Hacking single-photon avalanche detector in quantum key distribution via pulse illumination

Quantum key distribution (QKD) has been proved to be information-theoretically secure in theory. Unfortunately, the imperfect devices in practice compromise its security. Thus, to improve the security property of practical QKD systems, a commonly used method is to patch the loopholes in the existing QKD systems. However, in this work, we first time show an adversary's capability of exploiting the new feature of the originally flawed component to bypass a patch. Specifically, we experimentally demonstrate that the patch of photocurrent monitor against the detector blinding attack can be defeated by the pulse illumination attack proposed in this paper. We also analyze the secret key rate under the pulse illumination attack, which theoretically confirmed that Eve can conduct the attack to learn the secret key. This work indicates the importance of inspecting the security loopholes in a detection unit to further understand their impacts on a QKD system. The method of pulse illumination attack can be a general testing item in the security evaluation standard of QKD.


I. INTRODUCTION
Information security is a core of cybersecurity in the digital era. Cryptography provides a vital tool to achieve information security in cyber environment, particularly when untrusted channels are used. However, as shown in the history of cryptography, the competition between code makers and code breakers never ended. For example, the current widely-used public-key cryptographic infrastructure is threaten by a quantum computer [1]. To defeat the threat from the quantum world, quantum key distribution (QKD) [2] based on the laws of quantum mechanics provides a long-term solution, which has been proved its information-theoretical security. The key generated via QKD can be applied to one-time-pad algorithm, guaranteeing information-theoretically secure communication.
Due to plenty of efforts, QKD has developed with a fast pace even to be globalized and commercialized, becoming one of the most mature applications in the field of quantum information [3][4][5][6][7]. For example, QKD networks have been built in several countries [8][9][10], and even extend to global scale via a quantum satellite as a trusted relay [11][12][13][14]. Some enterprises have developed various commercial products based on QKD, including mobile phone, quantum safe service-mobile engine, and quantum security gateway [15]. Owing to such fast development, standardization of QKD is being considered in the European * angelhuang.hn@gmail.com † junjiewu@nudt.edu.cn Telecommunications Standards Institute (ETSI) [16], the International Standard Orgnization (ISO) [17], and the International Telecommunication Union (ITU). However, a practical QKD system may behave differently from its theoretical model, due to the discrepancies between ideal theory and imperfect practice. These discrepancies disclose security loopholes that can be exploited by an eavesdropper, Eve, to learn the secret key, compromising the practical security of QKD systems . To defeat quantum hacking, an effective countermeasure is to employ an innovative protocol, like measurement-device-independent QKD (MDI QKD) [45] and twin-field QKD (TF QKD) [46,47], to remove the threat from loopholes. However, the high demand of technique and relative low key rate of the innovative protocols limit their application and commercialization. Therefore, to relieve the security threat on the QKD systems in use, it is essential to patch the loopholes in the existing QKD systems [48,49], most of which employ prepare-and-measure QKD protocol.
As countermeasures, patches, instead of ending the hacking story, lead to a new era of quantum hackinginspire quantum attackers to conduct a new round of hacking investigation on the patched system. The quantum hackers usually take the following three strategies to counter the countermeasure. First, because a patch designer underestimates the threat of the original security loophole, Eve can apply the attack that uses the original loophole to crack the weakly patched system [36]. Second, patches challenge Eve to propose a new attack on the patches to de-functionalize them or even damage them [34,38]. Third, patches motivate Eve to discover the new feature of the flawed component to attack the patched system again, which reinforces Eve's hacking capability and shows a more general attack. Our work that bypasses a countermeasure against detector blinding attack, the photocurrent monitor, first time provides such an instance.
The detector blinding attack [23,24,27,29,36] is a quite powerful attack, which can be realized by today's technology on commercial QKD systems [23] and has been demonstrated in the full field [29]. Thus, this security threat has caused much attention to propose possible countermeasures [50][51][52][53][54]. A countermeasure that monitors the abnormal photocurrent going through the avalanche photodiode (APD) as the evidence of blinding attack was believed to be effective [50,51]. However, no independent third party has evaluated this countermeasure. In this paper, as a third-party evaluator, we show experimentally that an APD with the countermeasure of a photocurrent monitor can be hacked again. We discover that bright pulses can blind APD intermittently and meanwhile bypass the alarm of photocurrent monitor, although reasonable qubit error rate (QBER) is introduced. We call this method as pulse illumination attack.
The pulse illumination attack is a more general type of detector blinding attack than the original one that uses continuous wave (c.w.) light. In this attack, Eve does not only exploit the mode switch between the linear mode and Geiger mode via light shining, but also makes refined use of the hysteresis current after pulse shining to create a period of full blinding and detection control. This pulse illumination attack shows a novel strategy of hacking the countermeasure -exploit the new feature of the original flawed components (the APD in our case). The deep investigation on the loopholes strengthens Eve's hacking capability, and thus passes the challenge of protecting the QKD system to countermeasure proposers again. This study emphasizes the significance of further investigating the imperfections of single-photon detector, in order to improve the security property of the standard prepareand-measure QKD systems that are deployed the most in field [8,9,13]. Moreover, this study contributes a general testing item to the security certification list of QKD standard, which is being drafted in several international organizations, e.g. ETSI, ISO, and ITU [16,17,55].
In this section, we briefly review the origin blinding attack, i.e., c.w. illumination attack, and then introduce the countermeasure of the photocurrent monitor that is believed to be effective to blinding attacks. Finally, we propose pulse illumination attack as a new form of blinding attack that can bypass the photocurrent monitor.
For a BB84 QKD system, Eve can apply the c.w. blinding attack on APDs to eavesdrop the information. In the original c.w. blinding attack, Eve injects continuous light to generate a huge photocurrent through APD, which lowers the bias voltage and pulls the APD back to the linear mode that is insensitive to a single photon. Then, she conducts a fake-state attack as follows. She first intercepts and measures each state sent by Alice, and resends a trigger pulse encoded by her measurement result to control Bob's clicks as the same as hers. For more details about the original c.w. blinding attack, see Supplementary 1.
To patch the loophole exploited by the blinding attack, some QKD systems including our testing object in this work adopt a photocurrent monitor as a countermeasure against the blinding attack [23,36]. This countermeasure bases on an intuitive assumption that a blinding attack will certainly generate a distinguishable low-frequency photocurrent in the circuit of the detector. The monitor extracts the low-frequency photocurrent as an alarm of the blinding attack. Once the extracted photocurrent reaches an alarming threshold, the blinding attack is considered to be launched. Please note that the extracted photocurrent is named as reported photocurrent in the following text.
However, we find that this countermeasure can not completely hinder the pulse illumination attack. This is because the aforementioned assumption about the photocurrent under a blinding attack does not stand when optical pulses are sent to blind an APD. In this attack, a group of blinding pulses accumulatively introduces a high photocurrent. This photocurrent is also able to lower the bias voltage across the APD. As a result, the detector is blinded at that time. After the blinding pulses are gone, the detector is still blinded for a certain period, because the photocurrent gradually reduces due to capacitors in the detector. Thus the detector keeps being blinded until the photocurrent becomes fairly weak. Eve can exploit this blinded period to launch the fake-state attack to eavesdrop the information. Theoretically, the length of the blinded period is positively correlated with the energy of the blinding-pulse group.
Moreover, unlike the constant high photocurrent introduced by the c.w. illumination attack, here the photocurrent varies over time. The photocurrent monitor takes this current as high-frequency noise and ignores most of it. Therefore, Eve can apply the pulse illumination attack to eavesdrop the information without being noticed by the photocurrent monitor.

III. EXPERIMENTAL DEMONSTRATION
As a third-party evaluator, we conducted tests about the pulse illumination attack on a APD-based singlephoton detector module, provided by an independent party. In the tests, we assume that Eve only knows the public information of the detector as prior knowledge to show a real-life hacking scenario. For the single-photon detector module we tested, the frequency of gate signal is 40 MHz, and the photocurrent monitor inside the module first filters the photocurrent in the circuit of the detector via a lowpass filter to avoid high-frequency noise. The alarming threshold is set as 10 µA, which is an empiric value to safely detect c.w. illumination blinding attack. The threshold is far lower than the illegitimate value (31 µA) when c.w. illumination blinding attack works, as well as leaves a margin to the value of normal working state (1.4 µA) to avoid false alarms. Our experiment setup is shown in Fig. 1. A digital signal generator synchronize the whole system. The channel 1 of the waveform generator excites a 1550 nm laser diode to launch a group of blinding pulses towards the detector to produce a blinded period. In our experiments, the width of each blinding pulse was set as 4 ns, and we kept the energy of each blinding pulse being 13.32 pJ. The blinding pulses were applied outside the gate signals to avoid unwanted clicks caused by the blinding pulses. A group of blinding pulses only triggers a click at the beginning of the group, which is followed by 5 µs dead time. After that, the detector is blinded due to the accumulated photocurrent and thus no other clicks occur during the pulse illumination. This experimental result is shown in Fig. 2. More experimental details are given in Supplementary 2.
The channel 2 of the waveform generator excites another 1550 nm laser diode to launch a trigger pulse to calibrate the length of the blinded period and the fully controllable range inside. The methodology of calibrating a blinded period is shown in Fig. 3. A trigger pulse contains 67 photons, which can trigger a click in Geiger mode but is not strong enough to trigger a click in the linear mode. We first apply the trigger pulse at the gate just after the group of blinding pulses. If the trigger pulse causes no click, the detector is blinded during this gate.
The trigger pulse is then moved away from the group of blinding pulses gate-by-gate to repeat the calibration process until the trigger pulse causes a click. The period of no click is the blinded period. The length of the blinded period generated by a group of 250-/300-/350-/400-/450-/500-cycle blinding pulses is shown in Table I. As the trigger pulse here contained multiple photons, the length of the blinded period here is just conservative estimations.
By a similar methodology but varying the energy of the trigger pulse, we can further calibrate a fully controllable range. As shown in Fig. 2b, at each gate inside the blinded period, we vary the energy of a trigger pulse to observe the click probability and record the energy that can trigger a click with the probability of 100%/50%/0% as E always /E 1 2 /E never . If E always < 2E never , the detector at this gate in the blinded period is fully controllable by Eve for a BB84 QKD system. The experimental data of the fully controllable range in the blinded period generated by a group of 350-/400-/450-/500-cycle blinding pulses are shown in Fig. 4. Note that in all the testing above, the reported photocurrent keeps being far lower than the built-in alarming threshold of the photocurrent monitor (10 µA) as shown in Table I.

IV. SECURITY ANALYSIS FOR A DECOY-STATE BB84 QKD SYSTEM
In this section, we analyse Eve's maximum-profit strategy of attacking via pulse illumination, and we further study the threat of this attack to a real-life decoy-state BB84 QKD system. Here the detection parameters are from the Gobby-Yuan-Shields (GYS) experiment [56]. The interval length, the blinded period, and the fully controllable range are from our experimental results as shown in Table I.  and Enever inside the fully controllable range of a blinded period generated by a group of 350/400/450/500-cycle blinding pulses. The time origin is the arriving of the first blinding pulse in the group.

A. Eve's maximum-profit strategy
The strategy of Eve's attack is as follows. Without introducing deviation to the normal value of total gain, she launches fake-state attack during the fully controllable range, while blocks or passes the state from Alice during the unblinded time. Therefore, to eavesdrop the maximum information, she needs to optimize the parameters of her attack.
The total gain and QBER when the pulse illumination attack is applied can be written as where α = N control /N interval , β = (N blind + N dead )/N interval . η Bob = 4.5% is the transmittance of Bob's optical device. Here we assume ω ∈ {µ = 0.6, ν = 0.2, 0} is the mean photon number of the signal state, the decoy state, and the vacuum state. e 0 = 0.5 is the error rate of the background noise. e det = 3.3% is the misalignment error rate of the QKD optical system. Y 0 = 1.7 × 10 −6 is the probability of dark count per gate. N control /N blind /N dead /N interval is the gate number of the fully controllable range/the blinded period/the dead time/the interval length for a group of blinding pulses. p ∈ [0, 1] is the proportion of N control that Eve launches the fake-state attack. γ ∈ [0, 1] is the ratio that Eve blocks the photons from Alice during the unblinded time in each interval. During the rest of the unblinded time, the photons are allowed to pass and the corresponding gain in these gates is Q pass where η c = 10 −0.21L 10 is the transmittance of the quantum channel of the QKD system as a function of the channel length L) to hide her existence by modulating p and γ. Moreover, she will make p and γ as high as possible. Consequently, when Eve tries to make p = 1 and γ = 1 initially, she may confront with two cases: In this case, Eve only needs to decrease p to apply less fake-state attack during the fully controllable range to ensure Q µ = Q normal µ . Thus she can obtain almost all the information as all rounds of communication are either controlled or blocked.
II: Q µ < Q normal µ . In this case, Eve has to decrease γ to allow some photons pass from Alice to Bob without any intervention during the unblinded time, while keeps p = 1, and then increase Q µ to hide herself. Therefore, she can just obtain part of the total information in the communication.
Under this strategy, the QKD system cannot be aware of Eve's attack by checking the total gain. The QBER during the attack is shown in Fig. 5a.

B. The key rate estimated by Alice and Bob under pulse illumination attack
According to the decoy-state protocol [57], Alice and Bob can estimate the contribution of a single photon to the total gain and its error rate, which are given by Submitting Eq. 1 and Eq. 2 into the GLLP [58], Alice and Bob can estimate the lower bound of the key rate as Here q = 1/2 for the BB84 protocol, f (E µ ) = 1.2 for error correction, and H 2 (x) is Shannon entropy. The To judge whether Alice and Bob overestimate the key rate and thus introduce insecurity, we give the real upper bound and the lower bound of the key rate when the pulse illumination attack with Eve's strategy is applied.
The real contribution of a single photon to the total gain Y attack 1 and its error rate e attack 1 can be calculated as Then, the real upper bound and the lower bound of the key rate can be written as and R L real and R U real under 350-/400-/450-/500-cycle pulse illumination attack with Eve's strategy are shown in Fig. 5c/d/e/f as the dashed and dash-dot lines. The results show that Eve can successfully hack the QKD system and learn the secret key under certain communication distance between Alice and Bob. Take the scenario of 500-cycle pulse illumination attack as an example, we can easily find that when the channel length is between 20 km and 43 km, the estimated key rate by Alice and Bob is higher than the real lower bound but lower than the real upper bound. Thus, Alice and Bob overestimates the key rate. When the length of the quantum channel is longer than 43 km, we can ensure that the key rate estimated by Alice and Bob is insecure, because R L est is higher than R U real . Moreover, when less than 20 km, Alice and Bob happen to estimate the lower bound of the key rate correctly because GLLP is conservative when the total gain is high.

V. CONCLUSION
We investigate the effectiveness of a photocurrent monitor as a countermeasure against the detector blinding attack in a single-photon detector module that is provided by an independent party. The testing results show that the single-photon detector with a photocurrent monitor is vulnerable to the pulse illumination attack. Via this attack, Eve can blind the single-photon detector in a certain period and fully control its detection output, keeping the reported photocurrent of the photocurrent monitor similar to that in the normal state and thus without alarming the monitor. We also perform the theoretical security analysis to show that for a real-life QKD system under pulse illumination attack, Alice and Bob may overestimate the secret key rate and leak the key to Eve in a certain distance range. This pulse illumination attack indicates that the security issues in the detection side is still serious, which should be further investigated. As this attack seriously threatens the practical security of QKD systems, pulse illumination attack should be a standard testing item for the systematic security evaluation of a QKD system.
We also provide more details on the photocurrent of a detector under the pulse illumination attack obtained from a white-box experiment on our homemade detector (see Supplementary 3), which may provide some ideas of countermeasures against the pulse illumination attack. However, patching only solves the problem in a short term. A more secure method is to model the practical single-photon detector in the security proof, if the non-MDI-QKD system would like to be immune to various blinding attacks in a long term.

ACKNOWLEDGMENTS
We thank Vadim Makarov for very useful discussions. Supporting from Greatwall Quantum Laboratory is also acknowledged.

DISCLOSURES
Disclosures. The authors declare no conflicts of interest.
The BB84 protocol is typically used in QKD implementation, especially in commercial QKD systems. The polarization-encoding BB84 protocol works as follows. Alice encodes the secret key bits randomly in H/V basis or +/− basis of photons. Specifically, a photon polarized in H or + represents bit "0", while polarized in V or − represents "1". Bob likewise randomly chooses a basis from these two bases to measure the photon sent by Alice and keeps the result. After the raw key exchange, Alice and Bob compare the basis they chose for each round via a classical channel and only keep those bits that were under same basis for both sides. Then via post-processing, Alice and Bob can share the same string of the secret key. This scheme ensures the information- FIG. A1. Inner mechanism of the single-photon detector. a) The core part of the circuit of a typical single-photon detector. R bias is a huge resistor for passive quenching while Ro is a small resistor for readout. The voltage across Ro is Vo, which is the carrier of the output signals. VHV is the DC source of the single-photon detector's circuit. V bias is the bias voltage across the APD. Normally, V bias is lower than the breakdown voltage (V br ) and can be raised to be higher than it by gate signals. b) Schematic diagram of the relationship between the trigger pulse energy and the responding output signal when the APD is in the linear mode. I th is the threshold of a builtin comparator in the circuit of the single-photon detector.
Enever/E always is the trigger pulse's energy that triggers a click with 0%/100% probability, because the bound of its error bar is totally lower/higher than I th . Two different background colors intuitively indicate whether the trigger pulse can trigger a click. Only the situation that Bob chooses matching basis with Alice is discussed here. a) Bob selects the same basis (H/V ) with Eve. Subsequently, the full trigger pulse transmits through the polarizing beam splitter (PBS) and triggers a click that means 0, which is identical with Eve's measurement result. b) Bob selects the opposite basis (+/−). Half energy of the trigger pulse, which is less than Enever, arrives at each single-photon detector as the dashed line shows, and none of them is triggered. In a word, Eve steals an effective bit when she chooses the matching basis, while blocks the bit as her basis mismatches. theoretical security of the key even with the existence of eavesdropper, Eve. Because if she naively intercepts the photon and measures it with a random basis and resends it to Bob, she will introduce additional 25% QBER and thus will be detected [59][60][61].
Note that the above scenario only works well under the assumption that the APDs works in Geiger mode [62], where a single photon leads to huge transient avalanche photocurrent and thus causes a click. However, a reallife QKD system deviates from the ideal model: the APD can be turned into the linear mode (be blinded) and then the clicks are controlled by Eve. One approach to achieve blinding is to illuminate the APD by carefully modulated c.w. light. The principle behind the c.w. illumination blinding is as follows. Bright c.w. light applied on the APD knocks out many electron-hole pairs, and thus a huge photocurrent is generated. According to the circuit shown in Fig. A1a, the APD is in series with the R bias , so the strong photocurrent also goes through the R bias . Because the R bias is a huge resistor for passive quenching, the voltage across R bias increases dramatically and thus V bias goes lower than V br as the total voltage is conserved.
Having been blinded, the single-photon detectors of Bob can be controlled secretly by applying trigger pulses. A trigger pulse can always trigger a click when its energy is higher than E always , and is impossible to trigger a click when the energy is lower than E never , as shown in the Fig. A1b. More specifically, with the assumptions that the all of Bob's single-photon detectors are identical and satisfy Bob can be fully controlled by the fake-state attack [63] if the energy of the trigger pulse in [E always , 2 × E never ). In a round of the communication Eve intercepts the photon and measures it in a randomly chosen basis, and then resends a trigger pulse encoded by the measurement result to Bob. Eve can ensure that when she happens to choose the same basis as both Alice and Bob, the information of this round will be shared among Alice, Bob, and Eve (see Fig. A2a), while Bob will get no click and lose the information when Eve unfortunately chooses a wrong basis (see Fig. A2b). Afterwards, with the help of basis comparison in the post-processing (which happens in a public classical channel and can be listened by Eve), all of Alice, Bob, and Eve keep the bits that are measured with same basis. As a result, Alice and Bob innocently share the final entire secret key with Eve.

Detailed analysis on the parameters of blinding pulses
Here we first demonstrate the simplest case -1-cycle blinding pulses in each group. In the experiment, we controlled the interval between each group of blinding pulse and the energy of each single pulse. Then we observed the reported photocurrent. Fig. A3  energy of each single blinding pulses versus the reported photocurrent with interval of 500ns/600ns/700ns. Generally, the reported photocurrent increases with the rising of single pulse energy. The reported photocurrent rises slightly at the beginning and then goes up dramatically at about 0.67 pJ. Finally, the reported photocurrent ascends linearly after 0.9 pJ. In addition, in Fig. A3, the points where the reported photocurrent is higher than 31 µA means that the low-frequency component is strong enough to blind the APD in the whole time domain (constant blinding). The orange vertical arrow in Fig. A3 shows that the reported photocurrent reduces as the interval rises. This is because for the same energy of blinding pulse, the larger interval between the groups results in the less generated photocurrent from different blinding pulses that superposes with each other. Consequently, the low-frequency components of the superposed photocurrent are less, which are reported by the photocurrent monitor. Contrarily, to increase the superposed photocurrent to constantly blind the APD when the interval is extended, higher energy of each blinding pulse is needed, as shown in the blue arrow in Fig. A3. From the testing result, we can see that Eve can extend the interval to reduce the reported photocurrent, and thus avoiding the alarm of the photocurrent monitor.
To further analyse the influence introduced by the cycle number in each group, we measured the total energy of each group with 1-/2-/3-cycle blinding pulses when the APD is constantly blinded in the whole time domain (which is defined as constant-blinding energy in the following text) versus the interval length. The measurement results are shown in Fig. A4. Comparing among the three curves in Fig. A4, for the same interval length, the summation energies of each 1-/2-/3-cycle group to constantly blind the APD are quite similar. Thus the equivalence between a single blinding pulse and three smaller blinding pulses is apparent. Moreover, the maximum intervals for the 1-/2-/3-cycle blinding pulses are 6 µs/12 µs/20 µs respectively. Taking the case of 1-cycle for illustration, if the interval is longer than its maximum value, the increased energy of pulses will no longer blind the APD but cause unwanted clicks. However, its equivalent split in 2-/3-cycle can still blind. Therefore, by using this multi-cycle approach, the corresponding blinded period is adjustable in a wider range.

The waveform of a homemade detector under pulse illumination attack
To acquire some evidences left by a pulse illumination attack, we conducted a white-box test of the pulse illumination attack on our homemade single-photon detector whose APD is produced by Princeton Lightwave. We directly observed the waveform of the voltage V o across the readout resistor R o (for our homemade single-photon detector, R o = 50 Ω) in the circuit of the single-photon detector shown in Fig. A1. The waveform of V o without/after blinding pulses are compared in Fig. A5. The fluctuation ranges of the output signals are indicated by the double-head arrows in the picture. Apparently, as shown in Fig. A5a, when the blinding pulses are not applied, output signals rise occasionally. These rises are strong enough to reach the comparator threshold to trigger a click because of the avalanche effect in Geiger mode. illumination attack, the output signals jump frequently but just in a much narrower range whose upper bound is far lower than the comparator threshold as shown in Fig. A5b. Thus, dark counts are eliminated in the blinded period.
Another interesting evidence is shown in Fig. A6, where we can clearly see that a blinding pulse causes a huge instantaneous photocurrent hill. A photocurrent monitor might be capable of figuring out this evidence by some engineering modifications, which may be not easy to be realized. Researches on reliable countermeasures against pulse illumination attack are still urgently needed.