Invisible Trojan-horse attack
Shihan Sajeed, Carter Minshull, Nitin Jain, Vadim Makarov

TL;DR
This paper demonstrates an experimentally feasible Trojan-horse attack on practical quantum key distribution systems at a specific wavelength, revealing a security vulnerability that was previously considered ineffective at that wavelength.
Contribution
The study provides the first experimental demonstration of an invisible Trojan-horse attack at 1924nm, showing its effectiveness against certain QKD protocols.
Findings
Attack remains nearly invisible at 1924nm due to reduced detector noise.
Numerical comparison shows attack success at 1924nm but not at 1536nm.
Highlights security risks in QKD systems at specific wavelengths.
Abstract
We demonstrate the experimental feasibility of a Trojan-horse attack that remains nearly invisible to the single-photon detectors employed in practical quantum key distribution (QKD) systems, such as Clavis2 from ID Quantique. We perform a detailed numerical comparison of the attack performance against Scarani-Acin-Ribordy-Gisin (SARG04) QKD protocol at 1924nm versus that at 1536nm. The attack strategy was proposed earlier but found to be unsuccessful at the latter wavelength, as reported in N.~Jain et al., New J. Phys. 16, 123030 (2014). However at 1924nm, we show experimentally that the noise response of the detectors to bright pulses is greatly reduced, and show by modeling that the same attack will succeed. The invisible nature of the attack poses a threat to the security of practical QKD if proper countermeasures are not adopted.
Click any figure to enlarge with its caption.
Figure 1
Figure 2
Figure 3| Paths & points | Loss at (dB) | Loss at (dB) |
|---|---|---|
| X–Y | ||
| Y–Z | ||
| Z––X |
to
(polarization-dependent) |
|
| X–D0 | (via long arm) | (via short arm) |
| X–C–D1 | (via long arm) | (via short arm) |
| (nm) | |||
|---|---|---|---|
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Invisible Trojan-horse attack
Shihan Sajeed
Institute for Quantum Computing, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Corresponding author: [email protected]
Carter Minshull
Institute for Quantum Computing, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Department of Physics and Astronomy, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Nitin Jain
Department of Physics, Technical University of Denmark, Fysikvej, Kongens Lyngby 2800, Denmark
Vadim Makarov
Department of Physics and Astronomy, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Institute for Quantum Computing, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Abstract
We demonstrate the experimental feasibility of a Trojan-horse attack that remains nearly invisible to the single-photon detectors employed in practical quantum key distribution (QKD) systems, such as Clavis2 from ID Quantique. We perform a detailed numerical comparison of the attack performance against Scarani-Acín-Ribordy-Gisin (SARG04) QKD protocol at versus that at . The attack strategy was proposed earlier but found to be unsuccessful at the latter wavelength, as reported in N. Jain et al., New J. Phys. 16, 123030 (2014). However at , we show experimentally that the noise response of the detectors to bright pulses is greatly reduced, and show by modeling that the same attack will succeed. The invisible nature of the attack poses a threat to the security of practical QKD if proper countermeasures are not adopted.
Executive summary
A previous study in 2014 proposed a Trojan-horse attack against Clavis2 receiver (Bob) module; however the attack fell short of the performance level needed to breach the system security – by a large margin of roughly 100 times. Our present study shows that if an attacker resorts to using a longer wavelength () not ordinarily used in telecommunication, the same attack may breach the security. Although a complete eavesdropping apparatus is still quite challenging to build, it might be possible with today’s or near-future technology. To prevent this, we have recommended the manufacturer to install a wavelength filter, which is a simple fiber-optic component that can be added just outside the installed system without having to recall it to the factory. For customers using ID Quantique’s QKD products for critical data protection, we recommend that they inquire the manufacturer about this upgrade at the next convenient opportunity, such as a scheduled on-site maintenance. Not every installed system requires this upgrade: some systems are using protocols not vulnerable to this attack, and some may already have the wavelength filter included as part of network configuration. Since QKD cannot be attacked retroactively, security of customers’ historical network transmissions is not affected by this study.
Introduction
Quantum cryptography allows two parties, Alice and Bob, to obtain random but correlated sequences of bits by exchanging quantum states [1, 2, 3]. The bit sequences can then be classically processed to get shorter but secret keys. The security of the key relies on the fact that an adversary Eve cannot eavesdrop on the exchange without introducing errors noticeable to Alice and Bob. This constitutes a solution to the problem of key distribution in cryptography, and is better known as quantum key distribution (QKD).
The security of keys distributed over the ‘quantum channel’ connecting Alice and Bob can be validated by a theoretical security proof. If the amount of errors observed by the two parties exceed a certain threshold, they abort the QKD protocol. Conversely, if the incurred quantum bit error rate (QBER) is below the abort threshold , the protocol guarantees that Eve cannot know the secret key, except with a vanishingly small probability [3].
However, due to discrepancies between theory and practice, the operation of the QKD protocol may be manipulated by Eve in order to gain information about the key without introducing too many errors. Such discrepancies can arise due to imperfections in the physical devices used in the implementation and/or incorrect assumptions in the theoretical security proofs [3, 4, 5]. The field of ‘quantum hacking’ investigates practical QKD implementations to find such theory-practice deviations, demonstrate the resultant vulnerability via proof-of-principle attacks, and propose countermeasures to protect Alice and Bob from Eve. Over the years, many vulnerabilities have been discovered and attacks have been proposed and demonstrated on both commercial and laboratory QKD systems; see refs. 6, 7, 8 for reviews. In most cases, it was shown that under attack conditions, the QBER but Eve’s knowledge of the secret key was substantially larger than the predictions of the security proof.
In the so-called Trojan-horse attack [9] (introduced as a ‘large pulse attack’ a few years before [10]), Eve probes the properties of a component inside Alice or Bob by sending in a bright pulse and analyzing a suitable back-reflected pulse. This attack was recently demonstrated [11] with the intention to breach the security of the Scarani-Acín-Ribordy-Gisin QKD protocol (SARG04) [12] running on the commercial QKD system Clavis2 from ID Quantique [13]. SARG04 is a four-state protocol that is equivalent to the Bennett-Brassard QKD protocol (BB84) [1] in the quantum stage. Their difference comes in the classical processing stage: in SARG04, the bases selections of Bob are used for coding the secret bits, unlike in BB84 where they are publicly revealed. Therefore, if Eve surreptitiously gets information about Bob’s bases selections at any time, she can compromise the security of the QKD system running SARG04. (In contrast, a Trojan-horse attack on Bob running the BB84 protocol is normally useless [10], unless it is combined with other attacks [14, 15, 16].)
In the attack demonstration [11], it was shown that getting the bases’ information in a remote manner was indeed possible via homodyne measurement of the back-reflected photons. The path taken by these photons at , as depicted by the green dotted line in Fig. 1, traverses Bob’s phase modulator (PM) twice. The homodyne measurement thus allowed discerning the phase applied by Bob, which is equivalent to knowing his basis selection. This ‘phase readout’ was accurate in cases even when the mean photon number of the back-reflected pulses was .
Despite that, an overall attack on the QKD system did not have a chance to succeed owing to a side effect produced when the bright pulses went on to hit the detectors D0 and D1, as may be visualized in Fig. 1. To elaborate, the bright pulses result in a severe afterpulsing in these InGaAs/InP single-photon detectors (SPDs), which are operated in a gated mode. For a single bright pulse that hits D1, even if well outside a gate, the cumulative probability of a spurious detection event due to afterpulsing crosses (which is times the detection probability of a single photon) in just 5 gate periods [18]. The resulting detection events (clicks) are accidental, i.e., erroneous in half of the cases. Hence, only a handful of Trojan-horse pulses (THPs) suffice to rapidly elevate the number of erroneous clicks and make the QBER surpass , even though Eve’s actual knowledge of the key is still quite small. An elaborate attack strategy to improve was proposed and numerically simulated, however, it could also not simultaneously satisfy together with , where is the estimated (theoretical) security bound on Eve’s knowledge that Clavis2 uses to produce the final secret key [11]. While ref. 11 did not prove that a better attack could not be constructed, the attack proposed failed in practice by a large margin.
In this Article, we provide experimental evidence that this Trojan-horse attack could however succeed if Eve were to craft bright pulses at a wavelength where the afterpulsing experienced by the SPDs is considerably lower. The underlying physics is that photons with energy lower than the bandgap of the SPD absorption layer material (InGaAs) mostly pass the material unabsorbed, thereby causing negligible afterpulsing. Indeed, we confirm experimentally that at a relatively longer wavelength the SPD has much less afterpulsing than at (similar to the wavelength used in ref. 11). We then perform a numerical comparison of the attack conditions and performance at with these at . By means of an optimized simulation that assumes fairly realistic conditions, we show that the actual attack at can break the security of Clavis2. The attack in itself is general enough to be potentially applicable to most discrete-variable QKD systems, and can be categorized with those that exploit vulnerabilities arising from the wavelength-dependence of optical components [19, 20].
Experiment
While using for the attack offers the benefit of reduced afterpulsing, the transmittance and reflectance properties of different optical components inside Bob vary greatly in comparison with those measured at . Most relevant to the attack, the attenuation is generally higher; for instance, the optical loss through the PM at is higher than that at . Furthermore, the modulation itself varies with since the modulator’s half-wave voltage is a function of wavelength. If Eve uses light at to estimate Bob’s randomly modulated phase ( or at ) through the homodyne measurement of a pulse that made a single pass through the PM, the measurement outcomes will not be on orthogonal quadratures.
Altogether, it is thus likely that compared to ref. 11, Eve would not only need to inject a larger mean photon number into Bob, but may also require a higher mean photon number in the back-reflection for successful homodyne measurements. To calculate the efficacy of the attack, we experimentally quantify at (relative to ) the following three aspects: increased attenuation, altered phase modulation, and decreased afterpulsing. Figure 1 shows a schematic of the experimental setup used for various measurements.
Increased attenuation
To gauge the increase in attenuation, we measured the optical loss of various components of Bob at both and . In Fig. 1, the dotted line (path X–Y––Y–X, where ⋆ indicates the source of reflection) shows the attack path used in ref. 11. Relevant loss values are given in the left column of Table 1. With a round trip loss of , Trojan-horse pulses injected with photons yielded photons in the back-reflection from Bob. Here, is the loss during reflection at Z, the fiber connector after Bob’s PM.
For an attack at with Trojan-horse pulses traversing the same path, the round trip loss would be (with the further assumption that is independent of wavelength). The attack pulses at would therefore face more attenuation than at . A major contribution to this large attenuation is from the PM, which even gets doubled since the THPs travel through the PM twice.
However, since a single pass can also yield information about , Eve can opt for a different route where only either the input forward-traveling THP or the back-reflected pulse passes through Bob’s PM. All Eve requires is a reasonably large source of reflection from any component after the 5050 beamsplitter (BS). Indeed, during our loss measurements at we observed a large attenuation through the optical circulator (C), a part of which stems from a rather generous back-reflection. We estimated the loss for the path Z––X (via BS twice and polarizing beamsplitter once) using a photon-counting method, described below.
We temporarily connected the polarization-controlled output of the laser at Z to send light towards the BS. The average power of the pulsed laser, operated at repetition rate, was , corresponding to a mean photon number per pulse . An SPD was connected at X to detect the back-reflections from C. To prevent other back-reflections from contributing to the photon counts, Bob’s laser and detectors D0 and D1 were disconnected, and the patchcords (with open connectors) were coiled on a pencil to strongly attenuate the propagating light.
Two counters (Stanford Research Systems SR620) were used to measure the number of optical pulses sent by the laser and the number of pulses received by the detector maximized over input polarization at Z. The mean photon number per pulse at X was estimated as from the relation,
[TABLE]
where is the number of dark counts and is the single-photon detection efficiency at , which was estimated in a separate experiment similar to the one in ref. 20. The ratio of the mean photon numbers provides the overall loss . The dashed line in Fig. 1 shows the complete attack path. Eve’s THPs from the quantum channel enter the long arm of Bob, pass through the modulator, and after a reflection from the BS, propagate to the circulator. Here, they get back-reflected and then take the short arm to exit Bob, passing through the BS again. Using Table 1, this path can be characterized by a total loss .
As noted above, the value of was polarization-sensitive. For the worst input polarization, decreased by , changing the overall loss to . For the rest of the paper, we shall assume the attack pulses to be in a polarization midway between the best and the worst, leading to a loss figure of used to decide Eve’s photon budget. In terms of photon numbers, this implies that in order to get the same number of photons out from Bob (i.e., ), Eve needs to inject times more photons at than at .
Altered phase modulator response
We now explain an impact of the altered phase modulation experienced by Eve’s THPs at as they travel through Bob’s PM. As mentioned before, Bob randomly chooses between voltages or to apply a phase or on Alice’s incoming quantum signal at (or in the vicinity of) . Eve’s objective is to learn . The double pass through the PM in ref. 11 implied that Eve had to discriminate between a pair of coherent states with angle between them, as illustrated in Fig. 2(a).
At , the phase modulator is expected to lose efficiency and provide less phase shift at the same voltage. Furthermore, Eve’s THP only traverses it once. Assuming a linear response of the PM, one can calculate the angle between the coherent states available to Eve.
Since the half-wave voltage of the PM at was not specified by the manufacturer, we experimentally measured it. We constructed a balanced fiber-optic Mach-Zehnder interferometer, incorporating the path X–Z (Fig. 1) into one of its arms. We applied a square modulation voltage to the PM, and observed interference fringes at the output port of the interferometer. We adjusted the voltage amplitude until it was causing no light modulation at the output port, indicating an exact phase shift. From this, we found that . By the same method with the laser, we found .
From this measurement, we calculated . The increased overlap between the two states and with , as depicted in Fig. 2(b), would make discrimination between Bob’s choices of more difficult. Eve can however increase the brightness of the injected Trojan-horse pulse: this would elicit a higher mean photon number in the back-reflection, effectively translating the states farther from the origin to diminish the overlap. The increment factor that makes the distance between the states at equal to that at is given by
[TABLE]
implying that a mean photon number at would ensure a close-to-unity probability in the phase readout [11].
Decreased afterpulse probability
To quantify the decrease in the afterpulse probabilities in Bob’s detectors, we used the setup shown in Fig. 1. A single THP was synchronized to the first in a series of detection gates [18, 11] of Bob, and the times at which clicks occurred in the onward gates were then recorded. The delay of the THP relative to the first gate was adjusted such that the pulses going through Bob’s long arm hit the detectors just a few nanoseconds after the gate was applied by Bob. Although we did utilize a polarization controller, only a maximum of of the incoming optical power at could be routed through the long arm. The remaining light, after having suffered propagation losses through the short arm, hit D0 and D1 around before the first gate (propagation time through the short arm is faster than the long arm in Clavis2 [17]). These light pulses before the gate were found to be the dominant cause for increased noise in the detectors.
Figure 3 shows the time distribution of counts recorded in detector D0 at the wavelengths and . Each of the histograms was prepared by recording counts. To make the most of the limited number of histogram bins in the counter (SR620), each bin was wide and included counts from two consecutive gates. This allowed us to cover a time range of . THPs with mean photon numbers and were used for wavelengths and respectively. Despite , the data acquisition for the latter took much longer, indicating that most of the clicks were actually (thermal) dark counts. The number of counts per bin settled down at a constant value, representing dark counts, after (right half of the histogram). The total number of thermal dark counts collected could then be calculated by multiplying this value by the total number of bins in the entire histogram. All remaining counts could then be attributed to afterpulsing. Table 2 lists these counts at the two wavelengths. The afterpulse counts () make the bulk of the counts at , while dark counts () are in the majority at .
It can also be observed in Fig. 3 that afterpulsing decay profile at both wavelengths is roughly similar, however the ratio of longer to shorter lifetime components is slightly larger at . Although this would help our modeled attack [11], for simplicity we have conservatively assumed that the decay parameters at are the same as at [18, 21], aside from different overall afterpulse probability.
To compute a numerical factor that compares the afterpulsing noise induced at the two wavelengths, we first take the ratio at each wavelength. Then, assuming the dark count probability per detector gate stayed constant between the two measurements, we take a ratio of these ratios. We assume a linear scaling of the afterpulse probability with the energy of the THP, and further normalise for the dissimilar mean photon numbers and of the THPs. The numerical factor is then
[TABLE]
In other words, a photon at is only times as likely to cause an afterpulse as a photon at .
Attack modeling and discussion
Relative to , an attack at can thus effectively decrease the afterpulsing probability in D0 by
[TABLE]
The factor combines the results discussed previously on the aspects of increased attenuation and altered phase modulation, which required THPs injected into Bob at to be times brighter than at to ensure optimal attack performance.
To calculate the afterpulsing probability for D1, one must also consider different losses from Bob’s entrance to detectors D0 and D1 for the two attack paths (via the long arm at and short arm at , as shown in Fig. 1). We minimised by adjusting input polarisation at X, then measured losses between X and the detectors through the short arm. varied by a factor of 11 over the input polarization, while unexpectedly was independent of the input polarization. Using the measured loss values (listed in the last two rows in Table 1), we calculate the effective decrease in the afterpulsing probability in D1
[TABLE]
With afterpulsing amplitudes reduced by and , we have repeated the simulation of the attack strategy proposed in ref. 11. Let us first recap this strategy, in which Eve manipulates packets or ‘frames’ [13] of quantum signals traveling from Alice to Bob in the quantum channel. For instance, she may simply block the quantum signals for several contiguous time slots in a frame, thereby preventing any detection clicks (except those arising from dark counts) in Bob over a certain period of time. Conversely, she could substitute the quantum channel with a low-loss version to increase the detection probability in another group of slots. Such actions provide Eve some control over when Bob’s SPDs enter deadtime [22] inside the frame, which is used to increase the efficacy of her attack. This is essentially done by attacking in bursts, i.e., probing the phase modulator by sending bright THPs in a group of slots, thus making the SPDs enter deadtime as quickly as possible to let the afterpulses decay harmlessly and contribute as little as possible to the QBER. By balancing the usage of the low-loss line and the number of slots blocked per frame, Eve can also ensure that Bob does not notice any significant deviation of the observed detection rate (typically averaged over a large number of frames).
A numerical simulation modeling the above attack strategy during the operation of the QKD protocol is used to calculate Bob’s incurred QBER and Eve’s actual knowledge of the raw key . This is performed for different attack combinations, i.e., by varying the number of slots that are blocked or simply passed via the low-loss line (with or without accompanying THPs). If for at least one combination, exceeds the estimation from the security proof but , the attack strategy is successful in breaching the security.
For an attack at , we have been able to find several such combinations for the given frame size of slots and a quantum channel transmittance . For instance, in one such combination, a total of slots out of are blocked by Eve. The remaining slots pass from Alice to Bob via a low-loss line with transmittance , and out of them only slots — periodically distributed in bursts of slots each inside the frame — are accompanied by THPs to read the modulation. With this attack combination, we were able to obtain (calculation based on Clavis2 parameters and the attack conditions [11]) and (empirically determined in ref. 23). We remark here that for a similar value of , the best optimized attacks at could not even yield . Furthermore, in contrast to the used in ref. 11, implementing the attack strategy with here makes the attack closer to be feasible in practice.
Note that in the simulation, we have mixed measurement results from two samples of Clavis2 system. The optical loss measurements at and the relative decrease in afterpulsing come from the system installed in Waterloo (Bob module serial number 08020F130), while the decay parameters of trap levels in avalanche photodiodes measured at come from the system in Erlangen (Bob module serial number 08008F130) [21]. We further note that the latter figures vary significantly between D0 and D1, although the two avalanche photodiodes were of the same type and at the same temperature [18]. Therefore our simulation only gives a rough indication of attack performance. Results of the actual attack, if it is performed, will vary from sample to sample. However, also note that we have tested a single long wavelength of ; a different wavelength may well yield better attack performance. Finally, more recent commercial systems deploy SPDs with much better efficiencies and afterpulsing characteristics and, as noted in ref. 11, this benefits the eavesdropping strategy.
We expect homodyne detection at to be easy to implement by using p-i-n diodes with extended infrared response [24, 25]. Based on the published specs, the latter should provide detection performance in our setting similar to that demonstrated at [11]. Separating Eve from Bob by some distance of fiber does not degrade the attack very fast; we have measured loss at in a diameter spool of Corning SMF-28e [26] fiber.
The easiest countermeasure to protect the QKD system from this attack is to properly filter the light entering the system [20, 27]. E.g., adding a narrow-pass filter at Bob’s entrance will force Eve to use the signal wavelength and reduce her attack performance to the original failure, provided poor detector afterpulsing properties are maintained in production [11]. Another countermeasure would be to use a QKD protocol that does not require the receiver’s PM settings to be secret, such as BB84 with decoy states [10, 28, 3]. However, protecting the source’s PM settings will still be required in most QKD protocols [27, 29].
Conclusion
In conclusion, we have shown that despite the increased attenuation and sub-optimal phase modulation experienced around , the Trojan-horse attack performed at this wavelength has a very good chance of being invisible, because the afterpulsing experienced by Bob’s detectors is extremely low. This attack is mostly implementable with commercial off-the-shelf components. Therefore, an urgent need exists to incorporate effective countermeasures into practical QKD systems to thwart such threats.
Acknowledgements
We thank ID Quantique for cooperation, technical assistance, and providing us the QKD hardware. This work was funded by Industry Canada, CFI, NSERC (programs Discovery and CryptoWorks21), Ontario MRI, and the US Office of Naval Research. N.J. acknowledges the warm hospitality of the Institute for Quantum Computing, where this work was carried out.
Author contributions statement
S.S. and C.M. performed the experiments. N.J. performed attack modeling and contributed to the experiments. V.M. supervised the study. All authors performed data analysis and contributed to writing the article.
Additional information
Competing financial interests: The authors declare no competing financial interests.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] Bennett, C. H. & Brassard, G. Quantum cryptography: Public key distribution and coin tossing. In Proc. IEEE International Conference on Computers, Systems, and Signal Processing (Bangalore, India) , 175–179 (IEEE Press, New York, 1984).
- 2[2] Gisin, N., Ribordy, G., Tittel, W. & Zbinden, H. Quantum cryptography. Rev. Mod. Phys. 74 , 145–195 (2002).
- 3[3] Scarani, V. et al. The security of practical quantum key distribution. Rev. Mod. Phys. 81 , 1301–1350 (2009).
- 4[4] Makarov, V. Cracking quantum cryptography. In CLEO/Europe and EQEC 2011 Conference Digest , ED 3_1 (Optical Society of America, 2011).
- 5[5] Scarani, V. & Kurtsiefer, C. The black paper of quantum cryptography: real implementation problems. Theor. Comput. Sci. 560 , 27–32 (2014).
- 6[6] Lo, H.-K., Curty, M. & Tamaki, K. Secure quantum key distribution. Nat. Photonics 8 , 595–604 (2014).
- 7[7] Jain, N. et al. Attacks on practical quantum key distribution systems (and how to prevent them). Contemp. Phys. 57 , 366–387 (2016).
- 8[8] Liang, L.-M., Sun, S.-H., Jiang, M.-S. & Li, C.-Y. Security analysis on some experimental quantum key distribution systems with imperfect optical and electrical devices. Front. Phys. 9 , 613–628 (2014).
