
Energy-time attack on detectors in quantum key distribution

Konstantin Zaitsev, Vladimir Bizin, Dmitriy Kuzmin, Vadim Makarov

TL;DR

This work tests an avalanche single-photon detector sinusoidally-gated at 312.5 MHz for superlinearity and proposes two attacks that exploit a superlinear behaviour in single-photon detectors.

Abstract

Quantum key distribution is unbreakable in theory but may be hacked via imperfections in its hardware implementations. While many imperfections have been mitigated by countermeasures and advanced security proofs, several remain unsolved. One of these is a superlinear behaviour in single-photon detectors, when the click probability rises faster with the photon number of an incoming light pulse than expected from individual independent photon detections. Here we test an avalanche single-photon detector sinusoidally-gated at 312.5 MHz for superlinearity. Its click probability is moderately superlinear. However, we notice that the click timing depends strongly on the incoming pulse energy. The click occurs progressively earlier, shifting more than 2 ns as the energy rises over a wide 50-dB range. An attacker might use this energy-time effect to conditionally toggle the click between adjacent key bit slots, violating an implicit assumption in the security proofs and rendering them inapplicable. We propose two attacks that exploit this flaw.

Paper Structure (13 sections, 8 equations, 6 figures)


Figures (6)

  • Figure 1: Experimental setup. SG, signal generator (SG1, Keysight 81180B; SG2 and SG3, Highland Technology P400); LD, laser diode (Gooch & Housego AA1405-193200-100-PM900-FCA-00); Iso, isolator (Thorlabs IO-H-1550APC); Osc, oscilloscope (LeCroy WavePro 735Zi); VOA, variable optical attenuator (OZ Optics DA100); SPD, single-photon detector under test (QRate).
  • Figure 2: Superlinearity characterisation for SPD1 and SPD2. (a) Coincidence count rate $R$. (b) Photon detection efficiency $\eta$ calculated from Eq. \ref{eq:efficiency}. A straight line with negative slope at high energy is caused by saturation. Note that with true saturation, $R \ge f$ and $\eta(t, \mu)$ cannot be evaluated. In our case, dark counts and afterpulses sometimes cause the detector to be in deadtime during the coincidence window, resulting in $R < f$ at saturation. There, $R$ is virtually independent of $\mu$ and $\ln \eta(t, \mu)$ becomes an almost linear function of $\ln \mu$.
  • Figure 3: Click time shift distribution for each detector: red (gray) for SPD1 and black for SPD2. Each histogram is normalised individually.
  • Figure 4: Mean value of click time shift distributions in Fig. \ref{fig:reaction-time}. Dotted lines and hollow symbols denote full-width at half-maximum (FWHM) of distribution exceeding $0.32~\text{ns}$. Black stars indicate conditions for each detector that maximise the difference in its click timing for an energy ratio of $7.7~\text{dB}$; they occur at $1.2$-ns trigger pulse shift for both detectors.
  • Figure 5: Temporal alignment of bit windows at Bob’s devices needed for the faked-state attack.
  • ...and 1 more figures