Copy over main part

2025-05-08 16:31:03 +02:00 · 2025-05-08 16:31:03 +02:00 · 372cab3488
commit 372cab3488
parent 56974d2763
2 changed files with 476 additions and 40 deletions
--- a/paper.bib
+++ b/paper.bib
@ -215,7 +215,7 @@
  isbn = {978-1-4503-4139-4}
 }
-@inproceedings{arpPrivacyThreatsUltrasonic2017a,
+@inproceedings{arpPrivacyThreatsUltrasonic2017,
  title = {Privacy {{Threats}} through {{Ultrasonic Side Channels}} on {{Mobile Devices}}},
  booktitle = {2017 {{IEEE European Symposium}} on {{Security}} and {{Privacy}} ({{EuroS}}\&{{P}})},
  author = {Arp, Daniel and Quiring, Erwin and Wressnegger, Christian and Rieck, Konrad},
@ -1200,7 +1200,7 @@
  file = {/home/jaseg/Sync/Research/Zotero/Couteau et al_2021_Silver.pdf}
 }
-@article{cuellarStaticFatigueLifetime1987,
+@article{cuellarStaticFatigueLifetime1987a,
  title = {Static Fatigue Lifetime of Optical Fibers in Bending},
  author = {Cuellar, E. and Roberts, D. and Middleman, L.},
  date = {1987-01-01},
@ -2287,16 +2287,16 @@
@online{IEEEXploreFullTexta,
  title = {{{IEEE Xplore Full-Text PDF}}:},
-  url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6520632},
+  url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8558378},
  urldate = {2024-09-10},
-  file = {/home/jaseg/Zotero/storage/PQYCW7K7/stamp.html}
+  file = {/home/jaseg/Zotero/storage/HJJK32NF/stamp.html}
 }
@online{IEEEXploreFullTextb,
  title = {{{IEEE Xplore Full-Text PDF}}:},
-  url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8558378},
+  url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6520632},
  urldate = {2024-09-10},
-  file = {/home/jaseg/Zotero/storage/HJJK32NF/stamp.html}
+  file = {/home/jaseg/Zotero/storage/PQYCW7K7/stamp.html}
 }
@inproceedings{immlerBTREPIDBatterylessTamperresistant2018,
@ -2849,11 +2849,11 @@
  issn = {2511-9044, 2511-9044},
  doi = {10.1002/qute.201800011},
  url = {http://arxiv.org/abs/1703.09278},
-  urldate = {2024-05-27},
+  urldate = {2024-05-02},
  abstract = {Quantum key distribution using weak coherent states and homodyne detection is a promising candidate for practical quantum-cryptographic implementations due to its compatibility with existing telecom equipment and high detection efficiencies. However, despite the actual simplicity of the protocol, the security analysis of this method is rather involved compared to discrete-variable QKD. In this article we review the theoretical foundations of continuous-variable quantum key distribution (CV-QKD) with Gaussian modulation and rederive the essential relations from scratch in a pedagogical way. The aim of this paper is to be as comprehensive and self-contained as possible in order to be well intelligible even for readers with little pre-knowledge on the subject. Although the present article is a theoretical discussion of CV-QKD, its focus lies on practical implementations, taking into account various kinds of hardware imperfections and suggesting practical methods to perform the security analysis subsequent to the key exchange. Apart from a review of well known results, this manuscript presents a set of new original noise models which are helpful to get an estimate of how well a given set of hardware will perform in practice.},
  langid = {english},
  keywords = {Quantum Physics},
-  file = {/home/jaseg/Zotero/storage/I7UL2SKX/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
+  file = {/home/jaseg/Zotero/storage/A2BQHUUW/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
 }
@article{laudenbachContinuousVariableQuantumKey2018a,
@ -2871,11 +2871,11 @@
  issn = {2511-9044, 2511-9044},
  doi = {10.1002/qute.201800011},
  url = {http://arxiv.org/abs/1703.09278},
-  urldate = {2024-05-02},
+  urldate = {2024-05-27},
  abstract = {Quantum key distribution using weak coherent states and homodyne detection is a promising candidate for practical quantum-cryptographic implementations due to its compatibility with existing telecom equipment and high detection efficiencies. However, despite the actual simplicity of the protocol, the security analysis of this method is rather involved compared to discrete-variable QKD. In this article we review the theoretical foundations of continuous-variable quantum key distribution (CV-QKD) with Gaussian modulation and rederive the essential relations from scratch in a pedagogical way. The aim of this paper is to be as comprehensive and self-contained as possible in order to be well intelligible even for readers with little pre-knowledge on the subject. Although the present article is a theoretical discussion of CV-QKD, its focus lies on practical implementations, taking into account various kinds of hardware imperfections and suggesting practical methods to perform the security analysis subsequent to the key exchange. Apart from a review of well known results, this manuscript presents a set of new original noise models which are helpful to get an estimate of how well a given set of hardware will perform in practice.},
  langid = {english},
  keywords = {Quantum Physics},
-  file = {/home/jaseg/Zotero/storage/A2BQHUUW/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
+  file = {/home/jaseg/Zotero/storage/I7UL2SKX/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
 }
@article{laudenbachContinuousVariableQuantumKey2018b,
@ -2950,7 +2950,7 @@
  file = {/home/jaseg/Zotero/storage/QSDA9K48/Hall - (72) Inventors Alan Henry Leek, Frisco, TX (US);.pdf}
 }
-@article{leePrintedSpiralWinding2011a,
+@article{leePrintedSpiralWinding2011,
  title = {Printed {{Spiral Winding Inductor With Wide Frequency Bandwidth}}},
  author = {Lee, Chi Kwan and Su, Y. P. and Ron Hui, S. Y.},
  date = {2011-10},
@ -3152,7 +3152,7 @@
  file = {/home/jaseg/Zotero/storage/WBSKAYAN/Long et al. - 2024 - EM Eye Characterizing Electromagnetic Side-channe.pdf}
 }
-@article{lopeFirstSelfResonant2021,
+@article{lopeFirstSelfresonantFrequency2021,
  title = {First Self‐resonant Frequency of Power Inductors Based on Approximated Corrected Stray Capacitances},
  author = {Lope, Ignacio and Carretero, Claudio and Acero, Jesus},
  date = {2021-02},
@ -3512,6 +3512,14 @@
  file = {/home/jaseg/Zotero/storage/AM4Q8Y76/Mohan et al. - 1999 - Simple accurate expressions for planar spiral indu.pdf}
 }
@online{molexMolexSilverFlexible,
  title = {Molex {{Silver Flexible Circuit Solutions}}},
  author = {{Molex}},
  url = {https://my.avnet.com/wcm/connect/d5fa4b27-de81-4aac-9bcb-cff3844b9eb3/Silver-Flexible-Circuit-Solutions-Brochure-EN-Brochure.pdf?MOD=AJPERES&CVID=oMyo8ki},
  urldate = {2025-05-07},
  file = {/home/jaseg/Zotero/storage/SY87W3RX/Silver-Flexible-Circuit-Solutions-Brochure-EN-Brochure.pdf}
 }
@inproceedings{monfaredLeakyOhmSecretBits2023,
  title = {{{LeakyOhm}}: {{Secret Bits Extraction}} Using {{Impedance Analysis}}},
  shorttitle = {{{LeakyOhm}}},
@ -4212,18 +4220,7 @@
  file = {/home/jaseg/Zotero/storage/RLBAU32H/Patra et al. - ABY2.0 Improved Mixed-Protocol Secure Two-Party C.pdf}
 }
-@standard{pcisecuritystandardscouncilPaymentCardIndustry2021,
+@misc{pcisecuritystandardscouncilPaymentCardIndustry2021,
  title = {Payment {{Card Industry PIN Transaction Security Hardware Security Module Modular Security Requirements}}},
  author = {{PCI Security Standards Council}},
  date = {2021-12},
  url = {https://docs-prv.pcisecuritystandards.org/PTS/Standard/PCI_HSM_Security_Requirements_v4.pdf},
  urldate = {2025-04-08},
  abstract = {HSMs (Hardware Security Modules) play a critical role in helping to ensure the confidentiality and/or data integrity of financial transactions. Therefore, to help engender trust in the legitimacy of the financial transactions being supported, it is imperative that HSMs are appropriately secure during their entire lifecycle. This includes manufacturing, shipment, use, and decommissioning. The purpose of this document is to provide guidance and direction for appropriately designing HSMs to meet the security needs of the financial payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs involved with financial payments industry. This document provides vendors with a list of all the security requirements against which their products will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) device approval. HSMs may support a variety of payment-processing and cardholder-authentication applications and processes. The processes relevant to the full set of requirements outlined in this document are: ▪ PIN processing ▪ 3-D Secure ▪ Card verification ▪ Card production and personalization ▪ EFTPOS ▪ ATM interchange ▪ Cash-card reloading ▪ Data integrity ▪ Chip-card transaction processing ▪ Key generation ▪ Key injection There are many other applications and processes that may utilize general-purpose HSMs, and which may necessitate the adoption of all or a subset of the requirements listed in this document. However, this document does not aim to develop a standard for general-purpose HSMs for use outside of applications such as those listed above that are in support of a variety of payment-processing and cardholder- authentication applications and processes for the financial payments industry.},
  version = {4.0},
  file = {/home/jaseg/Zotero/storage/CZF34DDM/PCI_HSM_Security_Requirements_v4.pdf}
 }
@misc{pcisecuritystandardscouncilPaymentCardIndustry2021a,
  title = {Payment {{Card Industry PIN Transaction Security Hardware Security Module Modular Derived Test Requirements}}},
  author = {{PCI Security Standards Council}},
  date = {2021-12},
@ -5139,7 +5136,7 @@
  file = {/home/jaseg/Zotero/storage/XURXLX9C/Takeoka et al. - 2014 - Fundamental rate-loss tradeoff for optical quantum.pdf}
 }
-@incollection{TamperResistance2020a,
+@incollection{TamperResistance2020,
  title = {Tamper {{Resistance}}},
  booktitle = {Security {{Engineering}}},
  date = {2020},
@ -5664,6 +5661,26 @@
  file = {/home/jaseg/Zotero/storage/S93U8AF3/Wang et al. - 2020 - Topological optimization of hybrid quantum key dis.pdf}
 }
@article{wangTwinfieldQuantumKey2022,
  title = {Twin-Field Quantum Key Distribution over 830-Km Fibre},
  author = {Wang, Shuang and Yin, Zhen-Qiang and He, De-Yong and Chen, Wei and Wang, Rui-Qiang and Ye, Peng and Zhou, Yao and Fan-Yuan, Guan-Jie and Wang, Fang-Xiang and Chen, Wei and Zhu, Yong-Gang and Morozov, Pavel V. and Divochiy, Alexander V. and Zhou, Zheng and Guo, Guang-Can and Han, Zheng-Fu},
  date = {2022-02},
  journaltitle = {Nature Photonics},
  shortjournal = {Nat. Photon.},
  volume = {16},
  number = {2},
  pages = {154--161},
  publisher = {Nature Publishing Group},
  issn = {1749-4893},
  doi = {10.1038/s41566-021-00928-2},
  url = {https://www.nature.com/articles/s41566-021-00928-2},
  urldate = {2025-05-08},
  abstract = {Quantum key distribution (QKD) provides a promising solution for sharing information-theoretic secure keys between remote peers with physics-based protocols. According to the law of quantum physics, the photons carrying signals cannot be amplified or relayed via classical optical techniques to maintain quantum security. As a result, the transmission loss of the channel limits its achievable distance, and this has been a huge barrier towards building large-scale quantum-secure networks. Here we present an experimental QKD system that could tolerate a channel loss beyond 140\,dB and obtain a secure distance of 833.8\,km, setting a new record for fibre-based QKD. Furthermore, the optimized four-phase twin-field protocol and high-quality set-up make its secure key rate more than two orders of magnitude greater than previous records over similar distances. Our results mark a breakthrough towards building reliable and efficient terrestrial quantum-secure networks over a scale of 1,000\,km.},
  langid = {english},
  keywords = {Quantum information,Single photons and quantum effects},
  file = {/home/jaseg/Zotero/storage/FCHS9D49/Wang et al. - 2022 - Twin-field quantum key distribution over 830-km fi.pdf}
 }
@article{wegmanNewHashFunctions1981,
  title = {New Hash Functions and Their Use in Authentication and Set Equality},
  author = {Wegman, Mark N. and Carter, J.Lawrence},
--- a/paper.tex
+++ b/paper.tex
@ -24,6 +24,8 @@
 \usepackage{hyperref}
 \usepackage{makecell}
 \graphicspath{{figures}}
 \DeclareSIUnit{\baud}{Bd}
 \DeclareSIUnit{\year}{a}
 \DeclareSIUnit{\rpm}{rpm}
@ -34,6 +36,10 @@
 \newcommand{\price}[2]{#1 #2}
 \newcommand{\todo}[1]{\textbf{TODO}\footnote{#1}}
 \newcommand{\imgsource}[4]{\scriptsize%
    Image source: #1, #2 (\underline{\href{#4}{link}}). %
    Licensed #3.}
 \begin{document}
 \author{Jan Sebastian Götte\inst{1} \and Björn Scheuermann\inst{2}}
@ -78,15 +84,69 @@ parties that are only connected through an untrusted channel. In contrast with c
 security of QKD is based on quantum-physical laws of nature, and assuming a correct technical realization, QKD can
 provide information-theoretic security.
 In principle, QKD is a specialized form of photonic quantum computing. The underlying approach in QKD is that two
 parties exchange quantum states, then perform experiments on these quantum states to produce partially correlated
 randomness. This correlated randomness is then refined into identical secrets on both ends by running an error
 correction process known as \emph{information reconciliation} using a classical channel for communication. After this
 process, an attacker may still possess partial information about the shared secret. To dilute this information, in a
 step named \emph{privacy amplification} a randomness extractor such as a information-theoretic hash function is used to
 create a new, shorter secret over which the attacker possesses effectively no information.
 \section{Range in QKD}
 Regardless of the particular QKD protocol used, common to all QKD protocols, quantum states must be exchanged between
 parties. While quantum computers are built from a wide variety of quantum states from trapped ions through
 superconducting states up to spin states, all QKD protocols are based on photonic states since they are the only ones
 that can easily be transferred across long distances through optical fiber. Even so, QKD protocols face a steep
 trade-off between speed of key generation--called \emph{secret key rate}--and distance since quantum states cannot be
 amplified. In literature on long-range QKD, secret key rates as low as $10$ milli-bits per second are routinely
 published\cite{wangTwinfieldQuantumKey2022}.
 \subsection{Loss in optical fibers}
-\subsection{QKD in space}
+
-\subsection{MDI-QKD}
+When transmitted over a fiber, there are multiple effects that degrade the quantum-optical signal of a QKD system, which
 are collectively referred to as \emph{loss}. We can coarsely classify these degrading effects into two categories:
 \emph{decoherence}, and \emph{attenuation}. Decoherence effects result in the quantum state being changed in transit,
 which depending on the QKD implementation may mean destroying information contained within the state such as by
 disturbing the pulse's polarization, or destruction of entanglement between the in-flight state and another local state.
 Decoherence effects are less relevant for the distance limitation, and mostly limit which fiber-optic technologies can be
 utilized in the first place. Due to decoherence, QKD systems usually use Single-Mode (SM) fiber over Multi-Mode (MM)
 fiber\cite{amitonovaQuantumKeyEstablishment2020}, and decoherence makes it more difficult to utilize Wavelength Division
 Multiplexing (xWDM) to send multiple either quantum or classical optical signals through a single fiber.
 In practice, attenuation is the primary factor limiting the length of an individual fiber run in QKD. Even modern,
 ultra-low loss optical fiber has an attenuation in the order of \qty{0.15}{\decibel\per\kilo\meter}, resulting in a loss
 of half the signal's power, equivalent to half of all QKD pulses, in just \qty{20}{\kilo\meter}. For longer reaches,
 these losses ar multiplicative, so after only \qty{200}{\kilo\meter} only one in a thousand photons entering the fiber
 will exit it at the other end \cite{chesnoyUnderseaFiberCommunication2015}.
 \subsection{Relaying}
 A consequence of this range limitation is that at useful bit rates, QKD links can only be realized across ranges less
 than \qty{100}{\kilo\meter} or so. A protocol called twin-field quantum key distribution can be used to effectively
 double the range of a QKD link by placing an untrusted node in the middle of the link, but further extension would
 require either a trusted relay or a complex relay operating on the quantum states. As of now, such quantum relays are
 not practical leaving only the trusted relay route for achieving useful secret key rates across distances longer than a
 few hundred kilometers.
 If we imagine a continental-scale network of QKD systems with fibers spanning tens of thousands of kilometers, it is
 easy to see why the physical security of its relay nodes is such a concern in QKD setups. Such a network would need
 between hundreds and throusands of relay nodes. Making things worse, these relay nodes would have to been spread evenly
 across thousands of kilometers of optical links, with many ending up in isolated places in the field, away from
 datacenters and other well-protected technical infrastructure. Since the compromise of any one QKD relay could be enough
 for an attacker to carry out a on-path attack, protecting thousands of small relay installations located in equipment
 sheds spread across sparsely populated areas against adversaries with advanced physical attack capabilites becomes a
 daunting task. Effectively, each quantum relay has to be made into a hardware security module including advanced
 including active tamper sensing.
 \section{Inertial Hardware Security Modules}
 As of now, QKD nodes are large, rack-mount devices. While miniaturization is ongoing, the processing requirements of
 such systems alone exceed the capabilities of conventional hardware security modules. With a conventional hardware
 security module, protecting an entire QKD relay consisting of two link endpoints and their associated processing systems
 would be infeasible due to their size and power dissipation.
 One of the core challenges in the design of active tamper sensors for Hardware Security Modules (HSMs) is protecting the
 device against drilling attacks. In a drilling attack, an attacker accesses internal circuitry of the HSM by drilling a
 hole, allowing a probe to pass through. In HSMs, drilling attacks are commonly monitored by enveloping the payload in a
@ -100,10 +160,14 @@ they are easy to manipulate using standard Printed Circuit Board (PCB) rework te
 industrially used for low-cost keyboard and key pad production using screen-printed silver or carbon conductive inks on
 a polyester substrate are also used, but are limited by a coarse structure size.
-In contrast to such mesh foils, Inertial HSMs approach envelope tamper sensing by encasting the payload in a mesh cage
+The area of foil-based security meshes is primarily limited by the difficulty of manufacturing large foils without
-made from using low-cost PCBs, then rotating this cage at high speed to simultaneously cover all angles, and prevent
+defects. Not only does total defect rate rise with area, commercial PCB or FPC manufacturing processes have a panel size
-manipulation of the mesh. To prevent an attacker from slowing down the rotating mesh cage, an accelerometer is placed on
+usually in the order of \qtyrange{500}{800}{\milli\meter} side length that cannot be exceeded.
-the rotating mesh that monitors rotation by measuring centrifugal acceleration.
+
 In contrast to conventional HSMs using mesh foils, Inertial HSMs approach envelope tamper sensing by encasting the
 payload in a mesh cage made from using low-cost PCBs, then rotating this cage at high speed to simultaneously cover all
 angles, and prevent manipulation of the mesh. To prevent an attacker from slowing down the rotating mesh cage, an
 accelerometer is placed on the rotating mesh that monitors rotation by measuring centrifugal acceleration.
 The main issue in IHSM construction is the construction of the pass-through providing electrical connections between the
 payload and the outside world. In conventional HSMs that use tamper sensing mesh foils, this passthrough is realized by
@ -111,20 +175,375 @@ folding the mesh foil and a Flexible Flat Cable (FFC) in several layers such tha
 a probe could be inserted through. In IHSMs, electrical connections are passed through a hollow shaft on one end of the
 mesh cage. Similar to the serpentine folds between mesh foil and FFC in conventional HSMs, in IHSMs complex geometry can
 be realized by placing a secondary rotating mesh on the inside of the primary mesh, covering the point where the shaft
-goes through the primary mesh. 
+goes through the primary mesh.
 Where in conventional HSMs covering larger areas with a patchwork of smaller mesh foils creates the difficulty of
 creating secure seams between the foils, in IHSMs, multiple PCB meshes can easily be joint into a larger mesh by simply
 overlapping them, since the mesh's rotation makes any attack on such a joint exceedingly difficult.
 \section{Related Work}
 \section{QKD in an IHSM}
-\subsection{Technical requirements of a QKD node}
+\subsection{Physical requirements of QKD transceivers}
-\subsection{IHSM dimensioning}
+
-\section{An IHSM Optical Passthrough}
+Putting a QKD relay node and associated machinery inside of an IHSM, we first need to answer two key questions. First,
-\subsection{Planar disc case}
+\emph{will it fit?}, and second, \emph{Can we hook it up?}. In the following paragraphs, we will go through several
-\subsection{Interlocking shells}
+aspects of these general questions one by one.
-\subsection{Meshing gear shells}
+
-\subsection{Secondary mesh drive through magnetic coupling}
+\paragraph{Physical dimensions.}
-\subsection{Primary mesh drive through fan wheel design}
+At this point, a number of commercial systems promising QKD exist. Common QKD protocols do not require any particularly
 large or power-hungry components, and so commercial systems have generally adopted the 19 Inch rackmount enclosure
 standard that is common to modern telecommunications equipment, with a width of $\approx\qty{50}{\centi\meter}$, a
 height between $\approx\qtyrange{4}{30}{\centi\meter}$ and a depth below $\approx\qty{100}{\centi\meter}$.\todo{Re-check
 these numbers shortly before submission} While something of this size would be infeasible to protect with the security
 mesh of a traditional hardware security module, placed vertically, even without modifications any of these systems are
 well within an envelope that can be protected with a single IHSM cage.
 \paragraph{Power supply.}
 QKD systems do not contain any particularly power-hungry components. Unlike quantum computers, most of the signal path
 is optical, and as such can be implemented with room-temperature fiber-optic components. Only the single-photon
 detectors may require cooling in some systems, but unlike something like an ion trap quantum computer's processor,
 energy-intensive deep cryogenic cooling is not necessary. Most manufacturers don't quote the power requirements of their
 systems, but we were able to find that IDQuantique specifies their QKD systems to be able to run off a single
 \qty{300}{\watt} power supply\cite{ClavisXGQKD2024}. In an inertial HSM, power up to several \unit{\kilo\watt} can
 easily be transferred to the payload with through-axis cables.
 \paragraph{Cooling.}
 While the few hundred Watt of power that QKD systems require could easily be transported through the mesh of a a
 traditional HSM as well, cooling that amount of thermal load purely by heat conduction through centimeters of epoxy
 resin would make implementation infeasible in traditional HSM. In an IHSM on the other hand, up to several
 \unit{\kilo\watt} can easily be dissipated through forced-air cooling since the rotating security mesh can have an
 arbitrary amount of longitudinal openings.
 \paragraph{Data and signals.}
 A QKD transceiver has a number of ports in addition the port for the fiber optic quantum channel. Depending on the
 system, one or more additional optical links may be necessary for clock distribution, allowing both endpoints to tune
 their lasers into precise alignment. QKD protocols require a classical link used for information reconciliation, which
 along with the key stream output and management links requires one or more classical network ports.
 In a QKD relay node, the key stream never leaves the security envelope. The management and information reconciliation
 links can be combined into a single, classical network link, requiring a single fiber when using a standard wavelength
 division multiplexing transceiver. The QKD link's reference clock channel and the quantum channel require a dedicated
 fiber each, adding up to a total of five fibers for a uni-directional QKD relay, or nine fibers for a bidirectional one.
 Since fiber pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, this amount of fibers can be fed
 through an IHSM's axis of rotation. The mechanical challenge in such a multi-fiber signal and data feedthrough is to
 observe the fiber's minimum bending radius, which for common fibers is usually in the range of
 \qtyrange{5}{15}{\milli\meter}\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}.
 In conclusion, a QKD node is not a particularly challenging payload for an IHSM. The most problematic
 requirement is feeding through a number of fibers for its various input and output signals, but fundamentally it is no
 different from any server or other piece of IT equipment.
 \section{Multi-fiber passthrough with active secondary mesh}
 The primary weak spot of a simple IHSM is its axis of rotation. While the stationary axis allows for wired data and
 power connections to penetrate the mesh, it also provides an easy target for an attacker who wants to insert some sort
 of physical probe into the IHSM's security envelope. While to a certain extent this attack vector can be made more
 difficult though simple construction techniques such as making the shaft as thin as possible, and getting the mesh as
 close to it as possible, as well as using a solid steel shaft on the motor end of the mesh, the level of security that
 these mitigations provide is much below that of the remainder of the mesh. Thus, a better solution is needed.
 \textcite{gotteCantTouchThis2022} list some \emph{shielding} methods that use a independently rotating secondary
 mesh on the inside of the primary mesh, located right next to the primary mesh's axis opening. In this section, we will
 go into some more detail on four variations of this solution. In order of increasing complexity, these variations are a
 simple disc cover, coaxial labyrinth meshes, offset labyrinth meshes, and interlocking gear meshes. We will demonstrate
 a functional prototype of the simple disc cover, present a design and mechanical prototypes of the offset labyrinth
 meshes, and provide details on the design of a interlocking gear mesh.
 \subsection{Simple disc cover}
 \begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=1]{shaft_countermeasures_b.pdf}
    \caption[Coaxial disc mesh schema]{Coaxial disc mesh schema, cross-section and top-down views. The outer mesh is
    shown in red, and the inner mesh in blue. The dashed line indicates the two meshes' shared axis of rotation. The
    gray areas indicate the shape of the volume that remains undisturbed by the mesh, and that is available for
    structural support and cable routing.}
    \label{qkd_fig_disc_mesh}
 \end{figure}
 While IHSMs excel at protecting large payload volumes, even a zero-payload IHSM that has been shrunk to a single,
 disc-shaped PCB is still useful because we can delegate key management functionality to the mesh monitoring circuit's
 microcontroller---or a separate processor sitting next to it---on the rotating mesh PCB, yielding a solution close in
 both its cryptographic capabilities and its security level to commercial traditional HSMs, and exceeding those of a
 smartcard. In the following paragraphs, we will show how we can deploy the same single-board IHSM (SB-IHSM) as a
 mitigation for through-axis attacks, exploiting its mechanical shape and its simple, low-cost implementation.
 By placing an adapted single-board IHSM close to the primary mesh's axis opening as shown in Figure\
 \ref{qkd_fig_disc_mesh}, an attacker is forced to either first circumvent or at least dislodge the single-board IHSM
 through the primary mesh's axis opening without disturbing either mesh to gain direct access to the payload behind it,
 or to conduct their attack through the keyhole-sized opening in the primary mesh while bending their tool by
 approximately \qty{90}{\degree} at least twice, once to avoid the SB-IHSM mesh, and once more to re-orient the tool
 towards the payload. The distance between the inside of the primary mesh and the SB-IHSM is limited by the tolerance in
 mechanical alignment between the two axes of rotation, by the space necessary for a sufficiently stable mount of the
 payload cage to the hollow shaft, and by the minimum bend radius of the power and data wiring that needs to pass through
 the shaft. In QKD applications, the fibers' minimum bend radius is the largest contributing factor. Power and electrical
 data signals can be supplied through flexible flat cables that can be bent in sharp corners without issue. Optical
 fibers on the other hand are limited in their minimum bend radius, as their optical loss rises sharply with decreasing
 bend radius\footnote{Note that the issue here is not that the glass core of the fiber would degrade or break, as one
 might intuitively assume. Being only a few dozen micrometers in diameter, an optical fiber's core is remarkably
 flexible. Instead, the issue is that both multimode as well as singlemode fibers are optical waveguides. Bending them
 distorts the electromagnetic field inside the waveguide, and allows some small portion of it to escape from the fiber's
 core, leading to loss in the form of both attenuation and dispersion\cite{schermerImprovedBendLoss2007}.}. With QKD
 being especially sensitive to even small amounts of loss, care has to be taken to maximize the bend radius of the fiber
 optic connections. A common specification of minimum bend radius in telecom singlemode fibers taking into account not
 just optical loss but also the mechanical stability of the fiber's polymer coating is $10\times$ the coated fiber's
 diameter\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}, which equates to \qty{9}{\milli\meter} for common
 \qty{0.9}{\milli\meter} fiber pigtails, corresponding to approximately \qty{1}{\decibel} of loss in the
 \qty{1550}{\nano\meter} band\cite{schermerImprovedBendLoss2007}. Based on these specifications and on a conservative
 estimate of \qty{2.5}{\milli\meter} for the vertical mesh clearance, we arrive at a minimum inter-mesh spacing of
 approximately \qty{11}{\milli\meter} when using minimal overlap between tab heights. 
 \begin{figure}
    \centering
    \subcaptionbox[Helical transition of single fiber]{Single fiber}{\includegraphics[width=.45\textwidth]{helix_transition.png}}
    \hfill
    \subcaptionbox[Helical transition of fiber bundle]{Fiber bundle}{\includegraphics[width=.45\textwidth]{helix_bundle.png}}
    \caption[Helically coiling fibers inside the axis tube]{
        The necessary mesh spacing can be reduced by coiling the fibers inside of the axis tube. The coiled fibers enter
        the inter-mesh space at an angle equal to the helix lead angle, which reduces the amount of space necessary to
        complete the transition to horizontal along a circular arc. In this example, a \qty{6}{\milli\meter} outer
        diameter tube with a \qty{0.5}{\milli\meter} wall thickness is shown with 6 fibers with \qty{0.9}{\milli\meter}
        outer diameter coiled to a constant bend radius of \qty{9}{\milli\meter}. The lead angle of the resulting helix
        is \qty{61.5}{\degree}, and past the tube exit, only \qty{5.16}{\milli\meter} of inter-mesh space are necessary.
        }
    \label{qkd_fig_fiber_helix}
 \end{figure}
 \subsection{Coaxial labyrinth meshes}
 \begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=4]{shaft_countermeasures_b.pdf}
    \caption[Coaxial labyrinth mesh schema]{Coaxial labyrinth mesh schema, cross-section and top-down views.}
 \end{figure}
 In QKD applications, the simple disc cover design shown above has two main limitations. First, the distance between the
 primary and secondary meshes' tab rings must be large enough to allow for the fibers' minimum bend radius, resulting in
 more than \qty{10}{\milli\meter} of space available to an attacker. Second, the attacker only has to bend their tool in
 a plane to reach the payload.
 To increase the difficulty of inserting a long and flexible tool through the axis shield, \todo{Axis shield might be a
 nice term. Unify terminology for axis/shaft, the shield, the names of the two meshes, and the tabs sticking up from the
 meshes. Also what do we call the space in between? Terminology for the sides with offset meshes?} the shape of the
 interface layer between the two meshes can be made more complex. Introducing small mesh \emph{tabs} that stick out
 into the inter-mesh space from both meshes creates a labyrinth-like structure between the axis opening and the IHSM's
 inside. Structural support and cables can easily pass this structure in a series of \qty{90}{\degree} bends, while
 inserting a probe avoiding both meshes would not be feasible as the probe would have to perform a series of sharp
 bends. The type of manipulator that would be necessary for the placement of a probe in this system is conceptually
 similar to snake-like robots used in minimally invasive surgery, but state-of-the-art systems from this area are both
 too thick and don't have enough joints to fit even simple labyrinth layouts\cite{
    suhDesignDiscreteBending2017,
    schmitzRollingTipFlexibleInstrument2019,
    kimAdvancementFlexibleRobot2022,
    hongDesignCompensationControl2020}.
 For instance, if we assume \qty{3}{\milli\meter} material thickness on the radial bracket connecting the shaft with the
 secondary mesh's mounting frame\todo{conceptual drawing here} along with \qty{10}{\milli\meter} of mesh tab overlap,
 \qty{1.5}{\milli\meter} of clearance between radial bracket and each of the two meshes, and an inter-mesh spacing from
 one tab ring to the next equal to the radial brackets' material thickness of \qty{4}{\milli\meter} plus the clearance
 from bracket to mesh, we arrive at a meander \qty{6}{\milli\meter} in width completing four \qty{180}{\degree} turns
 within less than \qty{40}{\milli\meter} of radial distance.
 Researching the security of nuclear weapons, \textcite{bellovinPermissiveActionLinks} references a quote characterizing
 the tamper security of a Permissive Action Link, a tamper-proof component designed to authorize the use of a nuclar
 weapon through a code, as follows.
 \todo{Get the actual book from ULB, and properly attribute this quote.}
 \begin{quote}
    Bypassinag a PAL should be, as one weapons designer graphically put it, about as complex as performing a
    tonsillectomy while entering the patient from the wrong
    end. \cite{caldwell1989reducing,bellovinPermissiveActionLinks}
 \end{quote}
 With our discussion of surgical robots two paragraphs ago this quote is very on the nose, and it is probably fair to say
 that we have made some progress to achieve this standard. While we are not quite there yet, we shall make it our goal to
 achieve or even exceed this standard with our work in the following sections.
 \begin{figure}
    \centering
    \includegraphics[width=.7\textwidth]{wikimedia_Four_Corners_Bank_Vault_cropped.jpg}
    \caption[Photo of a bank vault door]{Photo of a bank vault door at the Four Corners building in Bowling Green, Ohio,
    USA. The interface between the door and its frame is stepped all around to discourage would-be intruders from
    inserting any sort of tool through the small gap around the closed door. In this instance, because the door's sill
    is stepped, too, a small ramp has been placed over the sill so that people going in and out of the open door don't
    stumble over the steps.\\
    \imgsource{Wikimedia Commons user Mbrickn}{2019}{CC-BY-SA}{https://commons.wikimedia.org/wiki/File:Four_Corners_Bank_Vault.jpg}
    }
    \label{qkd_fig_vault_door}
 \end{figure}
 While long and narrow tabs are desirable for mesh security as they limit the size and mobility of an attacker's probe,
 in QKD application, the need for fiber optic passthrough is the limiting factor. The obvious solution of passing through
 the fibers in a series of in-plane S-bends requires a coarse tab spacing due to the fibers' large minimum bend radius.
 However, we can apply the approach we proposed above for the shaft entrance here, too, and thread the fibers between the
 meshes by helically coiling them, increasing the fibers' bend radius to one half of the distance between both mesh
 discs minus the fibers' diameter and clearances\todo{Formulas here and elsewhere, define variables}. When the resulting
 useable part of the distance is larger than twice the bend radius, the minimum tab spacing is only limited by the
 fiber's diameter and the stability of the star bracket. When the discs are placed closer, and a larger pitch is
 necssary, the resulting pitch of the helix determines the minimum tab spacing.
 Designing a labyrinth mesh for intrusion prevention is similar to the design of the shape of the jamb of a safe door
 such as the one shown in Figure\ \ref{qkd_fig_vault_door}, or of a high end apartment door. In these, the objective is
 to prevent would-be burglars from inserting opening tools through the space between the closed door and its jamb and
 attacking the door's interior handle or locking mechanism, not unlike an IHSM's defense against electrical or
 electromagnetic probes. The one difference between these doors and what we can do in IHSMs is that these doors are
 limited to outwards-facing steps because they must be opened and closed. In IHSM labyrinth meshes, we can use both
 outwards-facing and inwards-facing steps.
 Concentric labyrinth meshes allow for a wide range of different configurations. The pitch from one mesh tab to the
 next is the sum of the required width of the inter-mesh space and the safety margin needed betwween any cables or the
 inter-mesh bracket and the tabs. When the mesh is constructed using rigid PCB tabs that are inserted as-is, without
 bending them, and when all tabs have the same width and thickness, the radial width of the swept area decreases from tab
 to tab going outwards as shown in Figure\ \ref{qkd_fig_mesh_ring_reduction}. A consequence of this is that when the
 design target are constant width inter-mesh spaces, the tabs' pitch decreases going outwards.
 \begin{figure}
    \centering
    \includegraphics[width=\textwidth]{mesh_ring_reduction.pdf}
    \caption[Coaxial labyrinth mesh tab swept area]{Top-down view of a coaxial labyrinth mesh with three tabs, with the
    area swept by each tab highlighted. When rigid, planar tabs of a single width $w$ are used, the radial width of the
    swept areas decreases and approaches the tabs' thickness $t$ as their radius $r$ increases.
    }
    \label{qkd_fig_mesh_ring_reduction}
 \end{figure}
 The safety margin required to avoid collisions between the meshes and the stator\todo{stator is a nice word for the
 entire non-rotating part of the assembly. stator/star bracket?} can be kept low for the primary mesh because this mesh
 has high-quality bearings on both ends, leading to good axis alignment. In contrast, for the secondary mesh considerable
 margins have to be included if the mesh is driven by a cooling fan motor, as the bearings in such fans are not very
 precise. With loose bearings, angular axis misalignment can lead to several millimeters of deflection in both the radial
 and axial dimensions as illustrated in Figure\ \ref{qkd_fig_mesh_ring_bearing_tolerance}.
 \begin{figure}
    \centering
    \includegraphics[width=\textwidth]{mesh_ring_bearing_tolerance.pdf}
    \caption[Coaxial labyrinth mesh axis alignment tolerance illustration]{Illustration of the effect of angular
    misalignment of the axis of rotation caused by tolerances in motor bearings in a coaxial labyrinth mesh with two
    tabs. The area swept by each tab, and its increase due to misalignment are highlighted. The left illustration shows
    the ideal and misaligned meshes, and the right illustration superimposes the area increase from the left
    illustration on the ideally aligned mesh. This illustration is not to scale.}
    \label{qkd_fig_mesh_ring_bearing_tolerance}
 \end{figure}
 \subsection{Offset labyrinth meshes}
 \begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=2]{shaft_countermeasures_b.pdf}
    \caption[Offset labyrinth mesh schema]{Offset labyrinth mesh schema, cross-section and top-down views. The two
    dashed lines indicate the two meshes' offset axes of rotation, shifted in $x$ direction in both views.}
    \label{qkd_fig_offset_lab_schema}
 \end{figure}
 Concentric labyrinth meshes improve upon simple disc meshes in security, but they have two remaining weaknesses. One is
 that in a concentric labyrinth mesh, the part of the inner mesh at the axis is easily accessible through the opening in
 the outer mesh. As the axis of rotation is the most vulnerable spot in a mesh because the tangential velocity of the
 mesh is lowest close to the axis, tampering can be made more difficult by placing the axis of rotation of the inner mesh
 not concentric with that of the outer mesh, but at a radial \emph{offset}.
 A consequence of placing the axis of the inner mesh at an offset is that the inter-mesh rings formed by the tabs of the
 two meshes now no longer form a set of concentric rings, but a set of nested non-concentric annulus shapes whose narrow
 and wide sides alternate along the direction of the offset. We will show below how an optical fiber can still be wound
 through this complex inter-mesh space without much trouble through a variation of the helical spiral trick from above to
 avoid the annular rings' narrow sections. At the same time, the alternating narrow sections of the annular rings make it
 more difficult to feed through the type of surgical robot we cited above, whose joints are designed for in-plane
 operation for most of the manipulator, starting from the high-flexibility joints close to its end and down the neck. In
 this section, we will show a design and a mechanical prototype of an offset labyrinth mesh design that improves on a
 concentric labyrinth mesh on both the shielding of the secondary mesh axis and the feasibility of an attack with a
 surgical robot without increasing mechanical complexity compared to a concentric design. In addition, we show a fiber
 feedthrough that improves on the simple helical feedthrough we introduced above.
 \begin{figure}
    \centering
    \includegraphics[width=\textwidth]{schema_wire.pdf}
    \caption[Offset labyrinth mesh schema with fiber layout]{}
    \label{qkd_fig_offset_lab_fiber}
 \end{figure}
 Our offset labyrinth mesh design combines an offset of the secondary mesh's axis of rotation with the labyrinth mesh
 approach from the previous section, creating wide and narrow inter-mesh spaces on alternating sides of the offset
 direction as shown in in Figure\ \ref{qkd_fig_offset_lab_schema}. Structural support is provided using a CNC machined or
 3D printed part, which also serves as a conduit for electrical connections from the shaft to the payload using Flexible
 Flat Cable (FFC). While the FFC can easily conform to the offset labyrinth's sharp corners, an optical fiber can not.
 Thus, instead of passing it straight through the labyrinth, the payload's fiber optic connections are passed through the
 labyrinth in a three-dimensional spiral shape, avoiding the meshes while simultaneously maximizing the fibers' bend
 radii.
 To prove the mechanical viability of the offset labyrinth mesh concept, we created a mechanical prototype of one such
 mesh. Figure\ \ref{qkd_fig_offset_lab_fiber} shows the dimensions of the meshes' tabs along with the resulting tab rings
 and a 2D projection of our chosen fiber layout. The fiber is laid out in such a way that it crosses each tab ring at
 opposite sides, and traverses the vertical distance in the larger part of the inter-mesh space. Figures\
 \ref{qkd_fig_lab_mesh_exp_1} and \ref{qkd_fig_lab_mesh_exp_2} show an exploded view of our mechanical prototype from two
 perspectives.
 \begin{figure}
    \centering
    \includegraphics[width=\textwidth]{render_exp_1.png}
    \caption[Offset labyrinth mesh assmbly exploded render]{}
    \label{qkd_fig_lab_mesh_exp_1}
 \end{figure}
 \begin{figure}
    \centering
    \includegraphics[width=\textwidth]{render_exp_2.png}
    \caption[Offset labyrinth mesh assmbly exploded render]{}
    \label{qkd_fig_lab_mesh_exp_2}
 \end{figure}
 \subsection{Interlocking gear meshes}
 \begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=3]{shaft_countermeasures_b.pdf}
    \caption[Offset gear labyrinth mesh schema]{Offset gear labyrinth mesh schema, cross-section and top-down views. In
    this example, the axis is shifted by about twice the offset from the previous offset labyrinth mesh schema in
    Figure\ \ref{qkd_fig_offset_lab_schema}.}
 \end{figure}
 The offset labyrinth design already achieves a high level of security through its complex passthrough shape, but only
 small offset distances are feasible since large offsets quickly lead to impractically large mesh sizes. Where the pitch
 from one tab ring to the next is roughly constant in concentric labyrinth meshes, and determined only by clearances and
 the amount of inter-mesh space necessary for power and data feedthroughs as well as mechanical stability. In offset
 meshes, on the other hand, this pitch increases by the offset distance. Even for a small offset this quickly adds up to
 an unwieldy total mesh size.
 In this section, we conceptually introduce a solution to this problem that allows for larger offsets using a design
 where the two meshes interlock like gears. This does mean that the two meshes' rotation must be synchronized, but it
 increases the design space of offset labyrinth meshes. For instance, in a gear setup, the wide sides of the inter-mesh
 zones can be aligned to lie on the same side, so fiber passthrough can be realized more easily even without the need to
 spiral the fiber around the axes of rotation.
 \subsection{Mesh synchronization}
 For geared meshes to work, both speed and phase of the rotation of the two meshes must be synchronized to a small error.
 In this setup, the mesh tabs act like gear teeth. Depending on the ratio between both meshes' tap counts, the two
 meshes do not have to rotate at the same rate of rotation and harmonic ratios are possible. Additionally, unlike actual
 gears which need to constantly maintain an area of contact, both co-rotating and counter-rotating setups are possible.
 \begin{figure}
    \centering
    \subcaptionbox[Offset gear labyrinth mesh assembly render]{}{\includegraphics[width=\textwidth]{render_side_1.png}}
    \subcaptionbox[Offset gear labyrinth mesh assembly render]{}{\includegraphics[width=\textwidth]{render_side_2.png}}
    \caption{
        Renderings of the complete offset labyrinth gear mesh assembly.
    }
 \end{figure}
 \begin{figure}
    \centering
    \includegraphics[width=\textwidth]{gear_plan_1.pdf}
    \caption[Offset gear mesh assmbly schema]{}
 \end{figure}
 \begin{figure}
    \centering
    \includegraphics[width=\textwidth]{gear_plan_2.pdf}
    \caption[Offset gear mesh schedule]{}
 \end{figure}
 \section{Security analysis}
 \subsection{Attacks on the IHSM mesh}