Hacking single-photon avalanche detectors in quantum key distribution via pulse illumination

Zhihao Wu; Anqi Huang; Anqi Huang; Huan Chen; Shi-Hai Sun; Jiangfang Ding; Xiaogang Qiang; Xiaogang Qiang; Xiang Fu; Ping Xu; Junjie Wu; Junjie Wu

doi:10.1364/OE.397962

1. Introduction

Information security is a core of cybersecurity in the digital era. Cryptography provides a vital tool to achieve information security in cyber environment, particularly when untrusted channels are used. Unfortunately, the current widely-used public-key cryptographic infrastructure is threaten by a quantum computer [1]. To defeat the threat from the quantum world, quantum key distribution (QKD) [2] based on the laws of quantum mechanics provides a long-term solution, which has been proved its information-theoretical security. The key generated via QKD can be applied to one-time-pad algorithm, guaranteeing information-theoretically secure communication [3,4]. Due to plenty of efforts, QKD has developed with a fast pace even to be globalized and commercialized, becoming one of the most mature applications in the field of quantum information [5–9]. Owing to such fast development, standardization of QKD is being considered in the European Telecommunications Standards Institute (ETSI) [10], the International Standard Orgnization (ISO) [11], and the International Telecommunication Union (ITU).

However, a practical QKD system may behave differently from its theoretical model which discloses security loopholes that can be exploited by an eavesdropper, Eve, to learn the secret key, compromising the practical security of QKD systems [12–24]. To defeat quantum hacking, an effective countermeasure is to employ an innovative protocol, like measurement-device-independent QKD (MDI QKD) [25] and twin-field QKD (TF QKD) [26,27], to remove the threat from loopholes. However, the high demand of technique and relative low key rate of the innovative protocols limit their application and commercialization. Therefore, to relieve the security threat on the QKD systems in use, it is essential to patch the loopholes in the existing QKD systems [28,29], most of which employ prepare-and-measure QKD protocol.

As countermeasures, patches, instead of ending the hacking story, lead to a new era of quantum hacking – inspire quantum attackers to conduct a new round of hacking investigation on the patched system. Patches motivate Eve to discover the imperfection of the patches themselves and the remaining loopholes that the patches fail to close. Our work proposes a more general blinding attack to bypass the photocurrent monitor. We discover that, for the detector under test, bright pulses can blind APD intermittently and meanwhile bypass the alarm of photocurrent monitor, although reasonable qubit error rate (QBER) is introduced. We call this method as pulse illumination attack.

The pulse illumination attack is a more general type of detector blinding attack than the original one that uses continuous wave (c.w.) light. In this attack, Eve does not only exploit the mode switch between the linear mode and Geiger mode via light shining, but also makes refined use of the hysteresis current after pulse shining to create a period of full blinding and detection control. The deep investigation on the loopholes strengthens Eve’s hacking capability, and thus passes the challenge of protecting the QKD system to countermeasure proposers again. This study emphasizes the significance of further investigating the imperfections of single-photon detector, in order to improve the security property of the standard prepare-and-measure QKD systems that are deployed the most in field [30–32]. Moreover, this study contributes a general testing item to the security certification list of QKD standard, which is being drafted in several international organizations, e.g. ETSI, ISO, and ITU [10,11,33].

2. From c.w. illumination attack to pulse illumination attack

In this section, we briefly review the origin blinding attack, i.e., c.w. illumination attack, and then introduce the countermeasure of the photocurrent monitor that is believed to be effective to blinding attacks. Finally, we propose pulse illumination attack as a new form of blinding attack that can bypass the photocurrent monitor.

For a BB84 QKD system, Eve can apply the c.w. blinding attack on APDs to eavesdrop the information. In the original c.w. blinding attack, Eve injects continuous light to generate a huge photocurrent through APD, which lowers the bias voltage and pulls the APD back to the linear mode that is insensitive to a single photon. Then, she conducts a fake-state attack as follows. She first intercepts and measures each state sent by Alice, and resends a trigger pulse encoded by her measurement result to control Bob’s clicks as the same as hers. For more details about the original c.w. blinding attack, see Appendix A.

To patch the loophole exploited by the blinding attack, some QKD systems including our testing object in this work adopt a photocurrent monitor as a countermeasure against the blinding attack [13,17,34]. This countermeasure bases on an intuitive assumption that a blinding attack will certainly generate a distinguishable low-frequency photocurrent in the circuit of the detector. The monitor extracts the low-frequency photocurrent as an alarm of the blinding attack. Once the extracted photocurrent reaches an alarming threshold, the blinding attack is considered to be launched. Please note that the extracted photocurrent is named as reported photocurrent in the following text.

However, we find that this countermeasure can not completely hinder the pulse illumination attack. This is because the aforementioned assumption about the photocurrent under a blinding attack does not stand when bright optical pulses are sent to blind an APD. In this attack, a group of blinding pulses accumulatively introduces a high photocurrent. This photocurrent is also able to lower the bias voltage across the APD. As a result, the detector is blinded at that time. After the blinding pulses are gone, the detector is still blinded for a certain period, because the photocurrent gradually reduces due to capacitors in the detector. Thus the detector keeps being blinded until the photocurrent becomes fairly weak. Eve can exploit the blinded period to launch the fake-state attack to eavesdrop the information. Theoretically, the length of the blinded period is positively correlated with the energy of the blinding-pulse group.

Unlike the constant high photocurrent introduced by the c.w. illumination attack, here the photocurrent varies over time. The photocurrent monitor takes this current as high-frequency noise and ignores most of it. Therefore, Eve can apply the pulse illumination attack to eavesdrop the information without being noticed by the photocurrent monitor.

3. Experimental demonstration

As a third-party evaluator, we conducted tests about the pulse illumination attack on a APD-based single-photon detector module, provided by an independent party. In the tests, we assume that Eve only knows the public information of the detector as prior knowledge to show a real-life hacking scenario. For the single-photon detector module we tested, the frequency of gate signal is $40\;\textrm {MH}_{\textrm {z}}$, and the photocurrent monitor inside the module first filters the photocurrent in the circuit of the detector via a lowpass filter to avoid high-frequency noise. The alarming threshold is set as $10\; \mu \textrm {A}$ by the independent detector provider, which is an optimum-performance value to safely detect c.w. illumination blinding attack in practice. The threshold is far lower than the illegitimate value ($31 \;\mu \textrm {A}$) when c.w. illumination blinding attack works, as well as leaves a margin to the value of normal working state ($1.4 \;\mathrm{\mu} \textrm {A}$) to avoid false alarms due to occasionally in-field fluctuation. The tested detector works at $-50 \;^{\circ }\textrm {C}$ with dark count rate of $5 \times 10^{-6}$ per gate and 3% after-pulse probability.

Our experiment setup is shown in Fig. 1. A digital signal generator synchronize the whole system. The channel 1 of the waveform generator excites a $1550\; \textrm {nm}$ laser diode to launch a group of blinding pulses with the frequency as the same as that of the SPAD gate, $40\; \textrm {MH}_{\textrm {z}}$. In our experiments, the width of each blinding pulse was set as $4\;\textrm {ns}$, and we kept the energy of each blinding pulse being $13.32\;\textrm {pJ}$. The blinding pulses were applied outside the gate signals to avoid unwanted clicks caused by the blinding pulses. A group of blinding pulses only triggers a click at the beginning of the group, which is followed by $5\; \mathrm{\mu} \textrm {s}$ dead time. After that, the detector is blinded due to the accumulated photocurrent and Eve can launch the fake-state attack in this blinded period during which no dark count exists. Long intervals between groups are necessary for reducing the low-frequency photocurrent and avoiding being noticed by the photocurrent monitor. $2\;\textrm {ms}$ interval can satisfy such requirement in our testing. This experimental result is shown in Fig. 2(a). The detailed analysis about the parameters of blinding pulses are given in Appendix B.

Fig. 1. Experimental setup for the pulse illumination attack. The double-channel arbitrary waveform generator excites $1550\; \textrm {nm}$ lasers to generate the blinding pulses and the trigger pulses. The trigger pulses do not contribute to blind the APD and they are just used for calibrating the blinded period and controlling Bob’s click. The manual variable attenuator and the digital variable attenuator modulate the energy of the blinding pulses and trigger pulses precisely. The 50:50 beam splitter merges the blinding pulses and the trigger pulses. We use a digital signal generator to synchronize our blinding pulses and the trigger pulses with the single-photon detector’s clock. The power meter monitors the total energy of pulses going to the single-photon detector.

Download Full Size | PDF

Fig. 2. Oscillograms where a) the detector is blinded by a group of 500-cycle blinding pulses and b) a trigger pulse with energy $E_{\textrm {never}}$ / $E_{\textrm {always}}$ is sent during the blinded period to get no click/click.

Download Full Size | PDF

The channel 2 of the waveform generator excites another $1550\; \textrm {nm}$ laser diode to launch a trigger pulse to calibrate the length of the blinded period and the fully controllable range inside. The methodology of calibrating a blinded period is shown in Fig. 3. A trigger pulse contains 67 photons, which can trigger a click in Geiger mode but is not strong enough to trigger a click in the linear mode. We first apply the trigger pulse at the gate just after the group of blinding pulses. If the trigger pulse causes no click, the detector is blinded during this gate. The trigger pulse is then moved away from the group of blinding pulses gate-by-gate to repeat the calibration process until the trigger pulse causes a click. The period of no click is the blinded period. The length of the blinded period generated by a group of 250-/300-/350-/400-/450-/500-cycle blinding pulses is shown in 1. As the trigger pulse contains multiple photons, the length of the blinded period here is just conservative estimations.

Fig. 3. The methodology of calibrating the blinded period after a group of blinding pulses. We apply a weak trigger pulse that contains 67 photons as a discriminator of blinding inside the gate after the blinding pulses. We move the trigger pulse to right gate-by-gate and repeat the calibration to probe the boundary of the blinded period.

Download Full Size | PDF

Table 1. The blinded period, the number of fully controllable gates, and the reported photocurrent under pulse illumination with different cycle numbers. The dead time caused by the initial blinding pulse is not included in the blinded period. The interval length between two groups of blinding pulses is set as $2\; \textrm {ms}$. In all these cases, the reported photocurrent is close to that in normal working state, $1.4 \;\mathrm{\mu} \textrm {A}$. The built-in alarming threshold of the photocurrent monitor is $10 \;\mathrm{\mu} \textrm {A}$.

View Table

By a similar methodology but varying the energy of the trigger pulse, we can further calibrate a fully controllable range. As shown in Fig. 2(b), at each gate inside the blinded period, we vary the energy of a trigger pulse to observe the click probability and record the energy that can trigger a click with the probability of 100%/50%/0% as $E_{\textrm {always}}$/$E_{\frac {1}{2}}$/$E_{\textrm {never}}$. If $E_{\textrm {always}} < 2 E_{\textrm {never}}$, the detector at this gate in the blinded period is fully controllable by Eve for a BB84 QKD system (while the rest gates of the blinded period also do not have dark counts and are partly controllable). The experimental data of the fully controllable range in the blinded period generated by a group of 350-/400-/450-/500-cycle blinding pulses are shown in Fig. 4. Note that in all the testing above, the reported photocurrent keeps being far lower than the built-in alarming threshold of the photocurrent monitor ($10 \;\mathrm{\mu} \textrm {A}$), as shown in 1.

Fig. 4. $E_{\textrm {always}}$, $E_{\frac {1}{2}}$ and $E_{\textrm {never}}$ inside the fully controllable range of a blinded period generated by a group of 350/400/450/500-cycle blinding pulses. The data not satisfying the fully controllable condition ($E_{\textrm {always}} < 2 E_{\textrm {never}}$) are not included in this figure. The time origin is the arriving of the first blinding pulse in the group. The inflection points are the moments that the blinding pulses end, where the accumulated photocurrent reaches to the maximum.

Download Full Size | PDF

4. Security analysis for a decoy-state BB84 QKD system

In this section, we analyse Eve’s maximum-profit strategy of attacking a real-life decoy-state BB84 QKD system via pulse illumination, and we further study the threat of this attack to the system. Here the detection parameters are from the Gobby-Yuan-Shields (GYS) experiment [35]. The interval length, the blinded period, and the fully controllable range are from our experimental results as shown in 1.

4.1 Eve’s maximum-profit strategy

The strategy of Eve’s attack is as follows. We assume Eve uses lossless channels to connect Alice and Bob. Without introducing deviation to the normal value of total gain, she launches fake-state attack during the fully controllable range, while blocks or passes the state from Alice during the unblinded time. Therefore, to eavesdrop the maximum information, she needs to optimize the parameters of her attack.

Specifically, three parts constitute the total gain under Eve’s attack – the click trigger by each group’s first blinding pulse, the gain under fake-state attack ($Q_{\omega }^{\textrm {Eve}}$) during the fully controllable range, and the gain that Eve blocks or passes the state from Alice during the unblinded period. Regarding the fake-state attack, Eve first measures Alice’s state with a perfect detector and resends to Bob by a trigger pulse with energy $E_{\textrm {always}}$. Bob’s basis choice matches to Eve’s half of the time, which triggers a click at Bob’s detector with 100% probability. Thus, $Q_{\omega }^{\textrm {Eve}} = \frac {1}{2} (1-e^{-\omega })$, where $\omega \in \{\mathrm{\mu} = 0.6, \nu = 0.2, 0\}$ is the mean photon number of the signal state, the decoy state, and the vacuum state. When Eve blocks Alice’s states, only dark counts, $Y_0 = 1.7 \times 10^{-6}$, happen at Bob’s detector; when Eve passes Alice states via the lossless channel, the corresponding gain is $Q_{\omega }^{\textrm {pass}} = Y_0+1-e^{- \eta _{\textrm {ch}} \eta _{\textrm {Bob}} \omega } = Y_0+1-e^{- \eta _{\textrm {Bob}} \omega }$ (where $\eta _{\textrm {ch}} = 1$ is the transmittance efficiency of Eve’s lossless channel and $\eta _{\textrm {Bob}}$ is the transmittance of Bob’s optical device). Therefore, the total gain under the pulse illumination attack is

(1)$$\begin{aligned} Q_\omega & = \frac{1 + p Q_\omega^{\textrm{Eve}} N_{\textrm{control}}}{N_{\textrm{interval}}} \\ & + \frac{(N_{\textrm{interval}} - N_{\textrm{blind}} - N_{\textrm{dead}}) [\gamma Q_{\omega}^{\textrm{pass}} + (1 - \gamma) Y_0]}{N_{\textrm{interval}}} \\ & = \frac{1}{ N_{\textrm{interval}}}+ p Q_\omega^{\textrm{Eve}} \alpha + (1 - \beta) [\gamma Q_{\omega}^{\textrm{pass}} + (1 - \gamma) Y_0],\\ \end{aligned}$$

where $N_{\textrm {control}}/N_{\textrm {blind}}/N_{\textrm {dead}}/N_{\textrm {interval}}$ is the gate number of the fully controllable range/the blinded period/the dead time/the interval length for a group of blinding pulses. $\alpha = N_{\textrm {control}}/N_{\textrm {interval}}$, representing the controllable proportion of gates under the attack. $1 - \beta = (N_{\textrm {interval}} - N_{\textrm {blind}} - N_{\textrm {dead}})/N_{\textrm {interval}}$, representing the proportion of gates that are not affected by the blinding. $p \in [0, 1]$ is the proportion of $N_{\textrm {control}}$ that Eve launches the fake-state attack. $\gamma \in [0, 1]$ is the ratio that Eve passes the photons from Alice during the unblinded time in each interval. Accordingly, the total QBER is

(2)$$\begin{aligned} E_\omega & = \frac{1}{Q_\omega} \{\frac{e_0}{N_{\textrm{interval}}} + p Q_\omega^{\textrm{Eve}} \alpha e_{\textrm{det}} \\ & + (1-\beta)[\gamma E_{\omega}^{\textrm{pass}} Q_{\omega}^{\textrm{pass}} + (1 - \gamma) Y_0 e_0]\}, \end{aligned}$$

where $E_\omega ^{\textrm {pass}} Q_\omega ^{\textrm {pass}} = e_0 Y_0 + e_{\textrm {det}}(1 - e^{- \eta _{\textrm {Bob}} \omega }).$ $e_0 = 0.5$ is the error rate of the background noise. $e_{\textrm {det}} = 3.3\%$ is the misalignment error rate of the QKD optical system.

According to the principle of the attack, Eve has to keep the total gain being indistinguishable with that in the normal working state ($Q_{\omega }^{\textrm {normal}} = Y_0 + 1 - e^{-\eta _{\textrm {Bob}} \eta _{\textrm {ch}} \omega }$, where $\eta _{\textrm {ch}} = 10^{\frac {-0.21 L}{10}}$ is the transmittance of the quantum channel of the QKD system as a function of the channel length $L$) to hide her existence by modulating $p$ and $\gamma$. Moreover, she will make $p$ ($\gamma$) as high (low) as possible. Consequently, when Eve tries to make $p = 1$ and $\gamma = 0$ initially, she may confront with two cases:

I: $Q_\mathrm{\mu} > Q_\mathrm{\mu} ^{\textrm {normal}}$. In this case, Eve only needs to decrease $p$ to apply less fake-state attack during the fully controllable range to ensure $Q_\mathrm{\mu} = Q_\mathrm{\mu} ^{\textrm {normal}}$. Thus, she can obtain almost all the information as all rounds of communication are either controlled or blocked.
II: $Q_\mathrm{\mu} < Q_\mathrm{\mu} ^{\textrm {normal}}$. In this case, Eve has to increase $\gamma$ to allow some photons pass from Alice to Bob without any intervention during the unblinded time, while keeps $p=1$, and then increase $Q_\mathrm{\mu}$ to hide herself. Therefore, she can just obtain part of the total information in the communication.

Under this strategy, the QKD system cannot be aware of Eve’s attack by checking the total gain. The QBER during the attack is shown in Fig. 5(a).

Fig. 5. The simulation results of the security analysis. a) The QBER with/without Eve’s pulse illumination attack. Here 350-/400-/450-/500-cycle attack introduce the same QBER. b) The $R^L_{\textrm {est}}$ when the system works without pulse illumination attack. The key rate decreases dramatically to almost 0 when the length is longer than $130\; \textrm {km}$. c)/d)/e)/f) The $R^L_{\textrm {est}}$, $R^L_{\textrm {real}}$ and $R^U_{\textrm {real}}$ under Eve’s pulse illumination attack with 350-/400-/450-/500-cycle illumination pulses.

Download Full Size | PDF

4.2 Key rate estimated by Alice and Bob under pulse illumination attack

According to the decoy-state protocol [36,37], Alice and Bob can estimate the yield and the error rate of a single photon, which are given by

(3)$$\begin{aligned} Y_1^L & =\frac{\mathrm{\mu}}{\mathrm{\mu} \nu-\nu^{2}}\left(Q_{\nu} e^{\nu}-Q_{\mathrm{\mu}} e^{\mathrm{\mu}} \frac{\nu^{2}}{\mathrm{\mu}^{2}}-\frac{\mathrm{\mu}^{2}-\nu^{2}}{\mathrm{\mu}^{2}} Y_{0}\right)\\ e_1^U & =\frac{E_{\nu} Q_{\nu} e^{\nu}-e_{0} Y_{0}}{Y_{1}^{L} \nu}. \end{aligned}$$

Submitting Eq. (1), Eq. (2), and Eq. (3) into the GLLP [38], Alice and Bob can estimate the lower bound of the key rate as

(4)$$R^L_{\textrm{est}} = q\left\{-Q_{\mathrm{\mu}} f\left(E_{\mathrm{\mu}}\right) H_{2}\left(E_{\mathrm{\mu}}\right)+ \mathrm{\mu} e^{-\mathrm{\mu}} Y_{1}^L\left[1-H_{2}\left(e_{1}^U\right)\right]\right\}.$$

Here $q=1/2$ for the BB84 protocol, $f(E_\mathrm{\mu} )=1.2$ for error correction, and $H_2(x)$ is Shannon entropy. The $R^L_{\textrm {est}}$ under no/350-/400-/450-/500-cycle pulse illumination attack with Eve’s strategy is shown by the blue line in Figs. 5(b)–(f).

4.3 Real key rate of the QKD system under pulse illumination attack

To judge whether Alice and Bob overestimate the key rate and thus introduce insecurity, we give the real upper bound and the lower bound of the key rate when the pulse illumination attack with Eve’s strategy is applied.

The real yield of a single photon $Y_1^{\textrm {attack}}$ and its error rate $e_1^{\textrm {attack}}$ under Eve’s attack strategy can be calculated as

(5)$$\begin{aligned} Y_1^{\textrm{attack}} & = Y_0 +\eta_{\textrm{Bob}} -Y_0 \eta_{\textrm{Bob}},\\ e_1^{\textrm{attack}} & =\frac{1}{Y_1^{\textrm{attack}}} (e_{\textrm{det}} \eta_{\textrm{Bob}} + e_0Y_0). \end{aligned}$$

Then, the real upper bound and the lower bound of the key rate can be written as

(6)$$R^U_{\textrm{real}} = \frac{1}{2} (1-\beta)\gamma \mathrm{\mu} e^{-\mathrm{\mu}} Y_1^{\textrm{attack}} [1-H_2(e_1^{\textrm{attack}})]$$

and

(7)$$\begin{aligned} R^L_{\textrm{real}} & = \frac{1}{2} (1-\beta)\gamma \{\mathrm{\mu} e^{-\mathrm{\mu}} Y_1^{\textrm{attack}} [1-H_2(e_1^{\textrm{attack}})] \\ & - Q_\omega^{\textrm{pass}} f_{EC} H_2(E_\omega^{\textrm{pass}})\}. \end{aligned}$$

$R^L_{\textrm {real}}$ and $R^U_{\textrm {real}}$ under 350-/400-/450-/500-cycle pulse illumination attack with Eve’s strategy are shown in Figs. 5(c)–(f) as the dashed and dash-dot lines. The results show that Eve can successfully hack the QKD system and learn the secret key under certain communication distance between Alice and Bob for the cases considered here. Take the scenario of 500-cycle pulse illumination attack as an example, we can easily find that when the channel length is between 20 km and 43 km, the estimated key rate by Alice and Bob is higher than the real lower bound but lower than the real upper bound. Thus, Alice and Bob overestimates the key rate. When the length of the quantum channel is longer than $43\;\textrm {km}$, we can ensure that the key rate estimated by Alice and Bob is insecure, because $R^L_{\textrm {est}}$ is higher than $R^U_{\textrm {real}}$. These results are reasonable. When the channel length is short Eve has to pass a large portion of signals from Alice, and thus her threat to the QKD system is weak. The GLLP equation still can estimate a secret key rate in the secure range. However, as the channel length gets longer, Eve can block more signals during the unblinded time to enlarge the proportion of the eavesdropped keys, and thus threaten the security significantly. The GLLP equation then cannot correctly estimate the secret key rate.

5. Discussion

As we described above, the pulse illumination attack can hack the passive quenching single photon detector to eavesdrop secret information while bypass its photocurrent monitor. Here we extend the discussion to the effectiveness of the pulse illumination attack on detectors of other architectures or with other countermeasures. The pulse illumination attack can blind high-speed self-differential detectors [39,40], as this kind of detectors can be blinded by triggering a sequence of detection events [41], which can be achieved by the pulse illumination attack with a low blinding pulse energy. For active-quenching detectors without a bias resistor [42], blinding by bright illumination seems difficult. However, the work of thermal attack shows that this kind of detectors can also be blinded by the thermal effect of the injected bright light [43], which implies that the pulse illumination attack with a higher blinding pulse intensity may hack such detectors. In this case, the pulse illumination attack tends to introduce a relatively higher generated photocurrent which might reveal the existence of Eve. However, Eve can further enlarge the inter-group interval to decrease the low-frequency components of the generated photocurrent and hide herself again. A sophisticated attack-monitoring method shown in Ref. [44] exploits the accumulating statistics of times between consecutive detection events. As the pulse illumination attack has various adjustable parameters, its fingerprint on the statistics might be attenuated. Recently, a countermeasure against detector-control attacks using randomly switching variable attenuators (VA) is proposed [45], where the switching of a VA’s attenuation value under c.w. illumination will introduce random clicks and raise QBER to trigger the alarm. However, the pulse illumination attack does not illuminate constantly, and thus the switching probably does not lead to any abrupt changes on injected light to cause random clicks. The practical effectiveness of these countermeasures under the pulse illumination attack should be analysed in a future testing.

Lowering the alarming threshold of the photocurrent monitor can not effectively detect the pulse illumination attack. In addition to frequent false alarms introduced by this method, Eve can attenuate the reported photocurrent by enlarging the intervals to break this defense, as shown in Appendix B. Improving the stop band of the filter in the photocurrent monitor can reveal more evidences of the pulse illumination attack, depending on the value improved. However, improving the stop band extremely will also make the monitor in trouble with abundant false alarms by noises and lose its functionality. An extreme case is removing the filter to thoroughly expose the uprising caused by the blinding pulses. In this case, the alarm will definitely be triggered with the pulse illumination attack, but frequent false alarms might also be triggered when the detector is working normally. The feasibility of any change of parameters in the photocurent monitor should be tested in a future experiment, and the change itself might introduce some new loopholes. To patch the loophole exploited by the pulse illumination attack and defend this kind of blinding attacks thoroughly, we believe that the valid method is to integrate the loophole into the security proof of QKD protocol.

6. Conclusion

We investigate the effectiveness of a photocurrent monitor as a countermeasure against the detector blinding attack in a single-photon detector module that is provided by an independent party. The testing results show that the single-photon detector with a photocurrent monitor is vulnerable to the pulse illumination attack. Via this attack, Eve can blind the single-photon detector in a certain period and fully control its detection output, keeping the reported photocurrent of the photocurrent monitor similar to that in the normal state and thus without alarming the monitor. We also perform the theoretical security analysis to show that for a real-life QKD system under pulse illumination attack, Alice and Bob may overestimate the secret key rate and leak the key to Eve in a certain distance range. This pulse illumination attack indicates that the security issues in the detection side might be still serious, which should be further investigated. As this attack might seriously threatens the practical security of QKD systems, pulse illumination attack should be a standard testing item for the systematic security evaluation of a QKD system.

We also provide more details on the photocurrent of a detector under the pulse illumination attack obtained from a white-box experiment on our homemade detector (see Appendix C), which may provide some ideas of countermeasures against the pulse illumination attack. However, patching only solves the problem in a short term. A more secure method is to model the practical single-photon detector in the security proof, if the non-MDI-QKD system would like to be immune to various blinding attacks in a long term.

Appendix

A. Recap c.w. illumination blinding attack

Fig. 6. Inner mechanism of the single-photon detector. a) The core part of the circuit of a typical single-photon detector. $R_{\textrm {bias}}$ is a huge resistor for passive quenching while $R_{\textrm {o}}$ is a small resistor for readout. The voltage across $R_{\textrm {o}}$ is $V_{\textrm {o}}$, which is the carrier of the output signals. $V_{\textrm {HV}}$ is the DC source of the single-photon detector’s circuit. $V_{\textrm {bias}}$ is the bias voltage across the APD. Normally, $V_{\textrm {bias}}$ is lower than the breakdown voltage ($V_{\textrm {br}}$) and can be raised to be higher than it by gate signals. b) Schematic diagram of the relationship between the trigger pulse energy and the responding output signal when the APD is in the linear mode. $I_{\textrm {th}}$ is the threshold of a built-in comparator in the circuit of the single-photon detector. $E_{\textrm {never}}$/$E_{\textrm {always}}$ is the trigger pulse’s energy that triggers a click with 0%/100% probability, because the bound of its error bar is totally lower/higher than $I_{\textrm {th}}$. Two different background colors intuitively indicate whether the trigger pulse can trigger a click.

Download Full Size | PDF

The BB84 protocol is typically used in QKD implementation, especially in commercial QKD systems. Under this protocol, a QKD system can provide a information-theoretical secure communication channel to the legitimate users, as the existing of an eavesdropper will introduce 25% or higher QBER and trigger the alarm [46–48].

Note that the above scenario only works well under the assumption that the APDs works in Geiger mode [49], where a single photon leads to huge transient avalanche photocurrent and thus causes a click. However, a real-life QKD system deviates from the ideal model: the APD can be turned into the linear mode (be blinded) and then the clicks are controlled by Eve. One approach to achieve blinding is to illuminate the APD by carefully modulated c.w. light. The principle behind the c.w. illumination blinding is as follows. Bright c.w. light applied on the APD knocks out many electron-hole pairs, and thus a huge photocurrent is generated. According to the circuit shown in Fig. 6(a), the APD is in series with the $R_{\textrm {bias}}$, so the strong photocurrent also goes through the $R_{\textrm {bias}}$. Because the $R_{\textrm {bias}}$ is a huge resistor for passive quenching, the voltage across $R_{\textrm {bias}}$ increases dramatically and thus $V_{\textrm {bias}}$ goes lower than $V_{\textrm {br}}$ as the total voltage is conserved.

Having been blinded, the single-photon detectors of Bob can be controlled secretly by applying trigger pulses. A trigger pulse can always trigger a click when its energy is higher than $E_{\textrm {always}}$, and is impossible to trigger a click when the energy is lower than $E_{\textrm {never}}$, as shown in the Fig. 6(b). More specifically, with the assumptions that the all of Bob’s single-photon detectors are identical and satisfy

(A1)$$E_{\textrm{always}} < 2 \times E_{\textrm{never}},$$

Bob can be fully controlled by the fake-state attack [50] if the energy of the trigger pulse in $[E_{\textrm {always}}, 2 \times E_{\textrm {never}})$. In a round of the communication Eve intercepts the photon and measures it in a randomly chosen basis, and then resends a trigger pulse encoded by the measurement result to Bob. Eve can ensure that when she happens to choose the same basis as both Alice and Bob, the information of this round will be shared among Alice, Bob, and Eve (see Fig. 7(a)), while Bob will get no click and lose the information when Eve unfortunately chooses a wrong basis (see Fig. 7(b)). Afterwards, with the help of basis comparison in the post-processing (which happens in a public classical channel and can be listened by Eve), all of Alice, Bob, and Eve keep the bits that are measured with same basis. As a result, Alice and Bob innocently share the final entire secret key with Eve.

Fig. 7. Faked-state attack on the blinded detectors when Eve chooses the $H$/$V$ basis and the intercepted measurement result is $|{H}\rangle$. Eve resends a trigger pulse of $|{H}\rangle$ in $[E_{\textrm {always}}, 2 \times E_{\textrm {never}})$. Only the situation that Bob chooses matching basis with Alice is discussed here. a) Bob selects the same basis ($H$/$V$) with Eve. Subsequently, the full trigger pulse transmits through the polarizing beam splitter (PBS) and triggers a click that means 0, which is identical with Eve’s measurement result. b) Bob selects the opposite basis ($+$/$-$). Half energy of the trigger pulse, which is less than $E_{\textrm {never}}$, arrives at each single-photon detector as the dashed line shows, and none of them is triggered. In a word, Eve steals an effective bit when she chooses the matching basis, while blocks the bit as her basis mismatches.

Download Full Size | PDF

B. Detailed analysis on the parameters of blinding pulses

Here we first demonstrate the simplest case – 1-cycle blinding pulses in each group. In the experiment, we controlled the interval between each group of blinding pulse and the energy of each single pulse. Then we observed the reported photocurrent. Figure 8 shows the energy of each single blinding pulses versus the reported photocurrent with interval of 500ns/600ns/700ns. Generally, the reported photocurrent increases with the rising of single pulse energy. The reported photocurrent rises slightly at the beginning and then goes up dramatically at about $0.67\;\textrm {pJ}$. Finally, the reported photocurrent ascends linearly after $0.9\;\textrm {pJ}$. In addition, in Fig. 8, the points where the reported photocurrent is higher than $31 \;\mathrm{\mu} \textrm {A}$ means that the low-frequency component is strong enough to blind the APD in the whole time domain (constant blinding).

The orange vertical arrow in Fig. 8 shows that the reported photocurrent reduces as the interval rises. This is because for the same energy of blinding pulse, the larger interval between the groups results in the less generated photocurrent from different blinding pulses that superposes with each other. Consequently, the low-frequency components of the superposed photocurrent are less, which are reported by the photocurrent monitor. Contrarily, to increase the superposed photocurrent to constantly blind the APD when the interval is extended, higher energy of each blinding pulse is needed, as shown in the blue arrow in Fig. 8. From the testing result, we can see that Eve can extend the interval to reduce the reported photocurrent, and thus avoiding the alarm of the photocurrent monitor.

Fig. 8. The reported photocurrent versus the energy of single blinding pulse with interval of $500\;\textrm {ns}$/$600\;\textrm {ns}/$700 ns. Here the blinding pulses are in the simplest case, that is, 1-cycle per group. Reported photocurrent higher than the constant blinded threshold ($31 \;\mathrm{\mu} \textrm {A}$) indicates the APD is blinded in whole time domain.

Download Full Size | PDF

To further analyse the influence introduced by the cycle number in each group, we measured the total energy of each group with 1-/2-/3-cycle blinding pulses when the APD is constantly blinded in the whole time domain (which is defined as constant-blinding energy in the following text) versus the interval length. The measurement results are shown in Fig. 9. Comparing among the three curves in Fig. 9, for the same interval length, the summation energies of each 1-/2-/3-cycle group to constantly blind the APD are quite similar. Thus the equivalence between a single blinding pulse and three smaller blinding pulses is apparent. Moreover, the maximum intervals for the 1-/2-/3-cycle blinding pulses are $6\; \mathrm{\mu} \textrm {s}$/$12\; \mathrm{\mu} \textrm {s}$/$20\; \mathrm{\mu} \textrm {s}$ respectively. Taking the case of 1-cycle for illustration, if the interval is longer than its maximum value, the increased energy of pulses will no longer blind the APD but cause unwanted clicks. However, its equivalent split in 2-/3-cycle can still blind. Therefore, by using this multi-cycle approach, the corresponding blinded period is adjustable in a wider range.

Fig. 9. Constant-blinding energy versus interval length of the blinding pulses. The constant blinding energy is defined as the total energy of each group with 1/2/3-cycle blinding pulses to blind the APD in the whole time domain.

Download Full Size | PDF

C. Waveform of a homemade detector under pulse illumination attack

To acquire some evidences left by a pulse illumination attack, we conducted a white-box test of the pulse illumination attack on our homemade single-photon detector whose APD is produced by Princeton Lightwave. We directly observed the waveform of the voltage $V_{\textrm {o}}$ across the readout resistor $R_{\textrm {o}}$ (for our homemade single-photon detector, $R_{\textrm {o}} =50$Ω) in the circuit of the single-photon detector shown in Fig. 6. The waveform of $V_{\textrm {o}}$ without/after blinding pulses are compared in Fig. 10. The fluctuation ranges of the output signals are indicated by the double-head arrows in the picture. Apparently, as shown in Fig. 10(a), when the blinding pulses are not applied, output signals rise occasionally. These rises are strong enough to reach the comparator threshold to trigger a click because of the avalanche effect in Geiger mode. As a result, dark counts are caused in this case. On the other hand, in the blinded period under the pulse illumination attack, the output signals jump frequently but just in a much narrower range whose upper bound is far lower than the comparator threshold as shown in Fig. 10(b). Thus, dark counts are eliminated in the blinded period.

Another interesting evidence is shown in Fig. 11, where we can clearly see that a blinding pulse causes a huge instantaneous photocurrent hill. A photocurrent monitor might be capable of figuring out this evidence by some engineering modifications, which may be not easy to be realized. Researches on reliable countermeasures against pulse illumination attack are still urgently needed.

Fig. 10. The 10-sample overlaid waveform of $V_{\textrm {o}}$ of our homemade single-photon detector a) without/ b) after blinding pulses. The dashed line indicates the comparator threshold for triggering a click. Here the comparator only works on the timing when the output signals may occur. The fluctuation ranges of the output signals are indicated by the double-head arrows.

Download Full Size | PDF

Fig. 11. The waveform of $V_{\textrm {o}}$ of our homemade single-photon detector when a blinding pulse arrives the APD. A huge instantaneous photocurrent hill is caused by the blinding pulse. The smaller one is caused by the gate signal.

Download Full Size | PDF

Funding

National Natural Science Foundation of China (11674397, 61601476, 61632021, 61901483); National Key Research and Development Program of China (2019QY0702).

Acknowledgments

We thank Vadim Makarov for very useful discussions. Supporting from Greatwall Quantum Laboratory is also acknowledged.

Disclosures

The authors declare no conflicts of interest.

References

1. P. W. Shor, “Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer,” SIAM J. Comput. 26(5), 1484–1509 (1997). [CrossRef]

2. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proc. IEEE International Conference on Computers, Systems, and Signal Processing (Bangalore, India), (IEEE Press, New York, 1984), pp. 175–179.

3. B. Zhao, B. Liu, C. Wu, W. Yu, and I. You, “A tutorial on quantum key distribution,” in 2015 10th International Conference on Broadband and Wireless Computing, Communication and Applications (BWCCA), (2015), pp. 370–374.

4. B. Zhao, B. Liu, C. Wu, W. Yu, J. Su, I. You, and F. Palmieri, “A novel ntt-based authentication scheme for 10-ghz quantum key distribution systems,” IEEE Trans. Ind. Electron. 63, 5101–5108 (2016). [CrossRef]

5. H. Takesue, S. W. Nam, Q. Zhang, R. H. Hadfield, T. Honjo, K. Tamaki, and Y. Yamamoto, “Quantum key distribution over a 40-dB channel loss using superconducting single-photon detectors,” Nat. Photonics 1(6), 343–348 (2007). [CrossRef]

6. T. Scheidl, R. Ursin, A. Fedrizzi, S. Ramelow, X.-S. Ma, T. Herbst, R. Prevedel, L. Ratschbacher, J. Kofler, T. Jennewein, and A. Zeilinger, “Feasibility of 300 km quantum key distribution with entangled states,” New J. Phys. 11(8), 085002 (2009). [CrossRef]

7. P. Sibson, J. E. Kennard, S. Stanisic, C. Erven, J. L. O’Brien, and M. G. Thompson, “Integrated silicon photonics for high-speed quantum key distribution,” Optica 4(2), 172–177 (2017). [CrossRef]

8. Y. Ding, D. Bacco, K. Dalgaard, X. Cai, X. Zhou, K. Rottwitt, and L. K. Oxenløwe, “High-dimensional quantum key distribution based on multicore fiber using silicon photonic integrated circuits,” npj Quantum Inf. 3(1), 25 (2017). [CrossRef]

9. T. A. Eriksson, T. Hirano, B. J. Puttnam, G. Rademacher, R. S. Luís, M. Fujiwara, R. Namiki, Y. Awaji, M. Takeoka, N. Wada, and M. Sasaki, “Wavelength division multiplexing of continuous variable quantum key distribution and 18.3 tbit/s data channels,” Commun. Phys. 2(1), 9 (2019). [CrossRef]

10. Industry Specification Group for quantum key distribution belongs to Telecommunications Standards Institute, http://www.etsi.org/technologies-clusters/technologies/quantum-key-distribution; visited 28 June 2019.

11. “Standards news,” IEEE Commun. Standards Mag. 2, 4–12 (2018).

12. G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, “Limitations on practical quantum cryptography,” Phys. Rev. Lett. 85(6), 1330–1333 (2000). [CrossRef]

13. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4(10), 686–689 (2010). [CrossRef]

14. F. Xu, B. Qi, and H.-K. Lo, “Experimental demonstration of phase-remapping attack in a practical quantum key distribution system,” New J. Phys. 12(11), 113026 (2010). [CrossRef]

15. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” Nat. Commun. 2(1), 349 (2011). [CrossRef]

16. A. N. Bugge, S. Sauge, A. M. M. Ghazali, J. Skaar, L. Lydersen, and V. Makarov, “Laser damage helps the eavesdropper in quantum cryptography,” Phys. Rev. Lett. 112(7), 070503 (2014). [CrossRef]

17. A. Huang, S. Sajeed, P. Chaiwongkhot, M. Soucarros, M. Legré, and V. Makarov, “Testing random-detector-efficiency countermeasure in a commercial system reveals a breakable unrealistic assumption,” IEEE J. Quantum Electron. 52(11), 1–11 (2016). [CrossRef]

18. S. Sajeed, A. Huang, S. Sun, F. Xu, V. Makarov, and M. Curty, “Insecurity of detector-device-independent quantum key distribution,” Phys. Rev. Lett. 117(25), 250505 (2016). [CrossRef]

19. A. Huang, S.-H. Sun, Z. Liu, and V. Makarov, “Quantum key distribution with distinguishable decoy states,” Phys. Rev. A 98(1), 012330 (2018). [CrossRef]

20. A. Huang, A. Navarrete, S.-H. Sun, P. Chaiwongkhot, M. Curty, and V. Makarov, “Laser-seeding attack in quantum key distribution,” Phys. Rev. Appl. 12(6), 064043 (2019). [CrossRef]

21. V. Chistiakov, A. Huang, V. Egorov, and V. Makarov, “Controlling single-photon detector id210 with bright light,” Opt. Express 27(22), 32253–32262 (2019). [CrossRef]

22. G. Gras, N. Sultana, A. Huang, T. Jennewein, F. Bussières, V. Makarov, and H. Zbinden, “Optical control of single-photon negative-feedback avalanche diode detector,” J. Appl. Phys. 127(9), 094502 (2020). [CrossRef]

23. A. Huang, R. Li, V. Egorov, S. Tchouragoulov, K. Kumar, and V. Makarov, “Laser-damage attack against optical attenuators in quantum key distribution,” Phys. Rev. Appl. 13(3), 034017 (2020). [CrossRef]

24. F. Xu, H. Ma, Q. Zhang, H.-K. Lo, and J.-W. Pan, “Secure quantum key distribution with realistic devices,” Rev. Mod. Phys. 92, 025002 (2020). [CrossRef]

25. H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 108(13), 130503 (2012). [CrossRef]

26. M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Overcoming the rate–distance limit of quantum key distribution without quantum repeaters,” Nature 557(7705), 400–403 (2018). [CrossRef]

27. M. Curty, K. Azuma, and H.-K. Lo, “Simple security proof of twin-field type quantum key distribution protocol,” npj Quantum Inf. 5(1), 64 (2019). [CrossRef]

28. A. Koehler-Sidki, J. F. Dynes, M. Lucamarini, G. L. Roberts, A. W. Sharpe, Z. L. Yuan, and A. J. Shields, “Best-practice criteria for practical security of self-differencing avalanche photodiode detectors in quantum key distribution,” Phys. Rev. Appl. 9(4), 044027 (2018). [CrossRef]

29. A. Koehler-Sidki, M. Lucamarini, J. F. Dynes, G. L. Roberts, A. W. Sharpe, Z. Yuan, and A. J. Shields, “Intensity modulation as a preemptive measure against blinding of single-photon detectors based on self-differencing cancellation,” Phys. Rev. A 98(2), 022327 (2018). [CrossRef]

30. M. Peev, C. Pacher, R. Alléaume, C. Barreiro, J. Bouda, W. Boxleitner, T. Debuisschert, E. Diamanti, M. Dianati, J. F. Dynes, S. Fasel, S. Fossier, M. Fürst, J.-D. Gautier, O. Gay, N. Gisin, P. Grangier, A. Happe, Y. Hasani, M. Hentschel, H. Hübel, G. Humer, T. Länger, M. Legré, R. Lieger, J. Lodewyck, T. Lorünser, N. Lütkenhaus, A. Marhold, T. Matyus, O. Maurhart, L. Monat, S. Nauerth, J.-B. Page, A. Poppe, E. Querasser, G. Ribordy, S. Robyr, L. Salvail, A. W. Sharpe, A. J. Shields, D. Stucki, M. Suda, C. Tamas, T. Themel, R. T. Thew, Y. Thoma, A. Treiber, P. Trinkler, R. Tualle-Brouri, F. Vannel, N. Walenta, H. Weier, H. Weinfurter, I. Wimberger, Z. L. Yuan, H. Zbinden, and A. Zeilinger, “The SECOQC quantum key distribution network in Vienna,” New J. Phys. 11(7), 075001 (2009). [CrossRef]

31. M. Sasaki, M. Fujiwara, H. Ishizuka, W. Klaus, K. Wakui, M. Takeoka, S. Miki, T. Yamashita, Z. Wang, A. Tanaka, K. Yoshino, Y. Nambu, S. Takahashi, A. Tajima, A. Tomita, T. Domeki, T. Hasegawa, Y. Sakai, H. Kobayashi, T. Asai, K. Shimizu, T. Tokura, T. Tsurumaru, M. Matsui, T. Honjo, K. Tamaki, H. Takesue, Y. Tokura, J. F. Dynes, A. R. Dixon, A. W. Sharpe, Z. L. Yuan, A. J. Shields, S. Uchikoga, M. Legré, S. Robyr, P. Trinkler, L. Monat, J.-B. Page, G. Ribordy, A. Poppe, A. Allacher, O. Maurhart, T. Länger, M. Peev, and A. Zeilinger, “Field test of quantum key distribution in the Tokyo QKD Network,” Opt. Express 19(11), 10387–10409 (2011). [CrossRef]

32. S.-K. Liao, W.-Q. Cai, W.-Y. Liu, L. Zhang, Y. Li, J.-G. Ren, J. Yin, Q. Shen, Y. Cao, Z.-P. Li, F.-Z. Li, X.-W. Chen, L.-H. Sun, J.-J. Jia, J.-C. Wu, X.-J. Jiang, J.-F. Wang, Y.-M. Huang, Q. Wang, Y.-L. Zhou, L. Deng, T. Xi, L. Ma, T. Hu, Q. Zhang, Y.-A. Chen, N.-L. Liu, X.-B. Wang, Z.-C. Zhu, C.-Y. Lu, R. Shu, C.-Z. Peng, J.-Y. Wang, and J.-W. Pan, “Satellite-to-ground quantum key distribution,” Nature 549(7670), 43–47 (2017). [CrossRef]

33. ETSI white paper no. 8: Quantum safe cryptography and security (2015), http://www.etsi.org/images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf.

34. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Avoiding the blinding attack in QKD,” Nat. Photonics 4(12), 800–801 (2010). [CrossRef]

35. C. Gobby, Z. L. Yuan, and A. J. Shields, “Quantum key distribution over 122 km of standard telecom fiber,” Appl. Phys. Lett. 84(19), 3762–3764 (2004). [CrossRef]

36. X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, “Practical decoy state for quantum key distribution,” Phys. Rev. A 72(1), 012326 (2005). [CrossRef]

37. X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. 94(23), 230503 (2005). [CrossRef]

38. D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, “Security of quantum key distribution with imperfect devices,” Quantum Inf. Comput. 4, 325–360 (2004).

39. J. F. Dynes, W. W.-S. Tam, A. Plews, B. Fröhlich, A. W. Sharpe, M. Lucamarini, Z. Yuan, C. Radig, A. Straw, T. Edwards, and A. J. Shields, “Ultra-high bandwidth quantum secured data transmission,” Sci. Rep. 6(1), 35149 (2016). [CrossRef]

40. Z. Yuan, A. Plews, R. Takahashi, K. Doi, W. Tam, A. Sharpe, A. Dixon, E. Lavelle, J. Dynes, A. Murakami, M. Kujiraoka, M. Lucamarini, Y. Tanizawa, H. Sato, and A. J. Shields, “10-mb/s quantum key distribution,” J. Lightwave Technol. 36(16), 3427–3433 (2018). [CrossRef]

41. M.-S. Jiang, S.-H. Sun, G.-Z. Tang, X.-C. Ma, C.-Y. Li, and L.-M. Liang, “Intrinsic imperfection of self-differencing single-photon detectors harms the security of high-speed quantum cryptography systems,” Phys. Rev. A 88(6), 062335 (2013). [CrossRef]

42. L. Zheng, G. Zhang, J. Tian, H. Hu, J. Wu, and W. Sun, “An integrated bias voltage control method for spad arrays,” IEEE Photonics Technol. Lett. 30(19), 1723–1726 (2018). [CrossRef]

43. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Thermal blinding of gated detectors in quantum cryptography,” Opt. Express 18(26), 27938–27954 (2010). [CrossRef]

44. T. F. da Silva, G. B. Xavier, G. P. Temporão, and J. P. von der Weid, “Real-time monitoring of single-photon detectors against eavesdropping in quantum key distribution systems,” Opt. Express 20(17), 18911–18924 (2012). [CrossRef]

45. Y.-J. Qian, D.-Y. He, S. Wang, W. Chen, Z.-Q. Yin, G.-C. Guo, and Z.-F. Han, “Robust countermeasure against detector control attack in a practical quantum key distribution system,” Optica 6(9), 1178 (2019). [CrossRef]

46. D. Mayers, “Advances in cryptology,” in Proceedings of Crypto’96, vol. 1109N. Koblitz, ed. (Springer, New York, 1996), pp. 343–357.

47. H.-K. Lo and H. F. Chau, “Unconditional security of quantum key distribution over arbitrarily long distances,” Science 283(5410), 2050–2056 (1999). [CrossRef]

48. P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol,” Phys. Rev. Lett. 85(2), 441–444 (2000). [CrossRef]

49. S. Cova, M. Ghioni, A. Lotito, I. Rech, and F. Zappa, “Evolution and prospects for single-photon avalanche diodes and quenching circuits,” J. Mod. Opt. 51(9-10), 1267–1288 (2004). [CrossRef]

50. V. Makarov and D. R. Hjelme, “Faked states attack on quantum cryptosystems,” J. Mod. Opt. 52(5), 691–705 (2005). [CrossRef]

Cycle number	Blinded period ( $μ s$ )	Fully controllable gates	Reported photocurrent ( $μ A$ )
250	2.025	No data	1.8
300	20.025	No data	1.8
350	45.025	72	1.9
400	100.05	150	1.9
450	135.05	330	2
500	195.05	690	2.1

Hacking single-photon avalanche detectors in quantum key distribution via pulse illumination

Abstract

1. Introduction

2. From c.w. illumination attack to pulse illumination attack

3. Experimental demonstration

4. Security analysis for a decoy-state BB84 QKD system

4.1 Eve’s maximum-profit strategy

4.2 Key rate estimated by Alice and Bob under pulse illumination attack

4.3 Real key rate of the QKD system under pulse illumination attack

5. Discussion

6. Conclusion

Appendix

A. Recap c.w. illumination blinding attack

B. Detailed analysis on the parameters of blinding pulses

C. Waveform of a homemade detector under pulse illumination attack

Funding

Acknowledgments

Disclosures

References

Cited By

Figures (11)

Tables (1)

Equations (8)

Optics Express