Adversarial Learning Game for Intrusion Detection in Quantum Key Distribution

TL;DR

A high-fidelity simulation framework for intrusion detection in decoy-state QKD, modeled as a minimax game between a learning-based defender and a physically constrained, adaptive adversary is presented.

Abstract

While Quantum Key Distribution (QKD) provides information-theoretic security, the transition from theory to physical hardware introduces side-channel vulnerabilities that traditional error metrics often fail to characterize. This paper presents a high-fidelity simulation framework for intrusion detection in decoy-state QKD, modeled as a minimax game between a learning-based defender and a physically constrained, adaptive adversary. The defender utilizes block-level telemetry (comprising decoy-state residuals, timing-histogram moments, and detector imbalances) to trigger alarms that gate key distillation . Unlike heuristic thresholds, our optimization objective is strictly operational: missed detections are penalized based on the resulting degradation of the finite-key secret fraction calculated via three-intensity decoy estimators and entropy-accumulation (EAT) penalties. The emulated adversary performs an automated search over time-shift, detector-blinding, photon number splitting (PNS), and Trojan-horse families, subject to hardware-limited feasibility bands. Concurrently, the defender co-trains one-class and temporal detectors (LSTM/TCN) using hard-negative mining to minimize the missed-attack rate at a calibrated false-alarm rate ($\text{FAR}$). Under adaptive attack scenarios, the system preserves $82\text{--}92\%$ of the honest finite-key rate while discarding only approximately $1.2\%$ of traffic, representing a net gain of $+20\text{--}35$ percentage points in usable secret bits over non-adversarial baselines. These results demonstrate that optimizing detection directly for secret-bit retention provides a robust, physically grounded layer of defense against adaptive side-channel strategies in practical QKD deployments.

Figures (8)

• Figure 1: End-to-End Minimax Training Pipeline. The diagram captures the adversarial feedback loop: the adversary (blue) samples physically feasible attack parameters to maximize the operational loss, while the defender (red) updates its neural weights to minimize the degradation of the finite-key secret fraction ($r$). The simulator serves as the non-differentiable environment bridging the two agents.
• Figure 2: Schematic of the Simulation Pipeline & Threat Model. The framework models the physical layer (Alice to Bob), the adversarial intervention (Red), and the defensive telemetry processing (Blue). Dashed lines indicate the gradient-free feedback loop used to train the adversary and the finite-key-aware loss used to update the defender.
• Figure 3: Comparison of honest vs. attacked feature distributions at $L\in\{50km,\,100km\}$. Panels display (a) timing skew/kurtosis, (b) decoy-residual norms, and (c) detector-imbalance scatter, illustrating the separability provided by the high-dimensional telemetry.
• Figure 4: ROC curves by attack family and distance. Shaded bands indicate 95% confidence intervals. All families operate in the high-AUC regime, though PNS and THA show slightly reduced separability at extended distances.
• Figure 5: Operational Impact: Retained secret-key fraction ($r/r_0$) versus False Alarm Rate. The adversarial detector (solid lines) significantly outperforms the baseline (dashed lines), recovering up to 35% of the key rate that would otherwise be lost to privacy amplification penalties.