Quantum Eavesdropping without Interception: An Attack Exploiting the Dead Time of Single Photon Detectors

The security of quantum key distribution (QKD) can easily be obscured if the eavesdropper can utilize technical imperfections of the actual implementation. Here we describe and experimentally demonstrate a very simple but highly effective attack which even does not need to intercept the quantum channel at all. Only by exploiting the dead time effect of single photon detectors the eavesdropper is able to gain (asymptotically) full information about the generated keys without being detected by state-of-the-art QKD protocols. In our experiment, the eavesdropper inferred up to 98.8% of the key correctly, without increasing the bit error rate between Alice and Bob significantly. Yet, we find an evenly simple and effective countermeasure to inhibit this and similar attacks.

The security of quantum key distribution (QKD) can easily be obscured if the eavesdropper can utilize technical imperfections of the actual implementation. Here we describe and experimentally demonstrate a very simple but highly effective attack which even does not need to intercept the quantum channel at all. Only by exploiting the dead time effect of single photon detectors the eavesdropper is able to gain (asymptotically) full information about the generated keys without being detected by state-of-the-art QKD protocols. In our experiment, the eavesdropper inferred up to 98.8% of the key correctly, without increasing the bit error rate between Alice and Bob significantly. Yet, we find an evenly simple and effective countermeasure to inhibit this and similar attacks.
The communication of sensitive data has become part of our everyday life resulting in a growing need for mechanisms which ensure secure transmissions of these data. The secrecy of the information transfer can be guaranteed using a classical cryptographic method called one-time-pad. This method enables unconditionally secure communicationprovided that the exchange of the cryptographic key has been perfectly secure. In 1984 Ch. Bennett and G. Brassard showed that this indeed can be achieved using quantum cryptography, or more precisely quantum key distribution (QKD) [1,2], an approach which employs non-orthogonal quantum states for encoding information. Over the past years there have been remarkable QKD experiments pushing both the limits in distance and/or key rate [3][4][5][6] as well as the level of applicability achieving network functionality [7,8] with first systems for quantum secured communication being commercially available.
Yet, what does "secure" mean? Today there exist security proofs [9,10] showing that the ideal protocol is secure in the sense that any knowledge of an eavesdropper about the key can be quantified and consequently made negligibly small. However, these proofs rarely specify requirements for QKD hardware and, if they do, real implementations will usually not fully comply with these specifications. This can lead to new types of attacks which are not covered by the proofs and hence won't be revealed by standard security tests. Recently, considerable effort has been made to reveal those potential threats [11][12][13][14][15] and to find countermeasures against them [16][17][18][19][20][21][22]. Many attacks are designed only for very specific systems and/or require sophisticated technology which is not yet (public) state-of-the-art.
In this paper we introduce a novel type of attack which even does not need to intercept the qubits sent over the quantum channel. We show how to utilize an imperfection, which almost all QKD-systems display, namely the fact that common single photon detectors are rendered inactive for a period of time (called dead time) after a detection event. This enables the eavesdropper to unveal the full key without significantly changing the quantum bit error ratio using very simple equipment. On the one hand we demonstrate that this new attack renders a conventional QKD system absolutely insecure, but, on the other hand, we also provide an effective countermeasure.
There are two characteristic features of nearly all QKD systems implemented so far. The first is the fact that when a SPAD registers a photon, there usually follows a period of time during which it will not be able to detect a second event. This period (called dead time τ D ) can range from less than a nanosecond to some tens of microseconds. The second feature is the periodic operation: The transmitter emits signals only at well defined times t i = i · T , with period T . Consequently, in order to reduce noise originating from intermediate dark counts and scattering events, the receiver accepts a detection event only during a narrow time window (∆ tw T ) around t i -all events outside these time windows are discarded.
Several attacks have been proposed making use of the dead time of SPADs to enable intercept-resend eavesdropping strategies [24][25][26]. Effectively, for these attacks the eavesdropper employs a sophisticated intercept-resend setup and uses bright light to gain full control over the SPADs of the receiver and to generate detection events equal to his own. The attack demonstrated here is technically much simpler and neither intercepts the quantum channel nor does it require bright light to control the receiver or to spy into this system by some Trojan horse attack. Rather, it utilizes the fact that dead times enable the eavesdropper to manipulate the detection efficiencies for a short time around t i by blinding some of the installed detectors. Although the eavesdropper does not need to intercept the qubits sent over the quantum channel, she can reveal the full key without being detected.
. Depending on intensity and polarization of the pulse, Bob's SPADs detect this light with a certain probability, except for the SPAD detecting the orthogonal polarization. Bob then is partially blinded (note, in QKD protocols the events caused by blinding pulses are not taken into account as they are outside of Bob's time window) and if he agrees with Alice on using a particular event in the sifting phase Eve will have significant information about the respective key bit as it could have been detected only by not blinded detectors. Eve can easily tune the intensity of her blinding pulses and thus the information about the key. As it turns out, dim pulses containing only a few photons are sufficient to determine almost all the key (see Methods). In the following we describe a model QKD device which employs a BB84 protocol [1] with the polarization of single photons or attenuated light pulses encoding the qubits. The general principle can be easily transferred to nearly all other QKD-systems [6,27]. We set up a copy of our free space QKD system [7,23] in the lab. There, Alice used a four diode transmitter and was connected by a short free space quantum channel to Bob's four SPAD receiver module (Fig. 1a). Both, transmitter and receiver units where fully computer controlled and ran a real-time BB84 protocol. Additionally, Eve coupled dim pulses from a transmitter module, similar to the Alice module, into the quantum channel. For easier synchronization with Alice and Bob, control signals for the Eve module were obtained from Alice's controller.
The timing was set such that Alice's signal pulses were sent with a period of T = 4 µs (long enough to allow the SPADs to recover with a high probability between two consecutive signal pulses and to guarantee unbiased detections). In accordance with the timing conditions of our setup (τ D ∼ 2 µs, ∆ tw = 5 ns) the randomly polarized blinding pulses  Fig. 1. η B describes the transmission from Eve to Bob. Uniform, but non-unity transmission and detector efficiencies can be included here. For receiver modules with active basis switching (two detectors), only half of the blinding pulse intensity is necessary.
Eve's key was deduced solely from the knowledge about the setting of her blinding pulses and from eavesdropping the classical communication between Alice and Bob. To demonstrate the efficiency of this attack, Eve applied different blinding intensities during regular runs of the BB84 protocol between Alice and Bob. The calculated blinding pulse detection probabilities (Fig. 2a) are in good agreement with the experimental data particularly for low blinding pulse intensities µ ef f B . For higher values of µ ef f B , the predictions differ mainly because of a higher number of background events due to increased spontaneous emissions from Eve's laser diodes between the pulses. These, too, can render the detectors inactive and thus reduce the probability for multi-photon detection events due to blinding pulses. In our experiment no hardware gating was used, i.e. the SPADs are in principle always active. Yet, as gate times are device information we can safely assume that the eavesdropper knows about the timing of the detector efficiency relative to the signal pulses and will act accordingly.
As expected, for low blinding pulse intensities, Eve's attack has only a low probability of success and her key is hardly correlated with the sifted key between Alice and Bob. Yet, by slightly increasing the power of her pulses, the match between the keys rises rapidly. The maximum observed overlap between Bob's and Eve's sifted keys was as high as 98.83 % at a blinding pulse mean photon number of only µ ef f B = 16.52, corresponding to a mutual information I EB = 0.908 Bit (Fig. 2b). Figure 3 visualizes the success of Eve's attack, who easily recovers the emblem of the University of Munich from the one-time pad encrypted cipher.
In conclusion, we have demonstrated a powerful and successful attack that threatens many state-of-the-art QKD systems. By inserting blinding pulses into the quantum channel and eavesdropping on the classical communication only, an adversary is able to gain almost full information about the sifted key without being detected. The potential  Eve's information for the different blinding pulse intensities used in the experiment. The three datasets marked with a "*" are the ones used to decrypt the secret message shown in Fig. 3. Note, there is only a minor change of the QBER between Alice and Bob making it impossible for them to discover the attack. The sifted key files were each longer than 20 kByte, resulting in a statistical error of the QBER of < 3%.
of this attack is especially high because of its simplicity. The eavesdropper does not need to intercept the quantum channel and does not need to measure the low light level photonic signals emitted by Alice. Fortunately, the defence against this blinding attack is as simple. Evidence could be obtained, if Bob analyzes the detection events not only during the short time windows. However, by cleverly employing (several) blinding pulses at random times during this interval, Eve would simulate background noise and her attack still could remain unnoticed. A better strategy would monitor the status of the SPADs. This can be deduced from the bias voltage at the SPADs such that it is guaranteed that the detection efficiency is at a nominal level. Now, if we use only those detection events for the key generation where all detectors were active, the blinding attack and all other currently proposed dead time attacks [24][25][26] become ineffective. This scheme also avoids possible problems due to saturation effects in ultra high rate QKD set-ups [28,29], thereby establishing significant trust in this quantum secure photonic communication method.

Dead Time Analysis
SPADs exhibit a detection efficiency which depends on the overbias voltage applied. After detection, depending on the electronics, it takes some time until the detector regains full efficiency. For the characterization of the detector's dead time, we illuminated it by two consecutive faint laser pulses. The delay between the first and second pulse has been varied and the corresponding relative detection efficiency (normalized to the value after 3.5 µs was recorded (see Fig. 1b). The line is a fit using the function E(t ) = 1 with t time after detection and fit parameters τ D ,τ 2 (jitter due to pulse discrimination) and τ 3 (charging time of SPAD capacity). For passive quenching electronics the dead time τ D is particularly long (≈ 400 ns), whereas it is about 50 ns when using active quenching. Nevertheless, the eavesdropping scheme can be applied equally well.

Detection Probabilities
Blinding pulse detection probabilities To estimate Eve's information (Fig. 2) we assume that the delay between two of Bob's signal time slots and also between Eve's blinding pulse and the preceding signal pulse is greater then the average dead time of the SPADs, which itself is longer than a signal time slot. We will further assume the recovery process to be binary (on or off) with a certain dead time and a passive basis choice setup with four detectors (see Fig. 1). Active switching systems with two detectors can be analyzed accordingly.
We first calculate the detection probabilities of blinding pulses (coming from Eve) and signal pulses (emitted by Alice). We start with the blinding pulses. Let P p (µ ef f B ) and P d (µ ef f B ) be the probability that a blinding pulse is recognized in the detector analyzing parallel and diagonal polarization relative to the blinding pulse polarization, respectively. The corresponding detection probability in the orthogonal orientation is negligible. Detection probabilities depend on the blinding pulse intensity expressed as the mean photon number per pulse µ ef f B coupled into the (ideal) quantum channel. Here we include the coupling efficiency from Eve to Bob.
The probabilities of registering detections in one, two or three of the respective detectors at the same time then are: So the probabilities that none, one, two or three detectors fire due to a blinding pulse are (Fig. 2): Signal pulse detection probabilities Using the previous results, the probability that a detector registers a signal pulse, depending on the detector's polarization φ and the signal pulse's polarization θ with respect to the blinding pulse can be calculated giving with φ, θ ∈ {p, d, o} meaning parallel, diagonal and orthogonal and P o (µ ef f B ) = 0 and the signal pulse mean photon number at the receiver µ ef f S := η S µ S with mean photon number at the (signal) source µ S and coupling efficiency from Alice to Bob η S .
From this, the amount of information an adversary can gain from such an attack can be estimated: The difference between the maximum (= 1) and the current value of the binary entropy is used as the information gain a potential eavesdropper would have: it is intuitively clear that for large µ ef f B , i.e. high blinding intensities, all the terms with p S d,d and p S p,p will become small, because most of the time all detectors but the one orthogonal to the blinding pulse will be inactive. Now the information gain (A.12) can be calculated to give: In the simulation (Fig. 2) it is assumed that the photon statistics of signal and blinding pulses in a four SPAD receiver ( Fig. 1)  . This work was funded by the Elite Network of Bavaria program "QCCC" and the BMBF project "QPENS".