Mitigation of Channel Tampering Attacks in Continuous-Variable Quantum Key Distribution

Despite significant advancements in continuous-variable quantum key distribution (CV-QKD), practical CV-QKD systems can be compromised by various attacks. Consequently, identifying new attack vectors and countermeasures for CV-QKD implementations is important for the continued robustness of CV-QKD. In particular, as CV-QKD relies on a public quantum channel, vulnerability to communication disruption persists from potential adversaries employing Denial-of-Service (DoS) attacks. Inspired by DoS attacks, this paper introduces a novel threat in CV-QKD called the Channel Amplification (CA) attack, wherein Eve manipulates the communication channel through amplification. We specifically model this attack in a CV-QKD optical fiber setup. To counter this threat, we propose a detection and mitigation strategy. Detection involves a machine learning (ML) model based on a decision tree classifier, classifying various channel tampering attacks, including CA and DoS attacks. For mitigation, Bob, post-selects quadrature data by classifying the attack type and frequency. Our ML model exhibits high accuracy in distinguishing and categorizing these attacks. The CA attack's impact on the secret key rate (SKR) is explored concerning Eve's location and the relative intensity noise of the local oscillator (LO). The proposed mitigation strategy improves the attacked SKR for CA attacks and, in some cases, for hybrid CA-DoS attacks. Our study marks a novel application of both ML classification and post-selection in this context. These findings are important for enhancing the robustness of CV-QKD systems against emerging threats on the channel.


I. INTRODUCTION
Quantum key distribution (QKD) is a quantum technology that ensures secure key distribution between two parties.Traditionally, the parties are called Alice (transmitter) and Bob (receiver).The confidentiality of shared keys against a potential eavesdropper (Eve) is guaranteed by the laws of quantum mechanics.Once established, the keys are used to encrypt communication between the parties.Photon-based QKD employs discrete variable (DV) encoding, using discrete properties like polarization, while coherent light-based QKD involves continuous variable (CV) encoding, utilizing the continuous attributes of the electromagnetic field, such as amplitude and phase, for secure key establishment [1].Thus, we have two classes of protocols: DV-QKD and CV-QKD.The first DV-QKD protocol has been designed by Bennett and Brassard which is referred to as BB84 [2].It performs especially well for long distances [3].In contrast, CV-QKD protocols generate secret key bits at a high rate over short distances [4,5].
Despite significant advancements in CV-QKD and its commercial availability, vulnerabilities persist due to imperfections in implementation.This leads to various side-channel attacks such as local oscillator (LO) intensity fluctuation, wavelength, calibration, and saturation attacks [6][7][8][9][10][11][12][13][14].Consequently, identifying new attack vectors on implementations is necessary for the continued robustness of CV-QKD.Additionally, the public quantum channel used in QKD introduces susceptibility to disruption, with the denial-of-service (DoS) attack being a significant threat [15].This attack, disrupting both classical and quantum channels, involves Eve introducing errors by sporadically blocking traffic in the quantum channel.In particular, in the case of CV-QKD, Eve can modify the channel transmittance T with a DoS attack to reduce the secret key rate (SKR) [16,17].Inspired by the DoS attack, we devise a novel threat, where Eve does not merely reduce but amplifies the transmittance T which has implications for the SKR.This leads to the Channel Amplification (CA) attack on CV-QKD as a subset of channel tampering attacks which can be defined as any physical attack that modifies the channel transmittance.Detection and mitigation of these attacks is crucial for ensuring the robustness of CV-QKD systems and is the focus of this study.
Emphasizing the need for vigilance, there is a recent trend that applies machine learning (ML) techniques to detect sidechannel attacks in CV-QKD.For example, there have been applications of ML to the detection of calibration attacks [18], wavelength attacks [19] and universal quantum attacks [20,21].However, accurate ML models for detecting these attacks rely on extensive datasets with large feature vectors, often utilizing computationally intensive convolutional neural networks (CNNs).Our ML approach to channel tampering attack detection streamlines classification by employing a decision tree classifier and focusing on more relevant data features.
Unlike other ML applications for attack detection in CV-QKD [18][19][20][21], we not only identify the accuracy of ML classification but also quantify the utility of a mitigation strategy centered on post-selection.This post-selection technique, also known as data clusterization, has been previously applied to free-space CV-QKD in [22,23], and here we find an application to mitigation of channel tampering attacks in a CV-QKD optical fibre implementation.To our knowledge of the current literature, our study marks a novel application of both ML classification and post-selection in this context.
In this work, we devise a physical channel tampering attack implemented in a CV-QKD optical fiber setup.We employ a parameter estimation and ML model for accurate attack clas-sification with minimal resources.We also investigate mitigation strategies after classification.Our contributions entail: • Introducing the CA attack in a CV-QKD implementation and providing identifiable channel tampering attacks.The knowledge of the existence of novel physical channel tampering attacks improves the security of CV-QKD.
• Implementing a supervised ML model that is lightweight and fast to classify diverse channel tampering attacks.The advantage of the ML model is high-accuracy classification.
• Minimizing overhead by extracting features from LO intensity measurements.The advantage of this scheme is the reduced time for classification of channel tampering attacks and capability to determine frequency of attack f attack .
• Employing post-selection on classified attacks to enhance SKR and thereby mitigate the effects of the attack.
The work is organized as follows.In Section II, we introduce the CV-QKD protocol implementation in optical fibre and the parameter estimation procedure.Next, in Section III, we introduce the quantum security analysis.In Section IV, inspired by the DoS attack, we detail the framework for channel tampering attacks and identify three possible types of attacks: CA, CA-DoS and DoS attacks.In Section V, we simulate real case scenarios for the three cases of attacks and develop an ML model for classification.We find a high accuracy, even with typical noise found in the implementation, but this drops when the noise is high.In Section VI, we employ postselection of the classified channel tampering attacks and compare SKRs.We find that ML classification and post-selection improves the SKR.Next, in Section VII, we discuss our results, touching upon the feasibility of such an attack with current optical technologies and the limitations of our model.In the next section, we summarize and conclude our study.

II. PARAMETER ESTIMATION IN CONTINUOUS VARIABLE QUANTUM KEY DISTRIBUTION
We describe the Gaussian modulated coherent state QKD protocol [24][25][26].In this protocol, Alice prepares coherent states |α A 0 . . ., α A i ⟩ in the phase space described by the position quadrature X = a + a † and momentum quadrature P = −i(a − a † ) where a and a † are the annihilation and creation operator, respectively.Alice modulates the coherent states according to a Gaussian distribution N ((X A = 0, P A = 0),V A N 0 ) centered at X A = 0, P A = 0 with variance V A N 0 where N 0 is the shot noise, V A is Alice's modulation variance, X A is the mean of X and P A is the mean of P. The coherent states with phase space positions at {{x A,0 , p A,0 }, . . .{x A,i , p A,i }} are sent through the channel with transmittance T and excess noise ξ .Bob receives the coherent states and measures the quadratures X and P using a heterodyne detector.The states received by Bob are correlated with the states sent by Alice.
Bob can perform statistics on the received measurement data {{x B,0 , p B,0 }, . . .{x B,i , p B,i }}, which are also distributed according to a Gaussian distribution N ((X B = 0, P B = 0),V B ).
In a standard CV-QKD implementation, parameter estimation is performed using a fraction of the quadrature measurements and the maximum likelihood estimation of T and ξ .In our CV-QKD system depicted in Fig. 1, Alice and Bob also continuously monitor the intensity of the LO and estimate T .
In our CV-QKD system, we assume that the local oscillator (LO) locking the quadrature phases is polarization and/or time-multiplexed with the quantum signal.The design is similar to [27] but with a few additions.Namely, a power monitor is placed at Alice and Bob to measure the optical power into the channel P in and out of the channel P out .P in experiences power fluctuations due to temperature fluctuations and electronics.For Bob to estimate T , Alice needs to constantly send P in using the classical communication channel.Alternatively, as this could be a security risk, Alice could characterize the mean and variance of P in before the protocol starts.The LO experiences relative intensity noise RIN due to the channel, which we quantify by σ RIN,LO given by noise models in [28].The excess noise of the system is ξ σ RIN,LO where we have defined ξ B to be the baseline excess noise without the RIN of the LO and V ⊥RIN,LO = V A + 1 is the variance of the quadrature without RIN of the LO.
Alice and Bob then perform parameter estimation, postprocessing, and privacy amplification to obtain a positive SKR (see Ref. [29] for a review on CV-QKD).In the usual parameter estimation, the measurement data at Bob is modeled by a normal linear transmission model: where for constant transmittance t = √ T η, η is the detector efficiency, x A are coherent states modulated by Alice and z R is the Gaussian noise of N (0, σ 2 R ) where σ 2 R = v el +N 0 +ηT ξ is the channel noise.However, if T is not constant i.e.T = t2 /η, as would be the case in a fluctuating channel, the expectation values E(T ) and E( √ T ) need to be estimated.A fraction m/N of the total quadrature measurement data N is used to estimate the parameters: and For the estimation of T , we note that the variance of Bob's measured quadrature X B is where v el is the electronic noise of Bob's detector.The crosscorrelations or covariance between Alice and Bob are given by: Based on the measurement of the shot noise N 0 , electronic noise v el , Alice's modulation variance V A and excess noise ξ , one could estimate the mean value of T by In Fig. 1, Eve performs the channel tampering attack.In this attack, she modifies the transmittance parameter and its statistics with probability distribution P(T ).Eve hijacks part of the optical fibre communication up to a length of D Eve and leaves the rest of the fibre length of D Bob unchanged.The parameters under attack of the modified channel are [30] (which are also derived in the Appendix A): The above approach relies on measuring other parameters precisely.On the other hand, monitoring the LO optical power provides more information about the distribution of √ T and T without sacrificing an additional part of the key to monitor for channel tampering attacks.Monitoring the LO intensity has previously been suggested as a defense against wavelength and calibration attacks [7,9].In our CV-QKD protocol depicted in Fig. 1, we assume that monitoring T via the LO intensity is correlated with the estimated parameters in Eq. (7).
As Bob estimates T from the measurement of the LO intensity, a fraction of the quadrature measurement data m/N is needed for parameter estimation of the normal unattacked T and the excess noise ξ .For increased security, one could also determine correlations between TLO from the LO and Tsig from quadrature measurements.In practice, there are statistical effects due to the finite number of symbols sent between Alice and Bob.As such, there is a worst-case scenario estimation for the channel parameters given by [31]: where where V 0 = 2 for heterodyne detection, m is the number of keys for the parameter estimation, c PE = 0 as in [31] and where ε PE is the error probability of parameter estimation failure.

III. QUANTUM SECURITY ANALYSIS
Eve's information is obtained by the Holevo bound χ EB , which is determined by the covariance matrix of Alice and Bob.The SKR of CV-QKD in the asymptotic limit is [28] where β is the reconciliation efficiency, and I AB is the mutual information between Alice and Bob.The SKR calculations in the asymptotic limit of the Gaussian modulated coherent state with heterodyne detection are shown in Appendix B. Security proofs in the asymptotic limit are based on the reduction of coherent attacks to collective attacks and Gaussian optimality [32][33][34].With finite-size effects, the equation for the secret key against collective (Gaussian) attacks for success probability of error correction p ec and ε-secrecy is given by [35,36]: for total block-size of N and remaining symbols for the secret key n = N − m, where where d is the size of the alphabet after analogue-to-digital conversion (usually set to d = 2 5 ) and secrecy ε = 2p ec ε PE + ε cor + ε h + ε s .

IV. CHANNEL TAMPERING ATTACKS
As in Fig. 1, we split the Eve's capability into channel tampering attacks and quantum attacks.Eve has the capability of modifying T of the channel.In this particular setup, we assume that the signal and LO are equally affected by the modified channel.The latter is a fair assumption if the signal and LO are multiplexed in the same physical fibre.Subsequently, Eve has the capability of performing a quantum attack based on the modified channel parameters.We emphasize that the channel tampering attack affects the parameter estimation of a complete CV-QKD protocol, which is different from an attack on the implementation of the quantum processes.
Normally, DoS attacks manipulate T according to either a two-point or uniform distribution [30].In this attack implementation, we will only refer to the two-point distribution.The two-point distribution corresponds to intermittently blocking communications, with the transmittance, which varies from 0 to T 0 and follows a binomial distribution of B(1, p), where p is a parameter between 0 and 1 chosen by Eve.The expected values are E( Let Eve split the fibre with a loss L (in dB/km) and replace it with a fibre with a lower loss L ′ .For example, Eve can patch the optical fibre during a blackout with an optical switch into a lower-loss fibre.Therefore the transmittance is gT 0 , where g = 10 −L ′ d Eve /10 /10 −Ld Eve /10 = 10 ∆Ld Eve /10 , d Eve is Eve's fibre cable length and ∆L = L −L ′ .Thus, the above expected values become: We can simulate such an attack by generating T according to the distribution: where T Bob = 10 −Ld Bob /10 with d Bob being the length of fibre from Eve to Bob and N (T ; T Bob , σ RIN , 0, 1) is a normal distribution between 0 and 1.In this model, Eve has the freedom to launch the CA attack at any point of the optical fibre.Note that a swap of optical fibres is not the only method to perform this attack by Eve.She can also change the vacuum properties of the channel.This can be done, for instance, by decoupling the signal and LO from the fibre into a vacuum chamber of refractive index n 0 = 1 and back into the fibre [37].Given the channel tempering attack, the estimated channel parameters become: Based on these parameters, we can simulate a realistic attack with a loss L = 0.2 dB/km for standard fibre and L ′ = 0.15 dB/km for ultra-low loss fibre.From this point forward, we define the CA attack with these parameters.We consider the following case studies for Eve's channel tampering attacks: Case I: p = 1 and g > 1.A successful CA attack is when the transmittance parameter T = gT 0 is amplified, and excess noise remains the same ξ = ξ .
Case II: p = 1/ √ g and g > 1.In this hybrid CA-DoS attack, the two-point distribution parameter is tuned by Eve such that T = T 0 and ξ = √ g(V A + ξ ) − V A .The excess noise is higher than if there were no attack but the average transmittance remains the same.
Case III: p < 1 and g ≤ 1.In this DoS attack, Eve performs a stronger DoS attack that reduces the SKR significantly, and therefore it reduces the number of key bits exchanged between Alice and Bob.
Without the knowledge that the first type of attack in Case I had occurred, a naive defense strategy would be to average over the channel parameters and follow information-theoretic security in Section III.In Case II, if the attack is weak p ≈ 1 and g ≈ 1, Alice and Bob can continue their interactions as usual, regardless of whether the attack is detected or not.Alternatively, if Eve is nearly blocking all communications as in Case II & III i.e. when p << 1 and upon the classification of this attack, Alice and Bob can use a part of their key to randomly select a different optical fibre channel if available.We shall see in the next sections that the effect of the channel tampering attacks in Case I & II on the SKR can be detected and mitigated.

V. MACHINE LEARNING CLASSIFICATION RESULTS
After the parameter estimation, a ML model for classifying attacks is used to identify the three types of attacks outlined in the previous section.
Our supervised ML model is as follows: • Based on the distribution P(T ), we generate N Samples × M samples of T i 's of the normal operating CV-QKD system T norm in optical fibre and of the three types of attacks T I,II,III given by the cases in Section IV.The sample size is N Samples = 1000 and M = 800.We note that N Samples and M are not the same as the block size or number of symbols used for parameter estimation.These are independent samples from the measurement of the LO intensity.
• The feature vectors for the four classes {X norm , X I , X II , X III } where X is the expectation values E(T ) and E( √ T ) of the sample transmittance values generated i.e.T norm and T I,II,III .
• A ratio of 4 : 1 of the shuffled generated data is used for training {X train , y train } and for testing {X test , y test }.
• We use the decision tree classifier model as it is lightweight and requires reduced computational power [38] to generate predictions {X predict , y predict } on the test data.
In essence, as depicted in Fig. 2, the supervised ML model learns from the labelled data of E(T ) and E( √ T ).It makes a decision based on the features of the data.Based on this knowledge, the type of attack can be predicted from unlabelled data. Fig.
(3) depicts the confusion matrices for classifying the channel tampering attacks using this ML model.We find that when Eve controls the optical fibre starting from Alice for D Eve = 10 km, the channel tampering attacks are classified with 100% accuracy for both low noise σ RIN,LO = 0.01 and high noise σ RIN,LO = 0.1.However, for D Eve = 1 km, the accuracy drops as the channel parameters are only slightly modified by the attack.It is especially harder for the ML model to distinguish between CA and CA-DoS attacks with a high RIN of LO.For an LO of typical optical bandwidth in optical fibre σ RIN,LO = 0.0014 [28].Hence, the noise of the LO in typical CV-QKD implementations are rarely of the high noise regime.

VI. POST-SELECTION OF CLASSIFIED ATTACK
If Alice and Bob continue their protocol without identifying the type of attack and frequency of attack f attack , the new channel parameters, as measured by Alice and Bob, are the weighted average of the attacked and unattacked probability distributions.Therefore,

E(
The channel parameter estimators are given by Eq. ( 7) and explicitly shown in Appendix C. Based on these channel parameters, we denote K Attack as the 'attacked SKR' where Bob  carries on with the channel estimation without knowledge of the attack.However, with our ML model, Alice and Bob can classify the type of channel tampering attack and tag the quadrature data.The post-selected SKR is binned into the unattacked sub-channel and attacked sub-channel: where K 0 (T 0 , ξ 0 ) is the unattacked SKR and K(T ′ , ξ ′ ) is the attacked SKR where T ′ and ξ ′ are the estimators given by Eq. (15).The above formula applies to both the asymptotic limit and finite-size effects.In this section, we will see how the attack affects the SKR, and also assess the performance of the mitigation strategy.The chosen parameters for our CV-QKD system are β = 0.9 for the reconciliation efficiency, the baseline excess noise ξ B = 0.01, the electronic noise v el = 0.05, the detector efficiency η = 0.9 and the shot noise N 0 = 1.These parameters are based on experimental values from [27].The block size is N = 10 12 , ε cor = ε PE = ε h = ε s = 10 −9 , p ec = 0.99 and the number of symbols used for parameter estimation is m = N/10.Alice's modulation variance V A is optimized w.r.t. the unattacked channel parameters and falls in the range V A = {2.79,2.89}.
In Fig. 4 (a), the SKR is plotted for σ RIN,LO and D Eve .It can be seen that the SKR with the CA attack K Attack in the left subfigure has a region in the top right where there is zero SKR.As seen in the right subfigure, the SKR after the mitigation K PS then solves this issue by achieving a positive SKR in this region and increasing the SKR overall.In Fig. 4 (b), we can see the effect of the CA attack on the SKR.Compared to the unattacked SKR K 0 , the attacked SKR K attack increases in the blue region, while decreases in the red region.After miti- gation, as seen in the right subfigure, the SKR is better for all parameters.The SKR improvement is up to 0.024 bits/pulse.Of particular significance is the region at which the mitigation increases from zero to non-zero SKR.In Fig. 5, we plot the SKR improvement as a function of Eve's frequency of attack for a point in this region.It can be seen that the SKR always drops and is zero for f attack = 0.25 to 0.6.
In the left-hand side of Fig. 6 it can be seen that the CA-DoS attack significantly reduces the SKR.On the right-hand side of the figure, our mitigation strategy is found to improve the SKRs under attack with Eve between 2 − 12 km in the triangular region shown in the right subfigure of Fig. 6 (b).The SKR advantage is up to 0.002 bits/pulse.Despite this marginal improvement, this attack is more detrimental to communication compared to the CA attack.
For CA attacks with a bandwidth or pulse rate of 100 MHz, the SKR in bits/s improves on average by 6 kb/s which is comparable to the average SKR of 20 kb/s.For CA-DoS attacks, the improvement in the region of non-zero SKR is on average 1.6 kb/s compared to the average SKR of 15 kb/s.For state-of-the-art repetition rates of 1 GHz, these quotes SKR values would increase an order of magnitude.
False classification.We repeat here that the ML classification is for binning of the data to optimize the SKR, and the quadrature data contains all information to bound Eve's information as described in Section III.The channel tampering attack modifies the transmittance-a parameter assumed to be controlled by Eve in the security analysis-to disrupt communication.This contrasts with Eve exploiting the hardwarespecific implementation to facilitate a side-channel attack.Hence, false classifications would simply change the statistics of T and ξ but not the security of the coherent state protocol.
To further this point, we explore the scenario where there would be a CA attack (a positive) but the ML model falsely classifies this attack as a normal channel without Eve tampering the channel i.e. a false negative (FN).For example, in Fig. 3 d) this happens 1 out of 800 times in this simulation.Upon this false classification, the block of correlated ⟨X A X B ⟩ is binned into the normal data wrongly with T Wrong = gT 0 about 1 out of 800 times for the total block size N = 10 12 .
The penalty for this false classification1 is that the estimate for the transmittance from the binned normal data is T /800 2 which is slightly higher than T 0 .Whereas if the normal data is falsely classified as a CA attack 3 in 400 times i.e. false positives (FP), the estimated transmittance is T /400 2 which is slightly less than gT 0 .Hence false classifications do not change the security of the protocol but rather reduce the efficiency of the parameter estimation.
In this example, despite some of the quadrature data tagged incorrectly, the security is dependent on the transmittance of the unattacked and attacked sub-channels with true negative + false negative and true positive + false positive binned data, respectively.Although the SKR may not be as high as the most accurate ML model, the security of the coherent state protocol remains unchanged.Hence, using Eq.17, we can continue to employ the post-selection method.
Fast ML classification.The number of samples in our ML model is N Samples = 1000 and M = 800.The mean time for the ML model using the scikit-learn Python libraries on a 12th Gen Intel(R) Core(TM) i7-1270P 2.20 GHz with 32.0 GB RAM to make a prediction is 0.0042 s = 4.2 ms.For a repetition rate of 100 MHz, this means every batch of samples takes only 0.1 ms.Therefore, there is a slight bottleneck for processing and tagging Bob's quadrature data in high repetition systems.Dedicated options including the use of Field-Programmable Gate Arrays (FPGAs) and Graphics Processing Units (GPUs) could optimize this process.Hence, this necessitates lightweight and fast ML models for detection of channel tampering attacks in real-time.

VII. DISCUSSION
Our results indicate that the classification of channel tampering attacks enhances the SKR under attack of CV-QKD.We have devised an attack model, where Eve can perform a channel amplification attack.In the attack, Eve can amplify the transmittance of the channel and counterintuitively reduce the SKR as seen in Fig. 4. The channel amplification attack can be understood as Eve disturbing the channel to deviate the system from the optimal performance.At D Eve = 40 km, the amplification of the CA attack is g = 1.58 and hence the average T = ( √ 1.58+1) 2 T 0 4 ≈ 1.27T 0 .After the mitigation, the subchannels are T unattacked = T 0 and T attacked = 1.58T 0 .Since Alice optimized her modulation variance V A for T 0 and ξ 0 , the SKR is the maximum for the unattacked subchannel (T 0 , ξ 0 ) multiplied by the factor 1 − f attack .Hence the improvement of the SKR is especially seen when the attack nullifies the SKR in Fig. 4  when Eve hijacks a short-length fibre as seen in the left subfigure of Fig. 4 b) (up to 23 km), the CA attack slightly improves the SKR because of the small amplification of the channel.As seen in the right-hand figure, the mitigation does not improve the SKR below approximately 6 km because the V A for the attacked sub-channel remains close to the optimal V A of the unattacked sub-channel.In addition, when post-selecting into attacked and unattacked, the blocks decrease to f attack N and (1 − f attack )N and hence the SKR decreases due to finite-size effects.However, for the chosen block-size N = 10 12 there is no discernible detriment to the SKR.Nonetheless, postselection can reduce the SKR for small block-sizes as seen in Appendix D.
As demonstrated by our numerical simulations in Fig. 3, the accuracy of our ML classifier is 100% in operational environments with typical noise.This accuracy drops to 91.4% in high noise environments.Our numerical calculations in Figs 4 and 6 show that there is insignificant SKR improvement of correct CA or CA-DoS attack classification when Eve is near to Alice i.e. for D Eve ≤ 1 km.Coincidentally this is when the ML model is least accurate as Eve barely tampers with the channel.Hence, a false positive or false negative classification would likewise not be detrimental.Nonetheless, future work could consider spectral estimation techniques for detecting low rate of DoS attacks in this parameter regime as studied in [17].
As confirmed numerically in Fig. 4, we find that our mitigation strategy works especially well for some parameter regimes.We can explain its effectiveness by the following statement: the information-theoretic security of the Gaussian modulated CV-QKD relies on Gaussian optimality, which explains the overestimation of Eve's information due to the averaging of channel parameters if Alice and Bob do not postselect their data.Averaging over the channel parameters loses information advantage over Eve (i.e.SKR), but it still remains secure as Eve's information is overestimated (the average of two Gaussians broadens the Gaussian distribution).Post-selection is effective because the parameter estimation of T and ξ is binned into sub-channels, rather than averaging over the channel parameters.This post-selection technique, also known as data clusterization, has been applied to freespace CV-QKD in [22,23], and here we find an application to optical fibre.Nonetheless, the type of post-selection in our method involves only the binning of the data, whereas other methods of post-selection that emulate noiseless amplifiers were shown to improve SKR [39].It is left to future work to determine whether this type of post-selection on the attacked binned data can further help mitigate the channel tampering attacks.
In practice, the CA attack that we propose here involves the coupling and decoupling of the signal and LO from a standard optical fibre to an ultra-low loss fibre.In our results, we assumed no additional optical loss.Current technology does not allow this as there is an inevitable loss through the optical switches and coupling between fibres [40].Nonetheless, even for a less-than-perfect CA attack, a mitigation strategy based on ML and post-selection, as we have shown here, would help improve the SKRs under attack.Although we have focused here only on the specifications of a metropolitan scale system in optical fibre, the CA attack could be adapted to free-space CV-QKD and longer distances.A CA attack in free-space CV-QKD may take the form of a focusing lens to reduce the broadening of the beam, thus modifying T .
One of the limitations of our ML classification model is that the model only learns from a specific set of possible channel tampering attacks.We have not yet tested on an unknown attack.Also, our model is not universal in detecting sidechannel attacks as done in [21].Hence, there is a tremendous need to include all known attacks including the channel tampering attacks in the next generation of ML models for attack detection.Furthermore, our system is set up to monitor the intensity fluctuations of LO.Our assumption is that LO and signal are affected by the eavesdropper equally.However, as the LO and signal-to-noise ratio can be modified independently, Eve can perform an intercept-and-resend attack [7,41].Other attacks, such as the wavelength attack, share similar characteristics to the CA attack.The similarity is from the fact that the transmittance of an optical component is modified [9,10].The difference is that the CA attack modifies the channel rather than the shot noise N 0 .Finally, we remark on the channel tampering attack in CV-QKD systems with locally generated LOs at Bob.In these systems, the reference pulse, which is usually a strong pulse is used to synchronize the quadrature reference of Alice and Bob [42,43].In our analysis of the channel tampering attack, we implicitly assumed that there are no other modifications of the reference pulse or LO.However, Eve can modify the reference pulse to exploit security loopholes [44], compared to the channel tampering attack on the signal pulse.This leads to the following discussion on the need for universal countermeasures against side-channel attacks in addition to physical attacks.
A universal ML detection scheme would include both quadrature data from the signal and intensity measurements of LO to monitor all the aforementioned attacks that inde-pendently affect the signal and LO.Despite significant advancements in CV-QKD and its commercial availability, vulnerabilities persist due to imperfections in hardware implementation.This leads to various side-channel attacks such as local oscillator (LO) intensity fluctuation, wavelength, calibration, and saturation attacks [6][7][8][9][10][11][12][13][14].Consequently, defense strategies necessitate meticulous monitoring of transmission parameters, albeit adding complexity to the CV-QKD design [45].We leave it to future research to develop a universal defense strategy that includes all types of attacks including the novel threat that we have devised here.
We note that amplifying the signal can expose CV-QKD implementations to side-channel attacks as recently considered in Ref. [46].Authors motivate an attack based on modifying the magnetic field of an eridium-doped fibre amplifier (EDFA).The effect of this vulnerability is that Eve can perform a partial intercept-and-resend attack without being detected.Despite also amplifying the signal, the difference is that in the channel tampering attack, it is assumed that Eve does not exploit this side channel to perform an additional attack.Nonetheless, it would be interesting as a future work to consider the feasibility of intercept-resend attacks hidden behind channel tampering attacks.We also note the importance of optimal quantum attacks in practical optical fibre setups recently considered in Ref. [47].Authors in Ref. [47] explore different types of optical fibre between Alice and Bob as well as part of Eve's teleportation-based collective attack.In our paper, we do not consider Eve's optimal quantum attack strategies in practical settings and we assume the much more "paranoid" security approach where the eavesdropper employs the most powerful quantum attack with infinite resources and no loss (this is the red curve in Fig. 4 of [47]).In some limits, if Eve's EPR source suffers no loss then this will lead to the CA attack if the optical fibre between Alice and Bob is replaced with fibre of decreased loss.Contrary to the motivations of this paper, the channel tampering attack in our paper is proactive and is aimed to subtly disrupt communications between Alice and Bob.

VIII. CONCLUSION
In this work, we devised a new physical attack involving the amplification of the channel in an implementation of CV-QKD in optical fibre.The effect of the CA attack is not trivial, requiring a detection and mitigation strategy.Furthermore, we developed an ML model that learns the features of the LO intensity and classifies the type of attack on the channel.The knowledge of the existence of diverse channel tampering attacks improves the efficiency of CV-QKD.Subsequently, we set up a mitigation strategy that makes use of ML classification to post-select quantum data and improve the SKRs under attack.Our results are important for ensuring the robustness of CV-QKD systems.

Figure 1 :
Figure 1: An implementation of Gaussian modulated coherent state QKD protocol with channel tampering attacks in optical fibre.Alice splits a coherent laser source into a quantum signal and LO with an unbalanced beamsplitter.Alice modulates coherent signals with Gaussian distribution N (0,V A ).The signal and LO are multiplexed and sent through an optical fibre with transmittance T and excess noise ξ .The channel tampering attack modifies the channel parameters up to a distance of D Eve and subsequently, leaves the rest of the optical fibre length of D Bob unchanged up to Bob. Bob measures the power fluctuations P out of the LO in addition to the coherent detector measurement.

Figure 2 :
Figure 2: Decision tree classifier for classification of channel tampering attacks.The supervised ML model learns from the labelled data the type of channel tampering attack that occurred.It makes a decision based on the features of the data.

Figure 3 :
Figure 3: The confusion matrix for classifying the types of channel tampering attacks.In (a) D = 40 km where Eve performs a CA attack at D Eve = 10 km and the σ RIN,LO = 0.01.The attack parameters for the CA attack are g = 1.12 and p = 1, for the CA-DoS attack g = 1.12 and p = 0.94, and for the DoS attack g = 0.9 and p = 0.9.In (b), the same parameters as subfigure (a) but σ RIN,LO = 0.1.In (c) D = 40 km where Eve performs a CA attack at D Eve = 1 km and the σ RIN,LO = 0.01.The attack parameters for the CA attack are g = 1.01 and p = 1, for the CA-DoS attack g = 1.01 and p = 0.99, and for the DoS attack g = 0.9 and p = 0.9.Subfigure (d) is the same as (c) but with σ RIN,LO = 0.1.

Figure 4 :
Figure 4: In (a) is the SKR (in bits per pulse) under attack (left), and with the mitigation (right) in a 40 km optical fibre.In (b) is the change of the SKR after the CA attack (left) and the SKR improvement (right) plotted against the RIN of the LO and the length of Eve's optical fibre.The block size is N = 10 12 , ε cor = ε PE = ε h = ε s = 10 −9 , p ec = 0.99 and the number of symbols used for parameter estimation is m = N/10.The magenta dashed line is when K Attack = 0. V A is optimized to maximize K 0 .(Otherparameters: f attack = 0.5, β = 0.9, v el = 0.05, η = 0.9, ξ B = 0.01 and N 0 = 1).

Figure 5 :
Figure 5: SKR as a function of f attack for K Attack (blue) and K PS (red) with D Eve = 39 km and σ RIN,LO = 0.098.

Figure 6 :
Figure 6: CA-DoS attacks with parameters the same as Fig. 4.