Laser seeding attack in quantum key distribution
Anqi Huang, \'Alvaro Navarrete, Shi-Hai Sun, Poompong Chaiwongkhot,, Marcos Curty, Vadim Makarov

TL;DR
This paper demonstrates a laser seeding attack on practical quantum key distribution systems, revealing a vulnerability in trusted sources that could compromise the security of quantum cryptography protocols.
Contribution
It experimentally shows a new attack on semiconductor laser sources used in QKD, with a general security analysis applicable to various protocols.
Findings
Laser seeding increases pulse intensity unnoticed
The attack can compromise MDI-QKD security
Security analysis applies broadly to intensity-increasing vulnerabilities
Abstract
Quantum key distribution (QKD) based on the laws of quantum physics allows the secure distribution of secret keys over an insecure channel. Unfortunately, imperfect implementations of QKD compromise its information-theoretical security. Measurement-device-independent quantum key distribution (MDI-QKD) is a promising approach to remove all side channels from the measurement unit, which is regarded as the "Achilles' heel" of QKD. An essential assumption in MDI-QKD is however that the sources are trusted. Here we experimentally demonstrate that a practical source based on a semiconductor laser diode is vulnerable to a laser seeding attack, in which light injected from the communication line into the laser results in an increase of the intensities of the prepared states. The unnoticed increase of intensity may compromise the security of QKD, as we show theoretically for the…
| Channel loss coefficient () | ||
|---|---|---|
| Background rate | ||
| Total misalignment error | 1.5% | |
| Detection efficiency of the SPDs | 30% | |
| Error correction efficiency | 1.12 |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Laser seeding attack in quantum key distribution
Anqi Huang
Institute for Quantum Information & State Key Laboratory of High Performance Computing, College of Computer, National University of Defense Technology, Changsha 410073, People’s Republic of China
Institute for Quantum Computing, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Álvaro Navarrete
EI Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
Shi-Hai Sun
School of Physics and Astronomy, Sun Yat-Sen University, Zhuhai 519082, People’s Republic of China
Poompong Chaiwongkhot
Institute for Quantum Computing, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Department of Physics and Astronomy, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Marcos Curty
EI Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
Vadim Makarov
Russian Quantum Center, Skolkovo, Moscow 121205, Russia
Shanghai Branch, National Laboratory for Physical Sciences at Microscale and CAS Center for Excellence inQuantum Information, University of Science and Technology of China, Shanghai 201315, People’s Republic of China
NTI Center for Quantum Communications, National University of Science and Technology MISiS, Moscow 119049, Russia
Department of Physics and Astronomy, University of Waterloo, Waterloo, ON, N2L 3G1 Canada
Abstract
Quantum key distribution (QKD) based on the laws of quantum physics allows the secure distribution of secret keys over an insecure channel. Unfortunately, imperfect implementations of QKD compromise its information-theoretical security. Measurement-device-independent quantum key distribution (MDI-QKD) is a promising approach to remove all side channels from the measurement unit, which is regarded as the “Achilles’ heel” of QKD. An essential assumption in MDI-QKD is however that the sources are trusted. Here we experimentally demonstrate that a practical source based on a semiconductor laser diode is vulnerable to a laser seeding attack, in which light injected from the communication line into the laser results in an increase of the intensities of the prepared states. The unnoticed increase of intensity may compromise the security of QKD, as we show theoretically for the prepare-and-measure decoy-state BB84 and MDI-QKD protocols. Our theoretical security analysis is general and can be applied to any vulnerability that increases the intensity of the emitted pulses. Moreover, a laser seeding attack might be launched as well against decoy-state based quantum cryptographic protocols beyond QKD.
I Introduction
The distribution of a secret key between two authorized parties, Alice and Bob, is a fundamental but challenging cryptographic task. Such secret key is the essential resource of the one-time-pad algorithm Vernam (1926), the only known encryption method that can offer unconditionally secure communications. Public-key cryptography solves this problem by resorting to computational assumptions, for instance, the difficulty of factoring large numbers Rivest et al. (1978). This approach is however vulnerable to technological advances in both hardware and software; indeed, it is well-known that factoring is an easy problem on a quantum computer Shor (1997). Quantum key distribution (QKD), on the other hand, provides a solution based on the laws of quantum physics, and thus, in theory, it can guarantee that the distributed keys are information-theoretically secure Gisin et al. (2002); Scarani et al. (2009); Lo et al. (2014).
There is however a big gap between the theory and the practice of QKD because the behaviour of real QKD devices typically deviates from that considered in the security proofs. Such deviation could be exploited by an eavesdropper, Eve, to obtain information about the secret key without being detected in QKD implementations Makarov et al. (2006); Qi et al. (2007); Lamas-Linares and Kurtsiefer (2007); Lydersen et al. (2010a, b); Wiechers et al. (2011); Lydersen et al. (2011a, b); Gerhardt et al. (2011); Sun et al. (2011); Jain et al. (2011); Bugge et al. (2014); Sajeed et al. (2015a); Huang et al. (2016); Sajeed et al. (2016); Makarov et al. (2016); Huang et al. (2018, ); Zheng et al. (2019a, b); Chistiakov et al. (2019). Most of the quantum hacking attacks realized so far exploit imperfections of the single-photon detectors (SPDs) – the “Achilles’ heel” of QKD Makarov et al. (2006); Qi et al. (2007); Lamas-Linares and Kurtsiefer (2007); Lydersen et al. (2010a, b); Wiechers et al. (2011); Lydersen et al. (2011a, b); Gerhardt et al. (2011); Bugge et al. (2014); Sajeed et al. (2015a); Huang et al. (2016); Makarov et al. (2016). Indeed, in recent years there has been an enormous effort to try to close the detectors’ security loopholes and restore the security of QKD realizations. Some solutions are based on hardware and software patches Lim et al. (2015); Dixon et al. (2017), whose drawback is however that each patch typically protects only against a specific loophole, i.e., the system might still be vulnerable to unknown attacks. Moreover, patches might also be hacked Huang et al. (2016); Makarov et al. (2016). A safer and more elegant solution is that of measurement-device-independent QKD (MDI-QKD) Lo et al. (2012); Curty et al. (2014). Remarkably, this latter approach guarantees security independently of the behaviour of the measurement device, which can be treated as a “black box” fully controlled by Eve. This is achieved by turning Bob’s receiver into a transmitter by means of a time-reversed Einstein-Podolsky-Rosen (EPR) protocol Biham et al. (1996); Inamori (2002). MDI-QKD has been successfully demonstrated in several recent experiments Rubenok et al. (2013); da Silva et al. (2013); Liu et al. (2013); Tang et al. (2014); Comandar et al. (2016); Tang et al. (2016) including an implementation over km Yin et al. (2016a).
With the advent of MDI-QKD all security loopholes from the measurement unit are closed, so the focus is now on how to protect the QKD transmitters. For instance, decoy-state QKD Hwang (2003); Wang (2005); Lo et al. (2005a) is a practical solution to defeat the photon-number-splitting attack Huttner et al. (1995); Brassard et al. (2000). More recently, several works have considered other imperfections of the transmitter, and new security proofs that guarantee security in the presence of such imperfections have been developed Tamaki et al. (2014); Mizutani et al. (2015); Lucamarini et al. (2015); Tamaki et al. (2016); Wang et al. (2018); Yoshino et al. (2018); Mizutani et al. (2019); Pereira et al. . For example, Refs. Lucamarini et al. (2015); Tamaki et al. (2016); Wang et al. (2018) quantify the optical isolation that is needed in order to achieve a certain performance (i.e., a certain secret key rate over a given distance) in the presence of a Trojan-horse attack (THA), in which Eve injects bright light into the transmitter and then analyses the back-reflected light to obtain information about the quantum signals emitted. Finally, a type of light injection attack that affects the operation of the laser diode in the transmitter has recently been introduced, allowing Eve to actively de-randomise the source’s phase and even change other parameters Sun et al. (2015). Indeed, the use of non-phase-randomised signals has a severe effect on the security of QKD, as has been shown in the past decade Lo and Preskill (2007); Sun et al. (2012); Tang et al. (2013); Sun et al. (2014).
While the results above are promising, there is still a long way to go to be able to ensure the security of QKD implementations. For instance, a fundamental assumption of QKD is that the intensity of the quantum states prepared by Alice is set at a single-photon level. This assumption is indeed vital for a QKD system. However, no study has investigated whether or not Eve could increase the mean photon number of the prepared states. Here we introduce, and experimentally demonstrate, a quantum hacking attack, which we call “laser seeding attack”, that can increase and control the intensity of the light emitted by the laser diode in the transmitter of a QKD system. This attack has been confirmed experimentally for two types of laser diodes. Different from the THA that analyses the back-reflected light that is originally from an external independent source, the laser seeding attack manipulates the functioning of the transmitter’s laser diode directly. That is, while in a THA Eve tries to correlate her signals with the quantum states prepared by the legitimate users of the system, in a laser seeding attack the goal of Eve is to directly increase the intensity of such quantum states. Most importantly, this attack seriously compromises the security of decoy-state based QKD, which includes MDI-QKD with practical light sources as a prominent example. More precisely, in the presence of this attack, current security analyses overestimate the resulting secret key rate and thus they do not guarantee security.
II Experimental setup
To investigate to which extent Eve can increase the output optical power of a laser diode by injecting light into it, we conduct an experiment whose schematic is illustrated in Fig. 1. On Alice’s side, the laser diode, as a testing target, generates optical pulses. As a hacker, Eve employs a tunable laser (Agilent 8164B) to send continuous-wave (c.w.) bright light to Alice’s laser diode via a single-mode optical fibre. The tunable laser is able to adjust the wavelength and output power of the signals emitted so that Eve can inject photons with a proper wavelength into Alice’s laser. In so doing, the energy of each injected photon can match the energy difference between the excited state and the ground state of the laser, and thus satisfy the condition for stimulated emission.
In order to maximize the injection efficiency, a polarization controller is used to adjust the polarization of Eve’s laser such that it matches that of Alice’s laser. To separate Eve’s injected light from that emitted by Alice, we employ an optical circulator. Eve’s light enters port 1 of the circulator and exits through its port 2, while Alice’s light goes from port 2 of the circulator to its port 3 (see Fig. 1). We record Alice’s output pulses with an optical-to-electrical converter with bandwidth (Picometrix PT-40A) that is connected to a high-speed oscilloscope (Agilent DSOX93304Q) of bandwidth. The average pulse energy is then calculated by integrating the recorded averaged waveform. A cross-check using an optical power meter has confirmed that this method is accurate. We observe the energy of Alice’s laser pulses with and without Eve’s tampering laser. We have tested two ID300 short-pulse laser sources from ID Quantique and one LP1550-SAD2 laser diode (LD) from Thorlabs. They are triggered by an external signal. ID300 contains a factory pre-set pulsed driver electronics and produces – full width at half maximum (FWHM) optical pulses, with their repetition rate controlled by our external electronic pulse generator (PG; Picosecond 12050). LP1550-SAD2’s diode current is driven directly from the PG with pulse parameters set to obtain about FWHM optical pulses from the LD. The pulse repetition rate for all samples is . The electronic pulse generator also acts as the external trigger of the oscilloscope as shown in Fig. 1.
III Experimental results
Both samples of ID300 exhibit controllability of their output power by Eve. We first measure the center wavelength of each laser with a spectrum analyser (Yokogawa AQ6370D). Then, in the experimental setup shown in Fig. 1, we dial the value of Alice’s wavelength in Eve’s laser. As a result, the output power of Alice’s pulse suddenly increases. To obtain the maximum output power under Eve’s control, we finely tune Eve’s wavelength until the largest energy rise is observed, which is for sample 1 and for sample 2. This is the case we focus on. Additionally, we have noted that slightly different seed wavelengths result in different pulse shapes as shown in Appendix A.
When we gradually increase the power of Eve’s c.w. laser, the energy of Alice’s emitted pulses also increases. This is shown in Fig. 2 (a) and (b), which illustrates the waveforms of Alice’s pulses for various tampering light powers. If we compare these results with the original waveform of Alice’s pulses (i.e., that in the absence of Eve’s tampering laser), there are two main effects. First, as already mentioned, we see that the energy of the emitted optical pulses gets larger when we increase the tampering light power. Especially, Eve’s injected light makes Alice’s laser pulses wider with a much longer and higher tail as shown in Fig. 2 (a) and (b). The tail contains more energy when higher power is injected into the diode. Second, under the laser seeding attack, the main peak of Alice’s pulse shifts to be earlier. This is because the injected light triggers the stimulated emission that happens quicker than the spontaneous emission in Alice’s laser diode. Thus, Alice’s pulse reaches the peak power earlier and is followed by a tail with 2–4 secondary oscillations under the attack.
We have measured the energy of Alice’s pulses for different tampering light powers. The results are shown in Fig. 3 as black curves. In particular, we find that when there is no attack, this energy is () for sample 1 (2). Then, we gradually increase the power of Eve’s c.w. laser up to , and obtain that the output energy of Alice’s laser rises up to () for sample 1 (2). That is, the pulse energy increases 3.07 (4.57) times for sample 1 (2).
Under the same experimental procedure done with ID300, a similar effect is observed in the laser LP1550-SAD2. The wavelength of the injected c.w. light is set to the center wavelength of the laser diode first, then tuned slightly to where we observe the maximum increase in Alice’s pulse energy. Figure 2 (c) shows the waveforms of Alice’s pulses for the same tampering light powers as those in Fig. 2 (a) and (b). Similarly to ID300 lasers, here the energy of the pulses increases with the tampering power as well. The rising edge of Alice’s pulse also starts earlier in the presence of the attack. The increase of the pulse energy as a function of Eve’s tampering power is shown in Fig. 3 as a red curve. If there is no attack, the average energy of Alice’s laser pulses is , while it reaches when the tampering power is . That is, in this case the pulse energy increases 1.13 times.
We note that the commercial lasers under test in our experiment (ID300 and LP1550-SAD2) contain an internal optical isolator of the order of –. Thus, a few light that is applied in our experiment is first attenuated at the internal isolator of the laser, which means that only about power actually reaches the laser cavity. This analysis indicates that an injection power in the order of could be enough to control the intensity of Alice’s pulses. Indeed, this value of injection power has been also confirmed recently by the experimental results shown in Ref. Pang et al. , in which Eve’s injection power is in – range. We also note that a real QKD system may use a laser diode without the internal isolator, then the injection power used in our laser seeding attack may be reduced to the above level.
IV Effect on the security of QKD
Now we show theoretically how an unnoticed increase of the optical power emitted by a QKD transmitter, due to the attack described above, could seriously compromise the security of a QKD implementation. We assume that Alice’s photon number statistics is Poissonian and is not influenced by our attack. The former may not necessarily be the case Dynes et al. (2018), and investigating the validity of the latter assumption could be the topic of a future study. Based on this assumption, we shall consider the case of decoy-state based QKD Hwang (2003); Wang (2005); Lo et al. (2005a), which includes the most implemented QKD schemes today. We refer the reader to Appendix B for further details about decoy-state based QKD. For simplicity, in our analysis we shall assume the asymptotic scenario where Alice sends Bob an infinite number of pulses, i.e., we disregard statistical fluctuations due to finite size effects. Also, motivated by the experimental results presented in the previous section, we shall consider that Eve’s attack increases all the intensities by the same factor . That is, we will assume that for all .
Next, we quantitatively evaluate the effect that a laser seeding attack has on the security of the standard decoy-state BB84 protocol and of MDI-QKD for a typical channel model. For concreteness, we will consider first the case of the standard decoy-state BB84 protocol with phase-randomized weak coherent pulses (WCPs); afterward, we will consider the case of MDI-QKD.
IV.1 Standard decoy-state BB84 protocol
Regarding the standard decoy-state BB84 protocol, we evaluate the typical implementation where Alice and Bob use three different intensities, , and that satisfy , and they generate secret key only from those events where they employ the signal intensity in the basis, while they use the basis events for parameter estimation. In the asymptotic limit of an infinite number of transmitted signals, the secret key rate can be lower bounded by Ma et al. (2005); Gottesman et al. (2004)
[TABLE]
where we assume the efficient version of this protocol Lo et al. (2005b). In Eq. (1), () denotes a lower (upper) bound on the single-photon yield (phase error rate ), the parameter is the error correction efficiency, () represents the overall experimentally observed gain (the overall experimentally observed QBER) when Alice send to Bob a WCP of intensity in the basis, and is the binary Shannon entropy function.
To estimate and one can use analytical or numerical tools. Here we use the analytical method proposed in Ref. Ma et al. (2005). In particular, we have that
[TABLE]
with being a lower bound on given by
[TABLE]
and where the parameter represents a lower bound on . This last quantity can be obtained by using Eq. (2) but now referred to the basis.
In the presence of a laser seeding attack, Alice and Bob estimate and using Eqs. (2) and (3) but now with the experimentally observed quantities and , with , and for a certain that depends on the attack.
In our analysis we shall also evaluate an ultimate upper bound on the secret key rate. That is, this upper bound holds for any possible post-processing method that Alice and Bob could apply to their raw data. The only assumption here is that double click events are randomly assigned to single click events. For this, we use the technique introduced in Ref. Curty et al. (2009). More precisely, the upper bound on the key rate is given by
[TABLE]
where is the probability that Alice sends Bob an -photon state with the signal intensity, is the maximum weight of separability among all the bipartite quantum states that are compatible with Alice and Bob’s observables, and is the Shannon mutual information evaluated on the entanglement part of the state that has the maximum weight of separability. See Ref. Curty et al. (2009) and Appendix C for further details.
For simulation purposes we use the experimental parameters listed in Table 1.
The resulting lower and upper bounds on the secret key rate are shown in Fig. 4.
The blue dotted line represents the lower bound given by Eq. (1) in the absence of the attack. Here, for each given value of the distance, we select the optimal values of the intensities , and that maximize . These optimized intensities are then fixed, and we use them to simulate the degradation of the security bounds due to Eve’s laser seeding attack.
More precisely, the red solid line in Fig. 4 shows the value of that Alice and Bob would estimate in the presence of the attack when . That is, as explained above, here Alice and Bob estimate the parameters and with the observed quantities and , with , and , together with the original intensities , and . The red dash-dotted line, on the other hand, illustrates the correct secure value of in the presence of the attack. That is, here and are estimated with the observed quantities and , with , and , together with the modified intensities .
As we can see in Fig. 4, the secure given by the red dash-dotted line is significantly below the actually estimated by Alice and Bob. That is, in the presence of the attack, the security proof introduced in Refs. Ma et al. (2005); Gottesman et al. (2004) cannot guarantee the security of the secret key obtained by Alice and Bob. Finally, the red dashed line illustrates the upper bound given by Eq. (5) in the presence of the attack. Remarkably, this upper bound is below the estimated by Alice and Bob for most of the distances, which demonstrates that the estimated secret key rate is actually insecure no matter what security proof is used.
Finally, in Fig. 5 we show the effect that the multiplicative factor has on the bounds on the secret key rate. For this, we now fix the transmission distance at a certain value, say .
In this case, Fig. 5 shows that the incorrect lower bound that Alice and Bob would estimate is always above its correct value whenever . This is remarkable because it means that in the presence of a laser seeding attack Alice and Bob always overestimate their secret key rate above that provided by the security proof. Moreover, if is large enough (around for the experimental parameters used in Fig. 5), it turns out that the upper bound is below the estimated secret key rate, which confirms that there is no security proof which can make the estimated secret key rate secure.
We remark that in practice Eve might need to throttle the key rate to roughly the original expected level in the absence of the attack. Indeed a human operator of QKD equipment may suspect something abnormal is happening on if the key generation rate rises well above the expected level (blue dotted line in Fig. 4). To reduce the rate, Eve can simply introduce additional optical attenuation in the channel.
IV.2 MDI-QKD
Next we consider the case of MDI-QKD with WCPs Lo et al. (2012). Similar to the previous example, we shall assume that each of Alice and Bob use three different intensities, , and that satisfy , and they generate secret key from those events encoded with the signal intensity in the basis, while they use the basis events for parameter estimation. In the asymptotic limit of an infinite number of transmitted signals (and assuming for simplicity a sifting factor ), the secret key rate is lower bounded by Lo et al. (2012)
[TABLE]
where is the probability that both Alice and Bob emit a single-photon pulse in the basis when they both use the signal intensity setting , is a lower bound on the yield associated to these single-photon events, is an upper bound on the phase error rate of these single-photon pulses, is again the error correction efficiency, and are the gain and the QBER when both Alice and Bob send to the relay Charles WCPs of intensity in the basis, and is the binary Shannon entropy function defined previously.
To evaluate Eq. (6), Alice and Bob need to calculate the parameters and based on the experimentally available data and , with and , and their knowledge on the probability distribution with , where is the set of the non-negative integers. Again, this estimation can be done analytically or numerically, and for simplicity here we use the analytical approach introduced in Ref. Xu et al. (2014). For completeness, below we include the expressions for and :
[TABLE]
and
[TABLE]
where represents a lower bound on the yield associated to those single-photon events emitted by Alice and Bob in the basis. This last quantity can be estimated using Eq. (7) but now referred to the basis.
To evaluate in the presence of a laser seeding attack we follow a methodology similar to that used in the previous subsection, and we omit it here for simplicity.
Also, to evaluate an upper bound on the secret key rate, we extend the technique introduced in Ref. Curty et al. (2009) to the case of MDI-QKD. Here, for simplicity, we consider that Alice and Bob only distill secret key from nonpositive partial transposed entangled states Peres (1996); Horodecki et al. (1996), i.e., we disregard the key material which could be obtained from positive partial transposed entangled states Horodecki et al. (2005). We refer the reader to Appendix D for further details about the upper bound .
For simulation purposes, we use again the experimental parameters given in Table 1. For simplicity, we assume that Eve performs a symmetric attack in which she injects light of the same intensity into both Alice’s and Bob’s transmitter devices, which moreover we assume are identical. The resulting lower and upper bounds on the secret key rate are shown in Fig. 6.
For this example we consider three possible values for the multiplicative factor . The case corresponds to the scenario without attack. The results are analogous to those illustrated in Fig. 4. In particular, the incorrect value of that Alice and Bob would estimate in the presence of the attack is well above the correct value of delivered by a proper application of the security proof (i.e., for the case where one considers the correct values of the output intensities modified by the attack). This is particularly critical for the case where , as the security proof provides no secure key rate in this scenario while Alice and Bob would incorrectly estimate a relatively high value for . Also, in this case, the upper bound is below the estimated for all distances (see Fig. 6).
V Discussion and countermeasure
In this laser seeding attack, the isolation present in a real QKD system may significantly affect Eve’s injection power. Thus, we should analyse this effect in detail. The first factor that contributes to such isolation is the presence of an attenuator to attenuate Alice’s signals to the single-photon level. If we assume that the power of Alice’s laser is similar to the laser we tested, the required attenuation would be in the order of to obtain single-photon-level pulses. This means that Eve’s initial injection laser (before going through the attenuator) should be in the order of (assuming that there is no internal isolator in the laser) such that about power can enter the laser cavity. This value is reasonable and can be safely transmitted through optical fiber, which confirms that the laser seeding attack is practical.
Furthermore, we note that the attenuation provided by optical attenuators can be decreased via a laser damage attack Huang et al. . Specifically, Eve can illuminate Alice’s attenuator with a c.w. laser with power of several watts. The experimental results reported in Huang et al. show that it is possible to permanently decrease the attenuation by more than by the c.w. laser. Importantly, this can be done such that no connector or other components in the experiment are damaged. The attenuator is the only component that responds. Therefore, if Eve applies first the laser damage attack against the attenuators to decrease their attenuation, then the injection power of the laser seeding attack could be even lower than . This strategy of combination attacks makes the laser seeding attack easier to implement thanks to the laser damage attack.
The second factor that could contribute to have more isolation is to include an external isolator. The isolator indeed makes Eve’s attack more difficult. However, according to the working mechanism of an optical isolator, the isolation of the backward injection light is due to the polarization rotation inside the isolator, after which the rotated light is extinguished. The rotation is realized by a magneto-optic effect. It is notable that the magnets used in isolators are temperature-dependent Vojna et al. (2019). That is, the higher temperature, the smaller rotation. Thus, the temperature is an important factor in practice to determine the real isolation value. From Eve’s point of view, she may somehow hack the isolator by increasing the temperature. The quantitative study of the dependence between the optical isolation provided by an optical isolator and the temperature that Eve can achieve is beyond the scope of this paper, but we’ve studied this topic in another manuscript Ponosova et al. .
It is clear that for a given power of Eve’s injected light, the more effective isolation the users’ transmitters have, the smaller the value of the multiplicative factor will be, and thus also the effectiveness of the attack. For example, according to Fig. 3, if the power of Eve’s injected light is say , then an effective isolation would result in a multiplicative factor for ID300 sample 2. Importantly, however, as we have seen in Fig. 5, whenever (which in principle might happen even for very high isolation), Alice and Bob might always overestimate their secret key rate, unless, of course, they modify their security analysis to properly incorporate the effect of the laser seeding attack.
For this, for instance, Alice and Bob could first bound the power of Eve’s injected light to a reasonable value, as done for example in Refs. Lucamarini et al. (2015); Tamaki et al. (2016); Wang et al. (2018); Huang et al. . With this assumption in place, and for a given value of the isolation of their transmitters, as well as the behaviour of their laser sources, Alice and Bob could in principle upper bound the maximum value, , that the parameter can take. In so doing, and for given observed experimental data (i.e., gains and error rates associated to different values of the intensity settings), they could simply minimize their secret key rate by taking into account that now the intensities of the emitted light pulses might lay in an interval , where is the value of the original intensity setting. This way Alice and Bob consider the worst-case scenario and can guarantee that the resulting secret key rate is indeed secure.
Another alternative for Alice to determine the parameter might be to use an incoming-light monitor to detect the injection light. The main drawback of this approach is, however, that the classical monitor that detects the injected light is not a reliable device. For example, in Ref. Sajeed et al. (2015b), it has been shown that the classical monitor can be bypassed by Eve’s pulses with high repetition rate, and thus the classical monitor cannot correctly quantify the amount of injected light. This is due to the limited bandwidth of the classical monitor. Furthermore, the classical monitor may even be damaged by Eve’s light Makarov et al. (2016). According to the experimental results in Ref. Makarov et al. (2016), the classical monitor is the first component in Alice that is damaged by Eve’s laser. Therefore, the classical detector also may not be a reliable countermeasure to prevent Eve’s injection of light.
In practice, it is important to note as well that Eve could in principle combine the laser seeding attack with various attacks to enhance her hacking capability, for example, with the laser damage attack Makarov et al. (2016); Huang et al. as mentioned above, with the THA analysed in Refs. Vakhitov et al. (2001); Gisin et al. (2006); Lucamarini et al. (2015); Tamaki et al. (2016); Wang et al. (2018); Pereira et al. , and/or with the recently introduced injection-locking attack Pang et al. . For instance, Eve could employ the fact that the laser seeding can be affected in real time by the state of Alice’s modulator, changing the laser wavelength depending on the modulator setting Pang et al. and/or modulating the intensity multiplication factor . Besides using her injected light to modify the internal functioning of the transmitter (as done in the laser seeding attack), Eve could also simultaneously perform a THA and measure the back-reflected light to obtain information about the transmitter’s settings for each emitted light pulse. This means that to properly evaluate the security of a QKD system, one should probably combine the techniques described in the previous paragraphs with the security analysis introduced in Refs. Lucamarini et al. (2015); Tamaki et al. (2016); Wang et al. (2018); Pereira et al. .
VI Conclusion
This study has experimentally demonstrated that the laser seeding attack is able to increase the intensity of the light emitted by the laser diode used in a QKD system, breaking the fundamental assumption about the mean photon number of a QKD protocol. Moreover, we have shown theoretically that such increase of the intensity might seriously compromise the security of QKD implementations. For this, we have considered two prominent examples: the standard decoy-state BB84 protocol and MDI-QKD, both implemented with phase-randomized WCPs. In both cases, we have demonstrated that, in the presence of the attack, the legitimate users of the system might significantly overestimate the secret key rate provided by proper security proofs, even well above known upper bounds. This theoretical security analysis can be applied to any attack that increases the intensity of the emitted pulses. For instance, a laser damage attack against the optical attenuators also shows that Eve can increase the intensity of Alice’s pulses by decreasing the attenuation provided by the attenuators Huang et al. .
Although MDI-QKD is immune to all detector side-channel attacks, our work shows Eve’s capability of hacking the source of a QKD system and highlights that further research is needed to protect the system against source side-channel attacks. Moreover, we remark that the laser seeding attack may compromise as well the security of other quantum decoy-state based cryptographic systems beyond QKD, like, for instance, various two-party protocols with practical signals Wehner et al. (2010), quantum digital signatures Yin et al. (2016b); Roberts et al. (2017), and blind quantum computing Xu and Lo ; Zhao and Li (2017).
While preparing this Article for publication, we have learned of another laser seeding experiment that changes the wavelength of Alice’s laser rather than its intensity Pang et al. .
Appendix A Laser seeding by different wavelengths
In the laser seeding attack, we pick the wavelength of the injected light to obtain the maximum energy of Alice’s optical pulses. At this wavelength, we observe the increased energy and the longer tail, as shown in Fig. 2. Moreover, we have tested the injected light with slightly different wavelengths that are still in the wavelength range of the laser diode from the high-speed oscilloscope, see Fig. 7. Sample 1 of ID300 with linewidth is shown as an example. When power is injected into the laser, different wavelengths result in different waveforms. At , Alice’s pulse has the highest energy but relatively lower peak power. When the wavelength is slightly off the center wavelength, at , the peak power becomes higher, however the tail is lower. This trend continues when the wavelength is shifted further to .
Appendix B Decoy-state QKD protocol
In decoy-state QKD, the transmitter emits quantum states that are diagonal in the Fock basis, and whose mean photon number is selected at random, within a predefined set of possible values, for each output signal. These states are typically generated with an attenuated laser diode emitting phase-randomized weak coherent pulses (WCPs) in combination with a variable attenuator to set the intensity of each individual light pulse.
In particular, let () denote the -photon yield (error rate) in the polarization basis . That is, () represents the probability that an -photon state prepared in the basis generates a detection click (a detection click associated to an error in the basis) at Bob’s side. For each intensity setting , these quantities are related to the overall experimentally observed gain, , and to the overall experimentally observed error rate, , in the basis as follows:
[TABLE]
where denotes the probability that Alice emits an -photon state when she selects the intensity setting . In the case of WCPs, these probabilities follow a Poissonian distribution, , that only depends on the mean photon number . That is, () represents the probability that a WCP of intensity prepared in the basis generates a detection click (a detection click associated to an error in the basis) at Bob’s side.
Importantly, Eq. (9) relates the observed quantities and with the unknown parameters and through the known probabilities . This means, in particular, that by solving the set of linear equations given by Eq. (9) for different values of one can obtain tight bounds on the relevant parameters and which are required to determine the resulting secret key rate.
Now suppose that Eve performs a laser seeding attack that increases the output intensity of the emitted pulses from to say . In this scenario, Alice and Bob, who are unaware of the attack, would use the experimentally observed quantities and , which depend on the modified mean photon number , together with the original (but now erroneous) probabilities that depend on the original intensity , to estimate the parameters and . That is, if Eve implements a laser seeding attack, Alice and Bob would use the following set of linear equations to estimate and :
[TABLE]
In so doing, the bounds obtained for and by solving Eq. (10) are not guaranteed to be correct bounds for the single-photon yield in the basis nor for the phase error rate. Indeed, the correct bounds for these two quantities satisfy Eq. (9) after substituting with .
Appendix C Upper bound for decoy-state QKD
Here we briefly summarize the technique introduced in Ref. Curty et al. (2009) to derive an upper bound on the secret key rate for a decoy-state QKD protocol. It basically consists in finding the best separable approximation (BSA) Lewenstein and Sanpera (1998) among all bipartite quantum states that are compatible with the measurement results observed by Alice and Bob in an execution of the protocol. That is, these are the states that Alice and Bob could have shared in a virtual entanglement protocol that is equivalent to the actual protocol. For simplicity, Ref. Curty et al. (2009) considers a decoy-state protocol where Alice and Bob use an infinite number of decoy settings. Note, however, that in the asymptotic limit where Alice sends Bob an infinite number of signals, an upper bound on the secret key rate for this protocol applies as well to a protocol using a finite number of decoy settings. We follow the same procedure here.
In particular, let denote the set of all bipartite quantum states, , which are compatible with Alice and Bob’s measurement results in a virtual entanglement protocol that is equivalent to the actual protocol when Alice sends Bob an -photon signal. That is, this set is defined as
[TABLE]
where and are the measurement operators of Alice and Bob in the virtual entanglement protocol, and represent the measured statistics associated to the -photon signals emitted by Alice. Since we assume that Alice uses an infinite number of decoy intensities, we consider that she can estimate these probabilities precisely.
The states can always be expressed as a convex sum of one separable state, , and one entangled state, , as follows
[TABLE]
for some real parameter . Then, the BSA of the states in corresponds to that state with the maximum value of the parameter , which we shall denote by . That is, for every , we want to find the parameter
[TABLE]
as well as the corresponding entangled state for the BSA.
In standard decoy-state QKD with four sending states, Alice’s measurement operators can be described by a projective measurement in a four-dimensional Hilbert space, i.e., with . Each operator is associated with Alice sending one of the four possible polarization states of the BB84 protocol. On Bob’s side, his measurement operators correspond to a positive-operator valued measurement (POVM) with the following elements
[TABLE]
where , and is the vacuum state. As already mentioned in the main text, here we implicitly assume that double click events are randomly assigned by Bob to single click events.
In addition, we have that in a prepare&measure QKD scheme the reduced density matrix of Alice, , is fixed by her state preparation process. In the scenario considered, it turns out that can be written as Curty et al. (2009)
[TABLE]
[TABLE]
Putting all the conditions together, one can obtain the parameter and the corresponding entangled state , for each , by solving the following semidefinite program (SDP) Curty et al. (2009)
[TABLE]
where the vector is used to parametrize the density operators and denotes partial transposition of one of the subsystems. Note that in Eq. (C) the state represents an unnormalized state, i.e., if we compare this state with that given in Eq. (12) we have that .
From the optimal solution, , of the SDP above we have that
[TABLE]
The upper bound on the secret key rate can then be written as Moroder et al. (2006); Curty et al. (2009)
[TABLE]
where is the probability that Alice sends Bob an -photon state, where is the mean photon number of the signal, and is the Shannon mutual information evaluated on . Note that to calculate Eq. (18) it is typically sufficient to consider only a finite number of terms in the summation, because of the limit imposed by the unambiguous state discrimination attack. See Ref. Curty et al. (2009) for further details.
Appendix D Upper bound for MDI-QKD
Here we extend the results in Ref. Curty et al. (2009) to the MDI-QKD framework to calculate an upper bound on the secure key rate coming, for simplicity, from nonpositive partial transposed entangled states Peres (1996); Horodecki et al. (1996). Like in Ref. Curty et al. (2009), we consider for simplicity that Alice and Bob use an infinite number of decoy settings (see also Appendix C).
In MDI-QKD, both Alice and Bob are transmitters while, in the middle, an untrusted third party Charles is supposed to perform a Bell state measurement on the incoming signals and publicity announce the result. Let denote Charles’ announcement, where is the set of all possible announcements. This set includes the possible Bell states that Charles can obtain with his measurement as well as the inconclusive event. For each announcement , we will denote the set of bipartite quantum states, , that Alice and Bob could have shared in an equivalent virtual entanglement protocol (given that in the actual protocol they sent and photons to Charles, respectively) as . That is, contains all the bipartite quantum states that are compatible with Alice and Bob’s measurement outcomes in the equivalent virtual entanglement protocol,
[TABLE]
where and are the measurement operators of Alice and Bob in the virtual entanglement protocol, and represent the measured statistics associated to Charles’ announcement when Alice (Bob) sends him an -photon (-photon) signal. In the same way as in Appendix C, here it is assumed that Alice and Bob can estimate the probabilities precisely because they use an infinite number of decoy intensities.
Similar to the case of the standard decoy-state BB84 protocol considered previously, we have that the states can always be decomposed as the convex sum of a separable state, , and an entangled state, , as follows
[TABLE]
for some real parameter .
Now we follow the technique introduced in Ref. Curty et al. (2009) (see also Appendix C). In particular, for each pair of values and , we search for the parameter (which we shall call ) and the entangled state which correspond to the BSA of the states . That is,
[TABLE]
Then we have that the secret key rate is upper bounded by
[TABLE]
where is the conditional probability that Charles announces given that Alice (Bob) sends him an -photon (-photon) state, is the probability that Alice and Bob send Charles an -photon state and an -photon state, respectively, where is the mean photon number of their WCPs, and is the Shannon mutual information calculated on the statistics , with being the entanglement part of the BSA of the states .
To calculate and the corresponding entangled state for the BSA we use again SDP. For this, note that Alice’s (Bob’s) measurement operators () can be described by a projective measurement in a four-dimensional Hilbert space, i.e., () with (). Each operator () is associated with Alice (Bob) sending one of the four possible polarization states of the BB84 protocol to Charles.
In addition, and similar to the case of Appendix C, we have that both the reduced density matrices of Alice and Bob are fixed by their state preparation processes. More precisely, and are both equal to Eq. (LABEL:ReducedMatrix), where . In fact, in this case, these conditions can even be generalized to .
Putting all the conditions together, one can obtain the parameter and the corresponding entangled state , for each , and , by solving the following SDP,
[TABLE]
where, as mentioned previously, we disregard for simplicity the secret key coming from positive partial transposed entangled states Horodecki et al. (2005) by neglecting in Eq. (23) the key material provided by those states that satisfy . A general but computationally more demanding method that considers also the key provided by positive partial transposed entangled states has been proposed, for instance, in Ref. Moroder et al. (2006). Let denote the solution given by the SDP in Eq. (23), then
[TABLE]
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Vernam (1926) G. S. Vernam, “Cipher printing telegraph systems for secret wire and radio telegraphic communications,” J. Am. Inst. Electr. Eng. 45 , 295–301 (1926) . · doi ↗
- 2Rivest et al. (1978) R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM 21 , 120–126 (1978) . · doi ↗
- 3Shor (1997) P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM J. Comput. 26 , 1484–1509 (1997) . · doi ↗
- 4Gisin et al. (2002) N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74 , 145–195 (2002) . · doi ↗
- 5Scarani et al. (2009) V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81 , 1301 (2009) . · doi ↗
- 6Lo et al. (2014) Hoi-Kwong Lo, Marcos Curty, and Kiyoshi Tamaki, “Secure quantum key distribution,” Nat. Photonics 8 , 595–604 (2014) . · doi ↗
- 7Makarov et al. (2006) V. Makarov, A. Anisimov, and J. Skaar, “Effects of detector efficiency mismatch on security of quantum cryptosystems,” Phys. Rev. A 74 , 022313 (2006) , erratum ibid. 78 , 019905 (2008). · doi ↗
- 8Qi et al. (2007) B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum cryptosystems,” Quantum Inf. Comput. 7 , 73–82 (2007).
