diff --git a/figures/fiber_passthrough_mech_model__8290_small_annotations.svg b/figures/fiber_passthrough_mech_model__8290_small_annotations.svg
new file mode 100644
index 0000000..b7f56a2
--- /dev/null
+++ b/figures/fiber_passthrough_mech_model__8290_small_annotations.svg
@@ -0,0 +1,417 @@
+
+
+
+
diff --git a/figures/fiber_passthrough_mech_model__8290_small_annotations_censored.pdf b/figures/fiber_passthrough_mech_model__8290_small_annotations_censored.pdf
new file mode 100644
index 0000000..ff9256d
Binary files /dev/null and b/figures/fiber_passthrough_mech_model__8290_small_annotations_censored.pdf differ
diff --git a/figures/fiber_passthrough_mech_model__8290_small_annotations_censored.svg b/figures/fiber_passthrough_mech_model__8290_small_annotations_censored.svg
new file mode 100644
index 0000000..5aee4b8
--- /dev/null
+++ b/figures/fiber_passthrough_mech_model__8290_small_annotations_censored.svg
@@ -0,0 +1,354 @@
+
+
+
+
diff --git a/figures/pic_bracket_routing.png b/figures/pic_bracket_routing.png
new file mode 100644
index 0000000..9bf170a
Binary files /dev/null and b/figures/pic_bracket_routing.png differ
diff --git a/figures/pic_bracket_routing_small.png b/figures/pic_bracket_routing_small.png
new file mode 100644
index 0000000..439bc15
Binary files /dev/null and b/figures/pic_bracket_routing_small.png differ
diff --git a/figures/schema_wire.pdf b/figures/schema_wire.pdf
index 0f55188..7237e34 100644
Binary files a/figures/schema_wire.pdf and b/figures/schema_wire.pdf differ
diff --git a/figures/schema_wire.svg b/figures/schema_wire.svg
index 52622a5..dafdcba 100644
--- a/figures/schema_wire.svg
+++ b/figures/schema_wire.svg
@@ -1,628 +1,247 @@
-
-
diff --git a/paper.tex b/paper.tex
index a0bfe53..e3901d5 100644
--- a/paper.tex
+++ b/paper.tex
@@ -40,6 +40,9 @@
Image source: #1, #2 (\underline{\href{#4}{link}}). %
Licensed #3.}
+\hyphenation{da-ta-cen-ter}
+\hyphenation{da-ta-cen-ters}
+
\begin{document}
\author{Jan Sebastian Götte\inst{1} \and Björn Scheuermann\inst{2}}
@@ -54,10 +57,10 @@
Quantum Key Distribution (QKD) is a promising technology for the establishment of shared secret keys at a distance
that relies on quantum physical laws of nature instead of cryptographic computational assumptions. Currently, a
severe trade-off between bit rate and distance limits practical applications of QKD to distances of several hundred
- kilometers and less since physically, QKD signals cannot be amplified. Although in theory, QKD signals can be
- repeated to extend their reach, such repeaters require powerful quantum computing primitives and no practical
- implementations exist yet. Current practice for long-range QKD networks use physically trusted repeater stations
- that convert QKD signals to (insecure) classical signals and back.
+ kilometers and less. Physically, QKD signals cannot be amplified. Although in theory, QKD signals can be repeated to
+ extend their reach, such repeaters require powerful quantum computing primitives that are not yet practical. Current
+ practice for long-range QKD networks use physically trusted repeater stations that convert QKD signals to (insecure)
+ classical signals and back.
In this paper, we outline an application of the IHSM approach first proposed by \textcite{gotteCantTouchThis2022}
bootstrapping a physically secure QKD repeater node. At the core of our proposal is a work-in-progress optical
@@ -70,21 +73,21 @@
Quantum Computing promises efficient solutions to a number of widely used cryptographic computational problems. As a
countermeasure, new \emph{post-quantum} cryptosystems have been developed that are not susceptible to known quantum or
-classical attacks. However, a limitation of these cryptosystems is that they still rely on a hardness assumption that
-cannot be proven - and it cannot be ruled out that in the future, attacks on these cryptosystems will be found. In fact,
+classical attacks. However, a limitation of these cryptosystems is that they still rely on hardness assumptions that
+cannot be proven---and it cannot be ruled out that attacks on these cryptosystems could be found in the future. In fact,
a variant of one of the early contenders for post-quantum cryptography, Supersingular Isogeny Diffie-Hellman Key
-Exchange (SIKE) has unexpectedly been broken in 2022\cite{castryckEfficientKeyRecovery2023}, a decade after its
+Exchange (SIKE) has unexpectedly been broken in 2022~\cite{castryckEfficientKeyRecovery2023}, a decade after its
development, highlighting the risk inherent in these new cryptosystems.
Quantum Key Distribution (QKD) provides an alternative to key exchange protocols based on cryptographic hardness
assumptions. QKD provides a primitive similar to Diffie-Hellman key exchange, establishing a secret key between two
-parties that are only connected through an untrusted channel. In contrast with classical cryptographic protocols, the
+parties that are only connected through an untrusted channel. In contrast to classical cryptographic protocols, the
security of QKD is based on quantum-physical laws of nature, and assuming a correct technical realization, QKD can
provide information-theoretic security.
QKD suffers from a severe range limitation stemming from loss in optical fibers. Since QKD relies on the quantum
properties of single photons, QKD signals inherently cannot be amplified. While classical optical networking signals can
-be efficiently amplified using optical amplifiers, to a QKD signal such amplification would constitute a measurement and
+be efficiently amplified using optical amplifiers, to a QKD signal such amplification would constitute a measurement,
which destroys the signal's quantum information. As a consequence of this, the range of a QKD link is limited to the
span that can be achieved with a single, uninterrupted fiber at an acceptable loss. In practice, this is commonly in the
range of \qtyrange{100}{200}{\kilo\meter} with key exchange rates falling sharply with longer distance.
@@ -93,7 +96,7 @@ The only technique for range extension that is currently feasible is to \emph{re
receiver and a transmitter coupled back-to-back. This practical construction however creates another hard challenge:
Since only the QKD system's photonic signal is secured by the systems' quantum security guarantees, such relays must be
physically trusted as they effectively handle secret key bits in plaintext. Achieving this physical security in a
-large-scale QKD network is difficult due to the remote location of some relays, and due to the QKD nodes' physical size,
+large-scale QKD network is difficult due to the remote location of some relays, the QKD nodes' physical size, and their
power and cooling requirements, and their need for multiple fiber-optic connections to the outside world. In classical
computing, such challenges are often approached using Hardware Security Modules (HSMs) that have tamper sensors that
will destroy the HSM's contents when tampering is detected, but conventional HSM technology cannot be adapted to the
@@ -103,16 +106,19 @@ requirements of a QKD system.
\begin{center}
\includegraphics[width=0.7\textwidth]{fiber_passthrough_mech_model__8290_small_annotations_censored.pdf}
\end{center}
- \caption{Photo of our mechanical prototype. The prototype's two rotating tamper sensing meshes are shown in pink.
- The primary mesh is mechanically attached to and driven by the IHSM's rotating tamper sensing cage, which is
- partially shown here in white. The golden tube is the cage's shaft protruding to the outside of the IHSM, with
- optical fibers and electrical connections fed through. The green and purple parts constitute a bracket that
- mechanically connects the payload on the inside of the IHSM to the shaft, and that holds the secondary rotating
- mesh, which in this prototype is driven using a cooling fan as a motor. Optical fibers and electrical connections
- are fed through from the shaft to the interior of the IHSM cage through channels in the green part of the bracket.
- Only one optical fiber is shown here for clarity. The small tabs on the primary and secondary meshes' protrude
- into the slots in this bracket such that they do not interfere, and leave only \qty{3.4}{\milli\meter} of space in
- the narrowest parts of the bracket below the slots.
+ \caption{Photo of our mechanical prototype.
+ 1 - Bracket connecting payload and shaft with hidden spiral conduit for optical fibers.
+ 2 - Upper tamper sensing mesh PCB.
+ 3 - Outer IHSM tamper sensing mesh cage.
+ 4 - IHSM tamper sensing mesh cage bearing.
+ 5 - Fiber exiting hollow shaft.
+ 6 - Lower bracket holding secondary tamper sensing mesh drive motor.
+ 7 - Cooling fan used as secondary tamper sensing mesh drive motor.
+ 8 - Secondary tamper sensing mesh PCB shielding bottom of bracket 1.
+ 9 - Fiber exiting hidden spiral conduit in bracket 1.
+ 10 - Interleaving tabs sticking out from tamper sensing PCBs, creating a serpentine structure.
+ Distance from tab end to opposing PCB 2 is \qty{3.4}{\milli\meter} of space in
+ 11 - Channels for tabs 10 in bracket 1.
\\\textbf{Note: Institutional logo removed from picture for peer review}}
\label{fig_pic_proto_intro}
\end{figure}
@@ -120,21 +126,22 @@ requirements of a QKD system.
In this paper, we present several designs and a mechanical prototype adapting the Inertial Hardware Security Module
(IHSM) concept first proposed by \textcite{gotteCantTouchThis2022} to a QKD relay node. IHSMs replace the tamper sensing
security mesh foil that is wrapped around the payload in conventional HSMs by a tamper-sensing cage made from
-conventional circuit board material by spinning this cage at a high speed. While circuit board material provides lower
-tamper security than the tamper sensing foils made using bespoke manufacturing processses that are used in conventional
-HSMs, by spinning the tamper sensing cage at high speed while continuously verifying this rotation using an
-accelerometer placed on the cage, IHSMs achieve a similar security level using only inexpensive, commodity components
-and no specialty manufacturing processes. In contrast to conventional HSMs, IHSMs are a natrual fit for the power and
-size requirements of a QKD node, but they suffer from the problem of how to optically connect the (stationary) QKD relay
-payload protected inside the IHSM's spinning tamper sensing cage to the outside world without creating a security
-vulnerability. While fibers can easily be fed through the shaft of the spinning cage, an attacker could feed an attack
-tool through the same opening. In this paper, we propose a family of mechanical designs that use a secondary rotating
-tamper sensing mesh at the entry point of the shaft to protect a fiber-optical passthrough while observing the fiber's
-bending radius limitations. Figure\ \ref{fig_pic_proto_intro} shows a photo of our mechanical prototype. Our prototype
-would require an attacker to feed an attack tool around multiple sharp bends, with only \qty{3.4}{\milli\meter} of space
-available at the narrowest points. In our prototype, the smallest bend radius encountered by the fiber is
-\qty{15}{\milli\meter}. We experimentally measured the optical loss added by our prototype compared to a straight fiber
-to be below our measurement floor of \qty{0.25}{\decibel}.
+conventional circuit board material by spinning this cage at a high speed. On its own, circuit board material provides
+lower tamper security than the tamper sensing foils made using bespoke manufacturing processes that are used in
+conventional HSMs. IHSMs solve this problem by spinning the tamper sensing cage at high speed while continuously
+verifying this rotation using an accelerometer placed on the cage. IHSMs achieve a similar security level to
+conventional HSMs using only inexpensive, commodity components and no specialty manufacturing processes. In contrast to
+conventional HSMs, IHSMs are a natural fit for the high power and size requirements of a QKD node. However, they suffer
+from the problem of how to optically connect the (stationary) QKD relay payload protected inside the IHSM's spinning
+tamper sensing cage to the outside world without creating a security vulnerability. While fibers can easily be fed
+through the shaft of the spinning cage, an attacker could feed an attack tool through the same opening. In this paper,
+we propose a family of mechanical designs that use a secondary rotating tamper sensing mesh at the entry point of the
+shaft to protect a fiber-optical passthrough while observing the fiber's bending radius limitations. Figure\
+\ref{fig_pic_proto_intro} shows a photo of our mechanical prototype. Our prototype would require an attacker to feed an
+attack tool around multiple sharp bends, with only \qty{3.4}{\milli\meter} of space available at the narrowest points.
+In our prototype, the smallest bend radius encountered by the fiber is \qty{15}{\milli\meter}. We experimentally
+measured the optical loss added by our prototype compared to a straight fiber to be below our measurement floor of
+\qty{0.25}{\decibel}.
This paper is organized as follows. In Section\ \ref{sec_qkd_fundamentals}, we give an introduction into Quantum Key
Distribution and its practical realization. In Section\ \ref{sec_related_work}, we provide an overview of related
@@ -150,8 +157,8 @@ parties exchange quantum states, then perform experiments on these quantum state
randomness. This correlated randomness is then refined into identical secrets on both ends by running an error
correction process known as \emph{information reconciliation} using a classical channel for communication. After this
process, an attacker may still possess partial information about the shared secret. To dilute this information, in a
-step named \emph{privacy amplification} a randomness extractor such as a information-theoretic hash function is used to
-create a new, shorter secret over which the attacker possesses effectively no information.
+step named privacy amplification, a randomness extractor such as a information-theoretic hash function is used to create
+a new, shorter secret over which the attacker possesses effectively no information.
\subsection{Range in QKD}
@@ -159,12 +166,11 @@ Regardless of the particular QKD protocol used, common to all QKD protocols, qua
parties. While quantum computers are built from a wide variety of quantum states from trapped ions through
superconducting states up to spin states, all QKD protocols are based on photonic states since they are the only ones
that can easily be transferred across long distances through optical fiber. Even so, QKD protocols face a steep
-trade-off between speed of key generation--called \emph{secret key rate}--and distance since quantum states cannot be
+trade-off between speed of key generation---called \emph{secret key rate}---and distance since quantum states cannot be
amplified. In literature on long-range QKD, secret key rates as low as $10$ milli-bits per second are routinely
-published\cite{wangTwinfieldQuantumKey2022} since they already promise a benefit over classical key exchange or key
-encapsulation methods using asymmetric cryptography in a hypothetical scenario in which symmetric cryptography cannot
-yet be efficiently attacked using Grover's algorithm, but all asymmetric cryptography has fallen to quantum algorithms
-like variants of Shor's algorithm.
+published~\cite{wangTwinfieldQuantumKey2022} since they already promise a benefit in a hypothetical scenario in which
+symmetric cryptography cannot yet be efficiently attacked using Grover's algorithm, but all asymmetric cryptography has
+fallen to quantum algorithms like variants of Shor's algorithm.
\subsection{Loss in optical fibers}
@@ -176,101 +182,36 @@ disturbing the pulse's polarization, or destruction of entanglement between the
Decoherence effects are less relevant for the distance limitation, and mostly limit which fiber-optic technologies can be
utilized in the first place. Due to decoherence, QKD systems usually use Single-Mode (SM) fiber over Multi-Mode (MM)
-fiber\cite{amitonovaQuantumKeyEstablishment2020}, and decoherence makes it more difficult to utilize Wavelength Division
+fiber~\cite{amitonovaQuantumKeyEstablishment2020}, and decoherence makes it more difficult to utilize Wavelength Division
Multiplexing (xWDM) to send multiple either quantum or classical optical signals through a single fiber.
In practice, attenuation is the primary factor limiting the length of an individual fiber run in QKD. Even modern,
ultra-low loss optical fiber has an attenuation in the order of \qty{0.15}{\decibel\per\kilo\meter}, resulting in a loss
-of half the signal's power, equivalent to half of all QKD pulses, in just \qty{20}{\kilo\meter}. For longer reaches,
-these losses ar multiplicative, so after only \qty{200}{\kilo\meter} only one in a thousand photons entering the fiber
-will exit it at the other end \cite{chesnoyUnderseaFiberCommunication2015}.
+of half the signal's power, equivalent to half of all QKD pulses, in just \qty{20}{\kilo\meter}. Since these losses
+compound exponentially with longer reach, after only \qty{200}{\kilo\meter} only one in a thousand photons entering the
+fiber will exit it at the other end~\cite{chesnoyUnderseaFiberCommunication2015}.
\subsection{Relaying}
-A consequence of this range limitation is that at useful bit rates, QKD links can only be realized across ranges less
-than \qty{100}{\kilo\meter} or so. There are some QKD protocols that can be used to effectively double the range of a
+A consequence of this range limitation is that at useful bit rates, QKD links can only be realized up to distances in
+the order of \qty{200}{\kilo\meter}. There are some QKD protocols that can be used to effectively double the range of a
QKD link by placing an untrusted node in the middle of the link, but further extension would require either a trusted
relay or a complex relay operating on the quantum states. As of now, such quantum relays are not practical leaving only
the trusted relay route for achieving useful secret key rates across distances longer than a few hundred kilometers.
If we imagine a continental-scale network of QKD systems with fibers spanning tens of thousands of kilometers, it is
easy to see why the physical security of its relay nodes is such a concern in QKD setups. Such a network would need
-between hundreds and throusands of relay nodes. Making things worse, these relay nodes would have to been spread evenly
+between hundreds and throusands of relay nodes. Making things worse, these relay nodes would have to be spread evenly
across thousands of kilometers of optical links, with many ending up in isolated places in the field, away from
datacenters and other well-protected technical infrastructure. Since the compromise of any one QKD relay could be enough
-for an attacker to carry out a on-path attack, protecting thousands of small relay installations located in equipment
+for an attacker to carry out an on-path attack, protecting thousands of small relay installations located in equipment
sheds spread across sparsely populated areas against adversaries with advanced physical attack capabilites becomes a
-daunting task. Effectively, each quantum relay has to be made into a hardware security module including advanced
-including active tamper sensing.
+daunting task. Effectively, each quantum relay has to be made into a hardware security module including advanced active
+tamper sensing.
\section{Related Work}
\label{sec_related_work}
-\subsection{Inertial Hardware Security Modules}
-
-As of now, QKD nodes are large, rack-mount devices. While miniaturization is ongoing, the processing requirements of
-such systems alone exceed the capabilities of conventional hardware security modules. With a conventional hardware
-security module, protecting an entire QKD relay consisting of two link endpoints and their associated processing systems
-would be infeasible due to their size and power dissipation.
-
-One of the core challenges in the design of active tamper sensors for Hardware Security Modules (HSMs) is protecting the
-device against drilling attacks. In a drilling attack, an attacker accesses internal circuitry of the HSM by drilling a
-hole, allowing a probe to pass through. In HSMs, drilling attacks are commonly monitored by enveloping the payload in a
-security mesh, i.e.\ a foil covered with intentionally fragile conductive traces. The idea is that drilling into the
-device from any angle will damage the conductive traces on this foil, which can easily be electrically detected by the
-payload, allowing it to destroy all secrets before any probe can reach it.
-
-In practice, manufacturing this conductive foil is difficult. Standard flexible circuit processes such as
-lithographic polyimide/copper Flexible Printed Circuits (FPCs) are sometimes used, but their security is limited since
-they are easy to manipulate using standard Printed Circuit Board (PCB) rework techniques. More exotic processes
-industrially used for low-cost keyboard and key pad production using screen-printed silver or carbon conductive inks on
-a polyester substrate are also used, but are limited by a coarse structure size.
-
-The area of foil-based security meshes is primarily limited by the difficulty of manufacturing large foils without
-defects. Not only does total defect rate rise with area, commercial PCB or FPC manufacturing processes have a panel size
-usually in the order of \qtyrange{500}{800}{\milli\meter} side length that cannot be exceeded.
-
-In contrast to conventional HSMs using mesh foils, Inertial HSMs approach envelope tamper sensing by encasting the
-payload in a mesh cage made from using low-cost PCBs, then rotating this cage at high speed to simultaneously cover all
-angles, and prevent manipulation of the mesh. To prevent an attacker from slowing down the rotating mesh cage, an
-accelerometer is placed on the rotating mesh that monitors rotation by measuring centrifugal acceleration.
-
-The main issue in IHSM construction is the construction of the pass-through providing electrical connections between the
-payload and the outside world. In conventional HSMs that use tamper sensing mesh foils, this passthrough is realized by
-folding the mesh foil and a Flexible Flat Cable (FFC) in several layers such that there is no straight path that
-a probe could be inserted through. In IHSMs, electrical connections are passed through a hollow shaft on one end of the
-mesh cage. Similar to the serpentine folds between mesh foil and FFC in conventional HSMs, in IHSMs complex geometry can
-be realized by placing a secondary rotating mesh on the inside of the primary mesh, covering the point where the shaft
-goes through the primary mesh.
-
-Where in conventional HSMs covering larger areas with a patchwork of smaller mesh foils creates the difficulty of
-creating secure seams between the foils, in IHSMs, multiple PCB meshes can easily be joint into a larger mesh by simply
-overlapping them, since the mesh's rotation makes any attack on such a joint exceedingly difficult.
-
-\subsection{Customizable tamper sensing HSMs}
-
-\textcite{immlerSecurePhysicalEnclosures2018} introduce a HSM concept that utilizes a tamper-sensing mesh made from a
-lithographically patterned metallized polyimide foil. They pattern a grid of fine capacitive electrodes onto the foil,
-and demonstrate a simple multi-channel readout circuit that is capable of distinguishing changes in capacitance between
-electrodes down to the femto-Farad range. In contrast to conventional HSMs that require a continuous power supply to
-their tamper-sensing subsystem, their design introduces sufficient measurement fidelity that the tamper-sensing mesh
-foil can be viewed as a Physically Uncloneable Function (PUF) by demonstrating stability and statistical properties of
-its PUF response.
-
-Later publications on their design expand upon the concept, but fundamentally, their design is limited in size by
-manufacturing limitations in the size of its tamper-sensing foil, as well as the poor scalability of the designs
-frontend architecture, which requires a separate charge amplifier for each electrode
-pair\cite{
- garbFORTRESSFORtifiedTamperResistant2021,
- garbWiretapChannelCapacitive2022,
- garbTamperSensitiveDesignPUFBased,
- obermaierMeasurementSystemCapacitive2018}.
-Applying their approach to a QKD relay would be difficult as it would ential not just miniaturizing the QKD relay to the
-size of a smartphone, but it would also require the development of a secure fiber passthrough specific to their design
-and other systems using a folded tamper-sensing mesh foil. Conventionally, electrical pass-throughs in such foils are
-made by folding the mesh and a Flat Flexible Cable (FFC) multiple times. Due to their required beding radius,
-alternative solutions would have to be found for a fiber-optic pass-through.
-
\subsection{Long-range QKD}
\textcite{caoEvolutionQuantumKey2022} give a comprehensive overview of large-scale QKD networking.
@@ -286,6 +227,71 @@ to be untrusted. MDI-QKD can effectively double the reach of a trusted QKD link
the middle. They present a precise problem formulation and introduce an algorithm for the optimization of deployment
cost of a hybrid QKD network.
+\subsection{Customizable tamper sensing HSMs}
+
+\textcite{immlerSecurePhysicalEnclosures2018} introduce a HSM concept that utilizes a tamper-sensing mesh made from a
+lithographically patterned metallized polyimide foil. They pattern a grid of fine capacitive electrodes onto the foil,
+and demonstrate a simple multi-channel readout circuit that is capable of distinguishing changes in capacitance between
+electrodes down to the femto-Farad range. In contrast to conventional HSMs that require a continuous power supply to
+their tamper-sensing subsystem, their design introduces sufficient measurement fidelity that the tamper-sensing mesh
+foil can be viewed as a Physically Uncloneable Function (PUF) by demonstrating stability and statistical properties of
+its PUF response.
+
+Later publications on their design expand upon the concept, but fundamentally, their design is limited in size by
+manufacturing limitations in the size of its tamper-sensing foil, as well as the poor scalability of the designs
+frontend architecture, which requires a separate charge amplifier for each electrode
+pair~\cite{
+ garbFORTRESSFORtifiedTamperResistant2021,
+ garbWiretapChannelCapacitive2022,
+ garbTamperSensitiveDesignPUFBased,
+ obermaierMeasurementSystemCapacitive2018}.
+Applying their approach to a QKD relay would be difficult as it would require not just miniaturizing the QKD relay to
+the size of a smartphone, but it would also require the development of a secure fiber passthrough specific to their
+design and other systems using a folded tamper-sensing mesh foil. Conventionally, electrical pass-throughs in such foils
+are made by folding the mesh and a Flat Flexible Cable (FFC) multiple times. Due to their required beding radius,
+alternative solutions would have to be found for a fiber-optic pass-through.
+
+\subsection{Inertial Hardware Security Modules}
+
+As of now, QKD nodes are large, rack-mount devices. While miniaturization is ongoing, the processing requirements of
+such systems alone exceed the capabilities of conventional HSMs. With a conventional HSM, protecting an entire QKD relay
+consisting of two link endpoints and their associated processing systems would be infeasible due to their size and power
+dissipation.
+
+One of the core challenges in the design of active tamper sensors for HSMs is protecting the device against drilling
+attacks. In a drilling attack, an attacker accesses internal circuitry of the HSM by drilling a hole, allowing a probe
+to pass through. In HSMs, drilling attacks are commonly monitored by enveloping the payload in a security mesh, i.e.\ a
+foil covered with intentionally fragile conductive traces. The idea is that drilling into the device from any angle will
+damage the conductive traces on this foil, which can easily be electrically detected by the payload, allowing it to
+destroy all secrets before any probe can reach it.
+
+In practice, manufacturing this conductive foil is difficult. Standard flexible circuit processes such as
+lithographic polyimide/copper Flexible Printed Circuits (FPCs) are sometimes used, but their security is limited since
+they are easy to manipulate using standard Printed Circuit Board (PCB) rework techniques. More exotic processes
+industrially used for low-cost keyboard and key pad production using screen-printed silver or carbon conductive inks on
+a polyester substrate are also used, but are limited by a coarse structure size.
+
+The area of foil-based security meshes is primarily limited by the difficulty of manufacturing large foils without
+defects. Not only does total defect rate rise with area, commercial PCB or FPC manufacturing processes have a panel size
+usually in the order of \qtyrange{500}{800}{\milli\meter} side length that cannot be exceeded.
+
+In contrast to conventional HSMs using mesh foils, IHSMs approach envelope tamper sensing by encasing the payload in a
+mesh cage made from low-cost PCBs, then rotating this cage at high speed to simultaneously cover all angles, and prevent
+manipulation of the mesh. To prevent an attacker from slowing down the rotating mesh cage, an accelerometer is placed on
+the rotating mesh that monitors rotation by measuring centrifugal acceleration.
+
+The main issue in IHSM construction is the construction of the pass-through providing electrical connections between the
+payload and the outside world. In conventional HSMs that use tamper sensing mesh foils, this passthrough is realized by
+folding the mesh foil and a Flexible Flat Cable (FFC) in several layers such that there is no straight path that
+a probe could be inserted through. In IHSMs, electrical connections are passed through a hollow shaft on one end of the
+mesh cage. Similar to the serpentine folds between mesh foil and FFC in conventional HSMs, in IHSMs complex geometry can
+be realized by placing a secondary rotating mesh on the inside of the primary mesh, covering the point where the shaft
+goes through the primary mesh.
+
+Where in conventional HSMs covering larger areas with a patchwork of smaller mesh foils creates the difficulty of
+creating secure seams between the foils, in IHSMs, multiple PCB meshes can easily be joint into a larger mesh by simply
+overlapping them, since the mesh's rotation makes any attack on such a joint exceedingly difficult.
+
\section{Multi-fiber passthrough with active secondary mesh}
\label{sec_passthrough}
@@ -296,19 +302,20 @@ to the other end of the link, and another fiber is needed for the quantum channe
links, this results in at least five fibers assuming all classical networking can be multiplexed on a single fiber.
Fiber pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, so this amount of fibers can be fed
-through an IHSM's axis of rotation. The mechanical challenge in such a multi-fiber signal and data feedthrough is to
-observe the fiber's minimum bending radius, which for common fibers is usually in the range of
-\qtyrange{5}{15}{\milli\meter}\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}.
+through an IHSM's axis of rotation without increasing its shaft diameter and reducing its security. The mechanical
+challenge in such a multi-fiber signal and data feedthrough is to observe the fiber's minimum bending radius, which for
+common fibers is usually in the range of
+\qtyrange{5}{15}{\milli\meter}~\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}.
\subsection{Multi-fiber passthrough design}
To approach the security of the data and power connections passing through the IHSM's unprotected shaft,
-\textcite{gotteCantTouchThis2022} list some shielding methods that use a independently rotating secondary tamper sensing
-mesh on the inside of the primary mesh, located right next to the primary mesh's axis opening. This secondary mesh
-makes accessing the payload using probes inserted through the shaft much more difficult.
+\textcite{gotteCantTouchThis2022} list some shielding methods that use an independently rotating secondary tamper
+sensing mesh on the inside of the primary mesh, located right next to the primary mesh's axis opening. This secondary
+mesh makes accessing the payload using probes inserted through the shaft much more difficult.
\textcite{gotteCantTouchThis2022} only present conceptual drawings of these schemes, and focus on electrical signals. In
-this paper, building on these concepts, we present mechanical designs of three variations of an IHSM pass through that
-are adapted to the limited bending radius of optical fiber: A simple disc cover, offset labyrinth meshes, and
+this paper, building on these concepts, we present mechanical designs of three variations of a fiber passthrough for
+IHSMs that are adapted to the limited bending radius of optical fiber: A simple disc cover, offset labyrinth meshes, and
interlocking gear meshes. We present a mechanical prototype of our offset labyrinth mesh design.
\subsection{Simple disc cover}
@@ -338,20 +345,20 @@ approximately \qty{90}{\degree} at least twice, once to avoid the SB-IHSM mesh,
towards the payload. The distance between the inside of the primary mesh and the SB-IHSM is limited by the tolerance in
mechanical alignment between the two axes of rotation, by the space necessary for a sufficiently stable mount of the
payload cage to the hollow shaft, and by the minimum bend radius of the power and data wiring that needs to pass through
-the shaft. In QKD applications, the fibers' minimum bend radius is the largest contributing factor. Power and electrical
-data signals can be supplied through flexible flat cables that can be bent in sharp corners without issue. Optical
-fibers on the other hand are limited in their minimum bend radius, as their optical loss rises sharply with decreasing
-bend radius\footnote{Note that the issue here is not that the glass core of the fiber would degrade or break, as one
-might intuitively assume. Being only a few dozen micrometers in diameter, an optical fiber's core is remarkably
-flexible. Instead, the issue is that both multimode as well as singlemode fibers are optical waveguides. Bending them
-distorts the electromagnetic field inside the waveguide, and allows some small portion of it to escape from the fiber's
-core, leading to loss in the form of both attenuation and dispersion\cite{schermerImprovedBendLoss2007}.}. With QKD
-being especially sensitive to even small amounts of loss, care has to be taken to maximize the bend radius of the fiber
-optic connections. A common specification of minimum bend radius in telecom singlemode fibers taking into account not
-just optical loss but also the mechanical stability of the fiber's polymer coating is $10\times$ the coated fiber's
-diameter\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}, which equates to \qty{9}{\milli\meter} for common
+the shaft. Power and electrical data signals can be supplied through flexible flat cables that can be bent in sharp
+corners without issue. In QKD applications, the fibers' minimum bend radius is the largest contributing factor. The
+optical loss of a fiber rises sharply with decreasing bend radius\footnote.{Note that the issue here is not that the
+glass core of the fiber would degrade or break, as one might intuitively assume. Being only a few dozen micrometers in
+diameter, an optical fiber's core is remarkably flexible. Instead, the issue is that both multi-mode as well as
+single-mode fibers are optical waveguides. Bending them distorts the electromagnetic field inside the waveguide, and
+allows some small portion of it to escape from the fiber's core, leading to loss in the form of both attenuation and
+dispersion~\cite{schermerImprovedBendLoss2007}.} With QKD being especially sensitive to even small amounts of loss, care
+has to be taken to maximize the bend radius of the fiber optic connections. A common specification of minimum bend
+radius in telecom single-mode fibers taking into account not just optical loss but also the mechanical stability of the
+fiber's polymer coating is $10\times$ the coated fiber's
+diameter~\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}, which equates to \qty{9}{\milli\meter} for common
\qty{0.9}{\milli\meter} fiber pigtails, corresponding to approximately \qty{1}{\decibel} of loss in the
-\qty{1550}{\nano\meter} band\cite{schermerImprovedBendLoss2007}. Based on these specifications and on a conservative
+\qty{1550}{\nano\meter} band~\cite{schermerImprovedBendLoss2007}. Based on these specifications and on a conservative
estimate of \qty{2.5}{\milli\meter} for the vertical mesh clearance, we arrive at a minimum inter-mesh spacing of
approximately \qty{11}{\milli\meter} when using minimal overlap between tab heights.
@@ -389,7 +396,7 @@ Structural support and cables can easily pass this structure in a series of \qty
probe avoiding both meshes would not be feasible as the probe would have to perform a series of sharp bends. The type of
manipulator that would be necessary for the placement of a probe in this system is conceptually similar to snake-like
robots used in minimally invasive surgery, but state-of-the-art systems from this area are both too thick and don't have
-enough joints to fit even simple labyrinth layouts\cite{
+enough joints to fit even simple labyrinth layouts~\cite{
suhDesignDiscreteBending2017,
schmitzRollingTipFlexibleInstrument2019,
kimAdvancementFlexibleRobot2022,
@@ -460,8 +467,9 @@ feedthrough that improves on the simple helical feedthrough we introduced above.
\begin{figure}
\centering
- \includegraphics[width=0.5\textwidth]{schema_wire.pdf}
- \caption[Offset labyrinth mesh schema with fiber layout]{}
+ \includegraphics[width=0.45\textwidth]{schema_wire.pdf}
+ \includegraphics[width=0.6\textwidth]{figures/pic_bracket_routing_small.png}
+ \caption{Offset labyrinth mesh schema with fiber layout}
\label{qkd_fig_offset_lab_fiber}
\end{figure}
@@ -477,9 +485,9 @@ radii.
\subsection{Experimental Validation}
To prove the mechanical viability of the offset labyrinth mesh concept, we created a mechanical prototype of one such
-mesh. Figure\ \ref{qkd_fig_offset_lab_fiber} shows the dimensions of the meshes' tabs along with the resulting tab rings
-and a 2D projection of our chosen fiber layout. The fiber is laid out in such a way that it crosses each tab ring at
-opposite sides, and traverses the vertical distance in the larger part of the inter-mesh space. Figure\
+mesh. Figure\ \ref{qkd_fig_offset_lab_fiber} shows the proportions of the meshes' tabs along with the resulting tab
+rings and a 2D projection of our chosen fiber layout. The fiber is laid out in such a way that it crosses each tab ring
+at opposite sides, and traverses the vertical distance in the larger part of the inter-mesh space. Figure\
\ref{fig_pic_proto_detail} shows an exploded view of our mechanical prototype.
We threaded a standard \qty{50}{\micro\meter}/\qty{125}{\micro\meter} fiber through the bracket, spliced it to a
@@ -542,7 +550,7 @@ countermeasures.
\subsection{Attacks on the IHSM mesh}
There are two ways an attacker could attack the mesh itself if an adequate speed of rotation such as \qty{1000}{\rpm} is
-used\cite{gotteCantTouchThis2022}: Either, an attacker would have to slow down the mesh so they can perform a manual
+used~\cite{gotteCantTouchThis2022}: Either, an attacker would have to slow down the mesh so they can perform a manual
attack, or they would have to use a robot. The first class of attack would require the attacker to falsify the readings
of the centrifugal accelerometer. MEMS accelerometers are complex devices, and the simplest way to falsify its readings
would be to attach a circuit to the accelrometer's data bus that overrides the measurement result data. Creating such a