Reference-Beam Attacks against Twin-Field Quantum Key Distribution using Optical Injection Locking
Sergio Juárez, Alessandro Marcomini, Mikhail Petrov, Robert I. Woodward, Toby J. Dowling, R. Mark Stevenson, Marcos Curty, Davide Rusca

TL;DR
This paper identifies potential side-channel attacks on twin-field quantum key distribution systems using optical injection locking and proposes practical countermeasures to enhance security.
Contribution
It experimentally demonstrates two realistic attack scenarios on TF-QKD and introduces effective countermeasures to mitigate these vulnerabilities.
Findings
Attack scenarios can increase photon number or bypass decoy states.
Experimental validation of intensity modulation and wavelength embedding attacks.
Proposed countermeasures effectively secure TF-QKD without performance loss.
These two authors contributed equally to this work.
Sergio Juárez
Toshiba Europe Limited, 208 Cambridge Science Park, Cambridge CB4 0GZ, UK
Escuela de Ingeniería de Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
Alessandro Marcomini
Vigo Quantum Communication Center, University of Vigo, Vigo E-36310, Spain
Escuela de Ingeniería de Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
AtlanTTic Research Center, University of Vigo, E-36310, Spain
Mikhail Petrov
Vigo Quantum Communication Center, University of Vigo, Vigo E-36310, Spain
Escuela de Ingeniería de Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
AtlanTTic Research Center, University of Vigo, E-36310, Spain
Robert I. Woodward
Toshiba Europe Limited, 208 Cambridge Science Park, Cambridge CB4 0GZ, UK
Toby J. Dowling
Toshiba Europe Limited, 208 Cambridge Science Park, Cambridge CB4 0GZ, UK
R. Mark Stevenson
Toshiba Europe Limited, 208 Cambridge Science Park, Cambridge CB4 0GZ, UK
Marcos Curty
Vigo Quantum Communication Center, University of Vigo, Vigo E-36310, Spain
Escuela de Ingeniería de Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
AtlanTTic Research Center, University of Vigo, E-36310, Spain
Davide Rusca
Vigo Quantum Communication Center, University of Vigo, Vigo E-36310, Spain
Escuela de Ingeniería de Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
AtlanTTic Research Center, University of Vigo, E-36310, Spain
Abstract
Twin-Field Quantum Key Distribution (TF-QKD) has become a leading protocol to bring quantum communications to the national scale. The protocol requires the establishment of a shared phase and frequency reference between distant parties, which is commonly achieved by using an external reference laser in an Optical Injection Locking (OIL) architecture. In this work, we analyze the side channels in OIL-based TF-QKD that may arise from adversarial manipulation of the various degrees of freedom of this untrusted reference beam. We experimentally demonstrate two realistic attack scenarios: fast intensity modulation of the reference laser, and additional signals embedded in the reference light exploiting wavelengths undetectable by conventional monitoring techniques. These attacks can allow a potential eavesdropper to deterministically increase the mean photon number of the sources, or circumvent the decoy-state technique, respectively. To counter these vulnerabilities, we propose practical and highly effective countermeasures that reinforce the security of TF-QKD systems without significant additional complexity or performance degradation.
Introduction
Quantum key distribution (QKD) enables two legitimate parties, Alice and Bob, to share a symmetric encryption key that can be used to achieve information-theoretically secure communications. In particular, it exploits the laws of quantum mechanics to ensure that any eavesdropping attempt by a malicious external party (Eve) cannot go undetected [1, 2, 3, 4].
To date, QKD has matured into a well-established technology whose application has been demonstrated on the level of inter-city networks [5, 6, 7]. Next-generation protocols such as twin-field QKD (TF-QKD), which utilize single-photon interference, offer significantly improved resilience against channel losses [8, 9, 10, 11], effectively doubling the achievable communication distances [12, 13], reaching up to 1000 km point-to-point [14, 15, 16, 17, 18]. These properties make TF-QKD particularly attractive for the realization of nationwide quantum networks [19, 20, 21, 22, 23].
Nevertheless, the broader adoption of QKD still faces some challenges, particularly the need to guarantee the security of practical implementations, since real devices inevitably deviate from the idealized assumptions. These deviations must be accounted for, either through improved security proofs or through enhancements in physical hardware, a domain collectively known as implementation security [24, 25]. Unaddressed device imperfections can lead to unintended side channels, resulting in undetected information leakage which may compromise the overall system security [26, 27, 28].
In this regard, TF-QKD possesses a crucial advantage, as it belongs to the measurement-device-independent (MDI) class of protocols. MDI protocols remove all security assumptions from the receiver, ensuring security even if Eve completely controls the measurement apparatus [29]. Consequently, implementation security efforts can be entirely focused on the transmitter side.
Practical implementations of TF-QKD require a shared phase and frequency reference between Alice’s and Bob’s encoders. Typically, this reference is provided by the untrusted central measurement node (Charlie), which distributes a classical reference beam through a dedicated service channel. The received beam stabilizes the laser sources via optical phase-locked loops (OPLLs) or, more commonly, optical injection locking (OIL) [30, 31, 32]. OIL is particularly favoured due to its inherent stability, practicality, and lack of necessity for active feedback control [19, 33]. However, permitting an external beam, potentially altered by Eve en route, to directly enter the encoders raises critical concerns regarding implementation security [34, 35, 27].
In this work, we provide the first thorough analysis of implementation security specifically tailored to the OIL architecture used in TF-QKD. We investigate potential attack scenarios enabled by manipulation of the reference laser, examining multiple optical degrees of freedom and revealing two new potential side channels. We also provide practical countermeasures for them.
The first identified side channel exploits a fast intensity modulation (FIM) of the reference laser, performed on the same timescale as the pulse encoding or faster, which temporarily increases the emitted photon number without detection by conventional monitoring.
The second side channel exploits back-reflections from the laser diode (LD) in the OIL configuration, and the limited spectral response of monitoring devices. The separate channel that goes into the encoders allows Eve to embed an additional signal at a Trojan-wavelength in the reference light (TWIRL). When this undetected light reaches the encoder, it could possibly leak the complete information about the intensity and phase settings used in the quantum signals. Note that this channel cannot be blocked without defeating its purpose.
Our analysis underscores the necessity for careful spectral filtering of the injected reference beam and highlights the importance of employing monitoring systems (“watchdogs”) that track the timing and integrity of the incoming signals with high temporal resolution. Implementing these countermeasures effectively closes these side channels, significantly strengthening the security of OIL TF-QKD implementations.
The remainder of this paper is structured as follows: first, we provide a detailed examination of potential attack vectors originating from Eve’s manipulation of Charlie’s reference signal, identifying FIM and out-of-band TWIRL signals as realistic threats. Next, we experimentally demonstrate the feasibility of these attacks and evaluate suitable countermeasures. Finally, we present our conclusions and broader implications of our findings for the practical security of TF-QKD.
Potential side channels in OIL TF-QKD
In Fig. 1(a), we present a simplified schematic of a typical TF-QKD system consisting of Alice, Bob, and Charlie. The central node (Charlie) provides a coherent optical reference to the transmitters (Alice and Bob) through the service channel. Alice and Bob individually prepare quantum states, which are subsequently sent back to Charlie via the quantum channel for single-photon interference and measurement. Both channels can potentially be manipulated by Eve, and, in the worst case, Charlie himself could be entirely under Eve’s control. Fig. 1(b) details the most important components of an encoder and receiver within an OIL-based TF-QKD architecture. The optical reference received from Charlie first passes through a polarization controller (PC) and a polarizing beam splitter (PBS), ensuring single-polarization injection to optimize the injection-locking efficiency. The optical reference then goes through a circulator and is injected into the encoder’s laser, locking its emission with that of Charlie’s laser. This results in a shared optical frequency and a fixed phase offset, which enables coherent operation across all sources. Subsequently, the locked signal passes through the encoder, which uses intensity and phase modulators to craft the train of pulses through pulse carving and manual (active) phase randomization. Finally, the pulses are attenuated to the single-photon level using a variable optical attenuator (VOA) and are transmitted back to Charlie after passing through an isolator that prevents attacks from the quantum channel against the transmitter.
This architecture simplifies frequency and phase stabilization, ensuring coherent interference at Charlie’s measurement node. However, adversaries might attempt to exploit any of the various degrees of freedom of the injected reference signal, such as polarization, phase, intensity, or wavelength (frequency), to gain information through side-channel attacks.
Polarization-based attacks are mitigated by the PBS at the input of the security perimeter, which transmits a single polarization component while suppressing the orthogonal one with a typical extinction ratio of 30 dB. As a result, polarization attacks relying on rapid fluctuations of the polarization of the reference beam lose one projection, while the remaining accepted component only fluctuates in intensity. Consequently, polarization attacks become equivalent to intensity attacks. Phase manipulation attacks are ineffective due to the active phase randomization in Alice’s and Bob’s encoders after the OIL stage, and any excessive phase fluctuations are detectable as they will increase the quantum bit error rate (QBER), resulting at most in a denial-of-service scenario.
Attacks targeting the reference laser’s intensity could allow Eve to induce transient increases in the output power of Alice’s and Bob’s lasers, implying a threat to the single-photon level encoding of QKD. For instance, increasing the intensity of the coherent state doubles the multi-photon emission probability. A FIM attack that goes undetected would thus enable Eve to circumvent the security provided by the no-cloning theorem and the decoy state method [36, 37, 38, 9].
Spectral attacks encompass two distinct scenarios: manipulating the frequency of the injected reference itself, and injecting additional optical signals at wavelengths far removed from the intended reference wavelength. While the former approach inevitably worsens the interference at the central node, thus enlarging the QBER, the latter exploits vulnerabilities arising from wavelength-dependent responses of the detectors and variations in attenuation across optical components within the system. Importantly for TF-QKD systems, using a service channel to introduce a reference into the system creates an entry point for TWIRL signals that cannot be fully closed.
To mitigate these potential attacks, we recommend the use of monitoring detectors (“watchdogs”) strategically placed within the encoder setup, as illustrated in Fig. 1(b). A first watchdog placed before optical injection ensures the integrity of the incoming reference signal, while a second watchdog positioned immediately after the encoder monitors the output pulse train before attenuation to the single-photon level, enabling classical-level signal processing. These watchdogs should continuously monitor power, timing, and spectral characteristics, triggering alerts upon detecting anomalies indicative of hardware malfunctions or potential eavesdropping attempts.
However, the design of these watchdogs requires careful consideration, as Eve could exploit their intrinsic limitations to evade detection [37]. For instance, slow PDs that integrate optical power over relatively long time intervals, compared to the encoding rate, might be sufficient to treat slow intensity fluctuations, but they will fail to detect FIM. Eve could maintain a constant average optical power, lowering and increasing the power within time windows shorter than the integration period, thus avoiding detection. Similarly, PDs with responsivity optimized for specific wavelengths (typically aligned with the intended communication wavelength) can be vulnerable to wavelength-dependent Trojan-horse attacks (THAs). Eve could impersonate Charlie by injecting anomalous signals at wavelengths outside the PD’s detection range. In such scenarios, the watchdog would register only minimal increases in optical power, despite the presence of a high-intensity TWIRL signal. This extrinsic signal could then propagate undetected through Alice’s and Bob’s setups, surviving the wavelength-dependent attenuation of critical optical components such as VOAs, intensity modulators, and phase modulators. Consequently, the TWIRL signal could reach deep into the encoders, extracting sensitive information about the encoded quantum states (including intensity setting, basis choice, and even bit choice) and leaking it back to Eve.
To accurately determine the required performance characteristics of these watchdogs and enhance their resilience, we experimentally recreated these attack scenarios under controlled conditions. Using detectors with different temporal and spectral responses, we evaluated the effectiveness of these attacks and established robust design criteria for the watchdogs, as presented in the following section.
Experimental demonstration and countermeasures
Fast intensity modulation attack
In Fig. 2 we present the setup used to investigate the FIM attack, where Eve modulates only the intensity of the reference laser. This signal is routed into Alice’s (equivalently, Bob’s) station, passing through a PC and a PBS to ensure a single polarization, effectively converting polarization-based attacks into intensity-based ones. A narrowband spectral filter is applied to reroute unwanted spectral components (see below) and isolate the expected reference wavelength, preventing injection of extrinsic light. The spectrally filtered signal is then used to injection-lock Alice’s laser, synchronizing its phase and frequency with the modulated reference. Importantly, all lasers operate in continuous wave (CW) mode, and the encoder and the rest of the components shown in Fig. 1(b) are omitted in the setup shown in Fig. 2. This is because the experiment focuses specifically on assessing how FIM of the reference signal affects the OIL process, potentially compromising transmitter security.
Superconducting nanowire single-photon detectors (SNSPDs) equipped with a time tagger, together with an optical spectrum analyzer (OSA), are used to characterize the properties of the modulated reference signal prior to the locking of Alice’s laser, and also to study the effects that the attack has on the effective photon numbers and the spectra of the locked laser. Using slow, integrating power meters, we monitor the power levels of both the unfiltered optical signal and, in conjunction with the filters, any contributions from extrinsic or unexpected wavelengths, measured both before and, more importantly, after the locking stage.
The first option we investigate for a potential watchdog consists of two GHz-bandwidth fast-PDs monitoring the high-speed behavior of the system: the Injection PD tracks the temporal profile of the signal arriving at the encoder’s laser via the circulator, while the Locking PD observes the output of the laser after the locking process. To assess both the threat posed by FIM attacks and the effectiveness of these fast-PDs as countermeasures, we experimentally characterized an injection-locked laser under attack conditions. Specifically, to resolve a 1 GHz modulation of the reference laser and its impact on the encoding laser, we employed fast-PDs with bandwidths of 10 GHz and 40 GHz, respectively.
The detection results of an injection-locked laser under a FIM attack (Fig. 3(a)) are displayed in Figs. 3(b) and 3(c). The SNSPD data in Fig. 3(b) indicate that Eve’s modulation can produce transient increases in the mean photon number by up to % during the modulated time intervals. This demonstrates that the FIM attack is a credible threat, as it enables a controlled increase in the photon number emitted by Alice or Bob. Conventional power meters register no modulation when integrating in their fastest configuration of s. The results of these measurements are in the Supplemental Material [39]. Although we observe power meters to be oblivious to these modulations, we note that even if they could detect sustained increases or decreases in average power, Eve could strategically time the modulated pulses to dilute the fluctuations, making them indistinguishable from detector noise. Therefore, our analysis shows that slow-integrating power meters alone are insufficient against this type of attack.
The effectiveness of this attack, and the failure of slow-integrating power meters to detect it, can be understood from fundamental physical constraints on Eve’s strategy. First, to affect the photon number of an encoded pulse, Eve’s modulation must occur within the temporal window of that pulse. This confines any effective attack to timescales on the order of the pulse duration, or shorter. Furthermore, to evade detection by slow-integrating power meters, Eve must maintain a constant average optical power. This requirement forces her to employ symmetric modulation patterns such as “Up-to-Down” or “Down-to-Up” (see Fig. 3(a)), where any transient increase in power is compensated by a corresponding decrease. As a consequence, the total excess energy that Eve can redistribute into any given pulse is limited by the product of the nominal reference power and the pulse duration. An extensive overview of the pulse design phase, together with additional modulation scenarios, can be found in the Methods. Eve is also constrained by the physics of OIL. In fact, Eve does not have direct control over Alice’s laser output: she can only modulate the injected reference signal, and the laser’s output response is mediated by the injection locking dynamics. These dynamics (including the finite locking bandwidth, the cavity photon lifetime, and amplitude-phase coupling in the gain medium) impose a minimum response time that prevents arbitrarily fast modulations of the locked laser output, regardless of how rapidly Eve modulates her input.
Taking into account these constraints on the attack, a fast-PD with bandwidth matching (or exceeding) the system clock rate and with a rise time comparable to (or shorter than) the pulse duration can resolve intensity variations within each pulse period, and will therefore detect Eve’s manipulation. Crucially, if Eve attempts to evade detection by compressing her modulation into shorter timescales, she faces a fundamental trade-off: shorter modulation windows proportionally reduce the energy she can modulate per pulse. In other words, the same strategy that might help Eve avoid detection simultaneously renders her attack ineffective.
As reported in Fig. 3(c), the fast-PDs reliably detect anomalies for every modulation tested, promptly identifying the attack, enabling countermeasures, and limiting Eve’s impact to a denial-of-service scenario since once the attack is detected the protocol must be interrupted.
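The following Python example is added here for illustration and is not code or data from the paper: it models only the injected reference waveform as seen at the Injection PD (the OIL response of the locked laser is not modelled) and compares a slow integrating power meter with fast-PD watchdogs under an average-power-preserving “Up-to-Down” pattern. The sample spacing, 1 µs integration time, modulation depth, 5% alarm tolerance and single-pole photodiode model are constructed assumptions; the 1 GHz clock and 10 GHz bandwidth follow the values quoted above.

```python
import math

# Constructed simulation parameters (assumptions, not values from the paper).
DT_S = 10e-12            # sample spacing: 10 ps
SAMPLES_PER_SLOT = 100   # 1 ns pulse slot, i.e. a 1 GHz clock
NOMINAL = 1.0            # reference power, normalised


def reference_waveform(n_slots, window_samples=0, depth=0.0):
    """Power samples of the reference beam.

    With window_samples > 0, every slot carries an "Up-to-Down" pattern
    centred in the slot: NOMINAL*(1+depth) for the first half of the window
    and NOMINAL*(1-depth) for the second half, so the mean power is unchanged.
    """
    if window_samples % 2 or window_samples > SAMPLES_PER_SLOT:
        raise ValueError("window must be even and fit inside one slot")
    half = window_samples // 2
    start = (SAMPLES_PER_SLOT - window_samples) // 2
    slot = [NOMINAL] * SAMPLES_PER_SLOT
    for i in range(half):
        slot[start + i] = NOMINAL * (1.0 + depth)
        slot[start + half + i] = NOMINAL * (1.0 - depth)
    return slot * n_slots


def slow_power_meter(samples, integration_s):
    """Boxcar integrator: one mean-power reading per integration period."""
    n = round(integration_s / DT_S)
    return [sum(samples[i:i + n]) / n
            for i in range(0, len(samples) - n + 1, n)]


def fast_photodiode(samples, bandwidth_hz):
    """Single-pole low-pass model of a photodiode with the given 3 dB bandwidth."""
    tau = 1.0 / (2.0 * math.pi * bandwidth_hz)
    alpha = 1.0 - math.exp(-DT_S / tau)
    out, y = [], samples[0]
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out


def max_relative_deviation(readings):
    """Largest excursion of any reading from the nominal power."""
    return max(abs(r - NOMINAL) for r in readings) / NOMINAL


def watchdog_alarm(readings, tolerance=0.05):
    """Alarm when any reading leaves the tolerance band around nominal."""
    return max_relative_deviation(readings) > tolerance


def excess_energy_fraction(window_samples, depth):
    """Energy moved into the raised half-window, relative to one slot's nominal energy."""
    return depth * (window_samples // 2) / SAMPLES_PER_SLOT


def evaluate(window_samples, depth, n_slots=2000):
    """Run all three watchdog models over the same waveform."""
    wave = reference_waveform(n_slots, window_samples, depth)
    return {
        "slow_meter_alarm": watchdog_alarm(slow_power_meter(wave, 1e-6)),
        "pd_1GHz_alarm": watchdog_alarm(fast_photodiode(wave, 1e9)),
        "pd_10GHz_alarm": watchdog_alarm(fast_photodiode(wave, 10e9)),
        "excess_energy_fraction": excess_energy_fraction(window_samples, depth),
    }


if __name__ == "__main__":
    for label, window, depth in [("no modulation", 0, 0.0),
                                 ("400 ps window", 40, 0.3),
                                 ("20 ps window", 2, 0.3)]:
        print(label, evaluate(window, depth))
```

In this model the slow meter never alarms, and the 20 ps window also slips past the 1 GHz photodiode, but it moves only 0.3% of the slot energy against 6% for the 400 ps window, which is the trade-off described above.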
Furthermore, owing to amplitude–phase coupling in the laser’s gain medium, oscillations in the injected power convert partly into instantaneous frequency shifts, resulting in both intensity modulations and spectral sidebands [32]. This spectral distortion in Alice’s local laser output provides another signature of malicious intervention, which can be detected as a countermeasure. To this end, the combined use of the slow-integrating power meter alongside spectral filters to detect unexpected wavelength components results in a secondary detection avenue against FIM attacks.
The measurement results of the power meter aided by the spectral filters are shown in Fig. 4. Comparing an unmodulated spectral baseline (Fig. 4(a)) with an active modulation scenario (Fig. 4(b)), clear sidebands emerge. A narrowband spectral filter directs these otherwise absent spectral sidebands into a power meter, providing a straightforward detection method even with slow integration times. The results of Fig. 4(c) were taken with the s integration of the power meter, but are observable with integration times up to s. This approach enables reliable identification of FIM attacks by monitoring unexpected spectral shifts, enabling Alice and Bob to abort the QKD session for protection, since any increase in power in these wavelengths would be created by an attack on the encoding laser.
For practical implementations, we recommend a calibration procedure in which the injected reference is modulated at various depths while monitoring the out-of-band power through a narrowband filter positioned just outside the unperturbed laser’s spectral range. This establishes, for the specific laser and OIL configuration, the minimum modulation depth producing detectable spectral distortion, ensuring the watchdog threshold is appropriately set.
Crucially, underestimating the actual optical power emitted by Alice and Bob, even if still under the single-photon regime, can lead to an overestimation of the achievable secret key rate (SKR). To illustrate this, we consider the “Sending-or-Not-Sending” TF-QKD protocol, and compute the asymptotic SKR in the presence of the attack (see Ref. [9] for the protocol description and security proof). The results of this analysis are presented in Fig. 5, with details about the simulations provided in Methods. Plots in Fig. 5 demonstrate that, even in the asymptotic limit, there is a noticeable discrepancy in the SKR estimation under attack conditions. Such discrepancies are expected to become more pronounced in finite-key scenarios, since one has to rely heavily on measurements in the control basis to provide meaningful estimates of the phase error rate. Because this procedure is based on studying the interference of the weak coherent pulses sent by Alice and Bob, the FIM-induced amplification of such pulses will result in out-of-ordinary estimates of the protocol’s parameters, potentially severely impacting performance.
While a full protocol-specific security analysis accounting for finite-size effects is beyond the scope of this work, we note that in extreme cases with small data block sizes, the induced discrepancy between the expected and the actual SKR could even lead to the former surpassing the theoretical upper bound on the achievable key rate, yielding a completely insecure [38, 12] estimate. We cannot evaluate this claim for the case at hand, as no explicit upper bound on the SKR for TF-QKD is available, to the best of our knowledge. Although this means that no definitive insecurity claims can be made at present, it has to be anticipated that a carefully designed attack could increase the emitted intensity beyond the values in Fig. 3(b), and the upper bound on the SKR will thus eventually be violated. Therefore, accurately bounding the emitted states’ intensity is critical to ensure practical security.
Trojan-wavelength in the reference light attack
We now move on to characterize the TWIRL attack in the context of OIL TF-QKD, where we experimentally investigate the spectral response of the laser cavity itself. Critically, any Trojan-wavelength light which bypasses the watchdogs and gets reflected by the laser cavity will be injected into the encoder and undergo the same encoding steps, potentially leaking full information about the intensity and phase settings if not effectively filtered. It should be noted that this component arrangement is unique to TF-QKD, as the reference signal reaches the LD via the circulator connected to the service channel, rather than from the quantum channel.
Previous studies have documented the spectral behavior of common encoder components such as attenuators and modulators [40]. However, the response of a laser cavity under illumination by wavelengths far outside its typical operating band has not yet been characterized, particularly in the context of OIL architectures. As this is the fundamental missing piece to properly compute the total attenuation along the full optical path experienced by light at every wavelength, our setup (depicted in Fig. 6(a)) isolates the laser cavity using only a fiber-optic circulator and a distributed feedback (DFB) laser, deliberately omitting other encoder components in order to specifically analyze cavity interactions at out-of-band wavelengths. In doing so, we aim to reveal any previously unidentified spectral dependencies or unexpected vulnerabilities inherent in OIL-based TF-QKD architectures.
To explore a broad spectral region, we use a supercontinuum wideband fiber laser covering a wavelength range of - nm. While all encoder components are optimized for the telecom C-band centered around nm, we intentionally illuminate the DFB laser with wavelengths far from its nominal injection locking region. Importantly, the laser under test does not have an isolator and is not locking to this out-of-band light. Reflected signals, largely bypassing the cavity due to off-resonance conditions, are collected via the circulator and measured using an OSA. This arrangement allows us to directly measure and characterize how the laser cavity structure affects signals at wavelengths significantly outside its normal operational range, identifying spectral regions where unexpectedly high levels of reflected power could aid Eve’s TWIRL attack.
It is worth noting that while our experimental characterization was performed using a DFB laser (the most commonly used laser type within QKD systems), the TWIRL attack is expected to apply broadly to any laser used in OIL architectures. This generality arises because OIL inherently requires an optical pathway into the laser cavity, and this same pathway is accessible to light at TWIRL wavelengths. Any laser cavity will exhibit some degree of reflectivity at out-of-band wavelengths via interaction with cavity interfaces or facets, particularly since the gain medium provides neither absorption nor amplification far from the operating wavelength. The quantitative reflectivity spectrum will depend on the specific laser design, and therefore a thorough security assessment should include characterization of the laser employed in each implementation.
Figure 6(b) shows the spectral losses observed by comparing spectra from the wideband source alone to those from three different experimental configurations: circulator only (no LD connected), circulator with LD connected but powered off, and circulator with LD actively lasing. Conversely, Fig. 6(c) highlights the effective transmissivity gained through the presence of the LD cavity in the OIL configuration, calculated by comparing configurations with the LD connected and disconnected (LD off only). This approach reveals the ideal wavelengths to use for this attack. That is, those with positive transmissivity gains that are undetectable by typical watchdogs (like InGaAs PDs, which are optimized for nm and sharply lose responsivity beyond nm [41]), thus allowing the injected signals to bypass the cavity unnoticed.
The results in Fig. 6(c) clearly indicate significant cavity-induced reflections within nm to nm. Eve could exploit this broad spectral range to inject a high-power optical signal, with a wavelength significantly above what an InGaAs detector would detect. Under these conditions, the detected optical power would substantially underestimate the actual injected power, allowing Eve’s TWIRL signal to propagate through the encoder at classical power levels, despite the typical attenuation mechanisms implemented within quantum encoding setups.
These results illustrate how the TWIRL attack must be carefully taken into account for the security of any OIL-based TF-QKD system, as it allows Eve to learn the encoding settings completely when overlooked. Fortunately, preventing this attack only requires an adequate amount of spectral filtering with high enough attenuation at these external wavelengths, thus ensuring that for optical frequencies outside of the locking range, the intensity of the light after the encoder is sufficiently weak to guarantee security.
In order to compute the required amount of attenuation, one must understand the maximum amount of power that Eve could inject into Alice and Bob’s devices, as well as the maximum acceptable output power of the encoders according to security proofs. For the former, the so-called laser-induced damage threshold (LIDT) is typically considered as a worst-case scenario. For light at telecom wavelengths, Ref. [35] reports a theoretical estimate of the LIDT value of kW, while a recent certification guideline, Ref. [27], considers as a more reasonable conservative assumption that the maximum possible insertion power for a realistic Eve is W. We remark that this power threshold only applies to fiber, and does not take into consideration possible damage to connectors and other components, meaning that in practice it is probably still over-conservative.
Crucially, the value of the LIDT strongly depends on the wavelength [42]. Therefore, by assuming a LIDT of W at nm, the LIDT at an arbitrary wavelength can be found by following the square-root dependence as
[TABLE]
Note that Eq. 1 suggests that the maximum allowed input power for Eve is larger for longer wavelengths, yielding approximately 105 W at 1700 nm. Within the encoder, the VOA typically provides 70–75 dB of attenuation at the operating wavelength to reach single-photon levels; however, this attenuation is wavelength-dependent, and components optimized for 1550 nm may provide substantially less isolation at out-of-band TWIRL signals [40]. When considering the worst case scenario, it is standard to assume that Eve can bypass channel losses entirely, placing herself right outside Alice’s security perimeter. However, for an attacker operating from Charlie’s position, the attack signal would face additional fiber losses at out-of-band wavelengths due to infrared absorption (approximately 0.75 dB/km at 1700 nm versus 0.2 dB/km at 1550 nm [43]). Noting the differences in loss across wavelengths, it is more conservative to provide suppression of unexpected out-of-band wavelengths inside the encoder, assuming the LIDT threshold.
The TWIRL attack is conceptually equivalent to the standard THA coming from the quantum channel. Therefore, to produce a quantitative and theoretically secure upper bound for the maximum tolerable output power, a comprehensive analysis against such attacks, specific to TF-QKD, is required. Unfortunately, to date such an analysis has yet to be established, meaning that no formal estimation of the induced information leakage is currently available for this scheme. One can get a rough estimate of the required isolation from security proofs for other QKD schemes, under the assumption that the maximum allowed output power of a TF-QKD transmitter in the Trojan mode is comparable to that of prepare-and-measure QKD. For these, an overall input-to-output optical isolation of approximately dB is typically considered necessary to approach the performance of an ideal, leakage-free scenario [35, 44, 45, 46, 47, 48, 49]. Fortunately, such levels of attenuation can be achieved using off-the-shelf spectral filters. When cascaded, multiple units can provide the required out-of-band suppression with less than 10 dB of total in-band loss, while completely suppressing TWIRL signals [40].
In any case, we remark that to properly close this security loophole for a given system, one should consider the maximum tolerable Trojan light intensity established by a dedicated security proof, and design the attenuation scheme accordingly.
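As an added illustration (not code from the paper), the attenuation budget described above can be carried through numerically: scale the LIDT with the square root of the wavelength, subtract what the encoder already attenuates out of band, and size a cascade of identical filters against the 10 dB in-band loss limit. The 100 W at 1550 nm reference point, the per-wavelength encoder attenuation, the tolerable output power and the filter figures are assumptions constructed for this example.

```python
import math

# Assumption (not a value taken from the page): LIDT reference of 100 W at
# 1550 nm, chosen because it reproduces the page's ~105 W at 1700 nm.
LIDT_REF_W = 100.0
LIDT_REF_NM = 1550.0


def lidt_watts(wavelength_nm):
    """Square-root wavelength scaling of the fiber damage threshold."""
    return LIDT_REF_W * math.sqrt(wavelength_nm / LIDT_REF_NM)


def watts_to_dbm(power_w):
    """Convert optical power in watts to dBm."""
    return 10.0 * math.log10(power_w * 1e3)


def filter_budget(encoder_atten_db, max_output_dbm, unit_rejection_db,
                  unit_inband_loss_db, inband_loss_cap_db=10.0):
    """Size a cascade of identical out-of-band filters.

    encoder_atten_db: {wavelength_nm: attenuation the encoder already
                       provides at that out-of-band wavelength, in dB}
    max_output_dbm:   tolerable Trojan output power; a real value must come
                      from a dedicated security proof
    Returns a dict with per-wavelength rows, the number of filter units,
    the resulting in-band loss and whether it stays within the cap.
    """
    if unit_rejection_db <= 0:
        raise ValueError("unit_rejection_db must be positive")
    rows, worst = [], 0.0
    for wl, atten in sorted(encoder_atten_db.items()):
        p_in = watts_to_dbm(lidt_watts(wl))   # Eve injecting at the LIDT
        p_out = p_in - atten                  # after the existing components
        shortfall = max(0.0, p_out - max_output_dbm)
        worst = max(worst, shortfall)
        rows.append((wl, round(p_in, 2), round(p_out, 2), round(shortfall, 2)))
    units = math.ceil(worst / unit_rejection_db)
    inband = units * unit_inband_loss_db
    return {"rows": rows, "units": units, "inband_loss_db": inband,
            "within_cap": inband <= inband_loss_cap_db}


# Constructed inputs: a VOA and other components tuned for 1550 nm that
# isolate progressively less at longer wavelengths.
ENCODER_ATTEN_DB = {1650.0: 45.0, 1700.0: 35.0, 1750.0: 30.0}
MAX_OUTPUT_DBM = -120.0      # constructed placeholder, not a proven bound
UNIT_REJECTION_DB = 50.0     # constructed out-of-band rejection per filter
UNIT_INBAND_LOSS_DB = 1.5    # constructed in-band insertion loss per filter

if __name__ == "__main__":
    budget = filter_budget(ENCODER_ATTEN_DB, MAX_OUTPUT_DBM,
                           UNIT_REJECTION_DB, UNIT_INBAND_LOSS_DB)
    for wl, p_in, p_out, shortfall in budget["rows"]:
        print(f"{wl:.0f} nm: in {p_in} dBm, out {p_out} dBm, "
              f"missing {shortfall} dB")
    print(budget["units"], "filters,", budget["inband_loss_db"],
          "dB in-band, within cap:", budget["within_cap"])
```

The longest wavelength drives the result here because both the LIDT and the isolation shortfall grow with wavelength, so the sweep should extend to the longest wavelength at which the cavity still shows a transmissivity gain.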
Conclusions
In this work, we have performed a detailed analysis of all possible degrees of freedom of the reference laser that could pose a security threat in OIL-based TF-QKD systems. We identified two new viable attack vectors: FIM of the injected reference, and Trojan signals at wavelengths well outside the optimal detection range of usual watchdogs, equipped with sufficient power to pass through the system despite existing attenuation.
To counter external FIM of the generated pulse train, we recommend the use of a fast-PD as a watchdog, ideally as fast as the encoding itself, in order to take advantage of the fact that the reference signal is still at classical power levels before attenuation to the single-photon regime. Additionally, we propose placing a narrowband filter (e.g. nm wide) centered on the reference wavelength, with all sidebands redirected to a dedicated detector: as we have shown, this allows for detection of spectral fluctuations in the output of the encoder laser that are generated by the manipulation of the OIL.
Moreover, our results reveal that out-of-band reflections from the OIL cavity create a clear pathway for high-power Trojan signals. Fortunately, this vulnerability can be effectively neutralized with straightforward measures. By limiting incoming light exclusively to the spectral range of the watchdog PD, simple and commercially available optical filters can readily suppress any unintended wavelengths. These devices introduce minimal additional optical loss, typically in the order of a few tenths of a decibel, and can be seamlessly integrated into existing setups without substantial redesign. This, coupled with a periodic spectral verification and monitoring of Alice and Bob’s lasers, comprehensively addresses the identified vulnerabilities, significantly reinforcing the practical security of OIL-based TF-QKD systems without compromising their performance.
Although the proposed countermeasures allow the identified security loopholes to be closed, we remark that their proper implementation is conditional on an accurate analysis of the system specifics and the application of an adequate security proof, establishing concrete values for the amount of required attenuation and filtering. To the best of our knowledge, to date no such proof exists, and while its derivation is beyond the scope of this paper, our results motivate the inclusion of information leakage induced by reference-beam attacks into future theoretical analyses of TF-QKD.
More broadly, our analysis emphasizes the importance of restricting Eve’s control over the degrees of freedom of the injected optical signals, such as frequency, power, temporal shape, and polarization, to ensure robust security of quantum communication protocols. A rigorous and comprehensive restriction not only addresses currently identified attack vectors but also provides resilience against future, yet-undiscovered, attack strategies. Maintaining tight control over all optical parameters entering the encoder thus forms a foundational element for securing practical quantum communication systems in real-world deployments.
Data and materials availability
All data are available from the corresponding author upon reasonable request.
Correspondence and requests for materials
Should be addressed to S.J. ([email protected]) or A.M. ([email protected]).
Author contributions
S.J., A.M., R.I.W., and D.R. identified the academic motivation for this research project. S.J. and A.M. built the experimental setups, collected the measurements, and analyzed the results with support and supervision from M.P., R.I.W., T.D., R.M.S., and D.R., and particularly, derived the simulation results under the supervision of M.C. S.J., A.M., and R.I.W. wrote the manuscript, with all authors contributing to its improvement and the verification of the results.
Acknowledgments
The authors thank S. Morrissey, F. Grünenfelder, O. Crampton, A. Brzosko, Y.S. Lo, G. Shooter, and P.R. Smith, for insightful discussions. We acknowledge support from the European Union’s Horizon Europe Framework Programme under the Marie Skłodowska Curie Grant No.101072637, Project Quantum-Safe Internet (QSI). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them. We also acknowledge support from the Galician Regional Government (consolidation of research units: atlanTTic), the Spanish Ministry of Economy and Competitiveness (MINECO), the Fondo Europeo de Desarrollo Regional (FEDER) through the grant No. PID2024-162270OB-I00, MICIN with funding from the European Union NextGenerationEU (PRTR-C17.I1) and the Galician Regional Government with own funding through the “Planes Complementarios de I+D+I con las Comunidades Autonomas” in Quantum Communication, the “Hub Nacional de Excelencia en Comunicaciones Cuanticas” funded by the Spanish Ministry for Digital Transformation and the Public Service and the European Union NextGenerationEU, the European Union’s Horizon Europe Framework Programme under the project “Quantum Secure Networks Partnership” (QSNP, grant agreement No 101114043) and the European Union via the European Health and Digital Executive Agency (HADEA) under the Project QuTechSpace (grant 101135225).
Competing interests
The authors declare no competing interests.
Methods
Experimental details of the fast intensity modulation attack
In this section we present the details of our investigation on the modulation parameters for Eve, and discuss how for every configuration a sufficiently high repetition rate deceives slowly-integrating power meters, which therefore constitute insecure watchdogs.
Fig. 7 reports an example of input pattern for Eve’s intensity modulator for the case of an “Up” modulation (that is, fast, periodic increases in the optical power of the reference signal), as well as for the “Up-to-Down” modulation introduced in Fig. 3. The vertically mirrored patterns yield the “Down” and the “Down-to-Up” configurations, respectively. For each of the four configurations, we tested input and output statistics by changing the attack repetition rate (corresponding to from Fig. 7) and the modulation width and height . Crucially, as noted in Fig. 3, for both the “Up-to-Down” and “Down-to-Up” modulations of the reference signal, the locked light at Alice’s output always results in a “Down-to-Up” configuration. This phenomenon also occurs for the “Up” and “Down” schemes, but notably in these latter cases the induced peak above the baseline is much smaller than the inflection below the baseline, resulting in a worse quality of the injection and overall reduction of the mean photon density. As this will affect performance rather than security, here we focus on the analysis for the “Up-to-Down” and “Down-to-Up” configurations, which instead induce a significant transient increase in the optical power.
For the repetition rate of the attack we tested values ranging from MHz to GHz, comparable with the operational rate of state-of-the-art QKD schemes. For all these options it holds , meaning that the produced pulse shape is not altered, and no appreciable changes have been observed in the detection statistics. Therefore, in this analysis we consider a modulation rate of GHz. As for the modulation width, we analyzed the produced pulse shapes while sweeping over the range psps. We observed that a short modulation is preferable as it allows for a steeper transient between low and high levels of the photon density, which ultimately results in wider and taller peaks above the baseline. Therefore, results in this section refer to the setting choice ps, corresponding to the minimal resolution of our controls.
Finally, we tested various magnitudes of the modulation height . Increasing this parameter directly impacts the modulation amplitude of the photon density. As this quantity is the most objective and meaningful metric for a device-agnostic analysis, figures in this paper show various experimental results as a function of Eve’s normalized intensity modulation, corresponding to the peak-to-peak amplitude of the SNSPD results displayed, for example, in Fig. 3(a).
The full experimental results for the slow-integrating power meters are displayed in the Supplemental Material [39], where figures report the normalized average power and normalized power fluctuations detected by the devices, respectively, and compare them with the attack-free scenario.
The results discussed in the main text were obtained with an input power of 5 mW before the intensity modulator shown in Fig. 2.
Statistics are computed over samples for each configuration. We observe that regardless of the attack intensity and integration time, power meters fail to detect anomalies in the observed quantities, thus mistakenly assuming a safe scenario when Alice’s laser is under a modulation attack. This motivates us to introduce novel surveillance procedures, namely the countermeasures introduced in the “Experimental demonstration and countermeasures” section, so as to guarantee the implementation security of OIL-based TF-QKD against this novel class of potential threats.
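The following added example (a toy model, not the authors' code or data) shows why the integration time of the watchdog decides whether a fast intensity modulation is seen: the same constructed reference trace is read by detectors that average over many attack periods, over exactly one period, and over a single modulation lobe. The rectangular, area-balanced “Up-to-Down” shape, the sample spacing, lobe width, noise amplitude and alarm tolerance are all assumptions made for the illustration.

```python
import random

SAMPLE_PS = 10     # constructed: 10 ps between samples
PERIOD = 100       # samples per attack period, i.e. a 1 GHz repetition rate
WIDTH = 5          # constructed: samples in the "up" lobe and in the "down" lobe
BASELINE = 1.0     # normalized reference power
NOISE = 0.02       # constructed: bounded detector noise amplitude


def reference_trace(n_samples, height, seed=1):
    """Normalized reference power seen by the watchdog tap.

    height > 0 adds an idealised Up-to-Down excursion every PERIOD samples:
    +height for WIDTH samples, then -height for WIDTH samples.
    """
    rng = random.Random(seed)
    trace = []
    for i in range(n_samples):
        phase = i % PERIOD
        if phase < WIDTH:
            mod = height
        elif phase < 2 * WIDTH:
            mod = -height
        else:
            mod = 0.0
        trace.append(BASELINE + mod + rng.uniform(-NOISE, NOISE))
    return trace


def detector_readings(trace, window):
    """A detector integrating over `window` samples reports window means."""
    return [sum(trace[i:i + window]) / window
            for i in range(0, len(trace) - window + 1, window)]


def watchdog_alarm(trace, window, tolerance):
    """Alarm if any reading leaves BASELINE +/- tolerance."""
    return any(abs(r - BASELINE) > tolerance
               for r in detector_readings(trace, window))


def compare_watchdogs(height=0.3, n_samples=100_000, tolerance=0.05):
    """Return {detector: (alarm without attack, alarm under attack)}."""
    clean = reference_trace(n_samples, 0.0)
    attacked = reference_trace(n_samples, height)
    detectors = (("slow_meter", 10_000),   # averages 100 attack periods
                 ("one_period", PERIOD),   # still averages both lobes
                 ("fast_pd", WIDTH))       # resolves a single lobe
    return {name: (watchdog_alarm(clean, window, tolerance),
                   watchdog_alarm(attacked, window, tolerance))
            for name, window in detectors}


if __name__ == "__main__":
    for name, (clean, attacked) in compare_watchdogs().items():
        print(f"{name:10s} alarm without attack: {clean}, under attack: {attacked}")
```

Even a detector that integrates over exactly one attack period stays silent, because the two lobes cancel within its window; only the detector that resolves a single lobe raises the alarm, which is the reason for asking that the watchdog be as fast as the encoding.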
Simulation details
Here we present the details of the SKR simulations displayed in Fig. 5. Our analysis is based on the protocol description and security proof for the “Sending-or-Not-Sending” (SNS) TF-QKD scheme introduced in Ref. [9] and the simulations provided in Ref. [11]. For simplicity, we consider the asymptotic case of infinitely many signals sent and infinitely many decoy intensities: the former implies that we can consider the key basis (basis) to be chosen with probability , while the second implies that all the required yields can be computed exactly. In addition, we consider a standard channel model, where losses are modeled as a beam splitter whose transmittance matches the one of the optical fiber.
Let denote the total channel transmittance for a given distance between Alice and Bob and let be the transmittance of the symmetric channels connecting each of the legitimate parties to Charlie. Here we consider a standard fiber loss coefficient dB/km and detectors with dark count probability and perfect detection efficiency (note that a finite detection efficiency could be incorporated in the definition of ). Following the definition of key events in Ref. [9], the vacuum and single-photon yields are found to be respectively [9, 11]
[TABLE]
Let denote the intensity of the coherent state in the basis and the probability of Alice and Bob sending such coherent state (instead of vacuum) when they select a key round. For the total yield of correct and erroneous bits in the basis, we have
[TABLE]
[TABLE]
where quantifies the polarization misalignment and denotes the modified Bessel function of the first kind and order zero. It follows that for the total basis yield and QBER we have:
[TABLE]
We remark that in the SNS-TF-QKD protocol the notion of a valid basis event, required to estimate the phase error rate using decoy states, is different from that of a basis event. In detail, considering a decoy-state intensity , we have that
[TABLE]
[TABLE]
being the phase misalignment. The total basis yield and QBER follow as
[TABLE]
From these quantities, an upper bound on the phase error rate can be found to be [9]:
[TABLE]
The above bound holds for any value of and one can numerically check that it gets tighter as . Therefore, in our calculations we considered the fixed value of .
Finally, the secret key rate can be obtained as
[TABLE]
where denotes the binary entropy of , and is the error correction inefficiency.
As mentioned in the caption of Fig. 5, before actually running the protocol Alice and Bob establish the optimal key parameters
[TABLE]
for a given set of system parameters and . All curves in Fig. 5 refer to the optimal case , but no significant difference has been observed when comparing to higher misalignment cases.
Due to the attack, although Alice and Bob expect to prepare states with intensity they actually prepare states with intensity , for some ( in our case, from Fig. 3). With a noiseless channel model, the basis statistics that Alice and Bob actually observe are obtained through Eqs. 4, 5 and 6 with . This shows that within this framework the attack has a direct impact on the basis QBER, while its effect on the phase error rate is negligible as .
The actual secret key rate guaranteed by the security proof in this case is obtained by plugging in the actual intensity sent and the actual bit error rate in Eq. 11, together with the sending probability which is unchanged.
Nevertheless, if Alice and Bob are unaware of the attack, they believe they are sending coherent states with the average intensity and observe the actual bit error rate , as determined from Charlie’s announcements. As a result, they compute their expected key rate by substituting and into Eq. 11, which leads to an erroneous overestimation.
Power Meters Measurements
Here we report the power meters measurement data, as discussed in the “Methods” section of the main text. These measurements were performed using slow-integrating power meters (integration times from 25 s to 100 ms) without spectral filtering, demonstrating their vulnerability to fast intensity modulation attacks operating at 1 GHz. Figure S1 shows the deviation of average optical power under attack, while Figure S2 shows the power fluctuations (standard deviation), both normalized to the non-attacked scenario. The results demonstrate that slow-integrating power meters without spectral filtering are insufficient for detecting FIM attacks.
References
- [1] C. H. Bennett and G. Brassard, Quantum cryptography: Public key distribution and coin tossing, Theoretical Computer Science 560, 7 (2014).
- [2] A. K. Ekert, Quantum cryptography based on Bell’s theorem, Physical Review Letters 67, 661 (1991).
- [3] S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. Shamsul Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, Advances in quantum cryptography, Advances in Optics and Photonics 12, 1012 (2020).
- [4] H.-K. Lo, M. Curty, and K. Tamaki, Secure quantum key distribution, Nature Photonics 8, 595 (2014).
- [5] M. Sasaki, M. Fujiwara, H. Ishizuka, W. Klaus, K. Wakui, M. Takeoka, S. Miki, T. Yamashita, Z. Wang, A. Tanaka, et al., Field test of quantum key distribution in the tokyo qkd network, Optics express 19, 10387 (2011).
- [6] V. Martin, J. P. Brito, L. Ortíz, R. Méndez, J. Buruaga, R. Vicente, A. Sebastian-Lombrana, D. Rincon, F. Perez, C. Sanchez, et al., Madqci: a heterogeneous and scalable sdn-qkd network deployed in production facilities, npj Quantum Information 10, 80 (2024).
- [7] H.-Z. Chen, M.-H. Li, Y. Z. Wang, Z.-G. Zhao, C. Ye, F. L. Li, Z. Chen, S.-L. Han, B. Tang, Y. J. Miao, et al., Implementation of carrier-grade quantum communication networks over 10000 km, npj Quantum Information 11, 137 (2025).
- [8] M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields, Overcoming the rate-distance limit of quantum key distribution without quantum repeaters, Nature 557, 400 (2018).
