Controlling an actively-quenched single photon detector with bright light
Sebastien Sauge, Lars Lydersen, Andrey Anisimov, Johannes Skaar, Vadim Makarov
CControlling an actively-quenched singlephoton detector with bright light
Sebastien Sauge, Lars Lydersen, , Andrey Anisimov, Johannes Skaar , and Vadim Makarov , ∗ School of Information and Communication Technology, Royal Institute of Technology (KTH),Electrum 229, SE-16440 Kista, Sweden Department of Electronics and Telecommunications, Norwegian University of Science andTechnology, NO-7491 Trondheim, Norway University Graduate Center, NO-2027 Kjeller, Norway Radiophysics Department, St. Petersburg State Polytechnical University, Politechnicheskayastreet 29, 195251 St. Petersburg, Russia ∗ [email protected] Abstract:
We control using bright light an actively-quenched avalanchesingle-photon detector. Actively-quenched detectors are commonly usedfor quantum key distribution (QKD) in the visible and near-infrared range.This study shows that these detectors are controllable by the same attackused to hack passively-quenched and gated detectors. This demonstratesthe generality of our attack and its possible applicability to eavsdroppingthe full secret key of all QKD systems using avalanche photodiodes(APDs). Moreover, the commercial detector model we tested (PerkinElmerSPCM-AQR) exhibits two new blinding mechanisms in addition to thepreviously observed thermal blinding of the APD, namely: malfunctioningof the bias voltage control circuit, and overload of the DC/DC converterbiasing the APD. These two new technical loopholes found just in onedetector model suggest that this problem must be solved in general, byincorporating generally imperfect detectors into the security proof for QKD.
OCIS codes: (270.5568) Quantum cryptography; (040.1345) Avalanche photodiodes (APDs);(270.5570) Quantum detectors.
References and links
1. Commercial QKD systems are available from at least two companies: ID Quantique (Switzerland), ; MagiQ Technologies (USA), .2. R. Ursin, F. Tiefenbacher, T. Schmitt-Manderbach, H. Weier, T. Scheidl, M. Lindenthal, B. Blauensteiner, T. Jen-newein, J. Perdigues, P. Trojek, B. ¨Omer, M. F¨urst, M. Meyenburg, J. Rarity, Z. Sodnik, C. Barbieri, H. We-infurter, and A. Zeilinger, “Entanglement-based quantum communication over 144 km,” Nat. Phys. , 481–486(2007).3. D. Stucki, N. Walenta, F. Vannel, R. T. Thew, N. Gisin, H. Zbinden, S. Gray, C. R. Towery, and S. Ten, “High rate,long-distance quantum key distribution over 250 km of ultra low loss fibres,” New J. Phys. , 075003 (2009).4. W. K. Wootters and W. H. Zurek, “A single quantum cannot be cloned,” Nature , 802–803 (1982).5. D. Mayers, “Advances in cryptology,” in “Proceedings of Crypto’96,” vol. 1109, N. Koblitz, ed. (Springer, NewYork, 1996), vol. 1109, pp. 343–357.6. D. Gottesman, H.-K. Lo, N. L¨utkenhaus, and J. Preskill, “Security of quantum key distribution with imperfectdevices,” Quant. Inf. Comp. , 325–360 (2004).7. Ø. Marøy, L. Lydersen, and J. Skaar, “Security of quantum key distribution with arbitrary individual imperfec-tions,” Phys. Rev. A , 032337 (2010).8. M. Koashi, “Simple security proof of quantum key distribution based on complementarity,” New J. Phys. ,045018 (2009). a r X i v : . [ qu a n t - ph ] O c t . L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantumcryptography systems by tailored bright illumination,” Nat. Photonics , 686–689 (2010).10. C. Wiechers, L. Lydersen, C. Wittmann, D. Elser, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “After-gateattack on a quantum cryptosystem,” New J. Phys. , 013043 (2011).11. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Thermal blinding of gated detectorsin quantum cryptography,” Opt. Express , 27938–27954 (2010).12. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Avoiding the blinding attack in QKD,” Nat. Photonics , 800–801(2010).13. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Reply to ‘Avoiding the blindingattack in QKD’,” Nat. Photonics , 801 (2010).14. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Resilience of gated avalanche photodiodes against bright illuminationattacks in quantum cryptography,” Appl. Phys. Lett. , 231104 (2011).15. L. Lydersen, V. Makarov, and J. Skaar, “Comment on ‘Resilience of gated avalanche photodiodes against brightillumination attacks in quantum cryptography’,” Appl. Phys. Lett. (in press); arXiv:1106.3756 [quant-ph].16. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Reply to “Comment on ‘Resilience of gated avalanche photodiodesagainst bright illumination attacks in quantum cryptography’”,” arXiv:1109.3149 [quant-ph].17. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of aperfect eavesdropper on a quantum cryptography system,” Nat. Commun. , 349 (2011).18. PerkinElmer SPCM-AQR single photon counting module, data sheet, PerkinElmer (2005).19. V. Makarov and D. R. Hjelme, “Faked states attack on quantum cryptosystems,” J. Mod. Opt. , 691–705 (2005).20. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in “Proceed-ings of IEEE International Conference on Computers, Systems, and Signal Processing,” (IEEE Press, New York,Bangalore, India, 1984), pp. 175–179.21. J. G. Rarity, P. C. M. Owens, and P. R. Tapster, “Quantum random-number generation and key sharing,” J. Mod.Opt. , 2435–2444 (1994).22. M. P. Peloso, I. Gerhardt, C. Ho, A. Lamas-Linares, and C. Kurtsiefer, “Daylight operation of a free space,entanglement-based quantum key distribution system,” New J. Phys. , 045007 (2009).23. R. J. Hughes, J. E. Nordholt, D. Derkacs, and C. G. Peterson, “Practical free-space quantum key distribution over10 km in daylight and at night,” New J. Phys. , 43 (2002).24. C. Erven, C. Couteau, R. Laflamme, and G.Weihs, “Entangled quantum key distribution over two free-spaceoptical links,” Opt. Express , 16840–16853 (2008).25. S. Cova, M. Ghioni, A. Lotito, I. Rech, and F. Zappa, “Evolution and prospects for single-photon avalanchediodes and quenching circuits,” J. Mod. Opt. , 1267–1288 (2004).26. T. C. Ralph, “Continuous variable quantum cryptography,” Phys. Rev. A , 010303 (1999).27. M. Hillery, “Quantum cryptography with squeezed states,” Phys. Rev. A , 022309 (2000).28. M. D. Reid, “Quantum cryptography with a predetermined key, using continuous-variable Einstein-Podolsky-Rosen correlations,” Phys. Rev. A , 062308 (2000).29. M. Heid and N. L¨utkenhaus, “Security of coherent-state quantum cryptography in the presence of Gaussiannoise,” Phys. Rev. A , 022313 (2007).30. S. Fossier, E. Diamanti, T. Debuisschert, A. Villing, R. Tualle-Brouri, and P. Grangier, “Field test of a continuous-variable quantum key distribution prototype,” New J. Phys. , 045023 (2009).31. G. N. Gol’tsman, O. Okunev, G. Chulkova, A. Lipatov, A. Semenov, K. Smirnov, B. Voronov, A. Dzardanov,C. Williams, and R. Sobolewski, “Picosecond superconducting single-photon optical detector,” Appl. Phys. Lett. , 705–707 (2001).32. A. Verevkin, J. Zhang, R. Sobolewski, A. Lipatov, O. Okunev, G. Chulkova, A. Korneev, K. Smirnov, G. N.Gol’tsman, and A. Semenov, “Detection efficiency of large-active-area NbN single-photon superconducting de-tectors in the ultraviolet to near-infrared range,” Appl. Phys. Lett. , 4687–4689 (2002).33. V. Makarov, “Controlling passively quenched single photon detectors by bright light,” New J. Phys. , 065003(2009).34. R. T. Thew, H. Zbinden, and N. Gisin, “Tunable upconversion photon detector,” Appl. Phys. Lett. , 071104(2008).35. R. T. Thew, D. Stucki, J.-D. Gautier, H. Zbinden, and A. Rochas, “Free-running InGaAs/InP avalanche photo-diode with active quenching for single photon counting at telecom wavelengths,” Appl. Phys. Lett. , 201114(2007).36. id210 advanced system for single photon detection, data sheet, ID Quantique (2011), (accessed on 1 August 2011).37. H. Dautet, P. Deschamps, B. Dion, A. D. MacGregor, D. MacSween, R. J. McIntyre, C. Trottier, and P. P. Webb,“Photon counting techniques with silicon avalanche photodiodes,” Appl. Opt. , 3894–3900 (1993).38. PerkinElmer SPCM-AQ4C single photon counting module array, data sheet, PerkinElmer (2005).39. K. J. Gordon, V. Fernandez, P. D. Townsend, and G. S. Buller, “A short wavelength gigahertz clocked fiber-opticquantum key distribution system,” IEEE J. Quantum Electron. , 900–908 (2004).
0. L. Lydersen, V. Makarov, and J. Skaar, “Secure gated detection scheme for quantum cryptography,” Phys. Rev.A , 032306 (2011).41. L. Lydersen, N. Jain, C. Wittmann, Ø. Marøy, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “Superlinearthreshold detectors in quantum cryptography,” Phys. Rev. A , 032320 (2011).42. H.-K. Lo, M. Curty, and B. Qi, “Measurement device independent quantum key distribution,” arXiv:1109.1473[quant-ph].43. S. L. Braunstein and S. Pirandola, “Side-channel free quantum key distribution,” arXiv:1109.2330 [quant-ph].44. L. Lydersen, M. K. Akhlaghi, A. H. Majedi, J. Skaar, and V. Makarov, “Controlling a superconducting nanowiresingle-photon detector using tailored bright illumination,” New J. Phys. (in press); arXiv:1106.2396 [quant-ph].
1. Introduction
Over the past twenty years, quantum key distribution (QKD) has progressed from a tabletopdemonstration to commercially available systems [1], with secure key exchange demonstratedup to 144 km in free-space [2] and 250 km in optical fibers [3]. Security of these cryptosystemsis based on the impossibility, in principle, to reliably copy an a priori unknown quantum state,as accounted for by the no-cloning theorem [4]. However, security also relies on the assumptionthat the optical and electro-optical devices which are part of quantum cryptosystems do notdeviate from model assumptions made to establish security proofs [5, 6, 7, 8].Recently, it has been demonstrated that both commercial QKD systems available on the mar-ket in 2009 could be fully cracked [9, 10, 11]. A tailored bright illumination was employedto remote-control gated avalanche photodiodes (APDs) used to detect single photons in theseQKD systems. Note that these publications raised discussions regarding technique’s applicabil-ity to QKD systems from other developers [12, 13], as well as how such loopholes should betackled [14, 15, 16]. In another work, a full eavesdropper has been implemented on a researchsystem using passively-quenched APDs [17]. The overall purpose of the work reflected in thispaper is two-fold. First, we establish the generality of this attack, by extending its validity toQKD systems employing actively-quenched APDs. Second, we demonstrated two new controlmechanisms in just one detector model (a commonly used commercial module, PerkinElmerSPCM-AQR [18]). The latter finding supports the opinion that efficient countermeasures mustrely on a general security proof based on a sufficiently general detector model, as opposed toincremental ‘intuitive’ technical patches.The paper is organized as follows. In the next section, we recap the general scheme of at-tack which can in principle be implemented using this detector vulnerability. In sections 3–5,we demonstrate that this particular detector, as other models tested before, fulfills the generalconditions proposed for 100% eavesdropping of the cryptographic key. We discuss counter-measures in section 6, and conclude in section 7.
2. Proposed attack
From eavesdropper’s point of view, the intercept-resend attack provides a general frameworkto exploit unaccounted non-idealities or operating modes of components. In this attack, weassume that the eavesdropper Eve owns an exact replica of receiver Bob’s detection apparatus,with which she intercepts and measures the state of each qubit sent by Alice. To successfullyeavesdrop, Eve must resend faked states [19] that will force her detection results onto Bob’sin a transparent way. Ideally, the faked state should make the target detector click controllably(with unity probability and near zero time-jitter) while keeping any other detector blind (noclick). In the Bennett-Brassard 1984 (BB84) [20] and similar four-state protocols, Bob mustdetect two bit values in two bases, which can be implemented with two pairs of detectors. Onepair detects bit values “0” and “1”, and a second pair (not necessary with active basis choice)detects in the conjugate measurement basis, which is randomly selected prior to detection ofeach qubit in order to guarantee security against eavesdropping. Thus in 50% of the cases, the3 ve HWPPBS PBSBS
Bob P th P th /2 P th /2 P th HWPPBS PBSBS
Bob′
Alice
Faked-stategeneratorBlindinggenerator V clicks H A D V clicks
H A DV
Fig. 1. Intercept-resend (faked-state) attack Eve could launch against a QKD system whichruns a four-state protocol with polarization coding and passive choice of basis [21, 22,23, 24]. In the example, Eve targets the detector recording vertically polarized qubits inthe horizontal/vertical (H/V) basis. We assume here that detectors click controllably whenilluminated by an optical pulse with peak power ≥ P th , and that they are blind (or keptblind) at power ≤ P th / P th , thus the V detector receivespower P th after basis choice, and clicks. The detectors recording polarized qubits in theconjugate (45 ◦ -rotated, D/A) basis each receive a pulse of power P th /
2, and thus remainblinded. In the diagram: BS, 50:50% beamsplitter; PBS, polarizing beamsplitter; HWP,half-wave plate rotated 22 . ◦ . qubit resent by Eve will be measured by Bob in the conjugate basis, resulting in a randomoutcome. Similarly, if the photonic qubit is replaced by a classical pulse of peak power P th , anincompatible choice of basis will result in arrival of pulses of power P th / P th / P th . With the latter pulse, Eve can selectively addressthe target detector without causing a click in the conjugate basis. This is illustrated in Fig. 1 inthe case of a QKD system running a four-state protocol with polarization coding and passivechoice of basis at Bob’s side. After Bob reveals in which bit slots he has registered detections,Eve will have the same raw key bit sequence as Bob. Eve thus can extract the final secret keyby listening to the classical public communication between Alice and Bob and doing the samepost-processing operations as Bob [9, 17]. Thus, providing that the above assumption of thedetector threshold behavior is satisfied, QKD systems using such detectors are vulnerable.Let us now explain how this assumption can be fulfilled. Most QKD systems today use avalanche photodiodes (APDs) to detect single photons [25]. (The two notable exceptionsare continuous-variable QKD systems [26, 27, 28, 29, 30] and those using superconductingdetectors [3, 31, 32].) For single-photon sensitivity, APDs are operated in so-called Geigermode, i.e., they are biased above the breakdown voltage so that an absorbed photon triggers anavalanche. (In case of gated-mode operation, the APD is biased above breakdown only duringthe gate time to limit noise [9, 25].) The avalanche current is sensed by a comparator beforethe avalanche is quenched to reset the diode. Quenching is achieved by lowering (passively oractively) the bias voltage below breakdown [25]. In the latter condition, however, the APD isno longer in the single-photon detection mode but behaves as a classical photodiode generatingphotocurrent proportional to the optical illumination. It is thus insensitive to single photons, butalso to noise sources (dark counts, afterpulses). However, it is still possible to make the APDclick controllably since in this classical photodiode mode, the comparator threshold translatesto a classical optical power threshold P th . Providing the threshold is well-defined, no click willever occur at power P th /
2, and Eve has at her disposal a very general attack for breaking thesecurity of most APD-based QKD systems. 4 . Blinding and controlling an actively-quenched single-photon detector
In the case of the two recently-hacked commercial QKD systems operating at telecom wave-lengths [9], transition from Geiger to classical photodiode mode was achieved by usingcontinuous-wave (c.w.) bright illumination to reduce APD bias voltage below breakdown.Equivalently, raising the breakdown voltage above the fixed bias voltage by heating the APDsalso led to blinding and control of the detectors [11].In this paper, we illustrate further the generality of the attack by taking full control of acommercial actively-quenched detector model PerkinElmer SPCM-AQR module [18]). Un-til recently, the SPCM-AQR has been the only commercially available unit among actively-quenched modules. The latter account for about half of the 28 QKD experiments using non-gated detectors reported in the literature (the other half uses passively-quenched detectors) [33].It thus makes the SPCM-AQR an obvious choice for testing. Moreover, such detectors may beused after upconverting telecom-wavelength qubits into the visible and near-infrared range,where Si modules have better detection characteristics [34]. Free-running, actively-quenchedInGaAs/InP APDs for telecom wavelenghts have also recently been introduced [35, 36]. Obvi-ously, one would rather study security and control mechanisms of actively-quenched detectorsbefore (rather than after) they get incorporated into commercial QKD systems.In the case of SPCM-AQR detector model, we achieved transition to classical photodiodemode by applying not c.w. (as for gated detectors) but instead bright pulsed illumination at thelevel of less than 10 mW at ≥
70 kHz repetition rate. Between the pulses, the detector is blind tosingle photons, and does not produce dark counts or afterpulses. However, it clicks controllablyif a classical light pulse ≥ P th is applied, as illustrated in Fig. 2.
4. Blinding mechanisms
Fig. 3(a) shows at which optical pulse frequencies blinding of the detector is achieved, and thecorresponding bias voltage at the APD. We identified three distinct mechanisms responsiblefor blinding. Each mechanism is activated in a different range of control pulse frequencies, as (cid:2) I npu t ill u m i na t i on , m W D e t e c t o r ou t pu t I npu t ill u m i na t i on , m W (cid:2) s D e t e c t o r ou t pu t Fig. 2. Oscillogram at detector output (lower trace) illuminated by bright optical pulses(upper trace) made of control pulses (808nm, 8 mW, 50ns wide, 800kHz repetition rate)to blind the detector, and of weaker trigger pulses (8ns wide). The trigger pulses makethe detector click with unity probability and sub-nanosecond time jitter only above a cer-tain power threshold. In the example, detector always clicks at P th = . ≤ . AP D b i a s v o l t age , V ( a t T ) P control , mW (a) U . i npu t o ff s e t, V AP D b i a sv o l t age , V ( a t T ) −0.5−0.4−0.3−0.2−0.1010 I T E C , A Blinding pulse frequency, Hz10 T he r m i s t o r t e m pe r a t u r e , (cid:2) C −1001020304050TEC currentThermistor temperature320340360380400420 AP D b i a sv o l t age , V ( a t T ) −0.5−0.4−0.3−0.2−0.1010 I T E C , A Blinding pulse frequency, HzOpamp overload Thermal blindingDC/DC converter overload U . i npu t o ff s e t, V (b) Fig. 3. Detector blinding: (a) APD bias voltage vs. frequency and peak optical power P control of rectangular 50 ns wide input optical pulses. Normal bias voltage at low count rate for thisdetector sample is 410V (the other detector sample we tested had bias voltage of 350V).Filled symbols denote pulse parameters at which the detector got completely blind betweenthe control pulses. (b) Parameters in the circuit vs. frequency of optical pulses with peakpower P control = PD Detectoroutput = = = = +5 V U6EMCO 9546 R920k CLC~10 mA
SliK
Buffer Comparator (cid:2)
35 ns ~30 pF?R71MC8 Quenchingcircuit+30 V 14 ns20 nsQ11IRL520 Resetcircuit 20 ns50kR242.61k50k R23 100kC3 adds ≈ T2 10.0MC9 reference +– TLC2262AI
DQC (cid:3)
In normal operation,
C10100n 10nC1110n U7.1
Adjustablevoltage
Fig. 4. Simplified reverse-engineered circuit diagram of PerkinElmer SPCM-AQR mod-ule. In normal operation, the cathode of the APD (superlow-k (SliK) type [37]) is biasedat a constant high voltage, stabilized by a feedback loop containing an opamp U7.1 (TexasInstruments TLC2262), field-effect transistor Q11 and high-voltage DC/DC converter mod-ule U6 (EMCO custom model no. 9546). The anode of the APD is connected to a detectionand quenching circuit (DQC). The DQC senses charge flowing through the APD during theavalanche, then briefly connects the APD anode to +
30V to lower the voltage across theAPD below breakdown and quench the avalanche. The APD anode voltage is subsequentlyreset to 0V, and the detector becomes ready for the next avalanche. (Note: the circuit dia-gram has been greatly simplified for the paper; do not use this figure for attempting detectorrepair or modification.) discussed below.The first blinding mechanism corresponds to transition from Geiger to classical photodiodemode by lowering the APD bias voltage below breakdown. As the frequency of optical pulsesincreases, control first appears when the APD bias voltage drops by 12–15 V (Fig. 3(a)). Tounderstand why it drops, let’s consider the detector electrical circuit depicted in Fig. 4. Whenthe APD is illuminated by a bright optical pulse, the current through it is not interrupted bythe detection and quenching circuit (DQC) and is much larger than during an ordinary single-photon avalanche. A current limiting circuit (CLC) kicks in and limits the current pulse to about10 mA. This current is drawn from the capacitor C9, whose other end is connected to the outputof a low-power opamp U7.1. This opamp has a specified maximum load current significantlysmaller than 10 mA. It gets overloaded by the current pulses, and unexpectedly develops a largestatic voltage offset between its inputs (see Fig. 3(b), middle chart), which may be a behaviorspecific to this particular opamp integrated circuit. Yet, this negative offset effectively adds tothe pre-set reference voltage at the opamp non-inverting input, and the feedback loop lowersthe APD bias voltage proportionally.At higher control pulse frequencies ∼ − ◦ C with a thermo-7
PDThermistorTEC cold plateTEC hot platePackage base 5 mm
Fig. 5. APD package decapsulated: the cover and fibre coupling optics have been cut off.The dark dot in the center of the APD is its photosensitive area. The APD and thermistorare mounted on the cold plate of a two-stage thermoelectric cooler (TEC). In the assem-bled detector, the package base is in thermal contact with an aluminum detector outer caseserving as a heatsink. I T E C , A T he r m i s t o r t e m pe r a t u r e , (cid:2) C I T E C , A C o l dp l a t e t e m pe r a t u r e , (cid:2) C I T E C , A I T E C , A (a) (b) Fig. 6. Comparison of thermal blinding characteristics of the PerkinElmer SPCM-AQRdetector (a) to the ones reported for ID Quantique’s Clavis2 commercial QKD system [11](b). Filled symbols denote regime in which the detector got completely blind between thecontrol pulses. For the SPCM-AQR, characteristics at P control = electric cooler (TEC), see Fig. 5. The TEC heat removal capability and maximum current areinherently limited. As can be seen in the lower chart in Fig. 3(b), after a temperature controllerreaches the maximum TEC current, the APD temperature quickly rises. The raised APD tem-perature in turn raises its breakdown voltage (by ≈ . / ◦ C) above the bias voltage, whichalso leads to blinding. The same thermal blinding behaviour has been observed before [11]: thedetectors in the commercial QKD system Clavis2 operate at a different wavelength (1550 nm)and use gating instead of active quenching. Yet, as seen in Fig. 6, they have a similar response:after reaching the maximum TEC current, the APD temperature starts increasing. Eventually,after a sufficient increase in temperature, the detectors become blind. This temperature-inducedincrease of the breakdown voltage makes thermal blinding an attack generic in principle to allavalanche single-photon detectors.At even higher pulse frequencies, the bias voltage drops again below breakdown, while the8etector is still under control. This is due to load capacity exhaustion of the high-voltage DC/DCconverter U6 biasing the APD.Above, we have demonstrated three distinct blinding modes in the SPCM-AQR detectormodel [18]. Some QKD experiments [24] use a four-channel version of this detector module,PerkinElmer SPCM-AQ4C [38]. Our preliminary analysis indicates that it has a different biascontrol circuit that is not susceptible to the first blinding mechanism (opamp overload). How-ever, it is likely susceptible to both thermal blinding and DC/DC converter overload, because ituses the same APD package and the same model of DC/DC converter.The data sheets of both detector models [18, 38] state that exposure to intense light willreduce the count rate to zero. We could reproduce a similar effect with only one out of thetwo SPCM-AQR samples we tested under up to 8–16 mW peak power, both c.w. and pulsed atvarious duty cycles and repetition rates. In that sample, a power-line monitoring circuit incorpo-rated in the detector module (not shown in Fig. 4) powered down the entire detector for 1–1 . ∼
15 MHz.The detector produced zero counts while it was powered down indeed, then recovered. Anotherpeculiarity of the SPCM-AQR model is that if a weak c.w. illumination is present while it isbeing powered up (when it either recovers as above or being manually powered up by the ex-perimenter), the DQC would latch into a ‘forbidden logic state’ with a permanent logic high atthe detector output. The detector recovers instantly from this state when the c.w. illumination isreduced below a certain level. (The SPCM-AQ4C circuit however seems to have no forbiddenlogic states.) However, we could not get controllable clicks from the detector in these blindedmodes.
5. Side effects
There are many interesting changes that can be monitored in the circuit (Fig. 3), however theonly electrical signal an unmodified detector module currently provides to the QKD system isthe detector output signal (Fig. 4). The only side effect that betrays our attack at the detectoroutput are clicks caused by blinding pulses with a rate of at least 70 kHz (Fig. 2). In a generalcase, these clicks may increase the quantum bit error rate (QBER) observed by the legitimateparties, and a further analysis whether this attack would work is required. However, in manyQKD systems Eve can arrange for these clicks to be always ignored by the legitimate par-ties as falling outside their post-processing gating time window. For instance, when attackingan entanglement-based system [24] where Eve can intercept both photons of a pair, she canarrange timing of the clicks caused by the blinding pulses to never register as coincidences be-tween Alice and Bob. In this case, the control pulses will have zero contribution to the QBER.Similarly, if the system uses a pulsed source [23, 39], the clicks can be timed to fall outsideBob’s qubit time window and thus will not increase the QBER. In free-space systems operatingin daylight [22, 23], the clicks may be masked as a normal background count rate; note that theblinding pulses can be irregularly spaced to make them look more like background counts. Weremark that the blinded state has some inertia (especially in the case of thermal blinding [11])that should in principle allow Eve to apply the blinding pulses in bursts interleaved with quietperiods when only the trigger pulses are applied.Both APDs used in the present study died suddenly, after many days of extensive testingduring which they worked normally and showed no advance signs of the coming failure. Thismay indicate that at least some of these control regimes reduce APD lifetime, although noreliable conclusions can be drawn from our limited testing. A study of failure mechanismscaused by bright light may be interesting, however it is much more challenging and expensive,and thus lies completely outside the scope of this paper. While we have exceeded the absolutemaximum rating on the peak light intensity of the detector module [18], note that Eve is never9imited by manufacturer’s specifications.
6. Countermeasures
The major difference between public-key cryptography and quantum key distribution is thatthere are security proofs for the latter. However, these security proofs are based on models of thedevices used in quantum key distribution. The fact that bright illumination attacks are applicableagainst a detector implementation, shows that this detector implementation is not within thedevice model of any security proof. However, the abovementioned difference from the public-key cryptography also requires loopholes to be closed differently than before. Rather than justavoid the specific attack, one must alter the implementation and/or the security proofs to re-ensure that the devices are within the models of the security proofs. Otherwise, the quantumkey distribution implementation is no longer provably secure, and thus has no advantage overkey distribution based on classical cryptography.Countermeasures have been extensively discussed for gated APD-based detectors [9, 11, 12,13, 40, 14, 15, 16]. That discussion shows clearly that avoiding specific attacks does not nec-essarily re-establish security. The most frequently proposed countermeasure to prevent blind-ing consists of using an optical power meter (or the APD itself as an optical power meter[12, 14, 16]) with a classical threshold at Bob’s entrance [9, 12, 13, 14, 16]. For such a coun-termeasure, the classical threshold for the optical power must originate from a more generalsecurity proof [9], otherwise the provable security is not re-established. In fact, a recent study[41] has shown that for gated APD-based detectors, control can be achieved with faint trig-ger pulses containing less than 120 photons per pulse, already making the attack very difficultto detect with an optical power meter. For gated detectors, the so-called “bit-mapped gating”scheme [40] seems to make the implementation compatible with certain security proofs [7],and may thus re-establish security. One possible way of further development down this pathwould be to test single-photon sensitivity of Bob’s APDs at random times by a calibrated lightsource placed inside Bob [40]. The results from this testing may then be used as an input toa security proof that incorporates detector deficiencies and non-linearities [7]. Alternatively,countermeasures for all detectors considered may also include monitoring the APD bias volt-age, current and temperature [11], with the efficiency of each countermeasure to be assessedin the framework of a general security proof. Although development of countermeasures hasbegun [9, 40, 12, 42, 43], no definite countermeasure has been finalized and tested by hackingat this time [13].If one simply wishes to avoid the specific bright-illumination attacks without re-establishingprovable security, there are numerous options. One could replace the APD with a beamsplitterdistributing photons to two APDs, and to look for coincidences as a signature of eavesdropping.One could also monitor any of the parameters presented in Fig. 3, or any other parameter suchas the background detection rate, revealing detector control attempts. However we don’t seewhy anybody would then prefer this QKD system that is not provably secure, over cheaper andmuch more convenient classical cryptography systems.
7. Conclusion
In view of this study, complemented by the ones made on other APD models [9, 10, 11, 17],we estimate that most of the QKD systems existing today are potentially vulnerable to ourattack. The only ‘detector-dependent’ aspect here is the type of bright illumination (none, c.w.,or pulsed) required to bring a particular APD into the classical photodiode regime. We remarkthat very similar bright-light control method is also applicable to a superconducting nanowirebased single photon detector [44]. While we have not analysed actively-quenched detectors ofmanufacturers other than PerkinElmer, the above experience suggests that there is a chance they10ay be vulnerable to some of the already studied, as well as new yet-to-be-found blinding andcontrol mechanisms.While bright-light detector control is, strictly speaking, not equivalent to the hack of a QKDsystem, we note that for one of the APD models, a full eavesdropper based on bright-lightdetector control has previously been implemented and tested under realistic conditions on a290 m experimental entanglement-based QKD system [17]. In view of this demonstration, weconsider that closing the exposed loopholes in a provable way should take precedence overconfirming that a full eavesdropper can be built for all APD models.Our work emphasizes the need to investigate thoroughly vulnerabilities originating fromunaccounted physical non-idealities of QKD components.