, for the secondary mesh considerable
margins have to be included if the mesh is driven by a cooling fan motor, as the bearings in such fans are not very
precise. With loose bearings, angular axis misalignment can lead to several millimeters of deflection in both the radial
and axial dimensions as illustrated in Figure\ \ref{qkd_fig_mesh_ring_bearing_tolerance}.
\begin{figure}
\centering
\includegraphics[width=\textwidth]{mesh_ring_bearing_tolerance.pdf}
\caption[Coaxial labyrinth mesh axis alignment tolerance illustration]{Illustration of the effect of angular
misalignment of the axis of rotation caused by tolerances in motor bearings in a coaxial labyrinth mesh with two
tabs. The area swept by each tab, and its increase due to misalignment are highlighted. The left illustration shows
the ideal and misaligned meshes, and the right illustration superimposes the area increase from the left
illustration on the ideally aligned mesh. This illustration is not to scale.}
\label{qkd_fig_mesh_ring_bearing_tolerance}
\end{figure}
\subsection{Offset labyrinth meshes}
\begin{figure}[h!]
\centering
\includegraphics[width=\textwidth,page=2]{shaft_countermeasures_b.pdf}
\caption[Offset labyrinth mesh schema]{Offset labyrinth mesh schema, cross-section and top-down views. The two
dashed lines indicate the two meshes' offset axes of rotation, shifted in $x$ direction in both views.}
\label{qkd_fig_offset_lab_schema}
\end{figure}
Concentric labyrinth meshes improve upon simple disc meshes in security, but they have two remaining weaknesses. One is
that in a concentric labyrinth mesh, the part of the inner mesh at the axis is easily accessible through the opening in
the outer mesh. As the axis of rotation is the most vulnerable spot in a mesh because the tangential velocity of the
mesh is lowest close to the axis, tampering can be made more difficult by placing the axis of rotation of the inner mesh
not concentric with that of the outer mesh, but at a radial \emph{offset}.
A consequence of placing the axis of the inner mesh at an offset is that the inter-mesh rings formed by the tabs of the
two meshes now no longer form a set of concentric rings, but a set of nested non-concentric annulus shapes whose narrow
and wide sides alternate along the direction of the offset. We will show below how an optical fiber can still be wound
through this complex inter-mesh space without much trouble through a variation of the helical spiral trick from above to
avoid the annular rings' narrow sections. At the same time, the alternating narrow sections of the annular rings make it
more difficult to feed through the type of surgical robot we cited above, whose joints are designed for in-plane
operation for most of the manipulator, starting from the high-flexibility joints close to its end and down the neck. In
this section, we will show a design and a mechanical prototype of an offset labyrinth mesh design that improves on a
concentric labyrinth mesh on both the shielding of the secondary mesh axis and the feasibility of an attack with a
surgical robot without increasing mechanical complexity compared to a concentric design. In addition, we show a fiber
feedthrough that improves on the simple helical feedthrough we introduced above.
\begin{figure}
\centering
\includegraphics[width=\textwidth]{schema_wire.pdf}
\caption[Offset labyrinth mesh schema with fiber layout]{}
\label{qkd_fig_offset_lab_fiber}
\end{figure}
Our offset labyrinth mesh design combines an offset of the secondary mesh's axis of rotation with the labyrinth mesh
approach from the previous section, creating wide and narrow inter-mesh spaces on alternating sides of the offset
direction as shown in in Figure\ \ref{qkd_fig_offset_lab_schema}. Structural support is provided using a CNC machined or
3D printed part, which also serves as a conduit for electrical connections from the shaft to the payload using Flexible
Flat Cable (FFC). While the FFC can easily conform to the offset labyrinth's sharp corners, an optical fiber can not.
Thus, instead of passing it straight through the labyrinth, the payload's fiber optic connections are passed through the
labyrinth in a three-dimensional spiral shape, avoiding the meshes while simultaneously maximizing the fibers' bend
radii.
To prove the mechanical viability of the offset labyrinth mesh concept, we created a mechanical prototype of one such
mesh. Figure\ \ref{qkd_fig_offset_lab_fiber} shows the dimensions of the meshes' tabs along with the resulting tab rings
and a 2D projection of our chosen fiber layout. The fiber is laid out in such a way that it crosses each tab ring at
opposite sides, and traverses the vertical distance in the larger part of the inter-mesh space. Figures\
\ref{qkd_fig_lab_mesh_exp_1} and \ref{qkd_fig_lab_mesh_exp_2} show an exploded view of our mechanical prototype from two
perspectives.
\begin{figure}
\centering
\includegraphics[width=\textwidth]{render_exp_1.png}
\caption[Offset labyrinth mesh assmbly exploded render]{}
\label{qkd_fig_lab_mesh_exp_1}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=\textwidth]{render_exp_2.png}
\caption[Offset labyrinth mesh assmbly exploded render]{}
\label{qkd_fig_lab_mesh_exp_2}
\end{figure}
\subsection{Interlocking gear meshes}
\begin{figure}[h!]
\centering
\includegraphics[width=\textwidth,page=3]{shaft_countermeasures_b.pdf}
\caption[Offset gear labyrinth mesh schema]{Offset gear labyrinth mesh schema, cross-section and top-down views. In
this example, the axis is shifted by about twice the offset from the previous offset labyrinth mesh schema in
Figure\ \ref{qkd_fig_offset_lab_schema}.}
\end{figure}
The offset labyrinth design already achieves a high level of security through its complex passthrough shape, but only
small offset distances are feasible since large offsets quickly lead to impractically large mesh sizes. Where the pitch
from one tab ring to the next is roughly constant in concentric labyrinth meshes, and determined only by clearances and
the amount of inter-mesh space necessary for power and data feedthroughs as well as mechanical stability. In offset
meshes, on the other hand, this pitch increases by the offset distance. Even for a small offset this quickly adds up to
an unwieldy total mesh size.
In this section, we conceptually introduce a solution to this problem that allows for larger offsets using a design
where the two meshes interlock like gears. This does mean that the two meshes' rotation must be synchronized, but it
increases the design space of offset labyrinth meshes. For instance, in a gear setup, the wide sides of the inter-mesh
zones can be aligned to lie on the same side, so fiber passthrough can be realized more easily even without the need to
spiral the fiber around the axes of rotation.
\subsection{Mesh synchronization}
For geared meshes to work, both speed and phase of the rotation of the two meshes must be synchronized to a small error.
In this setup, the mesh tabs act like gear teeth. Depending on the ratio between both meshes' tap counts, the two
meshes do not have to rotate at the same rate of rotation and harmonic ratios are possible. Additionally, unlike actual
gears which need to constantly maintain an area of contact, both co-rotating and counter-rotating setups are possible.
\begin{figure}
\centering
\subcaptionbox[Offset gear labyrinth mesh assembly render]{}{\includegraphics[width=\textwidth]{render_side_1.png}}
\subcaptionbox[Offset gear labyrinth mesh assembly render]{}{\includegraphics[width=\textwidth]{render_side_2.png}}
\caption{
Renderings of the complete offset labyrinth gear mesh assembly.
}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=\textwidth]{gear_plan_1.pdf}
\caption[Offset gear mesh assmbly schema]{}
\end{figure}
\begin{figure}
\centering
\includegraphics[width=\textwidth]{gear_plan_2.pdf}
\caption[Offset gear mesh schedule]{}
\end{figure}
\section{Security analysis}
\subsection{Attacks on the IHSM mesh}