
arXiv:1512.07990v2 [quant-ph] 17 Sep 2016


Attacks on practical quantum key distribution systems (and how to prevent them)

Nitin Jain,1,2,3,∗ Birgit Stiller,1,2,4 Imran Khan,1,2 Dominique Elser,1,2 Christoph Marquardt,1,2 and Gerd Leuchs1,2

1 Max Planck Institute for the Science of Light, Erlangen, Germany
2 Institute of Optics, Information and Photonics, University of Erlangen-Nuremberg, Germany
3 EECS Department, Northwestern University, Evanston, USA
4 Centre for Ultrahigh bandwidth Devices for Optical Systems (CUDOS), School of Physics, University of Sydney, Australia

(Dated: September 20, 2016)

With the emergence of an information society, the idea of protecting sensitive data is steadily gaining importance. Conventional encryption methods may not be sufficient to guarantee data protection in the future. Quantum key distribution (QKD) is an emerging technology that exploits fundamental physical properties to guarantee perfect security in theory. However, it is not easy to ensure in practice that the implementations of QKD systems are exactly in line with the theoretical specifications. Such theory-practice deviations can open loopholes and compromise security. Several such loopholes have been discovered and investigated in the last decade. These activities have motivated the proposal and implementation of appropriate countermeasures, thereby preventing future attacks and enhancing the practical security of QKD. This article introduces the so-called field of quantum hacking by summarizing a variety of attacks and their prevention mechanisms.

I. BACKGROUND

A. The need for security

The art of making and breaking secrets can be traced to the early civilizations [1]. The word crypto for example has its origins in ancient Greek and means ‘hidden’ or ‘secret’. The seeds of modern cryptology were sown around 1200 years ago by the Arabs, who invented systematic methods such as frequency analysis to unravel hidden messages. With the advent and rise of information and telecommunication technologies, most notably the Internet, the interest in cryptography has shot up exponentially in the last decades. Increasing amounts of text and voice records, e.g. in emails and phone calls, are being cryptographically secured every day. This implies that the contents of the messages are (hopefully) made indecipherable to and unalterable by unauthorized parties — often called adversaries — and that the identities of the sender and the receiver are mutually attested. In particular, industry, banks, and governments strongly depend on such confidential communication.

1. Cast of characters

From a communication point of view, the most fundamental setting to study cryptography involves three entities: the message sender Alice, the message receiver Bob, and an adversary Eve, who is not authorized to know the contents of these messages but is nonetheless (malevolent and) interested in doing so. Alice and Bob are connected together by one or more communication channels over which they exchange — send and receive — these messages. Eve can exert varying amounts of control on these channels. She may just passively eavesdrop, i.e. listen to the exchange and simply copy it as best as possible for analysis. Alternatively, she may actively tamper with the messages, i.e. modify the existing content and/or inject new messages. Finally, a technically-powerful Eve may simultaneously impersonate Alice (and communicate with Bob) and Bob (and communicate with Alice) successfully, thus learning all of their secrets.

2. Basic security goals

Cryptographic schemes (also called ciphers) in modern times follow the doctrine that an adversary can/will always find out how the system or the algorithm works. The main implication of this doctrine is that all except one piece of information — aptly called the private key — must be simply assumed to be known to the adversary. In a symmetric cipher, the keys held by Alice and Bob are the same, while in an asymmetric cipher, Alice and Bob each hold a key pair called public and private key. Either way, these ciphers fulfill three basic security requirements against the aforementioned actions of Eve:

1. Confidentiality: The message can be encrypted — converted to a form from which Eve cannot derive any useful information about the original message — before being sent on the channel. Only entities that possess the key(s) can correctly decrypt the encryption, thus ensuring that the message contents remain confidential to only Alice and Bob.

2. Integrity: Upon receiving the message, Bob can get evidence if it was altered in transit. This step reveals any potential tampering by Eve, thereby assuring the integrity of the message. Depending on the desired application, integrity can either be assured in a standalone manner or along with confidentiality.

3. Authenticity: During the entire communication, Alice/Bob have the confidence that the entity on the other end of the channel is Bob/Alice and not Eve. Just like for encryption, Alice and Bob can authenticate themselves using keys that are known to only them, denying Eve the opportunity to pose as Bob to Alice or vice-versa.

For most communication-based applications these days, the task of authentication usually also addresses the requirement of integrity. If Alice’s bit sequence has been altered by Eve, both integrity and authenticity will be violated. Authentication combined with encryption, aptly called authenticated encryption, forms one of the most natural notions of information security [2].

B. Computational vs. Information-theoretic security

An obvious question to ask at this point is, ‘What guarantees the security of these ciphers?’ In the modern context, perhaps the most basic requirement is that the keys must not be guessable for the adversary. This in turn implies that the keys must be sufficiently long and random as otherwise, the adversary may guess the correct key by means of an exhaustive search. Keys are typically realized as random bitstrings of a certain length. For instance, the advanced encryption standard (AES) cipher, which forms the workhorse of cryptographic security nowadays, typically employs a 256-bit key. To break a single AES encryption, an exhaustive search would take $2^{256} > 10^{75}$ steps, currently requiring billions of years with state-of-the-art ultra-massive computing resources. Conversely, a short key, such as in the data encryption standard (DES) cipher, which was employed until the early years of this century, can be guessed in a matter of days on a normal computer or hours on a cluster of computing devices. This is the reason why DES has officially been declared insecure, as also illustrated in Fig. 1.

AES and DES are examples of symmetric ciphers. Asymmetric ciphers, such as the RSA (named after its inventors Rivest, Shamir, and Adleman), typically use computational hardness to make it difficult for the adversary to breach the security [3, 4]. These ciphers are based on intractable mathematical problems that make the cryptanalysis — recovery of the inputs from the output — very difficult. To elaborate, RSA is based on the prime factorization problem which essentially states that it is computationally hard to find prime numbers $p$ and $q$, if only their product $N (= p \cdot q)$ is known. Typical numbers involved in RSA problems these days are a few hundred digits long, translating to key lengths typically between 1024 and 2048 bits.

But surprisingly, many of the mathematical intractabilities exist only because no efficient methods of solving them (on classical computers) have been found to date¹. These include the discrete logarithm and the prime factorization problems that together form the foundations of several asymmetric ciphers in use today. It is clear that the discovery of new algorithms that can be efficiently operated on classical computers to solve these problems would put the security of such ciphers in jeopardy. Even otherwise, the security is at risk against an adversary in possession of unusually large computational resources that can run inefficient algorithms, yet solve the problems in a reasonable amount of time. Finally, efficient algorithms to crack these problems in the quantum domain are already known [5]. As soon as quantum computers of large enough scale become a reality, many well-known asymmetric ciphers would be easily broken. Figure 1 depicts these scenarios against a message encrypted using RSA-2048 bit key.

The security (or lack of it) of DES, AES, and RSA can thus only be defined in a computational sense. In other words, given the current state and progress of classical and quantum computing, while DES/RSA are definitely/likely insecure, AES may be considered computationally secure from a practical perspective. There does exist another encryption mechanism known as the one time pad (OTP) that does not make any assumptions about the computational capabilities of the adversary. In other words, it guarantees information-theoretic security as also shown in Fig. 1.

C. The problem of key exchange

The theoretical origins of deploying the one time pad as a private key for encryption can be found in Shannon’s seminal work [6] while the first practical ideas for implementation are due to Vernam [7]. Despite these developments being more than half a century old, one rarely hears of the OTP cipher in cryptographic installations around the world. As also shown in Fig. 1, this is due to the fact that the key/pad length must be at least as long as the message. In addition, the key must be refreshed for every new message. For typical communication bandwidths (of few Mbps) nowadays, these requirements imply that Alice and Bob should somehow be able to access a very large amount of private key material before the actual confidential exchange. This can be quite expensive to satisfy for just two users; in a multiuser environment such as the Internet, the cost of assuring unique, random, and trustworthy keys to each user would scale up to prohibitive levels with just a handful of users.

The alternative has been to use computationally-secure symmetric ciphers, such as AES, where just a few hundreds of bits of the private keys can be used for encrypting Gbits of message data. Nonetheless, the problem of how to securely distribute such private keys amongst Alice and Bob before they can communicate remains open. The current solution is to use asymmetric ciphers, such as RSA, for only the key exchange. The security premise is based on the fact that efficient algorithms to break asymmetric ciphers have so far not been found. However, this is a ticking bomb because as soon as an efficient algorithm is discovered, or in some cases, the availability of advanced quantum computers becomes a reality, the security provided by asymmetric ciphers will be in a major crisis. Compounding the worry is the fact that an adversary could simply be collecting and storing all ciphertexts today to be able to break their security in the future. Some data must remain secret for a long time, and in the modern information society, this includes not just military or financial secrets, but even data from individuals (for example, genetic codes may require protection for multiple generations).

¹ In fact, the proof for non-existence of such methods is related to one of the famous millennium problems.

[Figure 1: a message is encrypted with four ciphers (DES, 56-bit key; AES, 256-bit key; RSA, 2048-bit key; OTP, key length = message length); the generated ciphertexts are rated against adversarial capabilities (massive classical computing resources, discovery of novel algorithms, large-scale quantum computers) as definitely insecure, likely insecure, quite likely secure, or information-theoretically secure.]

FIG. 1. (Color online) Computational versus Information-theoretic security. The four ciphers: data encryption standard (DES), advanced encryption standard (AES), RSA, and one time pad (OTP), can be considered to represent the contemporary cryptographic era and, possibly, its future. They feature varying key lengths and differ algorithmically. In this fictitious example, it is assumed that only the legitimate parties possess the keys for the four ciphers. An adversary captures the corresponding ciphertexts ctXs, with X denoting a cipher, and performs cryptanalysis with whatever abilities he/she has in order to know the original message. Depending on the cipher, the adversary may or may not be able to breach the cryptographic security today or in (near) future. Note that longer keys do not necessarily imply a higher level of security.

D. (Post-)Quantum cryptography

There are currently two approaches to tackle the above problem. The first, called quantum key distribution [8, 9], addresses the problem of key distribution directly using principles of quantum physics. The other approach/field, called post-quantum cryptography, looks at the development of novel classical ciphers that would be invulnerable to quantum computers [10, 11]. Note that even though its definition allows it to be, quantum key distribution (QKD) was historically not considered a part of post-quantum cryptography (PQC). The European Telecommunication Standards Institute (ETSI) has recently taken cognizance of this by bringing both QKD and PQC under an umbrella term: quantum-safe cryptography [12].

The ideas that led to post-quantum cryptography were first conceived in the late 1970s [13, 14]. The first formal proposal of QKD was made in 1984 under the name quantum cryptography [15] though the idea of quantum money [16], dating back to late 1960s, is now recognized as a precursor of this proposal. Although, as of today, both QKD and PQC are conspicuous by their absence in realistic communication systems/networks (most notably the Internet), concerted efforts are being made to facilitate their integration in the existing infrastructure. In the following, we will concentrate on quantum key distribution.

II. QUANTUM KEY DISTRIBUTION (QKD)

A. Motivation: Optical communication and security

In daily life, we usually deal with macroscopic objects that are too large to perceive any quantum effects. A light bulb switch, for example, can be either in the on-state or in the off-state, but not in both at the same time. These two states of the switch-light bulb system are of course clearly distinguishable as well. In quantum mechanical terms, they are orthogonal. One can then imagine Alice to use this lamp in order to transmit messages from her room to one of her neighbours Bob who lives somewhere in her line of sight. For that purpose, Alice would encode her message in bits: lamp on would mean Bit ‘1’ and lamp off represent the Bit ‘0’. Bob simply has to write down the sequence of on/off states in order to obtain the message. This way, Alice and Bob effectively establish an optical communication link, resembling the beacon fires used in ancient times for transmitting signals along e.g. the Roman Limes or the Great Wall of China.

However, if Alice and Bob want to exchange confidential messages via their line of sight link (formally called a channel), they are in trouble. Since they have chosen orthogonal and therefore easily distinguishable light states for encoding their message, they cannot prevent Eve from also reading and decoding the message.

Nowadays, Alice and Bob of course have more efficient ways of optical communication. Alice could use a laser followed by a fast modulator and transmit her encoded light states to Bob via fibre-optic or atmospheric (line of sight) links. Bob would demodulate the states and detect them with fast photodiodes on which the impinging light states generate current pulses. However, the basic principle of using light states that are as orthogonal as possible remains the same in modern optical communication. This means that anyone else having access to the optical channel can read the messages. For instance, it recently became public that the British government communication headquarters (GCHQ) has been conducting fibre tapping activities on a large scale. For that purpose, GCHQ has installed intercepts at various landing points of undersea cables. Remarkably, fibre tapping itself does not actually require a sophisticated device since bending a fibre is sufficient to have some light leak out of it.

Clearly, not just in the ‘neighbour’ scenario but also in the case of modern optical communication, it is feasible to eavesdrop on an optical channel and obtain the message contents. In order to keep their communication secret, Alice and Bob must therefore encrypt their messages using a key as explained in subsection I A 2. It turns out that they can use their optical communication system to share a random bit sequence known only to them – essentially a secure symmetric key. But how do they get the key without sharing it with the eavesdropper?

The solution, which consists of distribution of quantum states between Alice and Bob to generate a shared symmetric key, is called quantum key distribution (QKD). The optical channel used for the communication is called quantum channel while the procedure is known as a protocol. Notably, at the end of the protocol, Alice and Bob can find out whether the key distribution process was eavesdropped. The operation and security of QKD protocols are based on concepts in quantum and classical information processing [8, 9, 17, 18]. We discuss some of the key principles of QKD below, followed by a discussion on some common aspects of QKD protocols along with a description of BB84, the first and the most well-known QKD protocol [15].

B. Main principles

For easier comprehension we choose an example in which the polarisation direction of Alice’s linearly polarized laser beam is to be determined. An oft-used method consists of rotating a polarizer around the beam axis until no intensity is observed on a photodetector placed after the polarizer. This means that the light is polarized exactly orthogonal to the polarizer axis. (Looking at a liquid crystal display with polarized sunglasses leads to the same effect). The equation

$$\cos\theta = \sqrt{\frac{I}{I_0}}, \qquad (1)$$

also known as Malus’ law, describes this phenomenon. Here $I_0$ and $I$ are the intensities before and after the polarizer, respectively, and $\theta$ is the searched value of the polarisation direction.

FIG. 2. Role of indistinguishability of non-orthogonal quantum states in QKD. a) The quantum states $u_0$ and $u_1$ encode bits ‘0’ and ‘1’ respectively. Since they are orthogonal, a measurement that can perfectly distinguish between them is possible. b) No such measurement exists for the case of non-orthogonal quantum states. The error in distinguishing increases as the angle between $u_0$ and $u_1$ decreases.

Let us also imagine that Alice reduces the output power of her laser to a level where each signal state is a single photon pulse. Actually, attenuating a coherent laser does not exactly produce single-photon states but photon number superpositions that follow a Poisson distribution with the mean photon number $\mu < 1$. Such states are called weak coherent states and they can also be employed for QKD, as we shall elaborate later. For now, let us assume that Alice has very weak laser pulses with no more than one photon per pulse.

1. Non-orthogonality of quantum states

A setup for testing Malus’ law with such single photon pulses is possible since there are photodetectors that get triggered by only one photon (such events are often denoted by the term ‘clicks’ of the detector). However, this photon is also destroyed by the measurement process and therefore can be measured only once. With only one single photon, we cannot measure the precise ratio $I/I_0$, because we have only two measurement outcomes: either the detector clicks or it does not. Notably, these discrete events happen with a $\cos^2\theta$ probability.

The only possible cases of deterministic measurements are when the polarisations of all single photons are aligned either exactly along or orthogonal to the polarizer axis. Figure 2(a) illustrates this situation. Two single photons with unknown linear polarisations that are not orthogonal to each other, as depicted in Fig. 2(b) for example, cannot be precisely discerned [18]. In other words, bits ‘0’ and ‘1’ encoded by these non-orthogonal polarisations cannot be decoded by any entity including Eve without making errors. In quantum mechanical parlance, Eve’s interaction disturbs the quantum state and this disturbance can both be detected and quantified. For that, Alice and Bob can later exchange some other classical information (about their preparation and measurement methods for each of the single photons). Crucially, if the amount of disturbance is below a certain level, Alice and Bob can classically distill a shorter bit string — the secret key — which is identical for Alice and Bob and on which Eve has no information.

2. No-cloning theorem

A classical copy machine produces duplicates by scanning the original which corresponds to a measurement process. As discussed above, such a process is not possible with unknown quantum states since in general, a single measurement does not reveal the full information of the actual state. It can also be proven in general that quantum mechanics allows no other method to produce exact copies of unknown quantum states. This is known as the no-cloning theorem [19].

For QKD, the no-cloning theorem is essential since it forbids an eavesdropper to exactly copy the quantum signal. Nonetheless, approximate or imperfect copies of the unknown quantum state can be produced by cloning machines [20]. An eavesdropping strategy based on cloning may therefore allow Eve to gain some information about the key without introducing any significant disturbances. To obtain a perfectly-secure key, Alice and Bob need to erase this partial information of Eve beforehand.

3. Authenticated channel

Apart from the quantum channel, Alice and Bob also need a classical communication channel for distilling a secret key out of their quantum state exchange. In contrast to the quantum channel, the information exchange on this classical channel can be public in the sense that Eve can listen to all messages of Alice and Bob. However, Eve must not be able to tamper with these classical messages since otherwise, she can perform the so-called man-in-the-middle attack in which she impersonates Bob for Alice and vice-versa allowing her to gain knowledge of the full key. To prevent such an attack, Alice and Bob must be authenticated to each other. This implies that a fully functioning QKD system provides authenticated encryption; see subsection I A 2.

There are symmetric algorithms that provide information-theoretic security for authentication [21, 22]. During the operation of the QKD protocol, Alice and Bob can use a small amount of the distilled key from the previous run for authentication purposes. However, this poses a difficulty for the very first key exchange. To elaborate, Alice and Bob would need a pre-shared key before they have initiated the key exchange process. Due to this, QKD is more accurately described as a key growing (instead of generation) process: an initially small key is grown to arbitrary length.

A practical solution to this initial problem, also mentioned in subsection I C, would be to use asymmetric key ciphers only for the initial step. Notably, if Eve cannot break the asymmetric key during the short moment of the very first quantum key exchange, the system can operate securely. This is because all further authentication steps would be performed by symmetric algorithms that use a part of the secure key obtained from the QKD protocol [23].

C. QKD protocols

A QKD protocol describes the procedures and operations that Alice and Bob perform in order to generate a secret shared key sequence. A typical QKD protocol consists of two main steps:

1. Quantum states are generated, transmitted through a quantum channel and measured. At the end of this exchange, Alice and Bob have bit sequences from which a shorter but correlated bit string could be extracted. Note that Eve can have partial knowledge of the extracted string.

2. In order to distill a secret, shared key out of their bit sequences, Alice and Bob perform classical data processing, typically consisting of sifting, error correction and privacy amplification. We will explain these terms in the coming pages.

For the quantum states, it is crucial that their quantum properties are conserved (at least partially) after having propagated through the quantum channel. Otherwise Eve’s attacks could go undiscovered and the security premises of QKD would not be valid anymore. Conservation of quantum properties means that the attenuation and noise in the quantum channel may not exceed certain levels. In practice, a variety of quantum-optical states, such as single-photon states, coherent and squeezed states, as well as entangled states have been tested for suitability in quantum channels implemented by optical fibres and free space links. The quantum information itself can be encoded in physical properties such as polarisation, amplitude and phase quadratures or time bins. The quantum state measurement strategy is naturally decided by the details of the quantum state preparation. For instance, polarisation-encoded single-photon states may be decoded using a polarizer followed by single photon detector(s), coherent states encoded in quadratures may be decoded using phase-sensitive homodyne detection [8, 9, 24].

FIG. 3. (Color online) Polarisation coding in BB84. a) The BB84 state alphabet can be represented by two pairs of mutually orthogonal vectors; see Fig. 2. In order to relate to polarisation, the mapping $u_{00} \equiv |H\rangle$, $u_{01} \equiv |D\rangle$, $u_{10} \equiv |V\rangle$, and $u_{11} \equiv |A\rangle$ may be used. b) Alice can prepare the BB84 quantum states by modulating the polarisation of single photons. c) Bob can use a fast rotating polariser (rot. pol.) to measure the polarisation of the incoming quantum states and obtain the bit of Alice dependent on the detection outcome. SPS/SPD: single photon source/detector.

1. Example of a QKD protocol: BB84

While the details of the quantum state preparationand measurement obviously depend on the specifics ofa QKD protocol, a fairly representative explanation canbe given through the BB84 protocol [15]. This protocolwas proposed at a conference in Bangalore, India in 1984by Charles Bennett and Gilles Brassard. We considerhere a BB84 implementation with quantum informationencoded in one of four different polarisation states of sin-gle photons.

For this purpose, Alice randomly switches between apair of mutually unbiased bases: in the Basis 0, denotedby the orange/second subscript in Fig. 3a, the bit bA = 1is encoded as a vertically polarized photon, bA = 0 asa horizontally polarized photon (bits are denoted by theblue/first subscript). Similarly, in the Basis 1, the bits 0and 1 are encoded as diagonally and anti-diagonally po-larized photons. Alice can generate these different polari-sation states using four differently oriented single photonsources (SPSs) or by modulating the polarisation of asingle SPS, as shown in Fig. 3b.

After propagation through the channel, Bob measures each quantum state, also by randomly switching between one of the two bases followed by detecting the photon. He can switch the basis by rotating a polariser to either vertical or 45° direction, corresponding to Basis 0 or 1 (see Fig. 3c). In the cases where Bob’s basis choice matches with Alice’s, a ‘Yes’ or ‘No’ detector can measure a conclusive result: when the detector clicks, bit bB = bA = 1 (Yes), when there is no click, bit bB = bA = 0 (No). In the cases where Bob chooses a different basis to Alice, his measurement results will be random and inconclusive (sometimes Yes, sometimes No).

To begin the classical processing, Alice and Bob run through their entire bitstreams, sifting all inconclusive events. For this, either of them discloses the bases (but not the bit values) on the authenticated channel. Both parties then learn of the slots where their bases had matched; the corresponding bits together make the ‘raw key’. Assuming the (unrealistic) case of a loss-less and noise-free quantum channel, Alice and Bob should possess identical raw keys after sifting.

2. How to catch the eavesdropper

The non-orthogonality principle and the no-cloning theorem, explained in subsection II B, ensure that Eve cannot obtain information of the raw key without introducing errors in the bits that Alice and Bob obtain at the end of sifting. In fact, as the next stage of the protocol, Alice and Bob publicly disclose a small and random portion of their respective raw keys and check for errors (bA ≠ bB in a given slot). Performing this allows them to numerically estimate the rate at which errors actually occur in the raw key. This yields the quantum bit error rate (QBER) [25], which is one of the most important parameters for gauging the extent of eavesdropping.

The QBER also determines the course of the rest of the protocol; for instance, the next step of error correction, which is necessary to remove the mismatches in the raw keys, is strongly dependent on the value of the QBER. More importantly and as we shall explain below (see also subsection III C), if the QBER is above some critical value, no secure key can be distilled. In such a case, Alice and Bob must either resort to another quantum channel or try again later. Although no doubt an undesirable situation, the fact that Alice and Bob realize that the communication channels are not safe provides them the chance to protect their secrets. At present, no classical cryptographic mechanism that provides such a functionality is known.

The error correction is followed by a distillation procedure in which a shorter but highly secure key is distilled from the longer but perhaps insecure raw key. This stage is known as privacy amplification [26, 27] since it increases the confidentiality of the key that Alice and Bob shared. At the end of this stage, the probability that Eve has any information of the secret key is reduced to below some requisite threshold value.


D. Security proofs

In theory, quantum key distribution can guarantee information-theoretic security of the message encrypted by the exchanged key — employed as one time pad — under certain conditions. These conditions are elaborated in quantum-mechanical security proofs that theoretically model the actions of all the involved parties (Alice, Bob, and Eve) and evaluate limits under which privacy amplification is successful in nullifying Eve’s information of the secret key.

Several different approaches for constructing security proofs (for even the same QKD protocol) are known as of today [28–34] but at the heart of the majority is a limiting value QL of the QBER. As also explained before, this is because the eavesdropper’s actions perturb the quantum states, causing errors in the measurement stage. The amount of errors can be quantified by Alice and Bob to obtain bounds on Eve’s information gain. Consequently, these proofs also provide a security assurance — in the form of bounds on the obtainable secret key rates — at the end of the protocol. Roughly speaking, if the incurred QBER value q > QL the security of the distilled key may no longer be guaranteed.

The process of theorizing a security proof for numerically evaluating QL involves making assumptions about the physical devices of Alice and Bob, the quantum channel connecting them, the optimal actions of Eve, etc. As an example, many well-established security proofs calculate a value of QL ≈ 11.0% for the BB84 protocol. In these proofs, the state preparation in Alice and state measurement in Bob are assumed to be ideal. To elaborate, pure single photons are perfectly encoded by Alice while Bob decodes each of the arriving single photons with noiseless detectors. The subsystems of Alice and Bob are also assumed to be perfectly aligned. Eve is assumed to have no physical access to Alice and Bob but the channels that connect them are her territories. On the quantum channel, she can interact with the quantum signals traversing from Alice to Bob. On the authenticated channel, Eve cannot modify the exchanged messages but may read them without paying any penalty.

Classification of attacks

There are an inexhaustible number of strategies that Eve may employ to attack the QKD system. The final objective is to obtain information about the secret key without alerting Alice and Bob. Let us explain one of the most well-known strategies called the intercept and resend attack (IRA). Eve intercepts and measures each of the signals herself and according to the measurement result, re-prepares new signals to send to Bob. Assuming Alice and Bob operate the BB84 protocol, Eve’s measurements (and hence the re-prepared states) can be correct in only half the total number of instances. Out of the remaining half, Bob’s measurements would be erroneous with a probability of 1/2 since Eve’s choice of bases did not coincide with that of Bob and Alice. In other words, Alice and Bob would notice errors in around a fourth of all the cases pointing to q ∼ 25.0% which is clearly much higher than the tolerable limit of QL ≈ 11.0%. However, if Eve performs IRA only on a fraction f < 11/25 of all the quantum signals, the QBER incurred by Alice and Bob may not cross the abort threshold; albeit Eve’s knowledge of the raw key is also reduced from a factor of 0.5 to (f ∗ 0.5 =) 0.22. Alice and Bob must then make sure that this partial information is removed in the privacy amplification step.
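The sifting and QBER estimation steps of subsection II C, together with the intercept and resend arithmetic above, can be checked with a short simulation. This is an added example, not code from the paper; the ideal lossless channel, the 10% disclosed sample and all function names are assumptions.

```python
import random

Q_L = 0.11  # limiting QBER for BB84 quoted in the text


def measure(bit, prep_basis, meas_basis, rng):
    """Ideal polarisation measurement: the same basis returns the encoded
    bit, the other (mutually unbiased) basis returns a random bit."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_slots, f_intercept=0.0, sample_frac=0.1, seed=1):
    """Simulate BB84 over a lossless, noise-free channel (assumption).

    f_intercept is the fraction of slots on which intercept and resend
    is performed. Returns the sifted key length, the true and estimated
    QBER, the fraction of the raw key Eve knows with certainty and the
    abort decision taken from the estimated QBER."""
    rng = random.Random(seed)
    raw_a, raw_b, eve_knows = [], [], []
    for _ in range(n_slots):
        bit_a, basis_a = rng.randrange(2), rng.randrange(2)
        bit, basis = bit_a, basis_a            # state travelling in the channel
        intercepted = rng.random() < f_intercept
        basis_e = None
        if intercepted:
            basis_e = rng.randrange(2)
            bit = measure(bit, basis, basis_e, rng)
            basis = basis_e                    # re-prepared state uses Eve's basis
        basis_b = rng.randrange(2)
        bit_b = measure(bit, basis, basis_b, rng)
        if basis_a == basis_b:                 # sifting: keep matching bases only
            raw_a.append(bit_a)
            raw_b.append(bit_b)
            # After the bases are announced, Eve knows the bit for certain
            # only where she intercepted in Alice's basis.
            eve_knows.append(intercepted and basis_e == basis_a)

    n = len(raw_a)
    qber_true = sum(a != b for a, b in zip(raw_a, raw_b)) / n
    # Parameter estimation: disclose a random portion of the raw key.
    sample = rng.sample(range(n), max(1, int(sample_frac * n)))
    qber_est = sum(raw_a[i] != raw_b[i] for i in sample) / len(sample)
    return {
        "sifted": n,
        "qber_true": qber_true,
        "qber_est": qber_est,
        "eve_fraction": sum(eve_knows) / n,
        "abort": qber_est > Q_L,
    }


if __name__ == "__main__":
    for f in (0.0, 0.2, 0.44, 1.0):
        r = run_bb84(100_000, f_intercept=f)
        print(f"f={f:4.2f}  QBER~{r['qber_est']:.3f}  "
              f"Eve knows {r['eve_fraction']:.3f}  abort={r['abort']}")
```

At f close to 11/25 the estimated QBER sits at the limit, so the abort decision there depends on the statistical fluctuation of the disclosed sample.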

The intercept and resend attack strategy belongs to the class of so-called individual attacks [8]. This class caters to attacks in which Eve individually interacts with the quantum signals that are enroute from Alice to Bob. Individual attacks that perform better than an IRA are already known explicitly for many QKD protocols [31, 33, 35, 36]. This implies that at some q < QL, Eve’s knowledge of the raw key can be higher than that obtained via IRA.

The amount of privacy amplification is usually evaluated in the so-called collective attacks scenario by most security proofs [9, 27, 37]. This class of attacks imposes fewer restrictions on Eve’s actions than individual attacks, thus making the security proof more general and stronger. To make things more precise, the security of a QKD protocol calculated under the assumption of collective attacks automatically insures the QKD system (operating that QKD protocol) against the best individual attacks. Nonetheless, collective attacks are still limited to specific attack strategies, in contrast to coherent attacks that account for any possible attack strategies limited only by quantum mechanics. However, and quite remarkably so, security against collective attacks also implies security against coherent attacks under some reasonable assumptions [27].

III. QUANTUM HACKING

So far we discussed various aspects of quantum key distribution assuming an ideal world. In real life, the operation of a QKD protocol deviates from the ideal due to imperfect components that make up the physical QKD system. Such deviations can have major implications not just for the design and performance of the system but also the security guarantees against attacks [38].

The field of quantum hacking investigates theory-practice deviations that specifically result in security loopholes. Given a potential deviation, e.g. due to the behaviour of a specific set of components, the first step is to experimentally confirm the existence of the loophole in the QKD implementation. This is followed by quantifying the impact of the loophole through attack simulations or further experiments. One tests the design of a new QKD system by engineering practical attacks based on known weaknesses and existing loopholes.


Despite being a fairly young field, quantum hacking has caught the interest of both the research community and (scientific) media: more than half-a-dozen research labs across the world are known to be actively engaged in this area, the number of publications in peer-reviewed journals and respectable magazines on this topic has skyrocketed, and ‘live hacking’ demonstrations have been performed at international conferences. Nonetheless, it must be emphasized that the intention of quantum hacking activities is to improve the security obtainable by practical QKD implementations. In fact, a complete implementation of the eavesdropping system — demonstration of the attack on fully-functional Alice and Bob connected by ‘proper’ quantum and authenticated channels — is rarely performed: most quantum hacking attempts display the insecurity of the QKD system only in a proof-of-principle manner. The belief is that bugs and loopholes are a part and parcel of any developing technology and practical QKD is no different in that regard. A tight scrutiny can therefore ensure the removal of vulnerabilities and patching of loopholes to guarantee a reasonable and acceptable level of security of messages encrypted by QKD systems in the future.

A. Realistic QKD

We first discuss different aspects of physical QKD systems to gain an insight into the causes and effects of problems associated with the field of realistic QKD. We do so by considering the state preparation and measurement example from subsection II C in the presence of channels, sources, and detectors that are employed in practical QKD systems.

1. Realistic channels

Absorption and scattering in the channel lead to photon loss due to which not all quantum states from Alice reach Bob in practice. Furthermore, the ones that do arrive may be decoded incorrectly because of the noise induced by the channel. (Note that Eve’s actions on the quantum channel can also certainly lead to losses apart from an increase in the noise; however, here we focus on an implementation without Eve.) This calls for a characterization of the loss and noise properties of the channel. A frequently-used parameter in that regard is the transmittance T which may be understood as the fraction of the number of photons from Alice that are received by Bob. Any realistic channel would have T < 1.

2. Realistic sources and detectors

Apart from the problems with realistic channels, realistic sources and detectors also do not generate and detect photons in a perfect manner.

FIG. 4. Two practical measurement setups for polarisation-coded BB84. a) Two detectors are used in order to reduce inconclusive measurement outcomes due to losses and noise. b) Using four detectors makes the polarisation modulator dispensable. The basis choice is then mediated passively by a non-polarising beam splitter (BS). HWP: half wave plate, pol. mod.: polarisation modulator, PBS: polarising beam splitter, D0 and D1: detectors.

Most single photon sources (SPSs) show a probability distribution in their photon number n, featuring non-zero values at n = 0 and n ≥ 2. In fact, the most popular sources used for mimicking SPS in typical QKD implementations are attenuated lasers. As mentioned before, the corresponding quantum states (called weak coherent states) are characterized by a Poissonian distribution with the mean photon number µ. Due to security reasons that will be explained later, attenuated lasers in Alice employ µ < 1 implying the output quantum signal is mostly |n = 0⟩. The single detector configuration, shown in Fig. 3c, is therefore completely impractical because the absence of a click (that would suggest bit 0) may actually have occurred because no photon was generated by Alice or the generated photon was lost in the channel due to attenuation.

A common practice is therefore to employ two detectors (labeled D0 and D1; see Fig. 4a) to measure orthogonal polarisations. Inconclusive events when neither of the two detectors clicks can now be discarded safely. Note that the basis choice can be done actively, such as by using a polarisation modulator. Alternatively, the choice between Basis 0 or Basis 1 is passively mediated by a 50/50 beam splitter with the quadruple detector assembly, as depicted in Fig. 4b. (The half wave plate rotates one orthogonal polarisation pair into the other.) Due to the beam splitter, this method leads to 50% additional loss as compared to the scheme with polarisation modulator.

Just like channels, the loss and noise properties of the detectors must also be characterized. The probability of detecting a single photon is given by a detection efficiency η < 1. Many realistic detectors also suffer from the so-called dark noise (usually denoted by a dark click probability d > 0) which means that they sometimes produce clicks even in the absence of photons.

Single photon avalanche diodes (SPADs)

To explain these concepts further, we take up the example of single photon avalanche diodes (SPADs) that are the workhorse detectors for quantum states containing single/few photons [39]. This minor detour is also necessitated by the fact that a major part of the discussion presented in section IV requires a basic understanding of SPADs.

Figure 5 shows the working principle of an SPAD via its current-voltage relationship. One can observe a bifurcation in the current-voltage diagram above the breakdown voltage Vbr of the diode. The rising current in the upper branch of the bifurcation stems from an avalanche that, in the nominal case, has been triggered by a single photon. However, in most SPADs, this event only happens with a non-unity probability η < 1. In other words, it might happen that the impinging photon fails to excite an electron-hole pair. On the other hand, these carriers may be generated due to thermal excitations inside the SPAD. In the event they result in an avalanche, the SPAD can register a dark click (denoted by a probability d > 0) which cannot be distinguished from photon clicks. Values such as η ≈ 0.2–0.3 and d < 10^−5 are typically obtained for SPADs used in QKD systems these days [9, 39, 40].

3. Finite QBER without Eve

In addition to dark noise, wrong detection events can also be caused by imperfect alignment of some optical components. A misaligned modulator in Fig. 4a, for example, would lead to erroneous detections (also see Equation 1). Furthermore, stray light can lead to false clicks since SPDs cannot distinguish between signal photons and stray light.

To sum up, errors — apart from stemming from Eve’s actions — in the shared key can also happen because of channel noise, dark click probability, optical misalignment within Bob and Alice, etc. Therefore, a finite QBER is obtained even without the actions of the adversary. Furthermore, channel losses and noise generally grow as the distance between Alice and Bob increases. Due to this, after a certain channel length, the QBER arising from these various imperfections and inefficiencies may easily exceed the critical value QL (see subsection II D).
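How the transmittance T, the detection efficiency η and the dark click probability d combine into a distance limit can be seen with a simplified two-detector model. This is an added example, not code or a formula from the paper (it is not the paper's Equation 1); the fibre loss of 0.2 dB/km, µ = 0.1, the 1% misalignment error and the neglect of double clicks and stray light are assumptions, while η = 0.2, d = 10^−5 and QL = 11% are the values quoted in the text.

```python
import math

Q_L = 0.11  # limiting QBER for BB84 quoted in the text


def qber_no_eve(length_km, mu=0.1, eta=0.2, dark=1e-5,
                loss_db_per_km=0.2, e_misalign=0.01):
    """QBER of a two-detector BB84 receiver (Fig. 4a) with no eavesdropper.

    Simplified model (assumption): per gate, a weak coherent pulse of mean
    photon number mu produces a signal click with probability
    1 - exp(-mu*T*eta); each of the two detectors adds a dark click with
    probability `dark`. A fraction e_misalign of the signal clicks and half
    of the dark clicks land in the wrong detector."""
    transmittance = 10 ** (-loss_db_per_km * length_km / 10)
    p_signal = -math.expm1(-mu * transmittance * eta)
    p_dark = 2 * dark
    p_error = e_misalign * p_signal + 0.5 * p_dark
    return p_error / (p_signal + p_dark)


def max_distance_km(q_limit=Q_L, hi=500.0, **params):
    """Largest channel length at which the Eve-free QBER stays below
    q_limit, found by bisection (the QBER grows monotonically with length
    as long as e_misalign < 0.5)."""
    lo = 0.0
    if qber_no_eve(lo, **params) >= q_limit:
        return 0.0
    if qber_no_eve(hi, **params) < q_limit:
        return hi
    for _ in range(60):
        mid = (lo + hi) / 2
        if qber_no_eve(mid, **params) < q_limit:
            lo = mid
        else:
            hi = mid
    return lo


def qber_table(lengths_km=(0, 25, 50, 75, 100, 125, 150)):
    """QBER at a few channel lengths, for a quick look at the trend."""
    return [(length, qber_no_eve(length)) for length in lengths_km]


if __name__ == "__main__":
    for length, q in qber_table():
        flag = "above QL" if q > Q_L else ""
        print(f"{length:4d} km  QBER = {q:6.2%}  {flag}")
    print(f"QBER reaches QL at about {max_distance_km():.1f} km")
```

At short distances the QBER is set by the misalignment term; once the signal click probability falls to a few times d, dark clicks dominate and the QBER climbs towards 50%.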

4. Industrial implementations

Many renowned institutes and corporate establishments actively pursue research in quantum technologies today. Startup firms such as ID Quantique [41], one of the pioneers of practical QKD systems, have been selling commercial equipment for a decade now. Their approach blends conventional and quantum encryption: keys obtained independently via RSA and QKD are combined together for 256-bit AES encryption; see subsection I B. They also collaborate with research institutes: in fact, many attacks discussed in section IV were performed on their research platform ‘Clavis2’ [42]. In the forthcoming section, we shall elaborate on these attacks.

B. Imperfections and assumptions

In the previous pages, the imperfect behaviour of light sources and detectors employed in QKD implementations was discussed. For instance, while realistic single photon sources may sometimes produce zero or multiple photons (|n = 0⟩ or |n > 1⟩ states, respectively), detectors may sometimes not only fail to detect a photon but also exhibit false detection events (efficiency η < 1 and dark noise level d > 0, respectively). Such intrinsic limitations have a major impact on the operation of the QKD system. For instance, dark noise results in a finite QBER even without Eve’s presence in the quantum channel.

FIG. 5. Current-voltage characteristics of a single photon avalanche diode (SPAD). To detect a single photon, the SPAD is operated in the Geiger mode where a voltage larger than the breakdown voltage Vbr is applied across the SPAD. In this regime, a single photon can generate an avalanche of electron-hole pairs. This avalanche produces a measurable current through the diode which indicates the detection of the photon.


Furthermore, the theoretical model considered by the security proofs (see subsection II D) may make seemingly-harmless assumptions that can however not be validated, even in principle. For instance, many of the early security proofs implicitly assumed an asymptotic operation of the QKD protocol, i.e. Alice and Bob were assumed to exchange infinitely long keys. Only recently, the issue of non-infinite length keys was investigated and the insecurity arising from such ‘finite size’ effects quantified [34, 43].

Imperfections in the QKD system hardware and insufficient/unverified assumptions in the security proof therefore lead to deviations between the theoretical model and the practical implementation. These theory-practice deviations often open loopholes in the security framework, rendering the QKD system vulnerable to quantum hacking. In other words, Eve could manipulate the operation of the QKD protocol using suitable attack strategies that violate the guarantees of the security proofs without Alice’s and Bob’s realization.

1. Side channels

The nature of Eve’s action depends on the loophole. For instance, Eve can actively manipulate the signals travelling from Alice to Bob on the quantum channel. Alternatively, she injects some radiation in Alice’s and Bob’s subsystems with the purpose of modifying the operation of a specific set of components or obtaining information about their settings. Such attacks generally carry the risk of being discovered.

In contrast, Eve may also perform certain measurements that do not directly affect Alice or Bob. To be more precise, Eve does not interact with either the physical devices or the quantum signals. These attacks usually happen if and when there is a (possibly inadvertent) leakage of information from the QKD devices. The term ‘side channel’ attacks is sometimes used in such contexts: one may interpret the encoding/decoding of information taking place on channels that exist beside the quantum and authenticated channels. For instance, imagine the sending device of Alice: a metal box that fits inside a standard 19” rack. The box features an LED that is supposed to indicate the power status of the device. However, due to bad engineering, the LED’s driving current becomes electronically coupled to the electro-optical modulator used for preparing the quantum state in a basis otherwise unknown to Eve. The impact is that the LED flashes depending on the state of the modulator, thus giving away the raw key of Alice to an eavesdropper just observing the device from a distance.

In general, whether a side channel assists Eve depends on the precise type and quality of the information available through it. The main point though is that Eve can avoid alerting Alice and Bob of her eavesdropping actions in this case.

C. Conditions for successful breach

A quantum hacking attempt is successful if it can be proven that Eve gains information of a non-negligible amount of the final secret key extracted by Alice and Bob without alerting them. The latter may be elaborated by saying that during Eve’s attack,

1. the incurred QBER must not cross the abort threshold (q ≤ Qabort), and

2. the fluctuation in the value of channel transmittance observed by Alice and Bob must remain within tolerable limits (δ < δabort).

The precise values of Qabort and δabort hardwired in the physical QKD implementation ought to depend on the QKD protocol and the security proof it follows. The QKD device manufacturer may however choose more conservative values. For instance, the research platform ‘Clavis2’ from ID Quantique features Qabort ≈ 8% < QL and δabort = 0.15 for the BB84 protocol [44, 45].

In the next section, we discuss several quantum hacking attempts that have been devised on a variety of QKD implementations in the last decade. We also analyze their performance with respect to the aforementioned conditions. Note that with the possible exception of the work presented in Ref. [46], all attacks were performed in a proof-of-principle manner.

IV. LOOPHOLES/ATTACKS IN PRACTICE

In this section, we present the main ideas of several known attacks on practical QKD. A great deal of them exploit (natural) limitations in the single photon detectors and/or imperfections in their optoelectronic interfaces. The most commonly-discussed detector type in the next pages shall be the gated² single photon avalanche diode (SPAD). While SPADs have been the workhorse detectors of single photons [39], unfortunately, they have also proven to be one of the biggest sources of vulnerabilities when it comes to practical security.

A. Faked-state attacks

A majority of attacks on single photon detectors in the last few years were based on the concept of faked states of light [47]. These states are specially-crafted optical signals prepared by Eve and sent into Bob to control his detection outcomes in a manner dictated by her.

² A train of narrow voltage pulses is applied on the diode so that it switches between the linear mode and Geiger mode; these pulses are called gates. Refer to subsection III A 2 and Fig. 5 for details on these modes.

FIG. 6. (Color online) Basic principles of faked-state attacks against BB84. As discussed in subsection II D, Eve intercepts and measures the quantum signals from Alice in a randomly-chosen basis. She prepares new states of light to fake detection events in Bob in a controllable manner. b) If the basis chosen by Bob is identical to that of Eve, the optical power of Eve’s faked state is detected fully by one of the two detectors. The resulting voltage pulse crosses the ‘click’ threshold, given by Vthj (for j = 0 or 1), and Bob obtains the bit corresponding to the detector that clicked as the measurement outcome. On the other hand, if the bases are different, the optical power is equally split across the detectors. The resulting voltage pulses in both D0 and D1 are below the respective thresholds Vth0 and Vth1, and no measurement outcome is recorded.

As shown in Fig. 6a, a faked-state attack (FSA) is implemented in the style of an intercept and resend attack (IRA), and targets detector imperfections to perform better than a conventional IRA. To be more specific, if Eve measures Alice’s state in the ‘correct’ basis (implying Eve and Alice share the same bit, bE = bA in that slot), her faked state has two possibilities for Bob:

1. Record a detection with bB = bE if Bob’s chosen basis coincides with Eve’s basis.

2. No detection event if Bob chooses the incompatible basis.

Figure 6b displays these two measurement scenarios (with detectors D0 and D1 assumed to be gated SPADs) due to faked states prepared in the same basis as that used by Alice.

However, if Eve measures Alice’s state in the incorrect basis, the situation is reversed in the sense that a detection of Eve’s state in Bob would happen only when Bob’s and Alice’s bases do not coincide. Since such measurement outcomes are sifted (see subsection II C 1), the only slots kept for further classical processing would be where Bob registered a detection outcome, and the bases of Alice, Bob and Eve were the same. With the above arguments, it can also be observed that the bits bE = bA = bB in all such slots. In other words, Eve’s raw key matches that of Alice and Bob. Thereafter, she can simply listen to error correction and privacy amplification performed by Alice and Bob and apply the same operations on her raw key.

To understand what detector imperfections may enable such an attack, note that SPADs are sensitive to single photons only when they are operated in the Geiger mode. Conversely, in the linear mode, the SPADs are not photon-sensitive; they actually act as normal photodiodes that output currents proportional to the intensity of the input optical pulses. A faked-state attack may then be implemented using pulses of appropriate intensities if Eve can somehow access Bob’s detectors in linear mode.

Before we discuss the methods to do so, note that the intensity levels must be carefully calibrated to control the detection events: different Bob-Eve basis choice slots should never result in clicks, identical basis choice slots should always give clicks. This is illustrated by Fig. 6b. With perfect control, the attack can satisfy the conditions mentioned in subsection III C easily. In fact, it can even be completely traceless [48] because in principle it does not contribute to the incurred QBER. Secondly, Bob cannot distinguish (at least, not in a simple way) between the genuine quantum signals and faked states because the detection statistics can be preserved.
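The detector-control logic of Fig. 6b can be reproduced with a toy threshold model to see which of Bob's statistics a faked-state attack leaves untouched and which it disturbs when the control is imperfect. This is an added example, not code from the paper; the normalised threshold v_th = 1, the pulse powers, the discarding of double clicks and all names are assumptions.

```python
import random


def detector_powers(bit_e, basis_e, basis_b, pulse_power):
    """Optical power reaching (D0, D1) while the SPADs are in linear mode.
    Same basis as Eve: all power goes to the detector matching her bit.
    Different basis: the power splits equally across both detectors."""
    if basis_b == basis_e:
        return (pulse_power, 0.0) if bit_e == 0 else (0.0, pulse_power)
    return (pulse_power / 2, pulse_power / 2)


def simulate(n_slots, pulse_power, v_th=1.0, seed=7):
    """Run BB84 with every slot replaced by a faked state of the given
    power and return the statistics Bob and Alice can observe."""
    rng = random.Random(seed)
    single = double = sifted = errors = eve_match = 0
    for _ in range(n_slots):
        bit_a, basis_a = rng.randrange(2), rng.randrange(2)
        basis_e = rng.randrange(2)
        # Eve's measurement result: correct in Alice's basis, random otherwise.
        bit_e = bit_a if basis_e == basis_a else rng.randrange(2)
        basis_b = rng.randrange(2)
        p0, p1 = detector_powers(bit_e, basis_e, basis_b, pulse_power)
        click0, click1 = p0 > v_th, p1 > v_th
        if click0 and click1:
            double += 1              # assumption: Bob discards double clicks
            continue
        if not (click0 or click1):
            continue                 # no detection event in this slot
        single += 1
        bit_b = 1 if click1 else 0
        if basis_a == basis_b:       # sifting on the authenticated channel
            sifted += 1
            errors += bit_b != bit_a
            eve_match += bit_e == bit_b
    return {
        "click_fraction": single / n_slots,
        "double_fraction": double / n_slots,
        "sifted": sifted,
        "qber": errors / sifted if sifted else None,
        "eve_agreement": eve_match / sifted if sifted else None,
    }


if __name__ == "__main__":
    for label, power in (("below threshold", 0.5),
                         ("between v_th and 2*v_th", 1.5),
                         ("above 2*v_th", 2.5)):
        print(label, simulate(40_000, power))
```

In this model the QBER stays at zero in every case that produces a key, so the QBER check alone reveals nothing; the deviation that does show up is in the click statistics, as a run of double clicks when the pulse power exceeds twice the threshold.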

1. Blinding loophole

The notable feature of the first few faked-state attacks [46, 48–50] was the ability of Eve to remotely create access to Bob’s SPADs in the linear mode. In Refs. [46, 48] for instance, Eve sends in CW light from the quantum channel to Bob, thereby eliciting a current through the SPADs. The impedance of the high-voltage supply (connected to the SPAD for biasing) experiences a voltage drop due to this current. This effectively leads to a lowering of the reverse bias across the SPAD: at a specific CW power, the reverse-bias voltage drops below the breakdown voltage; refer to Fig. 5. This implies that the SPAD is out of Geiger mode, or blind to single photons. The blinding loophole is arguably the most famous example of quantum hacking; perhaps because it has also been demonstrated on a variety of single photon detectors, including those based on superconducting nanowires [51], gated SPADs [48], and both actively- and passively-quenched SPADs [46, 52, 53].

FIG. 7. (Color online) Faked-state pulses for exploiting the blinding and superlinearity loopholes and used in the after-gate attack on gated SPADs. The blue line shows the gate voltage as a function of time. The filled objects represent three different methods for launching the faked-state attack. (a) A bright faked-state pulse containing a few million photons on average arrives inside the gate on top of CW light that has blinded the SPAD. (b) Eve’s pulse in the after-gate attack is roughly the same intensity as in (a) but arrives after the falling edge of the gate, i.e. when the SPAD is no longer in Geiger mode. (c) In the superlinearity loophole, the faked-state pulse is relatively dim (10–100 photons per pulse) and arrives at the falling edge of the gate.

2. After-gate attack

In case of gated SPADs, the linear mode can be remotely accessed in a much simpler way, i.e. without blinding. Typically, the duty cycle of the electronic gating signal is very small, e.g., it is < 2% for the Clavis2 system [42]. Eve can therefore attack by sending the bright faked-state pulses to impinge on the detector after the gate, i.e. when the system has withdrawn the gate (but may still validate the registration of a click due to the impinging bright pulse). Figure 7b conveys the idea, especially relative to the case of blinding, where the faked-state pulse arrives well inside the gate. Indeed, in Ref. [50], detector control through bright ‘after-gate’ faked states was demonstrated. However, the bright pulses in this case led to a severe increase in the dark noise of the detectors — resulting in a rapid rise of the QBER. Nonetheless, simulations showed that this problem could be overcome in at least some operating regimes of the QKD system. The channel transmittance T could also be preserved.

3. Superlinearity loophole

The optical intensities required to carry out the above attacks are tremendously higher than what Bob normally expects. Simple countermeasures called watchdog monitors, which we shall discuss in more detail in section V, would catch such attacks. However, if Eve could somehow use relatively dim faked states, such countermeasures might fail. Of course, for the attack to still work as explained in the beginning of this section, the detector response needs to be somewhat amplified so that even pulses that are 4–5 orders of magnitude dimmer than their blinding or after-gate counterparts can provide a reasonable level of detector control.

Such an amplification of the response, coined superlinearity³ in Ref. [54], is indeed possible if the dim pulse is sent during the transition from Geiger mode to the linear mode. An investigation of the gated SPADs of Clavis2 in the same work revealed a high degree of superlinearity: a faked-state pulse containing 10–100 photons and arriving on the falling edge of the gate, as depicted in Fig. 7c, could be detected with a probability much higher than the theoretically-modelled value. The detector control however is not perfect: while different Bob-Eve basis choice slots sometimes result in clicks (that are erroneous in half the cases), identical basis choice slots do not always yield clicks. The former leads to an increment in the QBER while the latter brings down the overall channel transmittance. Nonetheless, by tuning the parameters of the faked states, QBER and T could be controlled in order to satisfy the conditions given in subsection III C.

B. Laser damage attack

Instead of coming down the power scale, the eavesdropper can go one step further in the other direction, i.e. even beyond detector blinding. The intention is to inflict optical damage on a certain component in the QKD system and permanently change its characteristics. If the new characteristics then assist the eavesdropper in an attack without Alice or Bob getting any hints of it, the security of that practical QKD system would be in serious trouble.

In a recently-demonstrated work [55], the properties and functionality of single photon avalanche diodes (SPADs) were studied after exposing them to laser light with power in the few-watts regime, i.e. 3–4 orders of magnitude higher than the power levels used in blinding [46, 48, 51–53]. As the input power on the SPAD was increased, a large variety of effects — ranging from a permanently-induced lowering of the efficiency and dark noise level to catastrophic damages to its physical structure — were noticed. Several loopholes due to these effects were proposed and analyzed.

One of the attacks is based on the ability of the eavesdropper to remotely control the detector efficiency and dark noise levels, which conflicts with the assumptions in most security proofs [9, 30, 33, 36] since these parameters are implicitly assumed to be outside Eve’s control. Some proofs in fact suggest to ‘calibrate’ the dark noise beforehand and subtract its effect from the QBER to effectively increase the maximum channel length; see subsection III A 2. If Eve could remotely lower the dark noise of Bob’s detectors, the resultant decrease in the QBER can be leveraged to attack the system (in some other way, e.g. using faked states).

³ The expected behavior scales as 1 − exp[−µ · η(t)] with the mean photon number µ of a coherent state used for faking the detection outcomes; η(t) is the single photon detection efficiency as a function of time. Since η(t) ≪ 1 at the falling edge of the gate, 1 − exp[−µ · η(t)] ≈ µ · η(t). In other words, the expected behaviour must be nearly linear. The measured behaviour of the detection probabilities is however always above this linear curve, therefore the term superlinear.

At very high power levels, the SPAD was found to be damaged to the extent that its interconnects had melted, leaving the component in an open circuit essentially. This suggests that an SPAD based watchdog monitor, deployed at the entrance of Alice/Bob could be rendered useless by shooting enormous levels of optical power into the physical QKD system from the quantum channel. A heightened vulnerability to faked-state attacks was also observed due to the blinding effect, which was remarkably permanent in this case.

Finally, in some cases, the detection efficiency of the SPAD was also observed to have substantially decreased. Given a quadruple detector assembly, such as the one in Fig. 4b, Eve can target one of the detectors (by choosing the input polarisation) and reduce its efficiency w.r.t. the detector meant to measure the orthogonal polarisation. This opens up the detector efficiency mismatch loophole, which we describe below.

C. Detection efficiency mismatch loophole

The origin of this loophole lies in the relationship of Bob’s measurement results with his detectors. Theoretically, and as explained in subsection II C 1, only the relative choice of the bases of Alice and Bob must determine the measurement outcome. Assuming the detector assembly in Fig. 8a, this would require D0 and D1 to be indistinguishable. This is hard to obtain in practice since the physical properties of two detectors cannot be the same. Limitations in the manufacturing process along with variations in environmental conditions can make the detectors discernible⁴. For example, lengths of the fibers connecting D0 and D1 can vary [56] due to different temperatures, jitter produced by an electronic circuit fluctuates over time, sensitivities at the same input wavelength can differ [57] due to intrinsic variations in the material composition.

⁴ To understand the concept of discernibility in a simple way, one should be able to, for instance, simply exchange D0 and D1 without hindering or altering the operation of the QKD system. Of course, the key obtained by Bob would then be uniformly opposite to that of Alice but a simple NOT operation would suffice to reconcile their keys.

[Figure 8: four panels, a) to d). Labels: BS, D0, D1, basis selector, quantum channel, original link, delaying arm, advancing arm, Eve. The histograms plot photon counts against time t, with the separation δτ marked.]

FIG. 8. (Color online) Detection efficiency mismatch and time-shift attack. a) Bob measures the periodic train of photons from Alice by selecting bases and measuring the corresponding outcome in D0 or D1 for each photon. b) A simulated histogram of the instants in time when photodetection events are recorded by D0 [D1] in red [blue]. While not ideal, the situation is still secure because to Eve, no distinguishing information is available. c) The separation in time between the red and blue histograms results in a mismatch that Eve can exploit in different ways. d) Schematic of the equipment to attack the insecure system shown in c) by delaying/advancing the arrival time of Alice’s photons in Bob.

If the discerning physical property also aids control over — the clicking of — the mismatched detectors, a QKD system that employs that pair of detectors will carry a risk of an attack due to the detection efficiency mismatch (DEM) loophole [56]. Figures 8a–8c explain the idea of the loophole, with the discerning physical property being time. In an ideal world, a periodic train of incoming photons would be detected and counted at precisely the same time (say t = 0, measured relative to a reference, such as the system clock) in both D0 and D1. In practice, however, there is a spread as illustrated by the red and blue histograms of the arrival times measured by D0 and D1 in Fig. 8b, with T denoting the full width at half maximum (FWHM) value. Nonetheless, the large overlap between the two histograms signifies that the detectors are not easily discernible.

The outer envelopes of the histograms correspond to the detection efficiencies η0(t) and η1(t) of D0 and D1, respectively, as a function of time. The efficiency mismatch that allows distinguishing the detectors strongly depends on the temporal separation δτ between the efficiency curves. This can be easily visualized by comparing Figs. 8c and 8b.

Two attacks for exploiting the DEM loophole are known. In the original proposal [56], an attack using faked states [47] was considered and its performance was theoretically analyzed. A simpler alternative which we discuss below is the time-shift attack [58]. Notably, this was the first known quantum hacking attempt on a commercial QKD system.


D. Time-shift attack

Suppose Eve is aware that the QKD implementation suffers from detection efficiency mismatch as illustrated in Fig. 8c. To attack the system, she can simply delay or advance the arrival of the quantum signal pulses in Bob’s subsystem randomly. Figure 8d shows an apparatus constructed using optical switches and fibre patchcords that can perform the above actions, once installed in the quantum channel.

Using a sufficiently long [short] fibre patch cord to act as the delaying [advancing] arm, Eve can make sure that the probability for Bob to detect a photon in D1 [D0] is negligible even if his basis choice relative to Alice’s should have resulted in that outcome. Due to this, Bob’s measurement outcomes are highly dependent and correlated with Eve’s actions. The keys obtained by Bob and Alice would be quite similar to that of Eve (delaying ≡ bit 0 and advancing ≡ bit 1).

Nonetheless, one can realize that the time-shifting action results in fewer detection events than normally expected. This impacts the estimation of the channel transmittance and implies that the second condition listed in subsection III C may be hard to satisfy. Also, the incurred QBER would elevate as the ‘photonic’ detections are lowered with respect to the intrinsic ‘dark noise’ of the detectors; see subsection III A 2.

More practically, the assumption that Eve knows the exact nature of detection efficiency mismatch may not hold true. In the actual demonstration [58], the authors (who obviously had access to the QKD system) performed the time shifts only in the instances where the efficiency mismatch favoured their attack. But in practice, Eve does not have access to the actual system and there is no information that allows her to control or predict the temporal separation δτ. Even worse, δτ is a stochastic quantity fluctuating around zero. Figure 9 illustrates this scenario (only the green disks) for Clavis2; we shall explain this in more detail below. Its impact on the efficacy of a realistic time-shift attack should however be clear: instances in which |δτ| is large (as marked by the green disks with red borders) occur in < 5% of all instances.
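The two traces named above (fewer detection events, and a QBER pushed up by dark counts) can be put into numbers with a small model. This is an added example, not code from the paper: it assumes Gaussian efficiency curves of FWHM T, a common simplified QBER model in which half of the dark counts are errors, and constructed parameter values and alarm thresholds.

```python
import math

SIGMA_PER_FWHM = 1.0 / (2.0 * math.sqrt(2.0 * math.log(2.0)))

def eta(t, centre, T, eta_max):
    """Gate efficiency at arrival time t; Gaussian of FWHM T (assumed shape)."""
    sigma = T * SIGMA_PER_FWHM
    return eta_max * math.exp(-0.5 * ((t - centre) / sigma) ** 2)

def bob_observables(shift, dtau, T=1.0, eta_max=0.10, mu_t=0.05,
                    y0=2e-5, e_opt=0.01):
    """Return (click probability per gate, QBER) when pulses arrive at t = shift.

    D0's efficiency curve is centred at +dtau/2 and D1's at -dtau/2, so a
    delayed pulse favours D0 (bit 0), matching the convention in the text.
    mu_t: mean photon number reaching Bob, y0: dark-count probability per
    gate, e_opt: optical error rate. All defaults are constructed values.
    """
    clicks = errors = 0.0
    for centre in (dtau / 2.0, -dtau / 2.0):   # bit 0 -> D0, bit 1 -> D1
        p_sig = 1.0 - math.exp(-mu_t * eta(shift, centre, T, eta_max))
        clicks += 0.5 * (p_sig + y0)                  # bits are equiprobable
        errors += 0.5 * (e_opt * p_sig + 0.5 * y0)    # half the dark counts are wrong
    return clicks, errors / clicks

def shift_traces(shift, dtau, min_rate_ratio=0.7, max_qber=0.02, **kw):
    """Compare a run against the matched, unshifted baseline (dtau = 0).

    min_rate_ratio and max_qber are assumed alarm thresholds.
    """
    base_clicks, base_qber = bob_observables(0.0, 0.0, **kw)
    clicks, qber = bob_observables(shift, dtau, **kw)
    rate_ratio = clicks / base_clicks
    return {"rate_ratio": rate_ratio, "qber": qber, "baseline_qber": base_qber,
            "alarm": rate_ratio < min_rate_ratio or qber > max_qber}

if __name__ == "__main__":
    cases = {
        "residual mismatch, no shift": (0.0, 0.05),
        "dtau = 2T, pulse moved onto D0's peak": (1.0, 2.0),
        "dtau = 0.2T, pulse moved far into the tails": (1.5, 0.2),
    }
    for name, (shift, dtau) in cases.items():
        rep = shift_traces(shift, dtau)
        print(f"{name}: rate x{rep['rate_ratio']:.3f}, "
              f"QBER {rep['qber']:.3f}, alarm={rep['alarm']}")
```

With a large separation the click rate roughly halves; with a small one, any shift strong enough to separate the detectors leaves dark counts dominating the QBER.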

E. Calibration loophole

To use the time-shift attack successfully, Eve needs the QKD system to somehow exhibit a large temporal separation. Additionally, the corresponding detection efficiency mismatch must remain deterministic and ideally, the variance of δτ must be as low as possible. The right hand side of Fig. 9 (i.e. only the red dots) depicts a scenario in which at least the first condition is satisfied. These points were experimentally observed on the Clavis2 QKD system [42] by repetitively running the detector calibration routine in a manner that remotely exploited a loophole in the routine firmware and led to the induction of this temporal separation [44].

It can be compared with the situation when the calibration routine was run normally (green dots in Fig. 9). Note that while the corresponding average value of δτ, shown by the dashed-green line, is indeed quite close to zero, a small fraction of calibration runs did exhibit high detection efficiency mismatch. These instances are depicted by green dots with red borders.

FIG. 9. (Color online) Shift in the temporal separation between the detectors of Clavis2 due to Eve’s manipulation. Experimentally measured values of the temporal separation obtained after calibration runs operated without (in green) and with (in red) Eve’s hack; T is the FWHM value of the distributions shown in Figs. 8b and 8c. The induced detection efficiency mismatch (DEM) after the hack is sufficiently high to increase the efficacy of a time-shift attack [58], or even launch a successful faked-state attack [44].

The calibration routine is run by Clavis2 intermittently between the key exchanges to reduce any existent DEM, which can occur over time due to reasons explained in subsection IV C. The basic steps are: Alice sends a train of classical light pulses (instead of quantum signals) to Bob over the quantum channel. Bob periodically scans in time the arrival of Alice’s pulses by changing the gate-activation times of both detectors independently. As and when the activation instant coincides with the impinging of the pulse on say D0, the number of photon detection events recorded in D0 reaches maximum. A similar maximum in D1 is recorded; the final situation ideally looks like the one presented in Fig. 8b. The corresponding value of δτ ≈ 0.0 on average, as illustrated by the green-dashed line in Fig. 9.

The weakness that allowed the exploitation of this loophole arose due to the fixed settings of bases by Alice and Bob during the calibration phase [44]. In the normal case, photons from any part of Alice’s optical pulse can yield a click in Bob’s detectors. However, Eve can manipulate these classical pulses (on the quantum channel) in such a way that the first temporal half yields clicks only in D1, while the second half yields clicks only in D0. This results in a situation similar to that shown in Fig. 8c. Experimentally, an average separation δτ > 2T is achieved, as illustrated by the dotted-red line in Fig. 9. This large efficiency mismatch induced between Bob’s detectors can be exploited by a faked-states attack and the conditions of subsection III C can be satisfied for a large range of the channel transmittance values.
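A receiver-side sanity check on the output of the calibration scan described above: it measures T and δτ from the two gate-scan histograms and flags runs, and run histories, in which the separation is not small. This is an added example, not the vendor's routine or the paper's code; the histograms are constructed, and the sign convention for δτ, the 0.5 threshold on |δτ|/T and the use of 5% as the tolerated fraction of flagged runs are assumptions.

```python
import math

def gaussian_hist(bins, centre, fwhm, peak=100.0):
    """Constructed sample data: noiseless Gaussian click histogram."""
    sigma = fwhm / (2.0 * math.sqrt(2.0 * math.log(2.0)))
    return [peak * math.exp(-0.5 * ((t - centre) / sigma) ** 2) for t in bins]

def centroid(bins, counts):
    """Count-weighted mean gate-activation time of one detector."""
    total = sum(counts)
    if total <= 0:
        raise ValueError("no detection events in scan")
    return sum(t * c for t, c in zip(bins, counts)) / total

def fwhm(bins, counts):
    """Full width at half maximum, interpolating both half-maximum crossings."""
    half = max(counts) / 2.0
    above = [i for i, c in enumerate(counts) if c >= half]
    lo, hi = above[0], above[-1]
    if lo == 0 or hi == len(counts) - 1:
        raise ValueError("peak is cut off by the scan window")

    def crossing(i_below, i_above):
        c0, c1 = counts[i_below], counts[i_above]
        step = bins[i_above] - bins[i_below]
        return bins[i_below] + (half - c0) / (c1 - c0) * step

    return crossing(hi + 1, hi) - crossing(lo - 1, lo)

def overlap(counts0, counts1):
    """Shared area of the normalised histograms: 1 = identical, 0 = disjoint."""
    s0, s1 = sum(counts0), sum(counts1)
    return sum(min(a / s0, b / s1) for a, b in zip(counts0, counts1))

def check_calibration(bins, d0, d1, max_ratio=0.5):
    """Summarise one scan; max_ratio is an assumed alarm threshold on |dtau|/T."""
    T = 0.5 * (fwhm(bins, d0) + fwhm(bins, d1))
    dtau = centroid(bins, d0) - centroid(bins, d1)   # assumed sign convention
    ratio = abs(dtau) / T
    return {"T": T, "dtau": dtau, "ratio": ratio,
            "overlap": overlap(d0, d1), "alarm": ratio > max_ratio}

def assess_runs(reports, max_fraction=0.05):
    """Flag a calibration history in which large separations are not rare."""
    fraction = sum(1 for r in reports if r["alarm"]) / len(reports)
    return fraction, fraction > max_fraction

# Constructed scans: delays in units of T, 0.02 T per bin.
BINS = [-4.0 + 0.02 * i for i in range(501)]
NORMAL = check_calibration(BINS, gaussian_hist(BINS, 0.05, 1.0),
                           gaussian_hist(BINS, 0.0, 1.0))
SHIFTED = check_calibration(BINS, gaussian_hist(BINS, 1.1, 1.0),
                            gaussian_hist(BINS, -1.1, 1.0))

if __name__ == "__main__":
    for name, rep in (("normal", NORMAL), ("shifted", SHIFTED)):
        print(name, {k: round(v, 3) if isinstance(v, float) else v
                     for k, v in rep.items()})
    print(assess_runs([NORMAL] * 3 + [SHIFTED] * 2))
```

A check of this kind complements, and does not replace, randomising Bob's basis during calibration.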


FIG. 10. (Color online) Intercept and resend strategy to exploit the wavelength dependence of a beam splitter. Eve intercepts and measures the photon from Alice in Basis j (j = 0 or 1). The passive beam splitter (BS) in Bob has a very different splitting ratio at λj with the values R(λ0) = 0.3 × 10⁻² and R(λ1) = 0.986 experimentally observed in Ref. [60] for λ0 = 1290 nm and λ1 = 1470 nm. Eve’s resent state (not necessarily quantum in nature) to Bob is prepared at λj which means that the chances of Bob measuring it in the Basis i are quite low [high] if i ≠ j [i = j]. Also, Eve can easily select the detector to be clicked (D0 or D1) by choosing an appropriate polarisation for her resent state.

F. Wavelength-dependent beam splitter attack

Imperfections in components other than detectors can also result in vulnerabilities. A recent example [59, 60] is due to the wavelength dependence of a beam splitter, which is one of the most frequently-used components in quantum-optical experiments. A symmetric beam splitter employed at the telecom wavelength of λ ≈ 1550 nm would have roughly the same reflectivity and transmittivity values, i.e. R(λ) ≈ T(λ) ≈ 0.50 (the absorption losses are usually insignificant). A photon passing through this beam splitter would hence be detected in the transmissive or the reflective output with equal probability.

The response of the same beam splitter at other wavelengths can however be quite different. Let us assume there are two wavelengths λ0 ≠ λ1 at which the beam splitter is highly transmissive and highly reflective, respectively, i.e. T(λ0) ≲ 1.0 and R(λ1) ≲ 1.0. An attacker can substitute the quantum signals at λ with light at λ0 [λ1] to address only the transmissive [reflective] port in a deterministic fashion. More specifically, an intercept and resend attack that exploits the wavelength dependence is possible. Figure 10 shows the scheme of such an attack demonstrated with λ0 = 1290 nm and λ1 = 1470 nm [60].

The attack reportedly did not increase the QBER measured by Bob in any significant manner. Although the detection efficiency of Bob’s SPADs also varied at λ0 and λ1, any differences in the detection rates (with respect to the values expected at the normal wavelength λ) could be compensated by employing appropriately-bright coherent states in the resending stage.

G. Trojan-horse attacks

Trojan-horse attacks are amongst the most well-known class of attacks on practical QKD implementations. This term has been borrowed from classical cryptography although in the context of practical QKD, it is a misnomer since most attacks demonstrated in this category do not involve Alice or Bob accepting seemingly-benign objects from Eve. Coined in Ref. [61], the term has become well established over the years even though another term ‘large pulse attack’ for the same concept had been proposed [62, 63]. Nonetheless, to maintain consistency, we shall not buck the trend here.

In principle, the basic idea facilitating these attacks is that light is reflected/scattered back as it propagates through optical components. For instance, the change of refractive index across an interface between two components results in a Fresnel reflection. In case the light encounters mirror-like surfaces, a specular reflection is obtained. If the back-reflected photons travel through a basis selector, such as those shown in Figs. 3b and 4a, they can capture the state of the polarizer or the modulator. If they also eventually trickle out of the QKD system unnoticed onto the quantum channel, Eve can intercept them and perform appropriate measurements to discriminate between different bases settings.

Eve can actively create grounds for such an attack by sending bright pulses into the equipment of Alice/Bob from the quantum channel and scanning through the different reflections to obtain the relevant information. The works in Refs. [61, 63] explored the basic ideas and applicability conditions for implementing such type of attacks. They also proposed experimental tools, e.g. optical time domain reflectometers, to quantify the reflections in time and amplitude of a fibre-optical system. This facilitated building of the (static) reflection maps of sample QKD systems which could be crucial to decide Eve’s photon budget. Recently, proof-of-principle attacks were carried out in real-time on the QKD research platforms of ID Quantique and SeQureNet [45, 64]. The basic message of these attacks is that Eve can probe the settings of the basis selector on-the-fly and just with a handful of the back-reflected photons.

Eve’s attack may be caught using a so-called watchdog monitor, which we shall describe in some detail in the next section. Alternatively, an optical isolator can thwart the attack by simply preventing light from Eve to even enter the QKD system. However, apart from the fact that such countermeasures cannot always be simply adopted for a given QKD system, they may anyway prove vulnerable if Eve resorts to another wavelength for the attack [45, 65].


[Figure 11: schematic of Alice (laser, state preparation, watchdog detector) and Bob (watchdog detector, basis choice, detectors).]

FIG. 11. (Color online) Basic QKD implementation with watchdog detectors to guard against Eve’s radiation. The detectors monitor the incoming light to find out if Eve is carrying out an attack. These monitoring devices may be connected to the rest of the QKD system via a coupler or a switch. Ideally, a watchdog detector should be able to discern legitimate quantum signals from Eve’s radiation to prevent false alarms.

V. COUNTERMEASURES

In the previous pages, we have demonstrated ample cases of how a quantum hacker exploits deviations between the theoretical model and the practical implementation to attack the QKD system. We now discuss approaches and mechanisms — technically referred to as countermeasures — to prevent or catch such attacks from breaking the security, thereby restoring the security of the practical QKD system.

A. Basic approaches

Against side channels in particular, two approaches are possible: eliminate the leakage of information or make it useless for the adversary. The first is usually quite difficult, a better practice is to try binding the leakage and performing higher privacy amplification. Alternatively, the correlations between the side channel information and the actual secret encoding/decoding data can be reduced to the minimum possible level [66].

1. Addition or modification in hardware/software

For a significant number of attacks on QKD systems discussed above, Eve employs bright light pulses. In the cases of blinding and after-gate attacks [46, 48, 50, 51], she sends the bright light towards Bob, targeting the imperfections of the detection system. In a Trojan-horse attack, Alice’s device could also be subject to the bright illumination. For one-way QKD systems, an optical isolator at Alice’s entrance can be used to block the light from Eve. A more universal method consists in placing an additional detector at the entrance of Alice’s and Bob’s device. This so-called watchdog detector ideally monitors a portion of all incoming radiation; see Fig. 11. When the incoming light intensity is above a certain threshold, the QKD operation is interrupted and an alarm is raised.

In practice, a compromise is required between the fraction of light being monitored by the watchdog detector and the losses induced by the tap. Randomly switching between using the incoming light for QKD operation and for monitoring offers an alternative [45]. Another method would be to use the quantum light detectors themselves to monitor unwanted incoming light. As reported in Ref. [67], traces of several attacks can be found by carefully analysing the detection statistics from the quantum detectors. Instead of additional hardware, the countermeasure can therefore be implemented in a software algorithm. A software countermeasure can also repel the calibration loophole described in section IV E. The software patch consists in implementing a random basis choice in Bob during the calibration routine as well [44].

Changes in hardware are usually considered the last resort. Apart from the obvious investment of time, effort, and money in installing and testing the new hardware, such countermeasures can also prove to be the source of new risks. Alternatively, they may even prove insufficient in protecting the QKD system. For example, it is vital that both isolators and watchdog detectors function in the desired manner at ideally all the wavelengths that Eve could use to attack Alice’s or Bob’s devices [65]. However, due to intrinsic limitations, as explained further in subsection V C below, this is quite difficult to guarantee. In other words, such countermeasures would provide Alice and Bob with a false sense of security.

2. Incorporating imperfections in security proof

In some cases, the imperfections of the QKD system can be theoretically quantified. An example is the loophole arising due to the different spectral distributions of the individual laser diodes used to prepare the quantum state alphabet [66]. In this case, information leaked to Eve can be erased by applying more privacy amplification. This effectively shrinks the key but with the assurance that Eve’s partial information is destroyed. Measures like these are highly beneficial for practical QKD since by directly considering the loophole in the security proof, they reduce the theory-practice deviation. Recently, quantitative bounds for a system exposed to Trojan-horse attacks were reported, and a passive architecture to counteract the attack was proposed [68]. The key element in the evaluation – based on the specifications of realistic optical components used in QKD – was to treat the Trojan-horse attack as a side channel.

B. Conceiving novel QKD schemes

Instead of patching existent QKD protocols, it is also possible to devise schemes that are immune to one or more classes of hacking attacks. Device independent QKD (DI-QKD) is based on the violation of a Bell inequality in an entanglement-based QKD scheme [69]. Such a violation can occur only when Alice and Bob share quantum correlations. Proving a Bell inequality violation relieves Alice and Bob from the need to exactly characterise the imperfections of their sources and detectors in the context of possible attacks. However, DI-QKD currently suffers from major practical drawbacks. The tolerable losses are so low that a nearly loss-less channel (in combination with highly-efficient detectors) is required.

The extreme requirements of DI-QKD can be relaxed when employing the concept of measurement device independent QKD (MDI-QKD) [70, 71]. Here, the sources of Alice and Bob are assumed to be outside the reach of Eve, whereas the detectors need not be trusted and can even be controlled by Eve. (More generally, the idea of public-private spaces of Alice and Bob and untrusted relays in the middle to perform quantum measurements – on the public systems of Alice and Bob – can be used for designing QKD schemes that are free of all side channels [71].) This is a remarkable development for QKD since the majority of attacks so far exploited the imperfections in the detection apparatus. In the MDI-QKD scheme, Alice and Bob send quantum states to an untrusted relay called Charles who performs a Bell state measurement. The relay is potentially controlled by Eve, its trustworthiness is checked publicly by analysing the outcomes of the Bell state measurements. This scheme tolerates losses in the same order as standard QKD protocols and is therefore practically feasible [72].

Another idea that can address numerous vulnerabilities in the photon detection apparatus of realistic QKD implementations is to use optical sum frequency generation, or upconversion, to protect Bob [73]. The process of upconversion employs a nonlinear interaction between the quantum signal (from Alice) and a bright pump (inside Bob), and the characteristics of the pump may be manipulated/monitored by Bob to prevent/detect a wide range of quantum hacking attacks launched by Eve. In that sense, such an upconversion protected QKD receiver is similar to MDI-QKD, though unlike the latter, it lacks a rigorous security proof.

Finally, continuous-variable (CV) QKD schemes employ homodyne detection of light using photodetectors that operate in the linear regime. Therefore, the faked-states attacks described in subsection IV A are not straightforwardly implementable on CV-QKD systems. However, in a majority of CV-QKD setups, an additional reference beam travels through Eve’s domain. Care has to be taken that Eve’s potential manipulations of this reference are monitored [74–76].

C. Word of caution against intuitive measures

1. Isolators against Trojan-horse attacks

As mentioned above, an optical isolator is one of the best-known measures to shield practical QKD systems against Trojan-horse attacks. Such a device lets light pass when it comes from the forward direction, but blocks it when coming from the reverse direction. However, it was recently discovered that the light blockage can be guaranteed only in a narrow region around the design wavelength [65]. Eve can therefore just choose another wavelength where the extinction level of the isolator (in double pass) is insufficient. This phenomenon occurs since typical isolators are based on the wavelength-dependent Faraday effect. A solution to this vulnerability is to use the optical isolator in conjunction with a wavelength filter [65].

2. Watchdogs (superlinearity loophole)

The superlinearity loophole as described in subsection IV A 3 can be exploited by dim states of light injected by Eve into Bob’s device. Therefore this attack is difficult to catch with standard powermeter based watchdog detectors monitoring the incoming light power. The watchdog detector itself would have to be sensitive on the few photon level, exposing it to loopholes discussed in section IV A. A remedy to this loophole consists in applying gates with a varying activation time or width [77]. Another possibility consists in the modification of the mapping between detectors and bit value [78]. This remapping is done both in software and in the optical system by applying a phase shift of either 0 or π. This so-called bit-mapped gating leads to a QBER of 50% for detections outside the middle of the gate.

VI. TAKE-HOME MESSAGE

As it celebrates its 30th anniversary, quantum key distribution (QKD) has evolved from being just ‘a beautiful idea’ to the first applied quantum technology [8, 9, 15, 17]. However, as and when a technology matures, bugs and loopholes are imminent. Quantum hacking addresses the deviations between the theoretical and practical worlds of QKD by discovering and closing loopholes and thus should be considered as a natural as well as essential ingredient in the evolution. Let us emphasize that the role of quantum hacking is not to derail its progress but to prevent security problems in future if and when QKD is deployed. That fortunately has also been the case so far: the rise of quantum hacking has also gone hand in hand with miscellaneous landmarks in the last decade. To name a few:

• Maximum possible distance between Alice and Bob has surpassed lengths well over 100 km [79–83] and satellite quantum communication is in development at several places in the world. (Depending on the application scenario, different orbital distances have been considered [84–86]).

• QKD links between rapidly-moving or floating platforms have been demonstrated [87, 88].

• Fiber networks with multiple nodes and new architectures have been established [89–91].


• Efforts for the standardization of QKD spearheaded by the European Telecommunication Standards Institute (ETSI) are in a fairly mature stage [12].

With advances in quantum computation threatening the security of public key cryptographic systems, it is important that security of technologies such as practical quantum key distribution be scrutinized so that viable alternatives are present in the future.

ACKNOWLEDGEMENTS

We thank Kevin Guenthner for proofreading the manuscript.

[1] S. Singh, The Code Book, Doubleday, New York, NY, USA, 1999.

[2] M. Bellare and C. Namprempre, Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm, in Advances in Cryptology – ASIACRYPT 2000, Vol. 1976 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, Berlin, 2000, pp. 531–545.

[3] W. Diffie and M. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (1976), pp. 644–654.

[4] R.L. Rivest, A. Shamir, and L. Adleman, A method for obtaining digital signatures and public-key cryptosystems, Communications of the ACM 21 (1978), pp. 120–126.

[5] P.W. Shor, Algorithms for quantum computation: discrete logarithms and factoring, in Proceedings of the 35th Annual Symposium on Foundations of Computer Science, IEEE, Santa Fe, 1994, pp. 124–134.

[6] C. Shannon, Communication theory of secrecy systems, Bell System Technical Journal 28 (1949), pp. 656–715.

[7] G.S. Vernam, Secret signaling system; US Patent 1,310,719 (1919).

[8] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Quantum cryptography, Reviews of Modern Physics 74 (2002), pp. 145–196.

[9] V. Scarani, H. Bechmann-Pasquinucci, N. Cerf, M. Dusek, N. Lutkenhaus, and M. Peev, The security of practical quantum key distribution, Reviews of Modern Physics 81 (2009), pp. 1301–1350.

[10] D.J. Bernstein, J. Buchmann, and E. Dahmen (eds.), Post-Quantum Cryptography, Springer-Verlag Berlin Heidelberg, 2009.

[11] R.A. Perlner and D.A. Cooper, Quantum Resistant Public Key Cryptography: A Survey, in Proceedings of the 8th Symposium on Identity and Trust on the Internet, ACM, Gaithersburg, Maryland, 2009, pp. 85–93.

[12] Quantum Safe Cryptography and Security; An introduction, benefits, enablers and challenges; European Telecommunications Standards Institute (ETSI) White Paper V1.0.0 (2014-10), ISBN 979-10-92620-03-0.

[13] R.J. McEliece, A public-key cryptosystem based on algebraic coding theory, Deep Space Network Report, National Aeronautics and Space Administration, 1978 vol. 42–44, pp. 114–116.

[14] L. Lamport, Constructing digital signatures from a one-way function, Report CSL-98, SRI International, 1979.

[15] C.H. Bennett and G. Brassard, Quantum Cryptography: Public Key Distribution and Coin Tossing, in Proceedings of IEEE International Conference on Computers Systems and Signal Processing, IEEE, Bangalore India, 1984, pp. 175–179.

[16] S. Wiesner, Conjugate coding, SIGACT News 15 (1983), pp. 78–88.

[17] H.K. Lo, M. Curty, and K. Tamaki, Secure quantum key distribution, Nature Photonics 8 (2014), pp. 595–604.

[18] M.A. Nielsen and I.L. Chuang, Quantum Computation and Quantum Information, Cambridge University Press, New York, 2000.

[19] W.K. Wootters and W.H. Zurek, A single quantum cannot be cloned, Nature 299 (1982), pp. 802–803.

[20] V. Buzek and M. Hillery, Quantum copying: Beyond the no-cloning theorem, Physical Review A 54 (1996), pp. 1844–1852.

[21] J. Carter and M.N. Wegman, Universal classes of hash functions, Journal of Computer and System Sciences 18 (1979), pp. 143–154.

[22] M.N. Wegman and J. Carter, New hash functions and their use in authentication and set equality, Journal of Computer and System Sciences 22 (1981), pp. 265–279.

[23] D. Stebila, M. Mosca, and N. Lutkenhaus, The Case for Quantum Key Distribution, in Quantum Communication and Quantum Networking, Vol. 36 of Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, Springer Berlin Heidelberg, 2010, pp. 283–296.

[24] T.C. Ralph, Continuous variable quantum cryptography, Physical Review A 61 (1999), p. 10303.

[25] P. Townsend, Experimental investigation of the performance limits for first telecommunications window quantum cryptography systems, IEEE Photonics Technology Letters 10 (1998), pp. 1048–1050.

[26] C.H. Bennett, G. Brassard, and J.M. Robert, Privacy Amplification by Public Discussion, SIAM Journal on Computing 17 (1988), pp. 210–229.

[27] R. Renner, Security of Quantum Key Distribution, Ph.D. diss., E.T.H. Zurich, 2005.

[28] H.K. Lo and H.F. Chau, Unconditional Security of Quantum Key Distribution over Arbitrarily Long Distances, Science 283 (1999), pp. 2050–2056.

[29] P.W. Shor and J. Preskill, Simple Proof of Security of the BB84 Quantum Key Distribution Protocol, Physical Review Letters 85 (2000), pp. 441–444.

[30] N. Lutkenhaus, Security against individual attacks for realistic quantum key distribution, Physical Review A 61 (2000), p. 052304.

[31] R. Renner, N. Gisin, and B. Kraus, Information-theoretic security proof for quantum-key-distribution protocols, Physical Review A 72 (2005), p. 012332.

[32] B. Kraus, N. Gisin, and R. Renner, Lower and UpperBounds on the Secret-Key Rate for Quantum Key Distri-

Page 19: arXiv:1512.07990v2 [quant-ph] 17 Sep 2016

19

bution Protocols Using One-Way Classical Communica-tion, Physical Review Letters 95 (2005), p. 080501.

[33] C. Branciard, N. Gisin, B. Kraus, and V. Scarani, Se-curity of two quantum cryptography protocols using thesame four qubit states, Phys. Rev. A 72 (2005), p.032301.

[34] H. Inamori, N. Lutkenhaus, and D. Mayers, Uncondi-tional security of practical quantum key distribution, TheEuropean Physical Journal D 41 (2007), pp. 599–627.

[35] C. Fuchs, N. Gisin, R. Griffiths, C.S. Niu, and A. Peres,Optimal eavesdropping in quantum cryptography. I. In-formation bound and optimal strategy, Physical ReviewA 56 (1997), pp. 1163–1172.

[36] A. Niederberger, V. Scarani, and N. Gisin, Photon-number-splitting versus cloning attacks in practical im-plementations of the Bennett-Brassard 1984 protocol forquantum cryptography, Physical Review A 71 (2005), p.042316.

[37] E. Biham and T. Mor, Security of Quantum Cryptographyagainst Collective Attacks, Physical Review Letters 78(1997), pp. 2256–2259.

[38] V. Scarani and C. Kurtsiefer, The black paper of quantumcryptography: Real implementation problems, TheoreticalComputer Science 560 (2014), pp. 27–32.

[39] R.H. Hadfield, Single-photon detectors for optical quan-tum information applications, Nature Photonics 3(2009), pp. 696–705.

[40] M.A. Itzler, X. Jiang, M. Entwistle, K. Slomkowski, A.Tosi, F. Acerbi, F. Zappa, and S. Cova, Advances inInGaAsP-based avalanche diode single photon detectors,Journal of Modern Optics 58 (2011), pp. 174–200.

[41] ID Quantique SA; Website address:www.idquantique.com.

[42] Clavis2 QKD system; Datasheet available fromwww.idquantique.com.

[43] V. Scarani and R. Renner, Quantum Cryptography withFinite Resources: Unconditional Security Bound forDiscrete-Variable Protocols with One-Way Postprocess-ing, Physical Review Letters 100 (2008), p. 200501.

[44] N. Jain, C. Wittmann, L. Lydersen, C. Wiechers, D.Elser, C. Marquardt, V. Makarov, and G. Leuchs, Devicecalibration impacts security of quantum key distribution,Physical Review Letters 107 (2011), p. 110501.

[45] N. Jain, E. Anisimova, I. Khan, V. Makarov, C. Mar-quardt, and G. Leuchs, Trojan-horse attacks threaten thesecurity of practical quantum cryptography, New Journalof Physics 16 (2014), p. 123030.

[46] I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurt-siefer, and V. Makarov, Full-field implementation of aperfect eavesdropper on a quantum cryptography system,Nature Communications 2 (2011), p. 349.

[47] V. Makarov and D. Hjelme, Faked states attack on quan-tum cryptosystems, Journal of Modern Optics 52 (2005),pp. 691–705.

[48] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J.Skaar, and V. Makarov, Hacking commercial quantumcryptography systems by tailored bright illumination, Na-ture Photonics 4 (2010), pp. 686 – 689.

[49] L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J.Skaar, and V. Makarov, Thermal blinding of gated detec-tors in quantum cryptography, Optics Express 18 (2010),pp. 27938–27954.

[50] C. Wiechers, L. Lydersen, C. Wittmann, D. Elser, J.Skaar, C. Marquardt, V. Makarov, and G. Leuchs, After-

gate attack on a quantum cryptosystem, New Journal ofPhysics 13 (2011), p. 013043.

[51] L. Lydersen, M.K. Akhlaghi, H.A. Majedi, J. Skaar,and V. Makarov, Controlling a superconducting nanowiresingle-photon detector using tailored bright illumination,New Journal of Physics 13 (2011), p. 113042.

[52] V. Makarov, Controlling passively quenched single pho-ton detectors by bright light, New Journal of Physics 11(2009), p. 065003.

[53] S. Sauge, L. Lydersen, A. Anisimov, J. Skaar, and V.Makarov, Controlling an actively-quenched single photondetector with bright light, Optics Express 19 (2011), pp.23590–23600.

[54] L. Lydersen, N. Jain, C. Wittmann, O.y. Maroy, J. Skaar,C. Marquardt, V. Makarov, and G. Leuchs, Superlin-ear threshold detectors in quantum cryptography, Phys-ical Review A 84 (2011), p. 032320.

[55] A.N. Bugge, S. Sauge, A.M.M. Ghazali, J. Skaar, L. Ly-dersen, and V. Makarov, Laser Damage Helps the Eaves-dropper in Quantum Cryptography, Physical Review Let-ters 112 (2014), p. 70503.

[56] V. Makarov, A. Anisimov, and J. Skaar, Effects of de-tector efficiency mismatch on security of quantum cryp-tosystems, Physical Review A 74 (2006), p. 022313.

[57] C.H.F. Fung, K. Tamaki, B. Qi, H.K. Lo, and X. Ma,Security proof of quantum key distribution with detectionefficiency mismatch, Quantum Information & Computa-tion 9 (2009), pp. 131–165.

[58] Y. Zhao, C.H. Fung, B. Qi, C. Chen, and H.K. Lo,Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distributionsystems, Physical Review A 78 (2008), p. 042333.

[59] J.Z. Huang, C. Weedbrook, Z.Q. Yin, S. Wang, H.W. Li,W. Chen, G.C. Guo, and Z.F. Han, Quantum hackingof a continuous-variable quantum-key-distribution systemusing a wavelength attack, Physical Review A 87 (2013),p. 062329.

[60] H.W. Li et al., Attacking a practical quantum-key-distribution system with wavelength-dependent beam-splitter and multiwavelength sources, Physical Review A84 (2011), p. 062308.

[61] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ri-bordy, Trojan-horse attacks on quantum-key-distributionsystems, Physical Review A 73 (2006), p. 022320.

[62] D. Bethune and W. Risk, An autocompensating fiber-optic quantum cryptography system based on polarizationsplitting of light, IEEE Journal of Quantum Electronics36 (2000), pp. 340–347.

[63] A. Vakhitov, V. Makarov, and D. Hjelme, Large pulseattack as a method of conventional optical eavesdroppingin quantum cryptography, Journal of Modern Optics 48(2001), pp. 2023–2038.

[64] I. Khan, N. Jain, B. Stiller, C. Marquardt, and G. Leuchs,Trojan-horse attacks on continuous-variable quantumcryptographic systems, (2015), .

[65] N. Jain, B. Stiller, I. Khan, V. Makarov, C. Marquardt,and G. Leuchs, Risk Analysis of Trojan-Horse Attackson Practical Quantum Key Distribution Systems, IEEEJournal of Selected Topics in Quantum Electronics 21(2015), pp. 168–177.

[66] S. Nauerth, M. Furst, T. Schmitt-Manderbach, H. Weier,and H. Weinfurter, Information leakage via side channelsin freespace BB84 quantum cryptography, New Journal ofPhysics 11 (2009), p. 065001.

Page 20: arXiv:1512.07990v2 [quant-ph] 17 Sep 2016

20

[67] T. Ferreira da Silva, G.B. Xavier, G.P. Temporao, andJ.P. Weid, Real-time monitoring of single-photon detec-tors against eavesdropping in quantum key distributionsystems, Optics Express 20 (2012), pp. 18911–18924.

[68] M. Lucamarini, I. Choi, M.B. Ward, J.F. Dynes, Z.L.Yuan, and A.J. Shields, Practical Security BoundsAgainst the Trojan-Horse Attack in Quantum Key Dis-tribution, Physical Review X 5 (2015), p. 031030.

[69] A. Acın, N. Brunner, N. Gisin, S. Massar, S. Pironio,and V. Scarani, Device-Independent Security of QuantumCryptography against Collective Attacks, Physical ReviewLetters 98 (2007), p. 230501.

[70] H.K. Lo, M. Curty, and B. Qi, Measurement-Device-Independent Quantum Key Distribution, Physical ReviewLetters 108 (2012), p. 130503.

[71] S.L. Braunstein and S. Pirandola, Side-Channel-FreeQuantum Key Distribution, Physical Review Letters 108(2012), p. 130502.

[72] Y. Liu et al., Experimental Measurement-Device-Independent Quantum Key Distribution, Physical ReviewLetters 111 (2013), p. 130502.

[73] N. Jain and G.S. Kanter, Upconversion-based receiversfor quantum hacking-resistant quantum key distribution,Quantum Information Processing 15 (2016), pp. 2863–2879.

[74] H. Haseler, T. Moroder, and N. Lutkenhaus, Testingquantum devices: Practical entanglement verification inbipartite optical systems, Physical Review A 77 (2008),p. 032303.

[75] C. Wittmann, J. Furst, C. Wiechers, D. Elser, H. Haseler,N. Lutkenhaus, and G. Leuchs, Witnessing effective en-tanglement over a 2km fiber channel, Optics Express 18(2010), pp. 4499–4509.

[76] J.Z. Huang, S. Kunz-Jacques, P. Jouguet, C. Weedbrook,Z.Q. Yin, S. Wang, W. Chen, G.C. Guo, and Z.F. Han,Quantum hacking on quantum key distribution using ho-modyne detection, Physical Review A 89 (2014), p.032304.

[77] M. Legre and G. Ribordy, Apparatus and method forthe detection of attacks taking control of the singlephoton detectors of a quantum cryptography apparatusby randomly changing their efficiency; intl. patent WO2012/046135 A2.

[78] L. Lydersen, V. Makarov, and J. Skaar, Secure gated de-tection scheme for quantum cryptography, Physical Re-

view A 83 (2011), p. 032306.[79] R. Ursin et al., Entanglement-based quantum communi-

cation over 144 km, Nature Physics 3 (2007), p. 481.[80] T. Schmitt-Manderbach et al., Experimental Demonstra-

tion of Free-Space Decoy-State Quantum Key Distribu-tion over 144 km, Phys. Rev. Lett. 98 (2007), p. 010504.

[81] H. Takesue, S.W. Nam, Q. Zhang, R.H. Hadfield, T.Honjo, K. Tamaki, and Y. Yamamoto, Quantum key dis-tribution over a 40-dB channel loss using superconductingsingle-photon detectors, Nature Photonics 1 (2007), pp.343–348.

[82] Z. Yuan, A. Dixon, D. J, A. Sharpe, and A. Shields,Practical gigahertz quantum key distribution based onavalanche photodiodes, New Journal of Physics 11(2009), p. 45019.

[83] P. Jouguet, S. Kunz-Jacques, A. Leverrier, P. Grangier,and E. Diamanti, Experimental demonstration of long-distance continuous-variable quantum key distribution,Nature Photonics 7 (2013), pp. 378–381.

[84] T. Jennewein and B. Higgins, The quantum space race,Physics World 26 (2013), p. 52.

[85] D. Dequal, G. Vallone, D. Bacco, S. Gaiarin, V. Luceri,G. Bianco, and P. Villoresi, Experimental single photonexchange along a space link of 7000 km, Physical ReviewA 93 (2015), p. 010301.

[86] D. Elser et al., Satellite Quantum Communication viathe Alphasat Laser Communication Terminal, in Inter-national Conference on Space Optical Systems and Ap-plications (IEEE ICSOS 2015), October 27 and 28, 2015,New Orleans, USA, 2015 arXiv:1510.04507 [quant-ph].

[87] S. Nauerth, F. Moll, M. Rau, C. Fuchs, J. Horwath, S.Frick, and H. Weinfurter, Air-to-ground quantum com-munication, Nature Photonics 7 (2013), pp. 382–386.

[88] J.Y. Wang et al., Direct and full-scale experimental ver-ifications towards ground-satellite quantum key distribu-tion, Nature Photonics 7 (2013), pp. 387–393.

[89] M. Peev et al., The SECOQC quantum key distributionnetwork in Vienna, New Journal of Physics 11 (2009),p. 75001.

[90] M. Sasaki et al., Field test of quantum key distributionin the Tokyo QKD Network, Optics Express 19 (2011),pp. 10387–10409.

[91] B. Frohlich, J.F. Dynes, M. Lucamarini, A.W. Sharpe,Z. Yuan, and A.J. Shields, A quantum access network,Nature 501 (2013), pp. 69–72.