Trojan-horse attacks threaten the security of practical quantum cryptography

TL;DR

This paper demonstrates a practical Trojan-horse attack on quantum key distribution systems, showing how an eavesdropper can extract secret information with high probability, highlighting security vulnerabilities and proposing countermeasures.

Contribution

The authors experimentally demonstrate a Trojan-horse attack on a real QKD system and analyze its effectiveness and potential defenses.

Findings

Eavesdropper can identify Bob's basis choice with over 90% probability.

High detector noise in Clavis2 prevents successful attack, but less-noisy detectors could be vulnerable.

Proposed countermeasures can mitigate the risk of such Trojan-horse attacks.

Abstract

A quantum key distribution system may be probed by an eavesdropper Eve by sending in bright light from the quantum channel and analyzing the back-reflections. We propose and experimentally demonstrate a setup for mounting such a Trojan-horse attack. We show it in operation against the quantum cryptosystem Clavis2 from ID~Quantique, as a proof-of-principle. With just a few back-reflected photons, Eve discerns Bob's secret basis choice, and thus the raw key bit in the Scarani-Ac\'in-Ribordy-Gisin 2004 protocol, with higher than 90% probability. This would clearly breach the security of the cryptosystem. Unfortunately in Clavis2 Eve's bright pulses have a side effect of causing high level of afterpulsing in Bob's single-photon detectors, resulting in a high quantum bit error rate that effectively protects this system from our attack. However, in a Clavis2-like system equipped with detectors with less-noisy but realistic characteristics, an attack strategy with positive leakage of the key would exist. We confirm this by a numerical simulation. Both the eavesdropping setup and strategy can be generalized to attack most of the current QKD systems, especially if they lack proper safeguards. We also propose countermeasures to prevent such attacks.