Cable Capacitance Attack against the KLJN Secure Key Exchange

The security of the Kirchhoff-law-Johnson-(like)-noise (KLJN) key exchange system is based on the Fluctuation-Dissipation-Theorem of classical statistical physics. Similarly to quantum key distribution, in practical situations, due to the non-idealities of the building elements, there is a small information leak, which can be mitigated by privacy amplification or other techniques so that the unconditional (information theoretic) security is preserved. In this paper, the industrial cable and circuit simulator LTSPICE is used to validate the information leak due to one of the non-idealities in KLJN, the parasitic (cable) capacitance. Simulation results show that privacy amplification and/or capacitor killer (capacitance compensation) arrangements can effectively eliminate the leak.

We will show that one of the most effective attacks against the practical KLJN system is the cable capacitance attack. It was first mentioned in 2006 [36], but it has never been tested. Subsequently, in 2008, a solution was suggested to eliminate this attack by adding a capacitor killer (capacitance compensation) arrangement [39].
In this paper, we use the industrial cable and circuit simulator LTSPICE by Linear Technology to simulate practical realizations of the KLJN system and to evaluate the cable capacitance attack. Solutions to mitigate this attack, such as the capacitor killer arrangement [39], and privacy amplification [44] are also tested.

The KLJN protocol
The KLJN secure key exchange system [1][2][3][4] is based on Kirchhoff's Loop Law and the Fluctuation-Dissipation Theorem. The core KLJN system is illustrated in Fig. 1 [2]. It consists of a cable as an information channel, switches, and two identical pairs of resistors, $R_L$ and $R_H$, where $R_L$ represents the Low key bit (0) and $R_H$ represents the High key bit (1).
At the beginning of each bit exchange period (BEP), Alice and Bob randomly select $R_L$ or $R_H$ and connect the corresponding resistor to the cable. The Gaussian voltage noise generators in the figure represent either the Johnson noise sources of the resistors or external voltage noise generators emulating Johnson noise (filters are not shown). The noise is band-limited white noise with a publicly agreed common bandwidth $B_{\mathrm{noise}}$ and a publicly agreed common noise-temperature $T_{\mathrm{eff}}$ [40]. The noises are statistically independent from each other and from the noise samples in the previous BEP [4]. Note that there are many advanced KLJN versions [41,42,56,60] with a greater number of resistor values; some with different temperatures [56,60].
Within each BEP, Alice and Bob measure the mean-square channel noise voltage and/or the channel noise currents $I(t)$ in the cable. The BEP has to be properly chosen to provide sufficient time for good statistics of the mean-square noise voltages and currents but not enough time for Eve to effectively utilize possible information leaks due to hardware non-idealities. According to Johnson's noise formula:  [2] the resistor value at the other end and hence they can learn the bit value (0 or 1) there.
With the cable being public, an eavesdropper (Eve) can also measure the channel noise voltages and currents. If Alice and Bob use the same resistance values, so the arrangement is $R_L R_L$ or $R_H R_H$, the resulting noise levels are singular (see Eqs. 1,2), thus the exchanged bit is non-secure and is discarded [2]. Conversely, the combinations $R_L R_H$ and $R_H R_L$ are degenerate because they produce the same noise levels. Thus the bit exchange is secure because Eve cannot differentiate between the two bit alternatives. From the noise levels (see Eqs. 1,2) Eve knows that Alice and Bob have exchanged a secure bit, but she does not know the location of $R_L$ and $R_H$.
In reality, the cable is non-ideal. Thus Eve can exploit the non-idealities of the cable, such as parasitic resistance, parasitic inductance and parasitic capacitance to attack the KLJN system.

Cable capacitance attack
In this paper, we assume coaxial cables because, in this case, the cable capacitance attack [36] can effectively be eliminated without the usage of privacy amplification. However, the attack works with any cable. Coaxial cables include two conductors: the inner wire, which is used as the KLJN channel, and the outer shield which is grounded (for the ground, see also Fig. 1). There is a non-zero capacitance between these two conductors that leads to capacitive currents. Part of the channel noise current is diverted by the parasitic capacitance, which causes a greater current at the end of the lower resistance. This gives Eve a chance to guess the value of the resistors with probability of success greater than 0.5.  . This is written as The capacitive current $I(t)$ is proportional to the time derivative of the channel noise voltage $U_x(t)$ and it is given by We define the cross-correlation (x) [34] at position x as the product of the channel noise current and the time derivative of the channel noise voltage: where  means finite time ( ) average. The location-dependence of (x) represents information leak [34].

Realization of the attack
The cable and circuit simulator LTSPICE by Linear Technology was used to emulate the practical KLJN system with the RG58 coaxial cable from its library. Throughout the simulations, we assumed that Alice selected $R_L$ = 1 kohm and Bob $R_H$ = 9 kohm, see Fig. 3.

Generating the noise
For the simulations, we generated Gaussian band-limited white noises. According to Johnson's noise formula, the required rms noise voltage $U_{\mathrm{th}}$ is where L H  Fig. 4(a) shows the probability density function (histogram) of the noise voltage of $R_L$. In Fig. 4(b) the cumulative distribution as normal probability plot can be seen where a straight line indicates exact normal distribution.

Comparing a lumped and the distributed element models at different wavelengths
First, for enhanced computational speed, we explored the possibility of using a lumped element cable model for the simulations because the continuum model simulations are at least 1000 times slower. Our data below prove that lumped elements can be used for high-accuracy simulations at the operational conditions of KLJN.
The quasi-static condition is required for the security of the KLJN system [2,34]. That means where $L_{\mathrm{ch}}$ is the cable length,  is the shortest wavelength at the highest frequency component of the noise bandwidth $B_{\mathrm{noise}}$, c is the propagation velocity in the cable, and  is the ratio of the wavelength to the cable length. It has been assumed that  must be at least around 10 to fulfill the KLJN conditions [34,49,50,57,58] (i.e., approximate quasi-static electrodynamics; see [49,50] about the proof that there are no waves in this limit).  . The characteristic impedance of the cable is 50 ohms. Fig. 6 shows the simulation results, where $U_{\mathrm{cha,lump}}$ and $U_{\mathrm{cha,dist}}$ are the voltage time functions of the lumped and distributed element models, respectively. In Fig. 6(a), the two waveforms are significantly different for the shortest wavelength with 0.8. In such a case, the waves can only be simulated with the distributed model. However, this situation is irrelevant for the operation of KLJN, as mentioned above.
In Fig. 6(b), with  =8, the two waveforms are very similar whereas in Fig. 6(c), at   800, the two waveforms are indistinguishable. Thus we can conclude that for situations   8, the lumped element simulations are satisfactory. Both cases are fine for the KLJN operation and we will use the   800 condition in the rest of the paper.
For our resistor values $R_L$ = 1 kohm and $R_H$ = 9 kohm, the cut-off frequency by the cable capacitance is 1.76 kHz and 17.6 kHz for a 1000 and a 100 meters cable, respectively. To avoid that the cable capacitance truncates the effective bandwidth of the noise, we used noise bandwidth $B_{\mathrm{noise}}$ = 0.25 kHz for the noise generators ( 800   at 1000 meters and   8000 at 100 meters).

The attack protocol
In this section, we discuss the information leak caused by the cable capacitance and evaluate Eve's success probability of guessing the key bits. The fixed bit arrangement is used between Alice and Bob.
When N approaches infinity, the probability of Eve's successful guessing of the bits is equal to the expected value of q and where non-zero  represents an information leak. When 0   the KLJN key exchange system is perfectly secure. We found that the higher the difference between the resistances, the higher the bandwidth, or the higher the parasitic capacitance (the longer the cable), the higher the leak.
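The trends stated above can be checked with a small frequency-domain model. This is an added example, not the paper's LTSPICE setup or Eve's decision statistic: it assumes an ideal wire with the whole cable capacitance lumped on one node, and about 100 pF per metre for RG58 (an assumption, consistent with the 1.76 kHz cut-off quoted for 1000 meters).

```python
import math

# Assumed value (not stated on the page): about 100 pF per metre for RG58,
# consistent with the 1.76 kHz cut-off the page quotes for 1000 m.
C_PER_METRE = 100e-12

def mean_square_current_ratio(r_a, r_b, c_cable, b_noise, steps=2000):
    """Return <I_A^2> / <I_B^2> for band-limited Johnson noise at equal temperature.

    Model: Alice (r_a) and Bob (r_b) drive one node through an ideal wire, and
    the whole cable capacitance c_cable hangs on that node. With conductances
    G = 1/R, white spectra S_A = 4kT/G_A and S_B = 4kT/G_B, and
    Y = G_A + G_B + j*w*C, the end currents have spectra
        S_IA = 4kT * (G_A*G_B*(G_A+G_B) + G_A*(w*C)^2) / |Y|^2
        S_IB = 4kT * (G_A*G_B*(G_A+G_B) + G_B*(w*C)^2) / |Y|^2
    so 4kT cancels in the ratio and only the (w*C)^2 term breaks the symmetry.
    """
    g_a, g_b = 1.0 / r_a, 1.0 / r_b
    g_sum = g_a + g_b
    common = g_a * g_b * g_sum
    ms_a = ms_b = 0.0
    for k in range(steps):                      # midpoint rule over 0..b_noise
        w = 2.0 * math.pi * (k + 0.5) * b_noise / steps
        wc2 = (w * c_cable) ** 2
        y2 = g_sum ** 2 + wc2
        ms_a += (common + g_a * wc2) / y2
        ms_b += (common + g_b * wc2) / y2
    return ms_a / ms_b

def ratio_for_cable(length_m, r_a=1e3, r_b=9e3, b_noise=250.0):
    """Page parameters: R_L = 1 kohm at Alice, R_H = 9 kohm at Bob, 0.25 kHz."""
    return mean_square_current_ratio(r_a, r_b, C_PER_METRE * length_m, b_noise)

if __name__ == "__main__":
    for length in (100, 1000):
        print(length, "m:", round(ratio_for_cable(length), 5))
    print("C = 0:", mean_square_current_ratio(1e3, 9e3, 0.0, 250.0))
```

A ratio above 1 means the larger mean-square current is at the lower-resistance end; with zero capacitance the ratio is exactly 1, which is the condition the capacitance compensation aims for.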

Simulation results of the cable capacitance attack
We simulated 6 different attack scenarios with these parameters: $R_L$ = 1 kohm, $R_H$ = 9 kohm, noise bandwidth $B_{\mathrm{noise}}$ = 0.25 kHz, sampling period $t_s$ = 1 msec; for 3 different single-bit exchange durations (measured by the unit of the autocorrelation time of the noise), 20, 50, 100; at 2 different cable lengths, 100 and 1000 meters. At each scenario, the key was 1000 bits long.
The simulation results are shown in Table 1. At bit exchange duration = 20 (50 bits per second), with a 100 meters cable, Eve's success rate was 50.9%. However, when the cable length was increased to 1000 meters with the other parameters unchanged, Eve's success rate increased to 62.2%.

Capacitor killer
The parasitic capacitance of the RG58 coaxial cable can be eliminated by the well-known capacitance compensation technique, called capacitor killer arrangement [39], providing the same voltage on the outer shield of the cable as on the inner wire. This can be done by an ideal voltage follower, see Fig. 8.
There is no capacitive current from the inner wire to the outer shield thus the attack is nullified.
We simulated the capacitor killer arrangement at the most effective attack scenario (i.e., when Eve's success rate was 76.9%). The simulation results showed that Eve's success rate was reduced from 76.9% to 50.1%. This indicated that the capacitor killer is very effective in eliminating the leak due to the parasitic capacitance at the practical cable conditions we tested.

Privacy Amplification
Another method to secure the key exchange and to reduce information leak is by utilizing privacy amplification [44]. Due to the extraordinarily low bit error probability of the KLJN system [51][52][53], privacy amplification (which is basically an error enhancer) can be used to effectively reduce any information leak. The simplest and most secure concept [44] is that Alice and Bob XOR the subsequent pairs of the key bits (i.e., XOR the first and the second bits to get the first bit of the new key, XOR the third and the fourth bits to get the next one, etc.). In this way the length of the new key will be half of the original one but Eve's success probability will get closer to 0.5; that is, it moves toward the limit of zero information. We simulated the effect of this technique by utilizing the most effective attack scenario (see Table 1). The simulation results showed that by XOR-ing once, Eve's success probability was reduced from 76.9% to 64.2%, which was further reduced to 54.4% by XOR-ing a second time, resulting in a cleaner key with correspondingly significantly higher security and one quarter of its original length.
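The pairwise-XOR step described above, as an added example that is not part of the paper. It assumes Eve's per-bit guesses are independent (an assumption not stated on the page); under it, one round maps success probability p to p^2 + (1-p)^2, which gives about 64.5% and 54.2% from 76.9%, close to the simulated 64.2% and 54.4%.

```python
import random

def xor_pairs(bits):
    """One privacy-amplification round: XOR bits (1st,2nd), (3rd,4th), ...

    The output is half as long; an unpaired last bit is dropped.
    """
    return [bits[i] ^ bits[i + 1] for i in range(0, len(bits) - 1, 2)]

def eve_success_after_xor(p, rounds):
    """Closed form, assuming independent per-bit guesses with success p.

    Eve's XOR-ed bit is right when both guesses are right or both are wrong.
    """
    for _ in range(rounds):
        p = p * p + (1.0 - p) * (1.0 - p)
    return p

def simulate(p, key_len, rounds, seed=1):
    """Monte Carlo check: returns (final key length, Eve's empirical success rate).

    The key and Eve's guesses are constructed sample data, not paper output.
    """
    rng = random.Random(seed)
    key = [rng.getrandbits(1) for _ in range(key_len)]
    eve = [b if rng.random() < p else b ^ 1 for b in key]
    for _ in range(rounds):
        # Alice/Bob and Eve apply the same public transformation.
        key, eve = xor_pairs(key), xor_pairs(eve)
    hits = sum(k == e for k, e in zip(key, eve))
    return len(key), hits / len(key)

if __name__ == "__main__":
    for r in (0, 1, 2):
        n, rate = simulate(0.769, 200000, r)
        print(r, "rounds:", n, "bits, analytic",
              round(eve_success_after_xor(0.769, r), 4), "simulated", round(rate, 4))
```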

Conclusions
By utilizing the LTSPICE simulator we have validated the cable capacitance attack. Both the capacitor killer method and privacy amplification have been able to eliminate the attack. The unconditional security of a practical KLJN key exchange system [4] has been preserved against this attack, too.
Note that the temperature compensation method [59], which is based on the non-equilibrium thermodynamical aspects of KLJN and eliminates the information leak in the wire resistance attack, does not reduce the efficiency of the cable capacitance attack.
Finally, we mention that there is a new, advanced protocol, the Random-Resistor-Random-Temperature (RRRT) KLJN scheme [60], where all the former attacks become invalid or incomplete, and currently no known attack works against it. This is true also for the cable capacitance attack presented above: it is invalid against the RRRT-KLJN scheme. Further studies will be needed to find ways for all the former attack schemes to successfully extract information from the RRRT-KLJN system [60] at nonideal conditions where they may leak information.