Quantum hacking: Saturation attack on practical continuous-variable quantum key distribution

We identify and study a security loophole in continuous-variable quantum key distribution (CVQKD) implementations, related to the imperfect linearity of the homodyne detector. By exploiting this loophole, we propose an active side-channel attack on the Gaussian-modulated coherent-state CVQKD protocol combining an intercept-resend attack with an induced saturation of the homodyne detection on the receiver side (Bob). We show that an attacker can bias the excess noise estimation by displacing the quadratures of the coherent states received by Bob. We propose a saturation model that matches experimental measurements on the homodyne detection and use this model to study the impact of the saturation attack on parameter estimation in CVQKD. We demonstrate that this attack can bias the excess noise estimation beyond the null key threshold for any system parameter, thus leading to a full security break. If we consider an additional criterion imposing that the channel transmission estimation should not be affected by the attack, then the saturation attack can only be launched if the attenuation on the quantum channel is sufficient, corresponding to attenuations larger than approximately 6 dB. We moreover discuss the possible countermeasures against the saturation attack and propose a countermeasure based on Gaussian postselection that can be implemented by classical postprocessing and may allow one to distill the secret key when the raw measurement data are partly saturated.

Figure 1

Model for a practical homodyne detection: Its output $X_{B_{\text{sat}}}$ can be seen as the ideal output $X_{B_{\text{lin}}}$ on which a saturation function is applied [Eq. (8)].

Figure 2

Experimental characterization of the saturation behavior of a practical homodyne detection. (a) Mean of the homodyne output $\langle X_{B_0,\text{sat}}\rangle$ vs LO intensity. (b) Variance of the homodyne output $\text{Var}\left(X_{B_0,\text{sat}}\right)$ vs LO intensity.

Figure 3

General description of the GMCS CVQKD under the saturation attack: Alice, prepare the coherent state with quadratures $X$ and $P$; Eve, measurement and repreparation stage; G, gain; D, displacement; Bob, perform the homodyne detection: AM, amplitude modulator; ${\eta }_1$ and ${\eta }_2$, signal transmission coefficients; PM, phase modulator; and $[-\alpha ,\alpha ]$, linear working range.

Figure 4

Simulations of estimated excess noise and channel transmission under attack strategy I. See Sec. 7c1 for the simulation parameters. (a) Estimated excess noise ${\widehat{\xi }}_{\text{sat}}$ versus $\mathrm{\Delta }$ for different distances. (b) Estimated transmission ${\widehat{T}}_{\text{sat}}$ versus distance for different $\mathrm{\Delta }$.

Figure 5

Simulations under attack strategy II, step (a). See Sec. 7c1 for simulation parameters. (a) Gain $g$ verifying Eq. (19) as a function of $\mathrm{\Delta }$. (b) Estimate excess noise as a function of $\mathrm{\Delta }$ for different link lengths.

Figure 6

Simulations under saturation attack strategy II, step (b). See Sec. 7c1 for the simulation parameters. (a) Excess noise versus $\mathrm{\Delta }$ and distance. Solid lines with symbols show the estimate excess noise ${\widehat{\xi }}_{\text{sat}}$ and dashed lines the null key threshold ${\xi }_{\text{null}}$. (b) Key rate versus distance for different values of $\mathrm{\Delta }$. No attack is possible for links shorter than 31 km under criteria II (see the text).

Figure 7

Simulation of Gaussian postselection. Blue dots show the simulated experimental data with an infinite linear detection limit, $\mathrm{\Delta }=19.2\sqrt{N_0}, L=20\text{km}, V_A=11.58N_0$, and data number $N={10}^6$. Red dots show the simulated experimental data with a linear detection limit $\alpha =20\sqrt{N_0}$; other parameters are the same as the blue ones. Green dots show the Gaussian postselected data among the red dots, with the Gaussian postselection parameter, ${\sigma }_g^2=2.5N_0, {\mu }_g=16.55N_0$, and the number of postselected points $N^{\prime }=15.37\%N$. For other simulation parameters see Sec. 7c1.