After-gate attack on a quantum cryptosystem

We present a method to control the detection events in quantum key distribution systems that use gated single-photon detectors. We employ bright pulses as faked states, timed to arrive at the avalanche photodiodes outside the activation time. The attack can remain unnoticed, since the faked states do not increase the error rate per se. This allows for an intercept–resend attack, where an eavesdropper transfers her detection events to the legitimate receiver without causing any errors. As a side effect, afterpulses, originating from accumulated charge carriers in the detectors, increase the error rate. We have experimentally tested detectors of the system id3110 (Clavis2) from ID Quantique. We identify the parameter regime in which the attack is feasible despite the side effect. Furthermore, we outline how simple modifications in the implementation can make the device immune to this attack.


Introduction
An intriguing feature of quantum optics is that it enables communication protocols which are impossible to achieve by classical means.One prominent example is quantum key distribution (QKD) [1,2] which in principle allows two parties (Alice and Bob) to communicate with unconditional security.It is thus impossible for an arbitrarily powerful eavesdropper (Eve) to obtain knowledge of the transmitted information.
In the well-known Bennett-Brassard 1984 (BB84) protocol in its original form [3], Alice sends single photons of different polarizations to Bob.Under ideal conditions, the security of this protocol can be rigorously proved [4].Furthermore, practically feasible procedures for distilling a secret key from the exchanged quantum states are known [5].During the distillation, Alice and Bob generate a key sequence out of their raw data stemming from the quantum state exchange.Eve's attempt to gain knowledge results in a perturbation of the quantum states, such that her information about the raw key can be upper bounded.Alice and Bob can thus shrink their raw data such that Eve's knowledge of the resulting key sequence becomes negligible.
Rigorous security proofs show that Eve cannot successfully attack an ideal implementation of BB84.However, real implementations always exhibit deviations from the ideal model.In order to guarantee secure communication, such deviations must be included into the security proofs.One example is the use of weak coherent states instead of single photons which is considered in the Gottesmann-Lo-Lütkenhaus-Preskill (GLLP) security proof [6].The resulting reduction of the key rate can be mitigated by modifications to the protocol such as in the decoy state method [7,8,9] or in the Scarani-Acin-Ribordy-Gisin 2004 (SARG04) protocol [10].More subtle deviations can result in side channels through which information can unnoticeably leak to Eve.For example, photons might carry information in unwanted degrees of freedom [11].Once such side channels are known, they need to be considered in a more general security proof.
Nowadays, quantum cryptography has matured to the point that several commercial products are available [12,13].Each system might have loopholes which are particular to its implementation.Some implementations are, for example, susceptible to nonconforming light pulses that Eve sends into Alice's or Bob's devices.Eve could use reflectometry to read modulator states [14] or take control over the detectors by sending faked states [15,16], time-shifted pulses [17], or by detector blinding combined with faked states [18].The impact of such interventions strongly depends on the particular implementation.It is thus difficult to include them in general security proofs.Alternatively, specific countermeasures could be devised by adapting hard-or software of the systems, such that all assumptions in the security proof about the QKD module are again valid.
In this paper, we investigate a particular attack on the QKD device id3110 Clavis2 from ID Quantique.The fibre-based system utilizes the plug & play principle [19] where the quantum states are encoded as relative phase of two pulses.In our experiment, we send irregular, bright light pulses (faked states) outside the activation time of the gated detectors.We show that we can generate measurement results in the Bob module with only a slight increase in the quantum bit error rate (QBER), if side effects of the attack are considered properly.
The paper is organized as follows.Section 2 describes the basic principles of our attack.In Section 3, we elaborate on the particular implementation of the detectors in the Clavis2 system.In Section 4, we present the imperfections found in the system.Section 5 discusses the side effect of the faked-state attack, which actually partly protects the security of the system.Section 6 presents all the necessary elements for simulations and shows the parameters for which the Clavis2 system is not secure.In Section 7, we discuss possible countermeasures against the proposed attack before concluding in Section 8.

Intercept-resend attack using faked states
In the BB84 protocol [3], Alice randomly chooses one of two non-orthogonal bases to encode her quantum bit.Bob independently chooses his measurement basis at random.If his basis matches Alice's, he will measure the quantum state correctly.In half of the cases, however, Bob chooses the wrong basis.Alice and Bob compare encoding and measurement basis via a classical authenticated channel and remove all events with basis mismatch from their raw data.
In an intercept-resend attack, Eve places a copy of Bob's apparatus into the quantum channel.Then she performs the same kind of measurement as Bob, tries to reproduce the original quantum state and sends it to Bob.Since Eve is unaware of Alice's basis choice, she will inevitably introduce errors in case of a basis mismatch between her basis and the one used by Alice and Bob.Eve will thus always be detected in a perfect implementation of a QKD system [5,6].
In case of an imperfect implementation, however, Eve may attack the QKD system by sending faked states instead of quantum states [15].Her aim is to generate faked states which only produce a detection event in the Bob module if Eve's basis matches Bob's basis.In this case, after Alice and Bob discard their non-matching bases, all that remains in the key are bits for which Alice, Eve and Bob had the same basis.Thus, Eve generates no errors.
After the attack, Bob and Eve share identical bit values and basis choices.The attack works on widely used QKD protocols, namely BB84, SARG04, and the decoy method.The attack exhibits an extra 3 dB loss because of the possible basis mismatch of Eve and Bob.This is easily compensated in a practical Eve, since she may use better detector efficiencies and exclude loss in the line [15].

Detectors in Clavis2
The impact of faked states strongly depends on the implementation of the detection scheme in a QKD system.We will focus on systems employing avalanche photodiodes (APDs) in the Geiger mode, as it is the case in many QKD systems [20,21], and all commercially available realizations [12,13].Furthermore, we assume that the APDs are gated, i.e. activated only in time intervals when signal states are expected to arrive.During the activation time, a large reverse voltage is applied to the APDs such that the APDs are biased above the breakdown voltage.Then a single photon can trigger a carrier avalanche which results in a macroscopic current.If the generated current exceeds a certain threshold, a detection event (click) is registered.
As an example, we consider the behavior of the gated detectors in ID Quantique's Clavis2 QKD system.A detector circuitry reverse-engineered by us is shown in Figure 1.The APDs are biased by the high voltage supply with V HV;D0/D1 almost as large as the breakdown voltage (V HV;D0 = −42.89V and V HV;D1 = −43.08V).The detectors are gated in Geiger mode by means of TTL signals, which are applied on top of the bias voltage with a period of 200 ns.The gates are supplied as PECL logic level signals from the main board and converted to TTL signals by the buffer DD1.The comparator DA1 monitors the APD current and registers a click in the detector when the current peak passes a threshold (V Th;D0 = 77 mV, V Th;D1 = 84 mV).The comparator produces a PECL output pulse for each detection event.
During all the time not covered by the gate, each APD is biased at a constant value V HV;D0/D1 below the breakdown voltage.The current through the APD is then approximately proportional to the incident optical power.The circuit behaves similarly as a linear photodiode followed by a comparator.

Description of loopholes in the system
In the following subsections, we describe two unexpected deviations of the detection system from the idealized behavior implicitly assumed by the designers of the QKD system.We start by explaining the detection process in detail.In an ideal plug & play system, the relative phase between the signal states and reference pulses in the receiver module (0, π/2, π, 3π/2) is determined by a combined phase modulation of Alice and Bob, i.e. by a combination of Alice's bit and basis (0, π/2, π, 3π/2) and Bob's measurement basis (0, π/2).Let us consider a standard intercept-resend attack.For a matching basis choice of Alice, Eve and Bob, the phase difference is 0 or π.This restricts the possible outcome of the measurement to a single detector and results in a conclusive outcome for Bob.For a mismatched basis choice, the phase difference is π/2 or 3π/2.In this case, either of their detectors will click randomly.This clearly causes a QBER of 25%.

Linear mode APDs
In the linear regime of the APDs, Eve can substitute the quantum states with bright coherent states [18].Figure 2 shows examples of pulses which generate a click only if Bob's and Eve's bases match, since the comparator following the APD will only click, if the input optical power surpasses a critical power threshold.In case of a basis mismatch, the optical power is distributed equally among the detectors and no detection click is generated.
To exploit the loophole experimentally, we look closer at the detector characteristics.As mentioned, the APDs are biased below the breakdown voltage before and after the gate.Optically, Bob's phase modulation extends temporally on either side of the gate pulse by approximately 10 ns.We have verified that the system accepts clicks at least 10.5 ns after the gate, still assigning the click to the bit slot associated with the gate.
We sent bright laser pulses to both detectors before and after they are gated, in , which shows that an atttack is possible for delays of 4.5 ns to 10 ns with an optimal and comfortable margin of Θ at 7.5 ns.
order to find the click thresholds of each detector.A perfect control of Bob is possible, if the maximum power at which the detectors do not produce clicks is not lower than half the power at which they always produce a click.This can be written as where t is the time between the leading edge of the gate and the bright pulse, P D0;0% (t) is the maximum power that does not generate a click in D0 and P D0;100% (t) is the minimum power that certainly generates a click in D0 (analogously for D1).
We have found that the linear behavior prior to the gate can not be exploited, since charge carrier generation results in a large afterpulse effect during the gate.For an attack after the gate, Figure 3 shows the experimentally measured power thresholds and the corresponding values of Θ(t) for 0.12 ns long 1550 nm laser pulses.The figure shows that an attack is feasible in a wide time window with the maximum value of Θ(t) at 7.5 ns after the gate.At this time, a 587 µW laser pulse can cause a click in both detectors, while a 293.5 µW laser pulse will never cause a click in any detector.This result reveals a weak spot in the system.We have found, however, that the attack can not be applied straightforwardly, because of an afterpulsing side effect, which is discussed in Section 5. Therefore we attacked at the point 7.75 ns after the gate to slightly reduce the maximum laser power applied to the system.At 7.75 ns after the gate, a 575 µW laser pulse can cause a click in both detectors, while a 287.5 µW laser pulse will never cause a click in any detector.

Faked states applied during the dead time
As a second loophole in the system, we have found that the system registers detection events from bright faked states at any time.Typically, the device applies a dead time  of 10 µs whenever the system registers a click at any of the detectors, not gating both APDs for the duration of the dead time [24].However, we have found that the time between the detection events originating from our faked states can be as short as 30 ns.
Figure 4 shows the effect of a bright pulse arriving during the dead time.The electronic logic registers a valid click and subsequently resets the dead time to another 10 µs after the second bright pulse.We found experimentally that in the deadtime all faked states with laser peak power of 575 µW were detected by detector D0 while the detection probability of Bob's D1 was η B > 0.99985.In Section 6.2, we will show how this loophole can be exploited in order to overcome the negative side effect of afterpulses, which is described in the next section.

Characterization of afterpulsing side effect
Once a detection is registered in a gated APD, a long dead time is typically applied to reduce afterpulsing.This dead time is considerably longer than the inverse of the gating frequency and is typically of the order of several microseconds.
The afterpulse effect is due to carrier traps, which are populated by avalanche currents in the detection process [21,25].We have found that bright pulses also populate the carrier traps, irrespective of whether they generate detection events or not.Without a registered detection, a dead time is not applied by the detectors circuitry.The carriers released from traps can therefore cause afterpulsing in the detector.These uncontrollable clicks will contribute to the QBER.
We have characterized this side effect of the after-gate attack in the successive gates by plugging a laser directly to one of the fiber inputs of the 50:50 beamsplitter of Fig. 2. The laser pulses have a peak power of 287.5 µW for each detector.As expected, Afterpulses caused by the after-gate attack.The chart shows the experimentally measured cumulative probability to get at least one dark count after a 287.5 µW pulse applied to both detectors (red dots), a Monte Carlo simulation of the same process using the parameters from Table 1 (solid line).
the pulse never causes a click immediately.However, very often it causes an afterpulse within the following gates.Figure 5 shows the cumulative probability to get a click in any of the two detectors in the next gates.After 50 gates, the cumulative probability to get a random click has reached 84 %, which could jeopardize Eve's attack by causing a to high QBER.
Note that the system sends frames of 1075 pulses as dictated by the send-return configuration [19].Therefore, the attack can always be applied in the end of the frame with a reduced risk of a random afterpulse.If the system requires only one detection every second frame, then the security is completely compromised.Additionally, the attack may be applicable for a different set of system parameters, e.g.different operation frequencies of Bob.
We have modeled the afterpulse effects of carrier traps.We have found that the probabilities P ap;D0/D1 (t j ) of a detection event after a faked-state attack can be modelled using a double exponential decay for the detectors: A i;D0/D1 e −t j /τ i;D0/D1 , (2) where P dark;D0/D1 is the dark count probability, A i;D0/D1 are probability amplitudes that depend on the number of carriers which are generated in the detector, and τ i;D0/D1 are the associated decay constants.The afterpulse probabilities in Fig. 5 were reproduced by a Monte Carlo simulation using the double exponential decay model given by Eq. 2. By iterating the Monte Carlo simulation, the decay parameters were found by minimizing the squared distance between the measurement data and the simulation data, equivalent to the method of least squares in regression analysis.Table 1 shows the resulting decay parameters, and the final Monte Carlo simulation is shown in Fig. 5.The decay parameters are in agreement with earlier published data on APDs [21,25].1. Decay parameters of trap levels in both detectors.These parameters were used for the Monte Carlo simulation shown in Fig. 5.

Simulations of after-gate attack and QBER estimation
We estimate the QBER for different attack scenarios using a Monte Carlo simulation.
In our simulation, Alice and Bob use the BB84 protocol.Eve performs a faked-state attack by putting her modified Bob and Alice modules in the channel.Eve places her Bob module in the beginning of the line next to Alice.We assume that Alice sends an optimized signal amplitude [22] where the sent mean photon number µ is equal to the channel transmittance T .Unless otherwise noted, Eve measures this signal with perfect detectors (100 % efficiency and noiseless) and a lossless aparatus.Then she reproduces a bright faked state with the corresponding bit value for Bob.Bob's module is simulated including realistic parameters which were determined experimentally for our device.Besides the parameters for the afterpulsing and dark count effects (see Table 1), there are the optical transmittance of Bob's setup (T B = 0.412), the quantum efficiency of the detectors (η B = 0.1) and the detector dead time (τ dead = 10 µs).
In the simulation, we process the consecutive gates of a frame separately.We incorporate the side effect by increasing the afterpulse probability of a detector, if carriers were generated either by a regular avalanche or by bright pulses with full or half power ‡.We have experimentally verified that for the operation frequency and used optical powers the carrier traps in the detectors are not saturated by our attack and that the afterpulses of the two carrier-generating processes with different lifetimes occur independently and with Poissonian statistics [23].The afterpulse probability of a gate at time t j is then increased by a previous gate with carrier generation at time t k as P new ap;D0/D1 (t j ) = P old ap;D0/D1 (t j ) + (1 where γ i;D0/D1 is a correction of the probability amplitude A i;D0/D1 .In case of a bright pulse attack with 287.5 µW pulses γ i;D0/D1 = 1.For a bright pulse attack with full 575 µW power to one detector (successful attack), we increase the afterpulse probability ‡ Carrier generation by the half-power pulses is the most important effect, because the system does not apply the deadtime after them.twice applying Equation 3. We have measured that a regular avalanche in D0 and D1 has {γ i;D0 , γ i;D1 } = {1.836,3.673}.

Strategy of Eve with dead time
We first simulated the QBER without the deadtime loophole described in Section 4.2, i.e. assuming that Bob rejects detection events during the detector dead time.To increase the performance of Eve's attack, she adopts the following strategy: (i) Attack only the last χ gates of the total of N gates of a frame, as shown in Figure 6.This will lead to a larger trapped carrier density at the end of the frame, which, when gates are absent, is ignored by the detectors.(ii) Use a small classical memory (up to three consecutive gates), which allows for checking whether she received several consecutive clicks.These are then sent to Bob as a burst attack.This will lead to a decreased time between failed attacks and following attacks, which suppresses the afterpulsing by forcing earlier dead time.(iii) After the burst attack, wait as long as the dead time of Bob's detectors, in order to avoid carrier generation and afterpulsing directly after the dead time.
We perform a simulation of the QBER induced by the attack for varying repetition rate and channel transmittance.The simulation consists of two major steps.Firstly, Eve adjusts the number of attacked gates χ in order to adjust the channel transmittance T to the one anticipated by Alice and Bob.Eve tries to maximize the burst length in her attack.For a decreasing channel transmittance, Eve, however, receives fewer photons from Alice.Therefore, the maximal burst length decreases for decreasing transmittance, see Fig. 7(a).Secondly, the QBER is simulated for 10 4 frames.The average QBER is shown in Figure 7(b) and compared to upper bounds of two different security proofs [5,26].The protocol in [26] would require a single photon source and is therefore not directly applicable in Clavis2.Therefore, we find that the attack can not compromise the security of Clavis2 due to increased afterpulse probability at the gate repetition rate of 5 MHz.However, the security would be compromised for a more advanced system using single photons and the protocol in Ref. [26], or for gate frequencies below about 1 MHz.We note that there are numerous experimental setups and a commercial QKD system [13] working below the critical operation frequency of We show contour lines for QKD security proofs which are more [26] or less [5] tolerant to errors, allowing for a QBER of 20 % or 11 %, respectively.about 1 MHz.Additionally, technological improvements in the detectors could reduce the afterpulse effects and thereby enable the attack for high frequencies.

Strategy of Eve without dead time
Eve can adapt her attack strategy, if she has access to both the after-gate and dead-time loopholes.In the following, we show a strategy which is not an optimized one, but a rather intuitive and (as it turns out) successful approach.Eve again attacks the end of the frame as shown in Figure 6.Her strategy is to attack as frequently as possible.Thereby, she quickly enters a dead time of Bob's detectors.She will generate detection events during the dead time and, thereby, can prolong the detector dead time as shown in Section 4.2.Ideally, a major part of the attack happens during the dead state, which would completely remove the effect of afterpulses and result in negligible QBER for this part of the attack.
In the simulation, we again adjust the number of attacked gates χ and simulate the QBER for 10 4 frames.Figure 8 shows that for high transmittance the QKD system is vulnerable against the advanced attack, including for an eavesdropper with detection efficiency implementable today.The photon statistics are maintained during the attack.It is therefore applicable also to decoy state protocols.

Countermeasures
Note that both eavesdropping strategies (especially the latter one) leave strong fingerprints.In the latter case, the distance between two valid detection events can be smaller than the dead time of 10 µs.Therefore, one countermeasure is to search for too closely timed detection events.Furthermore, rejecting detections during the dead time would restrict eavesdropping to lower frequencies as shown by our first simulation (see Figure 7).A complete protection against the presented attacks is guaranteed if the detection times are resolved, such that Bob can discriminate between detections inside and outside the single-photon-sensitive part of the gate.Note however that this is highly non-trivial since the intrinsic jitter caused by the avalanche build-up is about equal to the length of the gate itself.Alternatively, a watchdog detector can be placed at Bob's input in order to detect bright faked states.Since such a detector cannot be an avalanche detector (this can be hacked), the countermeasure is only effective against bright faked states.

Conclusions
We have demonstrated that gated detectors in QKD systems can be controlled by an external eavesdropper using bright laser pulses during the linear mode operation.In particular, we have analysed the attack parameters for the commercial QKD system Clavis2 from ID Quantique.In principle, the system is controllable by bright control pulses arriving after the gate time.However, we have found a side effect: afterpulse generation due to the faked states.The side effect generates high QBER, and therefore actually protects the system from a straightforward faked-state attack.Eve can, however, take advantage of a second imperfection, namely that the system accepts the bright pulses even in the dead time and, furthermore, resets the remaining dead time.In a simulation of the attack, we have found that the system is not secure if clicks during the dead time are accepted.The presented after-gate attack can be used independently or together with the blinding attack in Ref. [18].Although the after-gate attack in contrast to the blinding increases the QBER, it has the advantages that the optical power sent into the Bob module is weaker.Therefore, the after-gate attack is harder to detect with a watchdog detector.Another advantage is that this attack can be applied to detectors that are not blindable.
ID Quantique has been notified about this loophole prior to the submission of the manuscript, and has implemented countermeasures.

Figure 2 .
Figure2.Principle of detector control.In the detection part of a phase-encoded QKD, the two pulses which could be generated by Eve as a faked state interfere at a 50:50 beamsplitter.(a) For Bob's basis choice matching Eve's, the signals interfere such that detector D0 clicks deterministically, because the photocurrent surpasses the detection threshold I Th;D0 .(b) For Bob's basis choice not matching Eve's, the power is split 50:50 to both detectors.The photocurrent does not surpass the threshold.Therefore, the faked state is not detected.

Figure 3 .
Figure 3. Detection click thresholds in Clavis2 for a pulse duration of 0.12 ns.(a) Power thresholds P D0,D1;0%,100% for 0 % and 100 % probability of a bright pulse detection in detector D0 and D1.The fluctuations are reproducible and are probably caused by the fluctuating bias voltage after the gate.(b) Calculated Θ(t) (see Eq. 1), which shows that an atttack is possible for delays of 4.5 ns to 10 ns with an optimal and comfortable margin of Θ at 7.5 ns.

Figure 4 .
Figure 4. Dead time extension behavior.The figure shows that if a bright pulse (or avalanche) causes a dead time (1st DT), any bright pulse during the dead time will be a valid detection and causes an extra dead time (2nd DT).Therefore it extends the effective dead time.(upper oscillogram) The gate pattern applied to the detector.(lower oscillogram) Optical power of successive bright pulses impinging on the detector with a delay of 4 µs.

Figure 5 .
Figure 5. Afterpulses caused by the after-gate attack.The chart shows the experimentally measured cumulative probability to get at least one dark count after a 287.5 µW pulse applied to both detectors (red dots), a Monte Carlo simulation of the same process using the parameters from Table1(solid line).

cNFigure 6 .
Figure 6.We attack only the last χ gates of the total number of gates N = 1075 in the frame, such that the raw key rate generated by the attack on each frame is equal to the rate without eavesdropping.

Figure 7 .
Figure 7. Simulated attack performance for the case when Bob discards clicks during the detector dead time.(a) Burst length for different channel transmittances and gate frequencies.(b) QBER generated by the attack.We show contour lines for QKD security proofs which are more[26] or less[5] tolerant to errors, allowing for a QBER of 20 % or 11 %, respectively.

Figure 8 .
Figure 8. Simulated attack performance without dead time.The figures show the QBER generated by the attack taking advantage of the sensitivity of the detectors during the dead time together with the elongation of the dead time.(a) The QBER with a perfect Eve.The attack is feasible for all repetition rates and a wide range of channel transmittances.(b) QBER with a realistic Eve with a detection efficiency T B = 0.5 and a dark count probability P dark = 10 −5 , corresponding to a technically advanced but feasible eavesdropper.