Out-of-Band Electromagnetic Injection Attack on a Quantum Random Number Generator

Random number generators underpin the security of current and future cryptographic systems and are therefore a likely target for attackers. Quantum random number generators have been hailed as the ulti-mate sources of randomness. However, as shown in this work, the susceptibility of the sensitive electronics required to implement such devices poses a serious threat to their security. We present an out-of-band electromagnetic injection attack on a photonic quantum random number generator through which an adversary can gain full control of the output. In our ﬁrst experiment, the adversary forces the binary output of the generator to become an alternating string of 1s and 0s, with near 100% success. This attack may be spotted by a vigilant user performing statistical tests on their output strings. We therefore envisage a second more subtle attack in which the adversary forces the output to be a random pattern known to them, thus rendering any protection based on statistical tests ineﬀective.


I. INTRODUCTION
Random number generators (RNGs) are essential for a wide variety of applications, from lotteries to statistics, from computer simulations to cryptography [1,2]. For some applications, e.g., computer simulations, the RNG output is only required to be statistically random whereas for others, like cryptography, it is critical that the RNG output is also unpredictable. This guarantees that an adversary cannot steal personal, financial, or classified data by predicting or covertly controlling the output of the encryption system. Unpredictable RNGs also underpin the security of quantum key distribution, which provides quantum-based protection to optical telecommunications [3][4][5]. The generation rate of quantum key distribution can decrease dramatically if the RNG output features even a small imperfection, becoming partially known to the adversary [6,7].
The necessity for unpredictable random numbers has led to a colossal amount of research into "physical RNGs," whose randomness is based on physical processes from * davide.marangon@crl.toshiba.co.uk thermal noise to radioactive decay. Among these, "photonic RNGs" hold a special place due to the rich variety of implementations they enable, from chaotic lasers to singlephoton sources, and the promise of integration on chip. In response to our growing reliance on physical RNGs, international standards such as FIPS, NIST SP 800-90B, and AIS.31 [8,9] have been established to guarantee the security of cryptography-orientated RNGs.
Securitywise, it has been shown that the randomness of ring-oscillator-based RNGs can degrade if their circuits unintentionally act as receiving antennas and pick up electromagnetic radiation from the surrounding environment [10][11][12][13][14][15]. This undesired behavior can be turned into an attack. In this case, the attack targets the source of randomness itself by locking the ring oscillators to the injected signal. Such attacks, where an adversary injects signals other than those intended to be detected to alter the value of the output, are generally referred to as "out-of-band signal-injection attacks" [16]. These attacks are particularly dangerous because they can be executed remotely and often target the connection between the sensor and the analog-to-digital converter (ADC), which fundamentally cannot be authenticated [16]. They are distinct from highpower attacks aimed at disrupting, jamming, or burning the victim's system [17], or fault-injection attacks targeting digital electronics in cryptographic systems [18,19], or even side-channel attacks based on physical leakage from the devices [20,21]. Out-of-band signal-injection attacks have been demonstrated on RNGs based on ring oscillators [22][23][24][25][26][27][28], medical implants [29] and drones [30], among others [16]. However, there is no study yet of their effectiveness against a quantum device.
As a special subset of physical RNGs, quantum RNGs (QRNGs) provide randomness from a physical process that is fundamentally quantum. The unpredictability of their output is guaranteed by the laws of quantum mechanics, provided that their implementation meets the assumptions made in their theoretical analysis. These assumptions typically identify a security perimeter that the adversary, Eve, cannot cross. Eve can still have full knowledge of the nonquantum characteristics of the devices within the perimeter, but cannot actively exploit them to make her attack more effective. As such, it is assumed that the QRNG is operated in a static environment, perfectly shielded from external signals [1,2]. Such assumptions are hard to justify in practice. As we find out, in the absence of sufficient shielding, an adversary can control the QRNG output through the unintentional antenna behavior of its components.
Earlier works used custom-made BHD circuits, which were observed to suffer from picking up electromagnetic noise from the environment due to the difficulty in shielding the highly sensitive electronics involved [31,32,35]. This noise has a classical origin and is therefore typically assumed to be passively monitored by, and hence known to, Eve. The solution to maintain a high secure generation rate has often been to calibrate the output power spectrum of the generator and generate numbers using only the flat regions of the spectrum, which are free from these large classical noise contributions. However, the electromagnetic background is unlikely to remain the same during the operation of the CV QRNG, especially if a malicious party is actively trying to control the generator output.
In this paper we show how an attacker can create and then actively exploit an electromagnetic side channel to control the output of a QRNG whilst remaining undetected. To prove our point, we experimentally demonstrate the attack by targeting a typical CV QRNG that makes use of the most recent BHD equipment. Our attack is not limited to this setup and could be used against any system susceptible to picking up electromagnetic signals, for example generators based on chaotic semiconductor lasers, which make use of similar components [42,43].
Our attack is based on electromagnetic injection and is represented by the model in Figs. 1(b)-1(g). As shown in Figs. 1(b)-1(d), in the absence of EMI we expect the output of the CV QRNG to be Gaussian distributed, with zero mean and variance σ 2 given by the sum of the quantum noise σ 2 Q , proportional to the power of the local oscillator, and the electronic noise of the measurement system σ 2 E [32,35,[44][45][46][47]. The injected electromagnetic signal is superimposed on this output, inducing a shift in the mean of the Gaussian distribution. We assume that variations in the induced shift broaden the shifted Gaussians, increasing their standard deviation to σ T . In contrast to the aforementioned attacks on ring-oscillator-based RNGs, this attack targets the hardware between the photodiodes and the ADC rather than the source of randomness itself, which is the vacuum and therefore cannot be degraded through EMI. As illustrated in Figs. 1(e)-1(g), Eve's simplest attack strategy is to inject a sine wave at half Alice's sampling rate, such that the mean of the odd samples is shifted to −A and that of the even samples to +A. This results in the overall distribution being double peaked.
In the general case where Alice has an ADC with multiple bins and a finite range R, Eve will aim to shift the distribution such that almost all of Alice's samples fall in the outer bins, which we conservatively assume to extend from ±R to ±∞. Given that the magnitude of the induced shift is A, the probability of Eve incorrectly guessing Alice's outcome amounts to where erfc(x) = 1 − erf(x) and erf(x) = (1/ √ π) x −x e −t 2 dt (see Appendix A). In the following sections, we focus on the case where Alice has only two bins, for which R = 0, and present experimental results obtained when Eve is able to synchronize her clock with Alice's remotely. In this case, the autocorrelation and conditional Shannon entropy of the output can also be predicted (see Appendices B and C).

A. Injecting sine wave
In our first implementation of the EMI attack, the attacker exploits the electromagnetic side channel in a bidirectional fashion by placing a pair of antennas in the proximity of the QRNG, see Fig. 2 The probability that Eve's guess is wrong can be found by integrating over the shaded region. (e)-(g) When Eve injects a sine wave at half Alice's sampling frequency, it shifts Alice's output, moving the mean values (magenta lines) to −A for odd samples (f) and +A for even samples (g). Because Alice is unaware of this change, she will not modify the position of her bins [the blue lines in (f),(g) are the same as those in (c),(d)]. The attack, however, makes the output likely to fall in one of the outer bins, thereby greatly decreasing the probability that Eve, who now guesses Alice's output will correspond to this outer bin, is wrong. As can be seen from the shaded region in (f),(g) being much smaller than that in (c),(d).
the synchronization greatly improves the attack's success probability.
After setting the phase of her sine signal correctly, Eve expects Alice's output to be an alternating string of 0s and 1s, with the probability of her guessing each bit incorrectly being given by Eq. (1) with R = 0. Looking at the histogram of the 8-bit ADC samples in Figs. 2(b) and 2(c) we see that, as predicted, Alice's overall output distribution changes from a single Gaussian to a double peaked distribution made up of two Gaussians centered at ±A when Eve injects her electromagnetic signal. Eve can improve her control of Alice's output by increasing the amplitude of the induced shift, A, either by placing her transmitting antenna closer to the BHD, or by increasing the transmitted power. The attack would also become more effective if Alice were to reduce her LO power, lowering σ Q and consequently σ T . In Fig. 2(d), we show how all these conditions can affect the efficacy of the EMI attack (see Appendix F for further details).
The attack described so far can give Eve full control of Alice's output. However, this version of the attack may be spotted by a vigilant Alice who is performing statistical tests on the ADC samples. The AIS.31 standards for physical generators require that such tests be run continuously to monitor the quality of output randomness [8]. However, these tests are computationally intensive and therefore are often not run continuously or at all in most physical generator implementations [13]. Eve could therefore evade this countermeasure by restricting herself to attacking only when Alice is not performing tests, e.g., by monitoring the power drawn by Alice's device in order to ascertain when the tests are being run [20,48].
Even if Alice were to perform continuous randomness tests, Eve could still attack continuously and remain undetected if she can modify the injected signal to determine the value of each bit at will. She could then send a random sequence known to her which will pass Alice's tests, thus controlling Alice's output whilst rendering her statistical tests ineffective. In the following section we present an implementation of such an attack.

B. Injecting random patterns
There are potentially many different schemes which Eve could use to transmit her random pattern to Alice, including variations on frequency shift keying and the use of phased arrays of antennas. We choose to implement a scheme inspired by binary phase shift keying in which the carrier wave, at half Alice's sampling frequency, is multiplied by a non-return-to-zero pattern at Alice's sampling frequency using a mixer. This enables Eve to flip each bit at will (see Appendix D). This scheme is chosen because it can be implemented with common lab equipment and a single transmitting antenna. In order to force Alice's output to replicate her desired pattern, Eve must ensure that the power spectrum of the CV QRNG output closely matches that of her transmitted signal for at least one whole sideband. This is challenging to achieve in practice as the rf frequency response of Alice's setup is unlikely to be flat across a whole sideband, i.e., her setup is unlikely to be equally good at receiving signals across a whole sideband.
In our implementation, we concentrate on sending strings of repetitive 32-bit patterns, chosen using a pseudo RNG. Counting the number of matches between the sequence injected by Eve and the measured output for 1 281 250 samples in 3000 different patterns, we find an average match of 69.8% with a standard deviation of 6.7%, as shown in Fig. 3(b). This match can be interpreted as the probability of Eve correctly guessing each bit of Alice's output. Eve could extend these patterns to arbitrary lengths in order to better conceal her attack.
Much of the mismatch between Eve's injected sequence and the one obtained by Alice can be attributed to the rf frequency response of Alice's setup. Figure 3(a), obtained by sending a repeating 8192-bit pattern and sampling the output at 40 GSamples/s using an 8-bit oscilloscope, shows that the CV QRNG setup is poor at picking up injected signals below 500 MHz, as is clear from the mismatch between the power spectra of the output from Eve's mixer, shown in blue, and that of Alice's CV QRNG output, in orange. This in turn leads to the loss of the longer runs, i.e., uninterrupted sequences of identical bits, in Alice's output, as shown in Fig. 3(c), and consequently a lowering of the average match. As highlighted in Fig. 3(e) the match decreases almost linearly with the length of the longest run in the pattern Eve is attempting to transmit. This is due to the loss of the low-frequency components in the received signal. Eve ought to be able to correct for this distortion and increase her match if she has prior knowledge of the frequency response, by amplifying the parts of the spectrum for which the frequency response is weaker prior to transmission. Otherwise she could increase her average match by restricting herself to sending patterns containing only short runs.
Despite this imperfect match between Eve's target and the patterns received by Alice, it is clear from the autocorrelation shown in Fig. 3(d) that the received patterns have 32 sample-long repeating patterns within them. If instead of comparing the CV QRNG output to that of Eve's mixer we compare it to itself, taking the first 32 bits of Alice's output as the pattern, the average match rises to 88.7% with a standard deviation of 4%, as shown in Fig. 3(b). The remaining mismatch is attributed to the lack of power in the injected signal. Therefore Eve's guessing probability 044044-4 would improve considerably if she was aware of how her pattern had been distorted. Now consider a second scenario in which Alice uses the band from 625 MHz to 1.25 GHz to generate her output. Eve can adapt her input, using the upper sideband rather than the lower sideband to transmit her pattern by setting her carrier wave frequency to 625 MHz and mixing this with a 1.25-GHz pattern. In this case, after filtering our experimental results show that Eve's match increases to 88% on average with a standard deviation of 10% for 3000 32-bit patterns, as shown in Fig. 4(a). This is due to the fact that the rf frequency response of Alice's setup is relatively flat throughout this region, see Fig. 3(a), meaning that Eve is more successful in transmitting her pattern. This is reflected in the fact that the longer runs are preserved in the CV QRNG output, as shown in Fig. 4(b). If as before we compare Alice's output to the first 32 bits within it the match rises to 94% with a standard deviation of 3%, see Fig. 4(a).

III. CONCLUSION
In this work we present an out-of-band signal injection attack on a photonic QRNG through which an adversary can gain full control of the output through EMI. We present three proof-of-principle implementations against a CV QRNG with a binary output, using common lab equipment and a wideband isotropic antenna. The first is able to achieve near perfect control of the output by exploiting the out-of-band electromagnetic channel in a bidirectional fashion: eavesdropping Alice's clock for synchronization and injecting a sine wave. This attack forces the output to become a series of alternating 1s and 0s and could therefore be spotted by a vigilant user performing statistical tests on their output. We therefore investigate two scenarios in which Eve can achieve high degrees of matching between random patterns chosen by her and the CV QRNG output. We anticipate these matches could be increased with a more powerful and sophisticated transmitter setup, or perhaps a different modulation scheme. When perfected, such an attack would render any protection based on statistical tests on the output ineffective, highlighting the need for implementing countermeasures specific to EMI attacks (see Appendix H).
Our results are pertinent to the more common issue of unintentional electromagnetic interference, which may lead to the randomness of RNGs being degraded if they are deployed in server racks or other noisy environments with insufficient shielding. Out-of-band signal-injection attacks on quantum technologies, such as quantum key distribution systems, are an as yet unexplored research area 044044-5 P. R. SMITH et al.

PHYS. REV. APPLIED 15, 044044 (2021)
and could therefore pose previously unidentified security threats that shall be investigated in future works.

APPENDIX A: PROPORTION EVE GUESSES INCORRECTLY
Eve aims to shift Alice's distribution such that the outcome of Alice's measurement is most likely to fall in one of the outer bins of her ADC, which are assumed to extend from ±R to ±∞, and guesses that this will be Alice's output. The probability that this will not be the case can be found by integrating the filled region under each curve in Fig. 5. Given that the variance of the Gaussian is σ 2 T , the probability that Eve will guess the outcome of Alice's measurement incorrectly is given by Eq. (1) in the main text.
The widths of the inner bins of Alice's ADC are shown as being equal in Fig. 5, but could also be chosen such that the outcome of Alice's measurement is equally likely to fall in each bin, see, for example, Ref. [31]. In either case, Eve can maximize her guessing probability by maximizing the shift A that she induces in Alice's output. Determining how Eve can modulate her injected signal to maximize her guessing probability whilst remaining undetected by statistical tests run by Alice on her output when she has more than two bins is an interesting and complex problem, which would depend not only on Alice's choice of binning but also on which statistical tests she is performing, and shall not be discussed in any further detail in this work. Figure 6(a) shows that the data goes from being weakly correlated for low lags, due to the finite bandwidth of the detector, in the absence of EMI, to being strongly correlated for all lags when Eve injects a sine wave. The absolute value of the autocorrelation of the binary output for nonzero lags when Eve is injecting her signal can be shown to be given by

APPENDIX B: ABSOLUTE AUTOCORRELATION
( B 1 ) Figure 6(b) shows that the data obtained fit this prediction well.
The autocovariance function at lag k,f o rk ≥ 0i s defined as where the meanȳ = 1 n i=n i=1 y i . The autocorrelation function at lag k,fork ≥ 0, is defined as For the sake of compactness, assume that after thresholding at 0 V Alice's output will be +1 if the BHD output is positive and −1 if it is negative, such thatȳ = 0. We then Taking the limit as n →∞and assuming that each element is independent we can rewrite each sum as a sum over possible outcomes weighted by their probabilities. Defining p i,j as the probability that Alice's output will be i given that Eve predicts it to be j , and using Eq. (1) with R = 0 we have and p 1,1 = p −1,−1 = 1 − p 1,−1 . Considering the odd and even terms in the sums separately the autocorrelation for odd lags is then given by which using the results above simplifies to Similarly it can be shown that r even =+(1 − 2p 1,−1 ) 2 . Substituting in the probability from above, we find that absolute value of the autocorrelation for nonzero lags is given by which matches Eq. (B1).

APPENDIX C: CONDITIONAL SHANNON ENTROPY
The success of Eve's attack in the case where she injects a sine wave into Alice's QRNG whose output is binary can further be demonstrated by evaluating the conditional Shannon entropy of Alice's output, defined as where the conditional probability p(x|y) = [p(yx)/p(y)]is the probability that event x will occur, given that event y just occurred [49]. In the case of a binary output this can be rewritten as where for example p(0|1) = p(10)/p(1) corresponds to the probability that Alice's next output will be a 0 given that her last bit was a 1. Details of the procedure to obtain the necessary probabilities from experimental data can be found in Ref. [49]. As shown in Fig. 7, Alice's conditional Shannon entropy decreases as the normalized shift, (A/ √ 2σ T ), that Eve imparts to Alice's BHD output increases, reaching 0 for sufficiently large shifts. If Alice were evaluating the conditional Shannon entropy of her output, it would be clear to her at this point that her output is completely predictable. Crucially if instead Alice was simply evaluating the Shannon entropy of her output H =− x p(x) log 2 p(x), the value she would obtain would remain close to 1, and the attack would go unnoticed.
The conditional Shannon entropy of Alice's output can be predicted by calculating each of the probabilities in Eq. (C2) from Alice's perspective who is assumed to be unaware of Eve's attack: The conditional Shannon entropy is then given by As shown in Fig. 7 the experimental data fits this prediction well. The conditional min-entropy, for which we assume that the side information available to Eve is whether she was trying to send a 1 or a 0 at each sampling point, is also plotted in Fig. 7 to highlight how much this side information improves Eve's guessing probability. This guessing probability would further increase if, as in many QRNG protocols, we assume that the electronic noise from the detector is known to Eve.

APPENDIX D: EXPERIMENTAL METHODS
For our proof-of-principle experimental implementation we focus on the case in which Alice obtains her digital output by thresholding the BHD output at 0 V. The QRNG setup consists of a laser diode, connected to a variable optical attenuator (VOA), the output of which is connected to a 50:50 fiber coupler. The second input of the coupler is blocked as to provide a vacuum input. The two outputs from the coupler are connected to a Thorlabs PDB480C-AC BHD. Unless otherwise stated, the LO power is set just below the power at which the BHD saturates, such that around 4.7 mW is incident on each photodiode.
For the experiments in which Eve is sending a sine wave, the output is sampled at 1 GSamples/s using a dedicated ADC board. In this case the board's 1-GHz clock is picked up by placing an Aim-TTi PSA-ANT2 antenna close to the ADC board, the output from which is filtered and then frequency divided to provide the 10-MHz reference for Eve's setup, making the attack contactless. A schematic of this setup is shown in Fig. 2(a).
For the experiments in which more complex patterns are sent, the output from the BHD is sampled at 40 GSamples/s using an oscilloscope, then downsampled to 2.5 GSamples/s in postprocessing. Sampling at a high rate then downsampling to the required rate gives more flexibility in choosing the sampling point. In this case we assume that Eve has direct access to Alice's clock and trigger the oscilloscope on Eve's pattern generator output. A schematic of the setup is shown in Fig. 8.
The injected electromagnetic signal is generated using a signal generator in the case where we send a sine wave, and with a combination of said signal generator and a pattern generator whose outputs are combined using a mixer when sending more complex patterns. The signal is amplified to 24 dBm and then transmitted using an Aim-TTi PSA-ANT2 isotropic wideband antenna placed a few centimeters away from the BHD.
Whilst we cannot be certain which part of the system acts as an unintentional antenna and picks up the electromagnetic signal we suspect it is a combination of the power supply cable and the output SMA, as placing the antenna parallel and in close proximity to these close to their connections to the BHD box produces the largest response. The BHD circuit board may also be responsible although it is held in a shielded aluminum box [16,50,51].

APPENDIX E: UNSYNCHRONIZED CLOCKS
In the main text we consider the case where Eve can obtain Alice's clock and hence synchronize her attack with Alice's sampling, we now consider what happens if this is not the case. To keep the analysis simple we restrict ourselves to considering the case where Eve sends a sine wave at half Alice's sampling frequency. If Eve is unable to synchronize her clock with Alice's, Alice will no longer sample Eve's injected sine wave on the extrema, instead Alice's sampling point will drift along Eve's sine wave. Assuming that the clocks are stable, the shift imparted by Eve will evolve over time, t,a sA cos( ft), where f is the difference between the frequency of Eve's signal and half Alice's sampling rate. As shown by the experimental results in Fig. 9 if we subsample short sections of Alice's output, taking every other point, and calculate the mean shift imparted by Eve, we see that it oscillates sinusoidally as predicted.
044044-8 The proportion wrong and absolute nonzero autocorrelation show the same periodicity and can be accurately predicted from the normalized shift imparted by Eve using Eqs. (1) and (B1) respectively, as shown in Fig. 10.

APPENDIX F: EXPERIMENTALLY VARYING THE NORMALIZED SHIFT
Figures 11 and 12 provide further details of the parameters used to produce Fig. 2(d). In Fig. 11(a) we show that increasing the power output by Eve's signal generator increases the shift imparted by Eve and hence the distance between the two extrema in the overall distribution (solid line). The distributions obtained after subsampling, taking  every other point, are also plotted (filled) to emphasize the fact that they are simply shifted Gaussians. Figure 11(b) shows that increasing the LO power increases the width of the Gaussians. Further to this Fig.  12(a) shows that the variance of the subsampled distributions remains proportional to the LO power in the presence of EMI and that Eve's attack does not significantly change this variance compared to that obtained when she is not attacking. Figure 12(b) shows the dependence of the amplitude of the shift imparted by Eve on the power output from Eve's signal generator.

APPENDIX G: RANDOMNESS EXTRACTION
It is worth pointing out that CV QRNGs are normally provided with a unit for the application of so-called randomness extractors, i.e., algorithms to enhance the statistical uniformity of ADC samples and make them more difficult to predict. However, with this kind of attack this unit would be of little use. All the postprocessing steps applied by Alice in order to extract her final output from the bits must be known to Eve [52] and do not add any entropy to the output, therefore they cannot make the final output unpredictable to Eve if she knows the raw input. Worse still, it is common to only apply randomness test to the postprocessed bits in CV QRNG implementations [32,34,[36][37][38]40,41,[44][45][46][47]. Such tests ought to be passed even in the case where Alice's raw output is a string of alternating 0s and 1s if, for example, the raw output is hashed using a Toeplitz matrix, meaning that Alice will fail to spot even this simpler version of our attack [53].

APPENDIX H: COUNTERMEASURES
Countermeasures against electromagnetic interference, intentional or not, have been the subject of extensive research. It has been shown that shielding, differential coupling, and filtering can be applied to effectively attenuate electromagnetic signals [16,29,54,55]. Such countermeasures only attenuate Eve's signal and can therefore be overcome by Eve sending a more powerful signal. If instead Alice wishes to detect that the attack is taking place, she could monitor the power reaching the ADC as this will increase considerably during the attack. Alice may also place an antenna close to the RNG to monitor the electromagnetic background [29]. The need to implement monitoring ahead of the ADC has previously been highlighted in Refs. [56,57] and in the AIS.31 standards in the form of total failure tests on the entropy source [8].
As discussed above, in the case where Alice has only two bins, it is possible for Eve to adapt her input to render Alice's statistical tests ineffective. This becomes more difficult for Eve as the number of ADC bins increases as any shift imparted to Alice's output by Eve will increase the occurrence of samples in the outer bins. Alice may then be able to detect the attack by counting the occurrence of samples in these bins. This countermeasure can be made more effective if Alice counts the number of samples in the outer bins after randomly switching off the LO, as in a typical CV QRNG setup this will drastically reduce the probability of a measurement falling in the outer bins [32,55,58]. A detailed overview of further potential countermeasures against out-of-band signal-injection attacks in general can be found in Refs. [16,51].