ihsm-qkd-paper/paper.tex

\documentclass{llncs}

\usepackage[T1]{fontenc}
\usepackage[
    backend=biber,
    style=lncs,
    natbib=true,
    url=false, 
    doi=true,
    eprint=false
    ]{biblatex}
\addbibresource{paper.bib}
\usepackage{amssymb,amsmath}
\usepackage{eurosym}
\usepackage{wasysym}
\usepackage[binary-units]{siunitx}
\usepackage{commath}
\usepackage{graphicx,color}
\usepackage{colortbl}
\usepackage{subcaption}
\usepackage{placeins}
\usepackage{array}
\usepackage{censor}
\usepackage{hyperref}
\usepackage{makecell}

\graphicspath{{figures}}

\DeclareSIUnit{\baud}{Bd}
\DeclareSIUnit{\year}{a}
\DeclareSIUnit{\rpm}{rpm}
\renewcommand{\floatpagefraction}{.8}
\newcommand{\degree}{\ensuremath{^\circ}}
\newcolumntype{P}[1]{>{\centering\arraybackslash}p{#1}}
\newcommand{\partno}[1]{\textsf{\small#1}}
\newcommand{\price}[2]{#1 #2}
\newcommand{\todo}[1]{\textbf{TODO}\footnote{#1}}

\newcommand{\imgsource}[4]{\scriptsize%
    Image source: #1, #2 (\underline{\href{#4}{link}}). %
    Licensed #3.}

\hyphenation{da-ta-cen-ter}
\hyphenation{da-ta-cen-ters}

\begin{document}

\author{Jan Sebastian Götte\inst{1} \and Björn Scheuermann\inst{2}}
\institute{Technical University of Darmstadt, Darmstadt, Germany, \email{research@jaseg.de}\and
    Technical University of Darmstadt, Darmstadt, Germany, \email{bjoern.scheuermann@kom.tu-darmstadt.de}}
\title{Optical Passthrough for a Tamper-Resistant Quantum Key Distribution Relay in a Inertial HSM}
\maketitle
\keywords{Physical Security\and Tamper Resistance\and Hardware Security Module
            (HSM)\and Inertial Hardware Security Module (IHSM)\and Quantum Key Distribution}

\begin{abstract}
    Quantum Key Distribution (QKD) is a promising technology for the establishment of shared secret keys at a distance
    that relies on quantum physical laws of nature instead of cryptographic computational assumptions. Currently, a
    severe trade-off between bit rate and distance limits practical applications of QKD to distances of several hundred
    kilometers and less. Physically, QKD signals cannot be amplified. Although in theory, QKD signals can be repeated to
    extend their reach, such repeaters require powerful quantum computing primitives that are not yet practical. Current
    practice for long-range QKD networks use physically trusted repeater stations that convert QKD signals to (insecure)
    classical signals and back.

    In this paper, we outline an application of the IHSM approach first proposed by \textcite{gotteCantTouchThis2022}
    bootstrapping a physically secure QKD repeater node. At the core of our proposal is a work-in-progress optical
    passthrough connecting multiple optical fibers from the payload through the tamper sensing mesh to the outside
    world. Our design is low-cost, scales to dozens of optical fibers and allows the joint pass-through of electrical
    connections.
\end{abstract}

\section{Introduction}

Quantum Computing promises efficient solutions to a number of widely used cryptographic computational problems. As a
countermeasure, new \emph{post-quantum} cryptosystems have been developed that are not susceptible to known quantum or
classical attacks. However, a limitation of these cryptosystems is that they still rely on hardness assumptions that
cannot be proven---and it cannot be ruled out that attacks on these cryptosystems could be found in the future. In fact,
a variant of one of the early contenders for post-quantum cryptography, Supersingular Isogeny Diffie-Hellman Key
Exchange (SIKE) has unexpectedly been broken in 2022~\cite{castryckEfficientKeyRecovery2023}, a decade after its
development, highlighting the risk inherent in these new cryptosystems.

Quantum Key Distribution (QKD) provides an alternative to key exchange protocols based on cryptographic hardness
assumptions. QKD provides a primitive similar to Diffie-Hellman key exchange, establishing a secret key between two
parties that are only connected through an untrusted channel. In contrast to classical cryptographic protocols, the
security of QKD is based on quantum-physical laws of nature, and assuming a correct technical realization, QKD can
provide information-theoretic security.

QKD suffers from a severe range limitation stemming from loss in optical fibers. Since QKD relies on the quantum
properties of single photons, QKD signals inherently cannot be amplified. While classical optical networking signals can
be efficiently amplified using optical amplifiers, to a QKD signal such amplification would constitute a measurement,
which destroys the signal's quantum information. As a consequence of this, the range of a QKD link is limited to the
span that can be achieved with a single, uninterrupted fiber at an acceptable loss. In practice, this is commonly in the
range of \qtyrange{100}{200}{\kilo\meter} with key exchange rates falling sharply with longer distance.

The only technique for range extension that is currently feasible is to \emph{relay} the QKD signal with a
receiver and a transmitter coupled back-to-back. This practical construction however creates another hard challenge:
Since only the QKD system's photonic signal is secured by the systems' quantum security guarantees, such relays must be
physically trusted as they effectively handle secret key bits in plaintext. Achieving this physical security in a
large-scale QKD network is difficult due to the remote location of some relays, the QKD nodes' physical size, and their
power and cooling requirements, and their need for multiple fiber-optic connections to the outside world. In classical
computing, such challenges are often approached using Hardware Security Modules (HSMs) that have tamper sensors that
will destroy the HSM's contents when tampering is detected, but conventional HSM technology cannot be adapted to the
requirements of a QKD system.

\begin{figure}
    \begin{center}
        \includegraphics[width=0.7\textwidth]{fiber_passthrough_mech_model__8290_small_annotations_censored.pdf}
    \end{center}
    \caption{Photo of our mechanical prototype.
    1 - Bracket connecting payload and shaft with hidden spiral conduit for optical fibers.
    2 - Upper tamper sensing mesh PCB. 
    3 - Outer IHSM tamper sensing mesh cage.
    4 - IHSM tamper sensing mesh cage bearing.
    5 - Fiber exiting hollow shaft.
    6 - Lower bracket holding secondary tamper sensing mesh drive motor.
    7 - Cooling fan used as secondary tamper sensing mesh drive motor.
    8 - Secondary tamper sensing mesh PCB shielding bottom of bracket 1.
    9 - Fiber exiting hidden spiral conduit in bracket 1.
    10 - Interleaving tabs sticking out from tamper sensing PCBs, creating a serpentine structure.
         Distance from tab end to opposing PCB 2 is \qty{3.4}{\milli\meter} of space in
    11 - Channels for tabs 10 in bracket 1.
    \\\textbf{Note: Institutional logo removed from picture for peer review}}
    \label{fig_pic_proto_intro}
\end{figure}

In this paper, we present several designs and a mechanical prototype adapting the Inertial Hardware Security Module
(IHSM) concept first proposed by \textcite{gotteCantTouchThis2022} to a QKD relay node. IHSMs replace the tamper sensing
security mesh foil that is wrapped around the payload in conventional HSMs by a tamper-sensing cage made from
conventional circuit board material by spinning this cage at a high speed. On its own, circuit board material provides
lower tamper security than the tamper sensing foils made using bespoke manufacturing processes that are used in
conventional HSMs. IHSMs solve this problem by spinning the tamper sensing cage at high speed while continuously
verifying this rotation using an accelerometer placed on the cage. IHSMs achieve a similar security level to
conventional HSMs using only inexpensive, commodity components and no specialty manufacturing processes. In contrast to
conventional HSMs, IHSMs are a natural fit for the high power and size requirements of a QKD node. However, they suffer
from the problem of how to optically connect the (stationary) QKD relay payload protected inside the IHSM's spinning
tamper sensing cage to the outside world without creating a security vulnerability. While fibers can easily be fed
through the shaft of the spinning cage, an attacker could feed an attack tool through the same opening. In this paper,
we propose a family of mechanical designs that use a secondary rotating tamper sensing mesh at the entry point of the
shaft to protect a fiber-optical passthrough while observing the fiber's bending radius limitations. Figure\
\ref{fig_pic_proto_intro} shows a photo of our mechanical prototype. Our prototype would require an attacker to feed an
attack tool around multiple sharp bends, with only \qty{3.4}{\milli\meter} of space available at the narrowest points.
In our prototype, the smallest bend radius encountered by the fiber is \qty{15}{\milli\meter}. We experimentally
measured the optical loss added by our prototype compared to a straight fiber to be below our measurement floor of
\qty{0.25}{\decibel}.

This paper is organized as follows. In Section\ \ref{sec_qkd_fundamentals}, we give an introduction into Quantum Key
Distribution and its practical realization. In Section\ \ref{sec_related_work}, we provide an overview of related
academic work. In Section\ \ref{sec_passthrough}, we introduce three variants of our optical passthrough design that lie
along different points of the security/complexity spectrum. In Section\ \ref{sec_attacks} we discuss attacks on our
design before concluding with an outlook of future research directions in Section\ \ref{sec_outlook}.

\section{QKD Fundamentals}
\label{sec_qkd_fundamentals}

In principle, QKD is a specialized form of photonic quantum computing. The underlying approach in QKD is that two
parties exchange quantum states, then perform experiments on these quantum states to produce partially correlated
randomness. This correlated randomness is then refined into identical secrets on both ends by running an error
correction process known as \emph{information reconciliation} using a classical channel for communication. After this
process, an attacker may still possess partial information about the shared secret. To dilute this information, in a
step named privacy amplification, a randomness extractor such as a information-theoretic hash function is used to create
a new, shorter secret over which the attacker possesses effectively no information.

\subsection{Range in QKD}

Regardless of the particular QKD protocol used, common to all QKD protocols, quantum states must be exchanged between
parties. While quantum computers are built from a wide variety of quantum states from trapped ions through
superconducting states up to spin states, all QKD protocols are based on photonic states since they are the only ones
that can easily be transferred across long distances through optical fiber. Even so, QKD protocols face a steep
trade-off between speed of key generation---called \emph{secret key rate}---and distance since quantum states cannot be
amplified. In literature on long-range QKD, secret key rates as low as $10$ milli-bits per second are routinely
published~\cite{wangTwinfieldQuantumKey2022} since they already promise a benefit in a hypothetical scenario in which
symmetric cryptography cannot yet be efficiently attacked using Grover's algorithm, but all asymmetric cryptography has
fallen to quantum algorithms like variants of Shor's algorithm.

\subsection{Loss in optical fibers}

When transmitted over a fiber, there are multiple effects that degrade the quantum-optical signal of a QKD system, which
are collectively referred to as \emph{loss}. We can coarsely classify these degrading effects into two categories:
\emph{decoherence}, and \emph{attenuation}. Decoherence effects result in the quantum state being changed in transit,
which depending on the QKD implementation may mean destroying information contained within the state such as by
disturbing the pulse's polarization, or destruction of entanglement between the in-flight state and another local state.

Decoherence effects are less relevant for the distance limitation, and mostly limit which fiber-optic technologies can be
utilized in the first place. Due to decoherence, QKD systems usually use Single-Mode (SM) fiber over Multi-Mode (MM)
fiber~\cite{amitonovaQuantumKeyEstablishment2020}, and decoherence makes it more difficult to utilize Wavelength Division
Multiplexing (xWDM) to send multiple either quantum or classical optical signals through a single fiber.

In practice, attenuation is the primary factor limiting the length of an individual fiber run in QKD. Even modern,
ultra-low loss optical fiber has an attenuation in the order of \qty{0.15}{\decibel\per\kilo\meter}, resulting in a loss
of half the signal's power, equivalent to half of all QKD pulses, in just \qty{20}{\kilo\meter}. Since these losses
compound exponentially with longer reach, after only \qty{200}{\kilo\meter} only one in a thousand photons entering the
fiber will exit it at the other end~\cite{chesnoyUnderseaFiberCommunication2015}.

\subsection{Relaying}

A consequence of this range limitation is that at useful bit rates, QKD links can only be realized up to distances in
the order of \qty{200}{\kilo\meter}. There are some QKD protocols that can be used to effectively double the range of a
QKD link by placing an untrusted node in the middle of the link, but further extension would require either a trusted
relay or a complex relay operating on the quantum states. As of now, such quantum relays are not practical leaving only
the trusted relay route for achieving useful secret key rates across distances longer than a few hundred kilometers.

If we imagine a continental-scale network of QKD systems with fibers spanning tens of thousands of kilometers, it is
easy to see why the physical security of its relay nodes is such a concern in QKD setups. Such a network would need
between hundreds and throusands of relay nodes. Making things worse, these relay nodes would have to be spread evenly
across thousands of kilometers of optical links, with many ending up in isolated places in the field, away from
datacenters and other well-protected technical infrastructure. Since the compromise of any one QKD relay could be enough
for an attacker to carry out an on-path attack, protecting thousands of small relay installations located in equipment
sheds spread across sparsely populated areas against adversaries with advanced physical attack capabilites becomes a
daunting task. Effectively, each quantum relay has to be made into a hardware security module including advanced active
tamper sensing.

\section{Related Work}
\label{sec_related_work}

\subsection{Long-range QKD}

\textcite{caoEvolutionQuantumKey2022} give a comprehensive overview of large-scale QKD networking.
\textcite{lellaSecurityQuantumKey2023} analyze security threats in quantum key distribution networks and point out that
achieving the information-theoretic security that QKD is often cited for providing is difficult to achieve in practice
since currently, protocols based on cryptographic computational hardness assumptions cannot be avoided in a practical
implementation. \textcite{yangQuantumKeyDistribution2018} approach key routing in a hypothetical quantum key
distribution network and provide a solution based on measurements of each node's local secret key buffer.

\textcite{caoHybridTrustedUntrusted2021} discuss hybrid QKD networks that employ both physically trusted and untrusted
nodes by applying a technique such as Measurement-Device Independent QKD (MDI-QKD) that enables one end of the QKD link
to be untrusted. MDI-QKD can effectively double the reach of a trusted QKD link by placing an untrusted relay node in
the middle. They present a precise problem formulation and introduce an algorithm for the optimization of deployment
cost of a hybrid QKD network.

\subsection{Customizable tamper sensing HSMs}

\textcite{immlerSecurePhysicalEnclosures2018} introduce a HSM concept that utilizes a tamper-sensing mesh made from a
lithographically patterned metallized polyimide foil. They pattern a grid of fine capacitive electrodes onto the foil,
and demonstrate a simple multi-channel readout circuit that is capable of distinguishing changes in capacitance between
electrodes down to the femto-Farad range. In contrast to conventional HSMs that require a continuous power supply to
their tamper-sensing subsystem, their design introduces sufficient measurement fidelity that the tamper-sensing mesh
foil can be viewed as a Physically Uncloneable Function (PUF) by demonstrating stability and statistical properties of
its PUF response.

Later publications on their design expand upon the concept, but fundamentally, their design is limited in size by
manufacturing limitations in the size of its tamper-sensing foil, as well as the poor scalability of the designs
frontend architecture, which requires a separate charge amplifier for each electrode
pair~\cite{
    garbFORTRESSFORtifiedTamperResistant2021,
    garbWiretapChannelCapacitive2022,
    garbTamperSensitiveDesignPUFBased,
    obermaierMeasurementSystemCapacitive2018}.
Applying their approach to a QKD relay would be difficult as it would require not just miniaturizing the QKD relay to
the size of a smartphone, but it would also require the development of a secure fiber passthrough specific to their
design and other systems using a folded tamper-sensing mesh foil. Conventionally, electrical pass-throughs in such foils
are made by folding the mesh and a Flat Flexible Cable (FFC) multiple times. Due to their required beding radius,
alternative solutions would have to be found for a fiber-optic pass-through.

\subsection{Inertial Hardware Security Modules}

As of now, QKD nodes are large, rack-mount devices. While miniaturization is ongoing, the processing requirements of
such systems alone exceed the capabilities of conventional HSMs. With a conventional HSM, protecting an entire QKD relay
consisting of two link endpoints and their associated processing systems would be infeasible due to their size and power
dissipation.

One of the core challenges in the design of active tamper sensors for HSMs is protecting the device against drilling
attacks. In a drilling attack, an attacker accesses internal circuitry of the HSM by drilling a hole, allowing a probe
to pass through. In HSMs, drilling attacks are commonly monitored by enveloping the payload in a security mesh, i.e.\ a
foil covered with intentionally fragile conductive traces. The idea is that drilling into the device from any angle will
damage the conductive traces on this foil, which can easily be electrically detected by the payload, allowing it to
destroy all secrets before any probe can reach it.

In practice, manufacturing this conductive foil is difficult. Standard flexible circuit processes such as
lithographic polyimide/copper Flexible Printed Circuits (FPCs) are sometimes used, but their security is limited since
they are easy to manipulate using standard Printed Circuit Board (PCB) rework techniques. More exotic processes
industrially used for low-cost keyboard and key pad production using screen-printed silver or carbon conductive inks on
a polyester substrate are also used, but are limited by a coarse structure size.

The area of foil-based security meshes is primarily limited by the difficulty of manufacturing large foils without
defects. Not only does total defect rate rise with area, commercial PCB or FPC manufacturing processes have a panel size
usually in the order of \qtyrange{500}{800}{\milli\meter} side length that cannot be exceeded.

In contrast to conventional HSMs using mesh foils, IHSMs approach envelope tamper sensing by encasing the payload in a
mesh cage made from low-cost PCBs, then rotating this cage at high speed to simultaneously cover all angles, and prevent
manipulation of the mesh\cite{gotteCantTouchThis2022}. To prevent an attacker from slowing down the rotating mesh cage,
an accelerometer is placed on the rotating mesh that monitors rotation by measuring centrifugal acceleration.

The main issue in IHSM construction is the construction of the pass-through providing electrical connections between the
payload and the outside world. In conventional HSMs that use tamper sensing mesh foils, this passthrough is realized by
folding the mesh foil and an FFC in several layers such that there is no straight path that a probe could be inserted
through. In IHSMs, electrical connections are passed through a hollow shaft on one end of the mesh cage. Similar to the
serpentine folds between mesh foil and FFC in conventional HSMs, in IHSMs complex geometry can be realized by placing a
secondary rotating mesh on the inside of the primary mesh, covering the point where the shaft goes through the primary
mesh.

Where in conventional HSMs covering larger areas with a patchwork of smaller mesh foils creates the difficulty of
creating secure seams between the foils, in IHSMs, multiple PCB meshes can easily be joint into a larger mesh by simply
overlapping them, since the mesh's rotation makes any attack on such a joint exceedingly difficult.

\section{Multi-fiber passthrough with active secondary mesh}
\label{sec_passthrough}

Since IHSMs are particularly suited to large payloads, fitting the components of a QKD node inside one is
straightforward. However, QKD links have one unique requirement: Many systems require several physical fibers for each
QKD link. Often, in addition to a fiber for classical communication, one fiber is needed to transmit a reference clock
to the other end of the link, and another fiber is needed for the quantum channel. With a QKD relay needing at least two
links, this results in at least five fibers assuming all classical networking can be multiplexed on a single fiber.

Fiber pigtails have an outer diameter of usually about \qty{1}{\milli\meter}, so this amount of fibers can be fed
through an IHSM's axis of rotation without increasing its shaft diameter and reducing its security. The mechanical
challenge in such a multi-fiber signal and data feedthrough is to observe the fiber's minimum bending radius, which for
common fibers is usually in the range of
\qtyrange{5}{15}{\milli\meter}~\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}.

\subsection{Multi-fiber passthrough design}

To approach the security of the data and power connections passing through the IHSM's unprotected shaft,
\textcite{gotteCantTouchThis2022} list some shielding methods that use an independently rotating secondary tamper
sensing mesh on the inside of the primary mesh, located right next to the primary mesh's axis opening. This secondary
mesh makes accessing the payload using probes inserted through the shaft much more difficult.
\textcite{gotteCantTouchThis2022} only present conceptual drawings of these schemes, and focus on electrical signals. In
this paper, building on these concepts, we present a mechanical design of two variations of a fiber passthrough for IHSMs
that are adapted to the limited bending radius of optical fiber: Offset labyrinth meshes, and interlocking gear meshes.
We present a mechanical prototype of our offset labyrinth mesh design.

\subsection{Simple disc cover}

\begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=1]{shaft_countermeasures_b.pdf}
    \caption[Coaxial disc mesh schema]{Coaxial disc mesh schema, cross-section view. The outer mesh is shown in red, and
    the inner mesh in blue. The dashed line indicates the two meshes' shared axis of rotation. The gray areas indicate
    the shape of the volume that remains undisturbed by the mesh, and that is available for structural support and cable
    routing.}
    \label{qkd_fig_disc_mesh}
\end{figure}

Before going into detail on our proposed designs, we will first consider adapting the simple disc cover originally
presented by \textcite{gotteCantTouchThis2022}. While IHSMs excel at protecting large payload volumes, even a
zero-payload IHSM that has been shrunk to a single, disc-shaped PCB is still useful because we can delegate key
management functionality to the mesh monitoring circuit's microcontroller---or a separate processor sitting next to
it---on the rotating mesh PCB, yielding a solution close in both its cryptographic capabilities and its security level
to commercial traditional HSMs, and exceeding those of a smartcard. In the following paragraphs, we will show how we can
deploy the same Single-Board IHSM (SB-IHSM) as a mitigation for through-axis attacks, exploiting its mechanical shape
and its simple, low-cost implementation.

By placing an adapted single-board IHSM close to the primary mesh's axis opening as shown in Figure\
\ref{qkd_fig_disc_mesh}, an attacker is forced to either first circumvent or at least dislodge the single-board IHSM
through the primary mesh's axis opening without disturbing either mesh to gain direct access to the payload behind it,
or to conduct their attack through the keyhole-sized opening in the primary mesh while bending their tool by
approximately \qty{90}{\degree} at least twice, once to avoid the SB-IHSM mesh, and once more to re-orient the tool
towards the payload. Both the primary and the secondary IHSM meshes are spinning and constantly check their speed using
on-board accelerometers. To avoid triggering a tamper alarm, the attacker would have to not only fit an attack tool
through the space between the meshes, but also avoid even touching either mesh too hard since touching could slow down
the mesh.

The distance between the inside of the primary mesh and the SB-IHSM is limited by the tolerance in
mechanical alignment between the two axes of rotation, by the space necessary for a sufficiently stable mount of the
payload cage to the hollow shaft, and by the minimum bend radius of the power and data wiring that needs to pass through
the shaft. Increasing the IHSM's shaft diameter should be avoided because it gives an attacker more space. Instead, the
space between the meshes should be adjusted.

Power and electrical data signals can be supplied through flexible flat cables that can be bent in sharp
corners without issue. In QKD applications, the fibers' minimum bend radius is the largest contributing factor. The
optical loss of a fiber rises sharply with decreasing bend radius\footnote.{Note that the issue here is not that the
glass core of the fiber would degrade or break, as one might intuitively assume. Being only a few dozen micrometers in
diameter, an optical fiber's core is remarkably flexible. Instead, the issue is that both multi-mode as well as
single-mode fibers are optical waveguides. Bending them distorts the electromagnetic field inside the waveguide, and
allows some small portion of it to escape from the fiber's core, leading to loss in the form of both attenuation and
dispersion~\cite{schermerImprovedBendLoss2007}.} With QKD being especially sensitive to even small amounts of loss, care
has to be taken to maximize the bend radius of the fiber optic connections.

A common specification of minimum bend radius in telecom single-mode fibers taking into account not just optical loss
but also the mechanical stability of the fiber's polymer coating is $10\times$ the coated fiber's
diameter~\cite{fs1M12FSC,ProductPageFiber,CorningSMF28Ultra2024}, which equates to \qty{9}{\milli\meter} for common
\qty{0.9}{\milli\meter} fiber pigtails, corresponding to approximately \qty{1}{\decibel} of loss in the
\qty{1550}{\nano\meter} band~\cite{schermerImprovedBendLoss2007}. A technique that allows us to reduce the vertical
space necessary for the fiber's transition from the shaft to a plane parallel to the mesh is helically coiling the fiber
as shown in Figure~\ref{qkd_fig_fiber_helix}, which results in a height of less than \qty{6}{\milli\meter} for the
fiber's transition to horizontal. Adding a clearance of \qty{2.5}{\milli\meter} above and below the fiber passthrough to
account for tolerances in the two meshes' movements, we arrive at a minimum inter-mesh spacing of \qty{11}{\milli\meter}. 

\begin{figure}
    \centering
    \subcaptionbox[Helical transition of single fiber]{Single fiber}{\includegraphics[width=.25\textwidth]{helix_transition.png}}
    \subcaptionbox[Helical transition of fiber bundle]{Fiber bundle}{\includegraphics[width=.25\textwidth]{helix_bundle.png}}
    \caption[Helically coiling fibers inside the axis tube]{
        Minimum mesh spacing can be reduced by coiling the fibers inside of the shaft tube. The coiled fibers enter the
        inter-mesh space at an angle equal to the helix lead angle. Shown here is a \qty{6}{\milli\meter} outer diameter
        tube with a \qty{0.5}{\milli\meter} wall thickness and 6 fibers with \qty{0.9}{\milli\meter} outer diameter
        coiled to a constant bend radius of \qty{9}{\milli\meter}. The lead angle of the helix is \qty{61.5}{\degree}.
        The resulting height below the exit is \qty{5.16}{\milli\meter}.
        }
    \label{qkd_fig_fiber_helix}
\end{figure}

\subsection{Coaxial labyrinth meshes}

\begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=4]{shaft_countermeasures_b.pdf}
    \caption[Coaxial labyrinth mesh schema]{Coaxial labyrinth mesh schema, cross-section and top-down views. The numbers
    indicate the order a fiber traverses the inter-mesh space. With appropriate spacing, the fiber---or an attacker with
    their tool---can traverse the space in a zig-zag line in the cross-section plane.}
\end{figure}

In QKD applications, the simple disc cover design shown above has two main limitations. First, the distance between the
primary and secondary meshes must be large enough to allow for the fibers' minimum bend radius, resulting in more than
\qty{10}{\milli\meter} of space available to an attacker. Second, the attacker only has to bend their tool in a plane to
reach the payload.

To increase the difficulty of inserting a long and flexible tool through the axis shield, the shape of the interface
layer between the two meshes can be made more complex. \textcite{gotteCantTouchThis2022} proposed adding small, vertical
mesh \emph{tabs} to each of the two meshes that stick out into the inter-mesh space. This creates a labyrinth-like
structure between the axis opening and the IHSM's inside. Structural support and cables can easily pass this structure
in a series of \qty{90}{\degree} bends, while inserting a probe avoiding both meshes would not be feasible as the probe
would have to perform a series of sharp bends. The type of manipulator that would be necessary for the placement of a
probe in this system is conceptually similar to snake-like robots used in minimally invasive surgery, but
state-of-the-art systems from this area are too thick, too short, lack joints, or have insufficient maximum bending
angle to fit even simple labyrinth layouts. Common parameters for such parameters are \qty{4}{\milli\meter} diameter,
between two and four joints, up to \qty{50}{\milli\meter} length and \qty{60}{\degree} maximum bend angle for each
joint~\cite{ suhDesignDiscreteBending2017,
    schmitzRollingTipFlexibleInstrument2019,
    kimAdvancementFlexibleRobot2022,
    hongDesignCompensationControl2020}.
A particular limitation for an attack to a labyrinth mesh is the tradeoff between flexibility and length. The number of
joints is limited by space available for tendon cables, and the available joints must be distributed along the length of
the instrument. To insert the instrument through a labyrinth mesh, a tight spacing is necessary, which conflicts with
the length required to reach the payload on the inside of the IHSM.

While long and narrow tabs are desirable for mesh security as they limit the size and mobility of an attacker's probe,
in QKD application, the need for fiber optic passthrough is the limiting factor. The obvious solution of passing through
the fibers in a series of in-plane S-bends requires a coarse tab spacing due to the fibers' large minimum bend radius.
However, we can apply the approach we proposed above for the shaft entrance here, too, and thread the fibers between the
meshes by helically coiling them, increasing the fibers' bend radius to one half of the distance between both mesh
discs minus the fibers' diameter and clearances. When the resulting useable part of the distance is larger than twice
the bend radius, the minimum tab spacing is only limited by the fiber's diameter and the stability of the star bracket.
When the discs are placed closer, and a larger pitch is necssary, the resulting pitch of the helix determines the
minimum tab spacing.

Designing a labyrinth mesh for intrusion prevention is similar to the design of the shape of the jamb of the door of a
safe. In these, the objective is to prevent would-be burglars from inserting opening tools through the space between the
closed door and its jamb and attacking the door's interior handle or locking mechanism, not unlike an IHSM's defense
against electrical or electromagnetic probes. The one difference between these doors and what we can do in IHSMs is that
these doors are limited to outwards-facing steps because they must be opened and closed. In IHSM labyrinth meshes, we
can use both outwards-facing and inwards-facing steps.

Concentric labyrinth meshes allow for a range configurations. The pitch from one mesh tab to the next is the sum of the
required width of the inter-mesh space and the safety margin needed between any cables or the inter-mesh bracket and the
tabs. When the mesh is constructed using rigid PCB tabs that are inserted as-is, without bending them, and when all tabs
have the same width and thickness, the radial width of the swept area decreases from tab to tab going outwards. A
consequence of this is that when the design target are constant-width inter-mesh spaces, the tabs' pitch decreases going
outwards.

\subsection{Offset labyrinth meshes}

\begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=2]{shaft_countermeasures_b.pdf}
    \caption[Offset labyrinth mesh schema]{Offset labyrinth mesh schema, cross-section and top-down views. The two
    dashed lines indicate the two meshes' offset axes of rotation, shifted in $x$ direction in both views. The numbers
    indicate the order a fiber traverses the inter-mesh space.}
    \label{qkd_fig_offset_lab_schema}
\end{figure}

Concentric labyrinth meshes improve upon simple disc meshes in security, but they have two remaining weaknesses. One is
that in a concentric labyrinth mesh, the part of the inner mesh at the axis is easily accessible through the opening in
the outer mesh. As the axis of rotation is the most vulnerable spot in a mesh because the tangential velocity of the
mesh is lowest close to the axis, tampering can be made more difficult by placing the axis of rotation of the inner mesh
not concentric with that of the outer mesh, but at a radial \emph{offset}.

A consequence of placing the axis of the inner mesh at an offset is that the inter-mesh rings formed by the tabs of the
two meshes now no longer form a set of concentric rings, but a set of nested non-concentric annulus shapes whose narrow
and wide sides alternate along the direction of the offset. We will show below how an optical fiber can still be wound
through this complex inter-mesh space without much trouble through a variation of the helical spiral trick from above to
avoid the annular rings' narrow sections. At the same time, the alternating narrow sections of the annular rings make it
more difficult to feed through the type of surgical robot we cited above, whose joints are designed for in-plane
operation for most of the manipulator, starting from the high-flexibility joints close to its end and down the neck. In
this section, we will show a design and a mechanical prototype of an offset labyrinth mesh design that improves on a
concentric labyrinth mesh on both the shielding of the secondary mesh axis and the feasibility of an attack with a
surgical robot without increasing mechanical complexity compared to a concentric design. In addition, we show a fiber
feedthrough that improves on the simple helical feedthrough we introduced above.

\begin{figure}
    \centering
    \includegraphics[width=0.45\textwidth]{schema_wire.pdf}
    \includegraphics[width=0.6\textwidth]{figures/pic_bracket_routing_small.png}
    \caption{Offset labyrinth mesh schema with fiber layout}
    \label{qkd_fig_offset_lab_fiber}
\end{figure}

Our offset labyrinth mesh design combines an offset of the secondary mesh's axis of rotation with the labyrinth mesh
approach from the previous section, creating wide and narrow inter-mesh spaces on alternating sides of the offset
direction as shown in in Figure\ \ref{qkd_fig_offset_lab_schema}. Structural support is provided using a CNC machined or
3D printed part, which also serves as a conduit for electrical connections from the shaft to the payload using an FFC.
The fiber is passed through the labyrinth in a three-dimensional spiral shape, avoiding the meshes while simultaneously
maximizing the fibers' bend radius.

\subsection{Experimental Validation}

To prove the mechanical viability of the offset labyrinth mesh concept, we created a mechanical prototype of one such
mesh. Figure\ \ref{qkd_fig_offset_lab_fiber} shows the proportions of the meshes' tabs along with the resulting tab
rings and a 2D projection of our chosen fiber layout. The fiber is laid out in such a way that it crosses each tab ring
at opposite sides, and traverses the vertical distance in the larger part of the inter-mesh space. Figure\
\ref{fig_pic_proto_detail} shows an exploded view of our mechanical prototype.

We threaded a standard \qty{50}{\micro\meter}/\qty{125}{\micro\meter} fiber through the bracket, spliced it to a
connector pigtail at the remote end, and measured its loss using a NK4000D handheld OTDR/OPM manufactured by Qingdao
Novker Communication Ltd. Comparing measurements of loss between a coiled fiber and a fiber fed through the bracket
resulted in a difference below the measurement floor of approximately \qty{0.25}{\decibel}.

\begin{figure}
    \begin{center}
        \includegraphics[width=0.45\textwidth]{fiber_passthrough_mech_model__8288_small_censored.jpg}
        \hspace*{5mm}
        \includegraphics[width=0.45\textwidth]{fiber_passthrough_mech_model__8292_small_censored.jpg}
    \end{center}
    \caption{A disassembled view of our optical passthrough mechanical prototype. The fiber is passed through from the
    shaft going through the IHSM's primary tamper sensing mesh cage to the outside into the interior of the IHSM through
    a channel in the green bracket. In a field application, the channel would be potted after fiber installation. A
    secondary tamper sensing mesh is located on the inside of the shaft interface and driven separately. In this
    prototype, the secondary mesh is driven by a cooling fan. Both independently rotating meshes have tabs that extend
    into the bracket such that they do not interfere, but reduce the space available to an attacker. The HSM's primary
    mesh cage is partially shown in white.
    \\\textbf{Note: Institutional logo removed from picture for peer review}
    }
    \label{fig_pic_proto_detail}
\end{figure}

\subsection{Interlocking gear meshes}

\begin{figure}[h!]
    \centering
    \includegraphics[width=\textwidth,page=3]{shaft_countermeasures_b.pdf}
    \caption[Offset gear labyrinth mesh schema]{Offset gear labyrinth mesh schema, cross-section and top-down views. In
    this example, the axis is shifted by about twice the offset from the previous offset labyrinth mesh schema in
    Figure\ \ref{qkd_fig_offset_lab_schema}.}
\end{figure}

The offset labyrinth design already achieves a high level of security through its complex passthrough shape, but only
small offset distances are feasible since large offsets quickly lead to impractically large mesh sizes. Where the pitch
from one tab ring to the next is roughly constant in concentric labyrinth meshes, and determined only by clearances and
the amount of inter-mesh space necessary for power and data feedthroughs as well as mechanical stability. In offset
meshes, on the other hand, this pitch increases by the offset distance. Even for a small offset this quickly adds up to
an unwieldy total mesh size.

A solution to this problem that allows for larger offsets is to make the two meshes' tabs interlock like gears. This
does mean that the two meshes' rotation must be synchronized, but it increases the design space of offset labyrinth
meshes. For instance, in a gear setup, the wide sides of the inter-mesh zones can be aligned to lie on the same side, so
fiber passthrough can be realized more easily even without the need to spiral the fiber around the axes of rotation.

For geared meshes to work, both speed and phase of the rotation of the two meshes must be synchronized to a small error.
In this setup, the mesh tabs act like gear teeth. Depending on the ratio between both meshes' tap counts, the two
meshes do not have to rotate at the same rate of rotation and harmonic ratios are possible. Additionally, unlike actual
gears which need to constantly maintain an area of contact, both co-rotating and counter-rotating setups are possible.

\section{Physical attacks and countermeasures}
\label{sec_attacks}
In this section we will consider possible ways to attack an IHSM-secured QKD relay, as well as potential
countermeasures.

\subsection{Attacks on the IHSM mesh}

There are two ways an attacker could attack the mesh itself if an adequate speed of rotation such as \qty{1000}{\rpm} is
used~\cite{gotteCantTouchThis2022}: Either, an attacker would have to slow down the mesh so they can perform a manual
attack, or they would have to use a robot. The first class of attack would require the attacker to falsify the readings
of the centrifugal accelerometer. Such Micro-Electro-Mechanical Systems (MEMS) accelerometers are complex devices, and
the simplest way to falsify its readings would be to attach a circuit to the accelerometer's data bus that overrides the
measurement result data. Creating such a circuit is easy, the challenge the attacker would have to overcome would be to
access this bus and attach this circuit to the mesh in motion without stopping or disturbing it. At high speeds, this
would necessarily require a custom attack robot.

\subsection{Contactless attacks on the payload}

Contactless attacks such as electromagnetic (EM) side-channel attacks or optical fault injection attacks on the payload
could conceivably be conducted from the outside of the mesh. The efficacy of EM side-channel as well as fault injection
attacks decays quickly with increased distance between probe and target, and they can be counteracted by simply placing
the QKD relay's components such that they are spaced apart from the mesh. Optical attacks, on the other hand can be
carried out even at a distance using appropriate focusing optics. The easiest way to prevent such attacks would be to
place the payload into an opaque enclosure inside the mesh.

An additional variant of optical attacks would be using a laser to cut or drill into the payload. Such attacks can be
impeded through several defense-in-depth measures. First, the payload QKD relay should be designed such that destroying
any part of it such as connecting wires or fibers causes it to fail resulting in a secure state. Irrespective of
attacks, this is a reasonable design objective anyway given that components could fail, and a component failure should
never put the device in an insecure state. Further, similar to other optical attacks, a shield can be used to prevent
laser cutting or drilling attacks as well with the only difference being the kind of shield. To prevent laser cutting or
drilling, a thick metal shield can be used. The large thermal mass, high thermal conductivity and reflective surface of
such a shield makes it difficult to cut. There are lasers such as pulsed Nd:YAG lasers that can cut even thick steel,
but these this cutting produces a large amount of metal plasma and debris, which would likely destroy the payload in the
process.

To make sure any active laser attack is quickly detected, as a final line of defense, both mesh and payload should
include wideband optical sensors in their array of environmental tamper sensors. For instace, high-power pulsed lasers
do not deposit much heat into their target because the surface of the target is vaporized by the laser pulse too
quickly, and thus might not trigger a simple temperature alarm inside the payload. In contrast, optical sensors even
outside of the laser's wavelength range would have no trouble detecting the light emitted from the metal plasma created
by the laser's pulses on impact with the payload.

\subsection{Fast, mechanical attacks on the payload}

A final class of attacks are mechanical attacks where an attacker mechanically compromises the IHSM QKD relay so quickly
that the tamper alarm mechanism has no time to act. An instance of such an attack would be using a gun to fire a bullet
at the payload, aiming to selectively destroy parts of it that are involved in tamper alarm response before they can
act. This class of attack can be counteracted in similar ways as the previously mentioned optical attacks. Destruction
of parts of the payload should never let it fall into an insecure state, meaning that such an attack alone should never
be enough to compromise the QKD relay. There is little one can do to prevent destruction of the payload by projectile or
by explosive, but a thick metal shield around the payload would make it more difficult to selectively target part of it
using a projectile.

\section{Outlook}
\label{sec_outlook}

\subsection{Achievable security guarantees}

Like conventional HSMs, Inertial HSMs are only ever an engeineering answer to a security question. In contrast with
cryptographic solutions that can achieve provable, information-theoretic security in some cases, an IHSM's security
rests upon an assumption on the engineering capabilities of an attacker. In contrast to conventional HSMs, which
achieve this engineering assumption through the manufacture of hard-to-manipulate tamper sensing meshes, Inertial HSMs
achieve it by rotating their tamper sensing mesh. In a conventional HSM, increasing the security of the tamper sensing
mesh requires fine-tuning a bespoke manufacturing process. In contrast, increasing the security of an IHSMs simply
requires making the rotor faster.

\subsection{Trust bootstrapping}

A key question in any trusted hardware deployment is how to bootstrap trust in a new device when faced with the
possibility of supply-chain attacks. Conventional HSMs are only manufactured by a single manufacturer, and the common
solution is to just trust that manufacturer. The HSM's manufacturer can factory-provision an identity key to the HSM
that can be used to ascertain the HSM's integrity during shipping to the customer.

One of the key components of IHSM technology is that it does not require specialized components, or potting of the
payload. While an IHSM could be manufactured and sold as a complete unit like a conventional HSM, their more modular
nature makes it possible to place more control in the IHSM's customer's hands. In particular, an IHSM could be sold
without a payload installed, allowing the customer to install their own payload (such as a QKD node) inside the IHSM.
Like a conventional HSM, the IHSM could be run during shipping to detect supply-chain attacks. Going further, since
IHSMs are build from commodity components, the user could directly license the IHSM design and manufacturer it
themselves, given them full control over the hardware supply chain. In a QKD deployment, the manufacturer of the QKD
node could build both the QKD subsystem and the IHSM and integrate both, given that this would not require additional
manufacturing capabilities due to the IHSM's simple construction.

\subsection{Network implementation}

IHSM-secured QKD nodes could be used to build QKD networks. IHSM-secured QKD nodes augment QKD network techniques such
as \textcite{caoHybridTrustedUntrusted2021}, who present a network structure that exploits MDI-QKD to replace some of
the network's nodes by untrusted nodes that do not require physical security.

\subsection{Device Longevity}

In any HSM application, failure of a single HSM must be mitigated through a backup and redundancy strategy that is
carefully chosen such that it does not pose a security risk. Conventional HSMs are often operated in a cluster made from
multiple HSMs. These clusters serve two purposes. First, they can compensate for the failure of a single HSM, which is
crucial given that ideally, the HSM's secrets should never be stored outside the HSM. Second, they improve processing
rate by sharing load across their constituent HSMs. Since conventional HSMs are highly limited in their processing speed
due to size and power dissipation constraints, this capacity is essential for some applications.

A cluster of Inertial HSMs can be set up in much the same way. In a QKD system, one implementation would be to run
multiple QKD links in parallel. The secret key streams of all links could then be combined using a hash function like it
is used in a single QKD link's privacy amplification step. When one QKD link fails, in this construction its secret key
stream can safely be replaced by a stream of zeros as long as the remaining operating links in sum still provide
sufficient entropy.

In an application where the overhead of multiple QKD links each requiring their own dark fiber would be too expensive,
multiple IHSM-protected QKD transceivers could be connected to a single optical fiber through an optical switch.
MEMS-based optical switchs are a well-established technology and can switch optical fibers within milliseconds at an
insertion loss of no more than a decibel or two. In a QKD application, this insertion loss would be tolerable since it
is a constant loss once at each end of the connection, and does not compound with distance. Since QKD secret key rates
stem from a stochastic process and as such are not constant, QKD systems buffer secret key bits. The switchover time of
an optical switch used for failover between two QKD transceivers as well as the link establishment time of the failover
transceiver can be absorbed by simply sizing this buffer appropriately.

\section{Conclusion}
\label{sec_conclusion}

In this paper, we applied the Inertial Hardware Security Module (IHSM) concept to physically trusted relay nodes in a
Quantum Key Distribution network. We note that the hardest challenge in the adoption of IHSMs in QKD relays is the
fiber-optic passthrough between the outside world and the IHSMs QKD relay payload. We show three concepts along the
spectrum trading off security and implementation complexity. All three concepts utilize a secondary rotating mesh on the
inside of the primary mesh's shaft opening. We practically demonstrate one of our concepts, the offset labyrinth mesh,
in a functional mechanical prototype. We experimentally measured the increase in loss of a standard telecommunications
fiber when inserted through our mechanical prototype's fiber passthrough, resulting in an increase in loss compared to a
straight fiber that was below our measurement threshold of approximately \qty{0.25}{\decibel}.

%\begin{credits}
%This is version \texttt{\input{version.tex}\unskip} of this paper, generated on \today. The git repository with the
%\LaTeX source for this paper, all hardware design files, and firmware and analysis source code can be found at:

%\center{Note: URL elided for peer review}
% \center{\url{https://git.jaseg.de/ihsm-sampling-mesh-monitor-hw.git}}
%\end{credits}

\printbibliography[heading=bibintoc]

\end{document}