Securing practical quantum communication systems with optical power limiters

Controlling the energy of unauthorized light signals in a quantum cryptosystem is an essential criterion for implementation security. Here, we propose a passive optical power limiter device based on thermo-optical defocusing effects providing a reliable power limiting threshold which can be readily adjusted to suit various quantum applications. In addition, the device is robust against a wide variety of signal variations (e.g. wavelength, pulse width), which is important for implementation security. Moreover, we experimentally show that the proposed device does not compromise quantum communication signals, in that it has only a very minimal impact (if not, negligible impact) on the intensity, phase, or polarization degrees of freedom of the photon, thus making it suitable for general communication purposes. To show its practical utility for quantum cryptography, we demonstrate and discuss three potential applications: (1) measurement-device-independent quantum key distribution with enhanced security against a general class of Trojan-horse attacks, (2) using the power limiter as a countermeasure against bright illumination attacks, and (3) the application of power limiters to potentially enhance the implementation security of plug-and-play quantum key distribution.


I. INTRODUCTION
Quantum key distribution (QKD) enables two remote network users to exchange provably-secure keys when it is implemented faithfully [1][2][3]. To ensure implementation security, the research community has been focusing on the security of practical systems in recent years, developing methods to narrow the gap between the theory and practice of QKD. On the theoretical side, robust QKD protocols have been proposed, which not only make practical systems more secure against device imperfections but also easier to calibrate and validate in practice (since fewer assumptions are required). On the experimental side, efforts have been focused on tackling quantum side-channels and a wide variety of countermeasures have been proposed and developed [3,4].
Trojan-horse attacks (THAs) [5,6] represent one of the biggest threats to QKD security. These attacks aim to steal the secret key information via the injection of unauthorized light pulses, seeking to carry critical modulation information out of the transmitters. More specifically, in these attacks, the adversary (henceforth called Eve) injects bright light pulses into the transmitter and collects the reflected light pulses. Consequently, this allows Eve to learn some information about the secret key. It has been shown that these kinds of attacks can be readily implemented using standard optical methods [5][6][7][8]. To mitigate this issue, one can use specialized security analyses to include security against specific types of THAs; for instance, by modeling the unauthorized input light pulses as coherent states. Then, under the assumption that the energy of the reflected light pulses is bounded, one can compute the secret key rate, as was done in Refs. [9,10].
Bright illumination attacks are another particularly powerful class of side-channel attacks. These include laser damage attacks [11][12][13] and blinding attacks [14][15][16]. In these attacks, bright light pulses are used to control QKD devices by exploiting their implementation knowledge. Consequently, these allow Eve to avoid eavesdropping detection and hence security is no longer guaranteed. Fortunately, there exist countermeasures which are pretty effective against such attacks [16,17], and innovative QKD protocols which are completely immune against detection side-channel attacks are known as well, e.g., see measurement-device-independent QKD (MDI QKD) [18,19].
Based on the above, it can therefore be said that the injection of (unauthorized) bright light pulses into quantum communication systems is a catalyst for side-channel attacks. This is not so surprising since the presence of bright light pulses essentially breaks one of the most important assumptions of quantum cryptography, namely that the energy of the underlying quantum signals is at the single-photon level (or sufficiently small). To overcome these potential loopholes, one promising solution is to limit the energy of incoming light. Indeed, if this is achieved, one can be sure that the QKD system is operating at the single-photon level and the energy of any outgoing light pulse is bounded as well. Consequently, this will allow the system to operate faithfully in the quantum regime.
In practice, this solution would mean introducing a kind of quantum power limiting device into the QKD system. Based on current research on side-channel attacks, we believe an ideal quantum power limiter should possess the following properties: (a) able to provide a reliable and adjustable photon energy limiting down to the order of a few photons to hundreds of photons for each quantum state, (b) have a minimum insertion loss if the input power is below the threshold and stop the transmission or maintain at the threshold power once the input power exceeds the threshold, and (c) the power limiting effects are independent of other physical degrees of freedom, e.g., frequency, polarization, etc. In terms of practical considerations, the power limiter device should also be cost-effective, passive, and easily replaceable (if it cannot recover to its normal state after being exposed to strong light).
arXiv:2012.08702v2 [quant-ph] 2 Mar 2021
Here, we propose and demonstrate a novel and practical quantum power limiter that can secure a broad class of QKD setups [20]. The device is based on a form of thermo-optical defocusing effect, which effectively bounds the output optical power by some predetermined threshold. By modeling the system using a set of physically relevant assumptions, we show that the output-input optical power relation of the proposed device can be precisely controlled by changing the system parameters, e.g. the length of the prism and the diaphragm width. Consequently, this allows us to tailor the device to different quantum cryptographic applications. The feasibility and performance of our proposed power limiter device are confirmed using COMSOL (a multi-physics simulation software) and experimental data.
The paper is organized as follows. In Section II, we first present the design details and the modeling of our power limiter. Thereafter, simulation and experimental results are illustrated. Section III discusses the potential implementation loopholes and the robustness of the proposed power limiter. In Section IV, we experimentally verify that the power limiter is essentially transparent to standard quantum encoding choices such as intensity, phase, and polarization degrees of freedom. In Section V, we illustrate the broad utility of the proposed power limiter over three different QKD systems. In the first application, we provide a general security analysis of MDI QKD that allows for Eve to inject in any kind of state in a given Trojan-horse optical mode. Thereafter, a detailed study on the application of our power limiter in MDI QKD is presented, followed by the simulation results. In the second and third applications, we discuss how the proposed power limiter could be utilized to deter bright illumination attacks and to enhance the implementation security of plug-and-play QKD [21][22][23]. In Section VI we end with a conclusion.

II. OPTICAL POWER LIMITER DESIGN
Our power limiter design is shown in Fig. 1. The input light and output light are collimated using a pair of fiber collimators. An acrylic prism is placed along the optical path as the core part of our proposal, whose negative thermo-optical coefficient (TOC) dn/dT is exploited, where n is the refractive index and T is the temperature. Note that any material with a negative TOC could be used, with a similar analysis. The absorption of input light generates a heat gradient inside the prism, which is then converted to a refractive index gradient accordingly. The negative TOC leads to a relatively smaller refractive index at the center of the prism, so that the whole optical architecture works as a concave lens and diverges the transmitted light, as shown in the inset of Fig. 1. By adding a diaphragm with customizable width, the amount of output power can be suitably controlled. An optical filter is then introduced to restrict the working wavelength range of the device for security analysis, which will be discussed in detail in Section III. We remark that all the components used here are cost-effective and commercially available.
FIG. 1. Schematic of the power limiter design. An acrylic prism is used as the active medium. The input collimated Gaussian beam diverges due to the thermo-optical defocusing effect, when the absorbed energy introduces temperature gradients inside the prism. A diaphragm is placed after the prism to control the collectable optical power. The optical filter restricts the working wavelength range for security analysis. The inset is the top view of the acrylic prism and the diverged Gaussian beam. Owing to the isotropic nature of acrylic, both the optical and thermal responses are assumed to be axially symmetric along the optical axis.
The mechanism of thermal optical defocusing and the related power limiting phenomenon have been widely studied in both theory and experiments [24][25][26]. In our case, we first simulate the temperature and electric field distribution inside a 10 cm acrylic prism with 7.9 mW input power using COMSOL; the results are shown in Fig. 2 (a) and (b). The simulation results indicate a distinct temperature distribution inside the medium, and a clear divergence of the light field. Towards a better quantitative understanding, we model our power limiter design by balancing the optical absorption and the heat transfer inside the prism under steady-state condition [27]: where α is the absorption coefficient of the material, I represents the input light power density, T is the temperature, and k is the thermal conductivity. If we assume that the light propagates along the z-direction and follows a Gaussian profile, that the temperature gradient in the z-direction is negligible, and that the radiative and convective heat transfer is minimal, the steady-state laser radiation intensity at position (r, z) can be solved as [27] I(r, z) =I(r, 0) where the input intensity $I(r, 0) = \frac{P_0}{\pi a^2} e^{-r^2/a^2}$, a is the radius where the light intensity drops to 1/e of its axial value, and $P_0$ is the incident laser power. The output optical power can be obtained by integrating the light intensity over a certain area which depends on the position (prism length) and the width of the diaphragm.
The maximum output power (defined as power limiting threshold) and the insertion loss at different prism length and diaphragm width are shown in Fig. 2 (c) and (d).
Since a larger prism length will lead to a greater photon absorption as well as a larger light divergence, a higher insertion loss and a smaller power limiting threshold can thus be expected. Likewise, a smaller diaphragm collects less photon energy, which also results in a higher insertion loss and a smaller power limiting threshold. Therefore, depending on the application, it is possible to choose a set of parameters that balance the insertion loss and power limiting threshold that meet system requirements.
Note here that the Gaussian profile assumption only holds when the beam divergence is relatively small, thus the analytical model may only be able to provide a quick guidance for parameter selection. Hence, experiments are conducted to verify the feasibility of our proposal.
A proof-of-concept experiment is performed using a simplified version of Fig. 1. A collimator is used for light coupling from single-mode optical fiber to free space. Here a transmissive collimator based on a graded-index (GRIN) lens is used in the setup for feasibility demonstration, and it can be conveniently replaced by reflective collimators to ensure proper functioning over a wide range of wavelengths for security reasons (see Section III for details). Then the Gaussian beam with a beam width of 0.4 mm is directed into the acrylic prism. Three acrylic prisms with lengths of 25.4, 50.8, and 101.6 mm are tested. The output light is then collected after the diaphragm. Diaphragm widths of 25, 50, 380, 750 and 1300 µm are used in our experiment. Fig. 2 (e) shows the measured output-input relationship at different diaphragm widths and the same prism length of 101.6 mm, while Fig. 2 (f) shows the result at different prism lengths with the same diaphragm width of 25 µm. The results clearly show the power limiting effect in various conditions. The output power increases linearly with the input power in the low power region. As the input power further increases, the output power increases slowly, and is finally limited to a certain threshold.
FIG. 2 (caption, beginning missing): [28], n = 1.47 [29], k = 0.19 W m$^{-1}$ K$^{-1}$ [30], a = 0.14 mm. (e) Experimental output-input power relationship at different diaphragm widths with the same prism length of 101.6 mm. The results indicate that the smaller the diaphragm width, the lower the output power threshold. Also, with a diaphragm width larger than the beam width, the insertion loss will remain minimum. (f) Experimental output-input power relationship at different prism lengths but with the same diaphragm width of 25 µm. A longer prism length could provide a lower output power threshold but the insertion loss will be higher. Both the simulation and experimental results confirmed the power limiting effect of our design and an adjustable power limiting threshold is feasible.
Besides, the experimental results verified that the power limiting feature of our proposal can be readily adjusted by modifying the prism length and diaphragm width. Among all of our system configurations, the lowest power limiting threshold of -27.9 dBm is measured, with an insertion loss of -34.0 dB, when a 101.6 mm prism and 25 µm diaphragm are chosen. Similarly, a lower insertion loss of -5.1 dB can be obtained, together with a 10.3 dBm output power limiting threshold, when a 50.8 mm prism and 750 µm diaphragm are used. For different applications, one can expect different requirements for the power limiting device. For example, for protecting transmitters against THAs, the insertion loss of the power limiter is less of a concern since we can always adjust the optical attenuators to generate the expected quantum states. In contrast, in order to protect receivers from bright illumination attacks, the insertion loss of the device can be a critical factor for system performance. Thus, we would imagine customised power limiter configurations for different application scenarios.

III. ROBUSTNESS AGAINST POTENTIAL IMPLEMENTATION LOOPHOLES
The above analyses so far only show the feasibility of the proposed power limiter under a steady-state condition. Below, we analyze the robustness of the proposed device against potential implementation loopholes that could happen via the variation of standard optical properties.
One important consideration is the finite response time of the proposed device. To investigate this property, we install an electronic variable optical attenuator (EVOA) after a continuous-wave (CW) laser source to create a laser pulse with relatively long pulse width and measure the output response of the power limiter. The experimental results are shown in Fig. 3 (a), where a 101.6 mm prism is used with a 750 µm diaphragm. The settling time of our power limiter is measured to be 300 ms. We observed that the peak output power close to the starting time can be a few times higher than the steady-state output power (which happens after about 300 ms). Crucially, this suggests that one could exploit the finite response time of the power limiter to breach the desired energy threshold.
However, as we will show in Section V. A, the information leakage due to THAs can, in fact, be bounded using only the average energy constraint (integrated over the finite response time); it is not necessary to bound the maximum (peak) energy for security. Thus, in the experiment, we study the average output optical power at constant-energy pulse input but with different duty cycles. The time domain results are shown in Fig. 3 (b), where a 101.6 mm prism is used with a 25 µm diaphragm. The input laser pulse is modulated at 1 Hz frequency with average input power of 10.5 dBm and 13 dBm. The corresponding average output power is shown in Fig. 3 (c). The results indicate that the average output power is higher at a larger duty cycle. The maximum appears at a duty cycle of 1, i.e. CW light input. In other words, given fixed average input power, CW input will give the largest averaged output power, where Eve is getting the most information about the transmitter. As such, we will be using the power limiting threshold obtained under the CW Trojan horse input assumption for THA analysis; see Section V. A. To explain this effect, we study the temperature response inside the medium under constant-energy pulse input with different peak power and different duty cycles using COMSOL. The results are shown in Fig. 3 (d). The simulation results indicate that a higher input peak power will lead to a higher maximum temperature, even with the same amount of average power. Therefore, a higher refractive index gradient and larger divergence of the input laser are expected with a higher instantaneous power of the input light, leading to a larger thermo-optical defocusing effect and consequently a lower output power.
FIG. 3 (caption, partially recovered): The COMSOL simulated maximum temperature inside the prism with constant average input power of 20 mW. The result shows that higher peak power heats the prism faster and reaches a higher temperature. Thus, a higher thermo-optical effect can be expected.
Another possible attack is to try to change the power limiting threshold by varying the wavelength of the incoming light. This could allow Eve to send in brighter light pulses with a different wavelength. To investigate the possibility of such an attack, we analyze how different input wavelengths could affect the TOC and heat generation of the power limiter device.
Generally, the TOC can be modeled by [31,32] where $f(n(\lambda))$ is defined as $(n^2 - 1)(n^2 + 2)/(6n)$, n is the refractive index, λ is the wavelength of the input light, Φ is the electronic polarizability and β is the volumetric expansion coefficient. In most polymers, the volumetric expansion coefficient is more dominant, i.e. $\Phi \ll \beta$, and hence the overall TOC is typically negative [31]. More importantly, notice that the volumetric expansion coefficient is physically independent of the wavelength. As such, the wavelength dependency of the TOC is only related to $f(n(\lambda))$. The $f(n(\lambda))$ for acrylic as a function of wavelength is shown in Fig. 4 (a). The corresponding TOC change will introduce a small difference in the output power threshold calculation, as referenced to the power at 1550 nm, which is shown as the red curve in Fig. 4 (a).
As for heat generation, it is related to the absorption loss of the material. A lower loss indicates less energy converted from the optical energy to heat energy, thereby resulting in a lower temperature gradient and a higher power limiting threshold. Based on this, a spectral filter with a large power handling capability can be applied to limit the transmission spectrum of the device; in which case the peak power (over the transmitted spectrum) is considered for the security analysis.
Considering optical fiber-based applications at 1550 nm, the optical fiber itself is, in fact, a bandpass filter for about 300-2100 nm wavelength, beyond which the transmission loss is higher than 100 dB/km [33]. Thus, by applying a secure fiber with adequate length, light beyond this wavelength range can be suppressed to a negligible level. In this way, it is effective to only consider the wavelength dependency feature within this band.
For the material of our power limiter, acrylic, its absorption loss spectrum is shown in Fig. 4 (b) with some low loss bands marked [29,34]. The loss is about 1.29 dB/cm at 1550 nm and 0.82 dB/cm at 1310 nm, which are standard communication bands. The loss below 1100 nm is even lower. The minimum occurs at about 800 nm with 0.15 dB/cm loss. Based on the absorption spectrum and considering a prism length of 10 cm with 750 µm diaphragm, the maximum output power spectrum and the corresponding input power is calculated based on Eq. 2, as shown in Fig. 4 (c). The power threshold below 1100 nm is about 11 dB higher than the 1310 nm band and more than 17 dB higher than the 1550 nm band. Although a pessimistic power bound of about 8 dBm can be set and used as the system power bound (marked as a red triangle), it is better to use an optical filter to block the light below 1100 nm wavelength. The silicon absorber can be a good candidate, which provides a stable and robust filtering performance. By adding a thin layer of silicon sheet after the power limiter, the output power can be significantly suppressed. As shown in Fig. 4 (c), with only about 1 mm thick silicon, the maximum output power shifts back to the communication bands. The maximum output photon number per second can be further calculated, as shown in Fig. 4 (d). The maximum output photon number per second appears at 1260 nm wavelength with a photon energy of $1.58 \times 10^{-19}$ J; as such, this wavelength is considered in the security analysis using the worst-case approach.
Similarly, for other degrees of freedom, e.g. the state of polarization, the polymer acrylic used in our design inherently possesses isotropic behavior. Thus, by nature, it will not introduce any birefringence related changes and is independent of the thermo-optical effect, which avoids introducing related loopholes to the system.
Another consideration is laser damage attacks [11][12][13]. Preliminary simulations indicate that the acrylic prism could be damaged with only about 400 mW of input power [35,36]. If the acrylic is damaged or burnt, the thermal defocusing effect is not applicable anymore and the light might be collected by the output collimator directly. Consequently, the power limiting effect may not hold. However, this issue can be resolved by replacing the crossing-through prism with a total internal reflection structure, where the input beam is non-coaxial with the output. In this way, any damage to the material will not weaken the robustness of our proposal; instead the device works as an optical fuse to permanently block the optical path.

IV. QUANTUM SIGNAL INTEGRITY
To determine if the proposed power limiter is useful for practical use, it is also important to study if the quantum signals will be disturbed when passing through the device. To this end, experiments based on time-bin (intensity), phase, and polarization encoding are implemented to see whether the quantum signal integrity will be affected.
Here, we study the QBER of the system, which is defined as the number of errors ($N_{\text{error}}$) over the total number of detection counts ($N_{\text{correct}} + N_{\text{error}}$). In addition, given that the detector is well characterised (e.g., its background noise and single-photon efficiency are known), we may further write $\mathrm{QBER} = \mathrm{QBER}_{\text{opt}} + \mathrm{QBER}_{\text{det}}$, where $\mathrm{QBER}_{\text{opt}}$ comes from quantum optical imperfections (e.g., imperfect state preparation, optical misalignment, etc) and $\mathrm{QBER}_{\text{det}}$ comes from the detector dark counts. Here, as mentioned above, our main focus is the $\mathrm{QBER}_{\text{opt}}$ for intensity, phase and polarization encoding schemes, which represent three of the most popular choices for QKD in practice.
The QBER of the intensity or time-bin encoding scheme is measured first. As shown in Fig. 5 (a), the intensity extinction ratio of a pulsed laser is measured to infer the QBER. The pulsed laser is attenuated to about 0.1 photon per pulse and measured by an avalanche photodiode (APD) operating in the Geiger mode (gated). The laser pulse has a repetition frequency of 100 MHz and a pulse width of 400 ps. The APD has a gate width of 1 ns. The delay on the APD gate signal is scanned to cover both the laser pulse (bit 1) and dark region (bit 0). The dark counts here are subtracted after the data acquisition for an accurate extinction ratio measurement of the optical pulse. The power limiter used here has a length of 101.6 mm and a diaphragm width of 750 µm. An average input power of 14.49 dBm and -19.72 dBm are tested to demonstrate the cases when the input power is close to and far below the power limiting threshold, respectively. The schematic of the signal controls is shown in Fig. 5 (b). The resulting counts as a function of delay are shown in Fig. 5 (c) and (d). For the input power and the cases with and without the power limiter, the resulting extinction ratios are all above 35 dB, indicating a QBER of less than 0.032%.
Therefore, we conclude that the introduction of the proposed power limiter will not introduce any significant noise to QKD systems based on time-bin encoding.
For the phase encoding scheme, the experimental setup is shown in Fig. 6 (a). The input CW laser is modulated using a phase modulator switching between 0 and π phase with 50 MHz frequency. The laser output power is 10.28 dBm. Schematics of the signal controls are shown in Fig. 6 (b). The modulated signal is then decoded using an asymmetric Mach-Zehnder interferometer (AMZI) with a path delay of around 10 ns. Moreover, a phase shifter is added in one of the paths of the AMZI to lock the relative phase. As such, the interference visibility as well as the QBER can be obtained. Finally the output is attenuated to 0.1 photon per gate and measured by an APD. The counts as a function of delay are shown in Fig. 6 (c) and (d), which correspond to the case with and without the power limiter installed, respectively. The interference visibility V is shown in Fig. 6 (e) as (1 − V) for a clear view. The maximum visibility with and without the power limiter are 0.9844 and 0.9836, corresponding to a QBER of 0.78% and 0.82%, respectively. Thus, as in the case of time-bin encoding, we conclude that the proposed power limiter device is also suitable for phase-encoding QKD systems.
Finally, we study the impact of the device on polarization encoding. The experimental setup is shown in Fig. 7, where a CW laser with an output power of 11.41 dBm is used and polarization is manually tuned with a polarization controller. The attenuated output goes through a polarization beam splitter (PBS) and the outputs are measured by two APDs. The polarization extinction ratio is calculated from the ratio between the two APD counts. The result shows a polarization extinction ratio of 30.1 dB and 32.6 dB for the case with and without the power limiter, corresponding to QBERs of 0.098% and 0.055%, respectively. This clearly shows that the power limiter will not significantly disturb the state of polarisation of the photon.
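The QBER figures quoted in this section can be cross-checked from the reported extinction ratios and visibilities. The Python sketch below is an added example, not code from the paper: it takes the extinction ratio as the ratio of correct to erroneous counts (so QBER = 1/(1 + ER) follows from the definition above), assumes the standard relation QBER = (1 − V)/2 for interference visibility, and evaluates a constructed gate-delay scan; all function names and the scan data are hypothetical.

```python
import math


def qber_from_extinction_db(er_db):
    """QBER = N_error / (N_correct + N_error), with ER = N_correct / N_error."""
    er = 10 ** (er_db / 10)
    return 1.0 / (1.0 + er)


def qber_from_visibility(v):
    """Standard interferometric relation (an assumption; not stated on the page)."""
    if not 0.0 <= v <= 1.0:
        raise ValueError("visibility must lie in [0, 1]")
    return (1.0 - v) / 2.0


def extinction_db_from_scan(raw_counts, dark_counts, pulse_bins):
    """Extinction ratio of a gate-delay scan after dark-count subtraction.

    raw_counts  : APD counts per delay step
    dark_counts : dark counts per delay step, subtracted from every bin
    pulse_bins  : indices of the delay steps that overlap the laser pulse (bit 1);
                  every other step is treated as the dark region (bit 0)
    """
    pulse_bins = set(pulse_bins)
    # Statistical noise can push a bin below the dark level; clamp at zero.
    net = [max(c - dark_counts, 0) for c in raw_counts]
    floor = [n for i, n in enumerate(net) if i not in pulse_bins]
    if not pulse_bins or not floor:
        raise ValueError("scan must cover both the pulse and the dark region")
    peak = max(net[i] for i in pulse_bins)
    if peak == 0:
        raise ValueError("no signal above dark counts in the pulse window")
    mean_floor = sum(floor) / len(floor)
    if mean_floor == 0:
        return math.inf  # nothing measurable leaks into the bit-0 region
    return 10 * math.log10(peak / mean_floor)


# Constructed scan: 10 delay steps, 1200 dark counts per step, pulse in steps 3-5.
SCAN = [1216, 1215, 1217, 41200, 51200, 40200, 1216, 1214, 1215, 1217]
DARK = 1200
PULSE_BINS = (3, 4, 5)

if __name__ == "__main__":
    er = extinction_db_from_scan(SCAN, DARK, PULSE_BINS)
    print(f"constructed scan: ER = {er:.2f} dB, QBER = {qber_from_extinction_db(er):.4%}")
    # Values reported in Section IV of the page.
    print(f"time-bin, ER 35 dB      : QBER < {qber_from_extinction_db(35.0):.4%}")
    print(f"phase, V = 0.9844       : QBER = {qber_from_visibility(0.9844):.2%}")
    print(f"phase, V = 0.9836       : QBER = {qber_from_visibility(0.9836):.2%}")
    print(f"polarization, ER 30.1 dB: QBER = {qber_from_extinction_db(30.1):.3%}")
    print(f"polarization, ER 32.6 dB: QBER = {qber_from_extinction_db(32.6):.3%}")
```
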
All in all, we experimentally confirmed that our power limiter device does not introduce any significant noise (in terms of the QBER) to standard QKD systems based on time, phase, and polarization encoding schemes. However, it should be noted that the power limiter does introduce extra losses (insertion loss) to the signal so the photon collection efficiency would decrease when it is deployed on the receiver side. In our experiment, a minimum insertion loss of -5.1 dB is measured, which is equivalent to a transmission efficiency of around 31%, or a transmission distance of 25.5 km (assuming single-mode fiber with a transmission loss of 0.2 dB/km). We note that this issue could be mitigated by using materials with higher TOC values so that a smaller amount of light absorption is required to trigger the power limiting effect.
FIG. 8. Schematic of the phase-encoding MDI QKD system with the power limiter installed. Alice and Bob are the users preparing the phase-encoding coherent states using their lasers, modulators, and attenuators. The prepared states are sent to Charlie for Bell state measurement. The distance between Alice and Bob is contributed by the two fiber spools combined. The Trojan horse attack from Eve could provide her with a maximum ν Trojan horse photon, which is taken into consideration for secure key rate calculation.

A. Security against THAs
As an application of our proposed power limiter, we consider a phase-encoding MDI QKD protocol [18,19,37] with energy constrained THAs. A schematic of our system is shown in Fig. 8, where Alice and Bob are distant quantum transmitters and supposed to prepare the required phase-encoding coherent states, then send them to Charlie for Bell-state measurement. The protocol is outlined below:
Alice and Bob randomly prepare one of the four coherent states $\{|e^{ix\pi/2}\alpha\rangle\}$ and $\{|e^{iy\pi/2}\beta\rangle\}$, where x, y ∈ {0, 1, 2, 3} are the classical information of Alice and Bob, respectively. Then Alice and Bob send the quantum states to Charlie via the quantum channel for Bell-state measurement. The distance between Alice and Bob is contributed by the two fiber spools combined.
Charlie interferes the incoming states from Alice and Bob using a 50-50 beam-splitter and measures the outputs using single-photon detectors. Thereafter, he announces the measurement result z ∈ {L, R, ∅} through the authenticated classical channel, which corresponds to the left detector clicks, the right detector clicks, and none of the detector clicks or both detectors click. Alice and Bob repeat the state preparation and measurement for N rounds.
Upon receiving the Bell-state measurement results from Charlie, Alice and Bob only keep the data of those rounds that give z = L, R. Besides, Bob flips the value of y if z = R. Alice and Bob then obtain the statistics of all the state combinations of Alice and Bob, conditioned on z = L, R. Particularly, for rounds with x, y = 0, 2, Alice and Bob keep the data for extracting the secret keys.
Alice and Bob then implement parameter estimation and apply error correction and privacy amplification thereafter to extract a pair of identical and secure keys.
To take THAs into consideration, different models for Trojan horse states have been proposed. For example, in Ref. [9], the Trojan horse state is modeled as a pure coherent state with a fixed phase and intensity. However, this model might be too restrictive as Eve can send other states. In practice, she could send a mixture of coherent states with different intensities or other states that could potentially leak more information. Another model that can address potential THAs is presented in Refs. [38,39]. There, the non-vacuum component of the Trojan horse state is modeled by an arbitrary state that lives outside the qubit space in which the legitimate parties encode the information. While this model is very general and could take into account any source side-channels, the resulting bound can be overly pessimistic, since in the worst-case scenario the leakages might correspond to orthogonal quantum states and hence would leak full information about the modulation (key information).
In our analysis, we take the intermediate step and allow Eve to send any Trojan horse state in a given optical mode. However, because the modulators in Alice's and Bob's labs are trusted, the resultant Trojan horse states will not be orthogonal after the modulation. As such, the THA will not leak complete information about Alice's and Bob's key information. Without loss of generality, the Trojan horse state can be written as where $|n\rangle$, $|m\rangle$ are the Fock states injected into Alice's and Bob's apparatus, respectively. $|E_{nm}\rangle$ is an ancilla that is kept in Eve's lab. The coefficients $c_{nm}$ are the quantum amplitudes of the Fock states. Note that the state of the form (5) includes Trojan horses that are mixed (after tracing out Eve's ancilla) and may even be entangled. The states $|n\rangle$ and $|m\rangle$ will accumulate some phases introduced by Alice's and Bob's modulators and hence they would leak some information about x and y. On the other hand, the states $|E_{nm}\rangle$ will not accumulate any phase since it is kept in Eve's lab. After gathering the modulation information from the modulators, the output THA state thus with the form Both the quantum states prepared by Alice and Bob and the THA state will be sent to Charlie via the quantum channel. Thus, the untrusted measurement can be modeled by a quantum-to-classical map, which can be described by an isometry U (with an appropriate purification): Therefore, given the fact that the Gram matrix G based on Eq. (7) is positive semi-definite and linearly constrained, a tight upper bound of the phase error rate can be obtained by solving the dual problem of a semidefinite program (SDP), similar to the security analysis presented in Ref. [40,41].
The asymptotic secret key rate can thus be obtained using the so-called Shor-Preskill key rate formula [42]: where $e_{\rm bit}$ ($e_{\rm ph}$) is the bit (phase) error rate of the system, $P_{\rm pass}$ represents the probability of successful Bell state measurement when Alice and Bob choose the key generation basis, and $h_2(\cdot)$ is the binary entropy function.
A detailed security analysis is given in the supplemental material. To restrict information leakage, the mean photon-number, ν, of the THA state should be much less than one. This requirement can be achieved using the proposed power limiter together with an optical attenuator. These devices can be readily implemented in standard quantum transmitters as shown in Fig. 8.
To be more specific, based on the power limiting threshold obtained in Section III, the maximum photon number of the injected eavesdropping light can be strictly constrained by the proposed optical power limiter. The injected light then passes through the attenuator twice before being collected by Eve, whereas the quantum state for QKD is attenuated only once. Consider a QKD system working at a frequency of 1 GHz, with a power limiting threshold of 1 mW and an ideal phase modulator that does not introduce any extra insertion loss. In this case, an attenuation of 69 dB is sufficient to guarantee an average energy output of $\nu = 10^{-7}$. At the same time, the laser output can be adjusted to optimize the intensity $\mu$ for QKD, where an averaged optical power of 23 µW can be used to generate quantum states with $\mu = 0.0183$. This is similar to the optimized intensity for MDI QKD with a detector efficiency of $\eta_{\rm det} = 85\%$, dark count rate $p_{\rm dc} = 10^{-7}$, and a 100 km transmission distance. Compared to Ref. [9], where the 12.8 W optical fiber damage threshold was used as the upper bound, the proposed power limiter could limit the power to a level 4 to 5 orders of magnitude lower. As a result, the requirements on the attenuator and optical isolator are significantly reduced. Also, removing the need for isolators could benefit future chip-based integration of such MDI QKD systems.
As mentioned, due to the finite response time of the power limiter, only the average power of the THA (instead of the maximum power of the THA pulses) can be bounded. To this end, we develop a general proof technique (see the supplemental material) that uses only the average photon number information of the THA. In particular, the security proof takes into account attacks where Eve employs a mixture of bright Trojan horse pulses with the vacuum (where the probability of sending a bright light is small enough such that the energy constraint is satisfied). As such, the proposed optical power limiter can be used to ensure that the assumptions of the security proof are enforced during the protocol.

FIG. 9. Simulation of the asymptotic key rate (secret key rate per pulse) for phase-encoding MDI QKD under two sets of parameters: (a) detector efficiency $\eta_{\rm det} = 10\%$, dark count rate $p_{\rm dc} = 10^{-5}$; (b) detector efficiency $\eta_{\rm det} = 85\%$, dark count rate $p_{\rm dc} = 10^{-7}$. Trojan horse photon numbers $\nu$ of $10^{-5}$, $10^{-6}$, $10^{-7}$ and 0 are shown. The output intensity $\mu$ of each transmitter is optimized for each distance to maximize the key rate.
To benchmark the performance of the protocol, we simulate the achievable asymptotic key rate with two sets of parameters: (1) detector efficiency $\eta_{\rm det} = 10\%$, dark count rate $p_{\rm dc} = 10^{-5}$; (2) detector efficiency $\eta_{\rm det} = 85\%$, dark count rate $p_{\rm dc} = 10^{-7}$. For both sets of parameters, the misalignment error $e_{\rm ali}$ is set to 2%, and the transmission loss of the optical fiber is set to 0.2 dB/km. We also assume that the central node is equidistant to Alice and Bob and $\mu_A = \mu_B = \mu$, which has been optimized over the simulation. As for the THA intensity, we set $\nu_A = \nu_B = \nu$. The results of the simulation are shown in Fig. 9. The results indicate that Alice and Bob can get a promising key rate without being affected much by the Trojan horse attack if the energy of the THA is properly upper bounded.

Bright illumination attacks
Laser damage attacks are a particularly powerful class of bright illumination attacks. In Refs. [11][12][13], it is shown that the detectors and optical components are prone to permanent changes and damage when Eve sends in a bright damaging laser with power on the order of Watts. This is crucial because the security of most QKD systems depends on the integrity of their devices, that is, on their behaving according to design specifications.
Another class is detector blinding attacks [14][15][16]. By exploiting the implementation knowledge of single-photon detectors and the imperfect detector performances, Eve can send in a relatively strong eavesdropping light to change the working condition of the detector and get partial (or even full) control over the outcomes [14-16, 44, 45].
For illumination-related attacks, a common feature is that Eve must send in relatively bright light pulses. Hence, by restricting the input optical power using the proposed power limiter, it is expected that some of these attacks could be thwarted. To illustrate this possibility, we sketch out a method that could prevent the bright illumination attack presented in Ref. [43]; see Fig. 10 (a). To start with, we note that standard single-photon detectors based on APDs typically require low-temperature operation to minimize the detectors' background noise, i.e., to limit the dark count rate. To cool the detectors, thermoelectric coolers (TECs) are used, but these have limited cooling capacity. In Ref. [43], it is shown that injection of bright light pulses can create a situation in which the generated heat fails to dissipate completely. This leads to the breakdown voltage of the APD going above the predetermined value, which consequently puts the detector into the linear mode (instead of Geiger mode); see Fig. 10 (b). In this case, the detector is no longer sensitive to single-photon input (i.e., blinded) and Eve can manipulate its outcome by sending in a control light pulse superimposed on the bright light pulse, as depicted in Fig. 10 (c). According to Ref. [43], a bright CW light with an optical power of around 10 mW is required to blind the commercial QKD detectors, and a control light pulse with a peak power of around 1 mW is sufficient to fully control the detector's outcome. If the power limiter is in place, as shown in Fig. 7 (a), the input light power can be limited to below this blinding threshold, which would prevent the temperature of the detector from rising and hence the detector from being blinded (see Fig. 10 (d)). For example, we can use an acrylic prism with a length of 50.8 mm and a diaphragm width of 380 µm to provide a power limiting threshold of 6.03 dBm (with -6.02 dB insertion loss) to prevent such an attack.

FIG. 10 (caption, surviving parts). (c) The current-input power relationship of an APD operating in linear mode. By controlling the input power below or above the power threshold $P_{Th}$, the detector could be controlled to register fake-states. (d) The input power on Bob's detector with and without a power limiter.
It's important to note that in normal working conditions, quantum signals (i.e., optical signals with small energy levels) in principle will experience a small amount of loss while passing through the power limiter device, since the power limiting effect hasn't been triggered. As such, the introduction of our power limiter is not expected to greatly reduce the overall performance of practical QKD systems. As with our current design, we can expect a smaller insertion loss as well as a stronger power limiting effect, for example, by using material with a higher TOC.

Plug-and-play QKD with untrusted light sources
Plug-and-play QKD is a two-way communication configuration [21] that aims to simplify implementation requirements such as polarization compensation and reference frame calibration. This approach is especially useful for practical MDI QKD systems since it naturally guarantees near-perfect mode matching for the required two-photon interference [22,23,46]. However, in using external (untrusted) light sources instead of trusted light sources, plug-and-play systems are prone to transmitter-based attacks [6,47,48]. Again, the central issue here is that Eve can inject bright light pulses to break the working assumptions of QKD. To overcome this issue, one popular approach is to monitor the energy of the incoming light with a classical detector [22,49,50]. However, it has been shown that such active monitoring methods are not entirely robust and the classical detectors can still be hacked by exploiting their electrical circuitry, e.g., see Refs. [12,51].
In light of the above, it is thus interesting to explore alternative countermeasures that are based on passive devices instead of active devices such as detectors. To this end, we propose to replace (or augment) the active power monitoring device with a passive power limiter as shown in Fig. 11. Similar to the arguments provided in Section V A, the power limiter would limit the energy of the outgoing light and hence Eve's knowledge about the key information as well; we leave a more careful security analysis to future work.
In addition, it is worthwhile to add that existing methods to limit incoming light energy are typically based on isolators/circulators and the laser damage threshold of devices [9,12,13]. These are, however, one-directional and add additional attenuation in the propagation direction of the eavesdropping light. In the case where the quantum signal has the same propagation direction as Eve's light, i.e., plug-and-play QKD or quantum receivers that must resist bright-illumination attacks, they may either pessimistically estimate Eve's information (since the actual input power deviates significantly from the device damage threshold that is used for the security analysis) or introduce a large insertion loss, so that the system performance is greatly affected.
As a comparison, the proposed power limiter is shown to be able to provide an adjustable power limiting threshold on the output optical power, and capable of protecting the system where the eavesdropping light and quantum signal have the same propagation direction.

VI. CONCLUSION
In this report, we have proposed and demonstrated a passive power limiter design based on the thermo-optical defocusing effect of an acrylic prism. By numerical simulations and the experimental demonstration, we rigorously studied the feasibility and performance of our power limiter design. In our experiment, the lowest optical power limiting threshold of -27.9 dBm with an insertion loss of -34.0 dB is measured. With a different setting, a low insertion loss of -5.1 dB is achieved with a 10.3 dBm power limiting threshold. The values are adjustable according to different system requirements. It is possible to further reduce the insertion loss at a certain power threshold by switching to a material with higher TOC values and/or reducing the beam width. Besides, our design possesses desirable features like compactness, robustness, plus polarization and spectrum-dimension independence.
To illustrate the applicability of our proposed power limiter, we have quantitatively developed a general security analysis that allows for arbitrary Trojan-horse states. By properly limiting the THA energy leakage in an MDI QKD system, a desirable secure key rate and transmission distance can be achieved. Moreover, based on the previous evidence, we remarked that the power limiter can be useful for deterring bright illumination attacks in a quantum cryptography system. We took the thermal CW-blinding attack on the APD detectors as an example, and showed how the power limiter can be designed to prevent such an attack. We further discussed the possibility of using a power limiter to secure plug-and-play QKD systems without active elements.
As demonstrated in our paper, by simply limiting the incoming/outgoing optical energy, a broad class of QKD protocols can be practically protected without introducing cumbersome device modification. Beyond these, one can also expect such a power-limiting device to find applications in securing semi-device-independent quantum protocols based on energy constraints [52][53][54][55], line-topology or ring-topology multiparty quantum communication systems [56,57]. As such, we believe it will attract much interest and possess the potential to become a standard tool for quantum cryptography applications.

where

$$P_{\rm pass} = \frac{1}{4}\big[P(L|00) + P(R|00) + P(L|02) + P(R|02) + P(L|20) + P(R|20) + P(L|22) + P(R|22)\big]$$

is the probability of successful Bell state measurement given Alice and Bob choose the key generation basis (i.e. when $x, y \in \{0, 2\}$) which is observed directly in the experiment. The linearity of the constraints and the objective function allows us to use semi-definite programming (SDP) to find a tight bound on the phase error rate $e_{\rm ph}$. For fixed observed statistics, the phase error rate $e_{\rm ph}$ depends only on the Gram matrix of the effective signal states $\{|\phi_{xy}\rangle\}_{x,y}$. Our goal is therefore to characterize the set of Gram matrices of the effective signal states subject to the constraint on the mean energy of the Trojan horse lights. Indeed, the main difference between our security analysis and the one presented in Ref. [41] lies in the fact that $\langle\phi_{x'y'}|\phi_{xy}\rangle$ is not perfectly characterized, but it can be bounded due to the energy constraints on the Trojan horse state.
Assuming that Alice and Bob each modulate lights from a single mode, the most general form of Trojan horse state that Eve can send is given by where the registers $a$, $b$, $e$ are held in Alice's, Bob's, and Eve's lab respectively. The states $|n\rangle$ and $|m\rangle$ denote photon number states. In general, the Trojan horse can also be entangled to some ancillary system $e$ that is kept in Eve's lab which we denote by $|E_{nm}\rangle$. In practice, only a fraction of the Trojan horse lights is reflected out to the quantum channel. The rest of the photons are lost (and, therefore, are inaccessible to Eve). In our model, we conservatively ignore the loss in the modulators. Finally, for the remainder of this section, we will omit the subscripts denoting the registers when there is no danger of ambiguity. Now, Alice's and Bob's phase modulations can be described by the unitary operators

$$\hat{U}_x = e^{i\frac{\pi}{2} x \hat{n}}, \qquad \hat{U}_y = e^{i\frac{\pi}{2} y \hat{m}} \tag{A7}$$

where $\hat{n}$ and $\hat{m}$ are the number operators acting on the $a$ and $b$ registers, respectively. Thus, after the phase modulations, the Trojan horse evolves into

$$|\xi_{xy}\rangle = \hat{U}_x \otimes \hat{U}_y \otimes \mathbb{1}\,|\xi\rangle = \sum_{n,m} c_{nm}\, e^{i(nx+my)\frac{\pi}{2}}\, |n\rangle |m\rangle |E_{nm}\rangle \tag{A8}$$

which gives the effective state

$$|\phi_{xy}\rangle = |e^{ix\frac{\pi}{2}}\alpha\rangle\, |e^{iy\frac{\pi}{2}}\beta\rangle\, |\xi_{xy}\rangle \tag{A9}$$

when Alice is given the input $x$ and Bob is given the input $y$. Hence, for a fixed combination $x, y, x', y'$, we have

$$\langle\phi_{x'y'}|\phi_{xy}\rangle = \left(\sum_{n,m} |c_{nm}|^2\, e^{i(n(x-x')+m(y-y'))\frac{\pi}{2}}\right) \times \langle e^{ix'\frac{\pi}{2}}\alpha | e^{ix\frac{\pi}{2}}\alpha\rangle\, \langle e^{iy'\frac{\pi}{2}}\beta | e^{iy\frac{\pi}{2}}\beta\rangle \tag{A10}$$

where the term in the parenthesis is the contribution due to the THA. Here, $\alpha$ and $\beta$ denote the amplitudes of Alice's and Bob's lasers. Now, due to the symmetry of the phase modulations, observe that

$$e^{i(n+4)x\pi/2} = e^{inx\pi/2}\, e^{i2\pi x} = e^{inx\pi/2}, \qquad e^{i(m+4)y\pi/2} = e^{imy\pi/2}\, e^{i2\pi y} = e^{imy\pi/2} \tag{A11}$$

for all $x, y \in \{0, 1, 2, 3\}$. Hence, without loss of generality, it is sufficient to consider $n, m \in \{0, 1, 2, 3\}$. Denoting the probability that Alice and Bob receive $n$ and $m$ photons respectively, $|c_{nm}|^2 = P_{nm}$, it is therefore sufficient to consider a finite number of $\{P_{nm}\}_{n,m}$.
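The Trojan-horse factor in parentheses in (A10) and the mod-4 folding of (A11), evaluated numerically as an added example (not code from the paper). The function names and the two attack distributions are constructed for illustration; $\nu = 10^{-7}$ is the value quoted in the main text, and the example only measures how far the factor moves Gram-matrix entries away from their characterized values, without solving the SDP.

```python
import cmath
from collections import defaultdict

def tha_factor(P, dx, dy):
    """Parenthesised sum in (A10): sum_nm P[n,m] * exp(i*(n*dx + m*dy)*pi/2),
    with dx = x - x', dy = y - y' and P[(n, m)] = |c_nm|^2."""
    return sum(p * cmath.exp(1j * (n * dx + m * dy) * cmath.pi / 2)
               for (n, m), p in P.items())

def fold_mod4(P):
    """(A11): the phases have period 4 in n and m, so any photon-number
    distribution can be folded onto n, m in {0, 1, 2, 3}."""
    folded = defaultdict(float)
    for (n, m), p in P.items():
        folded[(n % 4, m % 4)] += p
    return dict(folded)

def mean_photons(P):
    """Mean photon numbers (nu_A, nu_B) of the Trojan-horse light."""
    return (sum(p * n for (n, _), p in P.items()),
            sum(p * m for (_, m), p in P.items()))

def max_gram_shift(P):
    """Largest |1 - factor| over all setting differences x - x', y - y'."""
    return max(abs(1 - tha_factor(P, dx, dy))
               for dx in range(-3, 4) for dy in range(-3, 4))

def pulse_vacuum_mixture(N, nu):
    """Constructed distribution: N photons to both Alice and Bob with
    probability nu/N, vacuum otherwise, so nu_A = nu_B = nu."""
    q = nu / N
    return {(0, 0): 1 - q, (N, N): q}

NU = 1e-7                                  # mean Trojan photon number from the text
SINGLE = pulse_vacuum_mixture(1, NU)       # one photon with probability nu
BRIGHT = pulse_vacuum_mixture(1001, NU)    # bright pulse mixed with vacuum

if __name__ == "__main__":
    for name, P in (("single-photon", SINGLE), ("bright/vacuum", BRIGHT)):
        print(name, "means:", mean_photons(P),
              "max Gram shift:", max_gram_shift(fold_mod4(P)))
```

Both constructed distributions satisfy the same mean-energy constraint, yet the bright-pulse mixture shifts the Gram entries about 1001 times less than the single-photon mixture, and in both cases the shift stays below $2(\nu_A + \nu_B)$.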
Here, in contrast to the analysis presented in Ref. [41], the Gram matrix of the effective signal states is not fixed, as Eve can vary the photon number distribution to maximize the leakage. Therefore, there are two variables that we consider in our optimization, namely the Gram matrix of Eve's quantum side information (which we denote by $G$) and the photon number distribution (which we denote by $P_{nm}$). Therefore, taking into account Eve's freedom to choose the Trojan horse state, we have to solve the following optimization problem

$$\begin{aligned}
\max_{G,\,P_{nm}} \quad & e_{\rm ph} \\
\text{s.t.} \quad & G \succeq 0, \\
& e_{\rm ph} \le 1/2, \\
& P(z|x,y) = \langle e^{z}_{xy} | e^{z}_{xy} \rangle, \\
& P_{nm} \ge 0, \quad \sum_{n,m} P_{nm} = 1, \\
& \sum_{n,m} P_{nm}\, n \le \nu_A, \quad \sum_{n,m} P_{nm}\, m \le \nu_B, \\
& \sum_{z} \langle e^{z}_{x'y'} | e^{z}_{xy} \rangle = \sum_{n,m} P_{nm}\, e^{i(n(x-x')+m(y-y'))\frac{\pi}{2}}\, \Lambda_{x'y',xy}
\end{aligned}$$

where $n, m \in \{0, 1, 2, 3\}$, $\nu_A$ and $\nu_B$ denote the intensity of the Trojan horse lights (measured at the output of Alice's and Bob's source, respectively) and

$$\Lambda_{x'y',xy} = \langle e^{ix'\frac{\pi}{2}}\alpha | e^{ix\frac{\pi}{2}}\alpha\rangle\, \langle e^{iy'\frac{\pi}{2}}\beta | e^{iy\frac{\pi}{2}}\beta\rangle \tag{A13}$$

is the inner product of Alice's and Bob's characterized signal states (i.e. the signal states in the absence of THA). One could then plug the bound on $e_{\rm ph}$ into the key rate formula

$$R \ge P_{\rm pass}\left[1 - h_2(e_{\rm ph}) - h_2(e_{\rm bit})\right] \tag{A14}$$

where $h_2(\cdot)$ is the binary entropy function and $e_{\rm bit}$ is the bit error rate in the key generation basis.