Laser seeding attack in quantum key distribution

Quantum key distribution (QKD) based on the laws of quantum physics allows the secure distribution of secret keys over an insecure channel. Unfortunately, imperfect implementations of QKD compromise its information-theoretical security. Measurement-device-independent quantum key distribution (MDI-QKD) is a promising approach to remove all side channels from the measurement unit, which is regarded as the "Achilles' heel" of QKD. An essential assumption in MDI-QKD is however that the sources are trusted. Here we experimentally demonstrate that a practical source based on a semiconductor laser diode is vulnerable to a laser seeding attack, in which light injected from the communication line into the laser results in an increase of the intensities of the prepared states. The unnoticed increase of intensity may compromise the security of QKD, as we show theoretically for the prepare-and-measure decoy-state BB84 and MDI-QKD protocols. Our theoretical security analysis is general and can be applied to any vulnerability that increases the intensity of the emitted pulses. Moreover, a laser seeding attack might be launched as well against decoy-state based quantum cryptographic protocols beyond QKD.


I. INTRODUCTION
The distribution of a secret key between two authorized parties, Alice and Bob, is a fundamental but challenging cryptographic task. Such a secret key is the essential resource of the one-time-pad algorithm [1], the only known encryption method that can offer unconditionally secure communications. Public-key cryptography solves this problem by resorting to computational assumptions, for instance, the difficulty of factoring large numbers [2]. This approach is however vulnerable to technological advances in both hardware and software; indeed, it is well known that factoring is an easy problem on a quantum computer [3]. Quantum key distribution (QKD), on the other hand, provides a solution based on the laws of quantum physics, and thus, in theory, it can guarantee that the distributed keys are information-theoretically secure [4][5][6].
There is however a big gap between the theory and the practice of QKD because the behaviour of real QKD devices typically deviates from that considered in the security proofs. Such deviation could be exploited by an eavesdropper, Eve, to obtain information about the secret key without being detected in QKD implementations. Most of the quantum hacking attacks realized so far exploit imperfections of the single-photon detectors (SPDs), the "Achilles' heel" of QKD [7-15,18-20,22]. Indeed, in recent years there has been an enormous effort to try to close the detectors' security loopholes and restore the security of QKD realizations. Some solutions are based on hardware and software patches [28,29], whose drawback is however that each patch typically protects only against a specific loophole, i.e., the system might still be vulnerable to unknown attacks. Moreover, patches might also be hacked [20,22]. A safer and more elegant solution is that of measurement-device-independent QKD (MDI-QKD) [30,31]. Remarkably, this latter approach guarantees security independently of the behaviour of the measurement device, which can be treated as a "black box" fully controlled by Eve. This is achieved by turning Bob's receiver into a transmitter by means of a time-reversed Einstein-Podolsky-Rosen (EPR) protocol [32,33]. MDI-QKD has been successfully demonstrated in several recent experiments [34][35][36][37][38][39] including an implementation over 404 km [40].
With the advent of MDI-QKD all security loopholes from the measurement unit are closed, so the focus is now on how to protect the QKD transmitters. For instance, decoy-state QKD [41][42][43] is a practical solution to defeat the photon-number-splitting attack [44,45]. More recently, several works have considered other imperfections of the transmitter, and new security proofs that guarantee security in the presence of such imperfections have been developed [46][47][48][49][50][51][52][53]. For example, Refs. [48][49][50] quantify the optical isolation that is needed in order to achieve a certain performance (i.e., a certain secret key rate over a given distance) in the presence of a Trojan-horse attack (THA), in which Eve injects bright light into the transmitter and then analyses the back-reflected light to obtain information about the quantum signals emitted. Finally, a type of light injection attack that affects the operation of the laser diode in the transmitter has recently been introduced, allowing Eve to actively derandomise the source's phase and even change other parameters [54]. Indeed, the use of non-phase-randomised signals has a severe effect on the security of QKD, as has been shown in the past decade [55][56][57][58].
arXiv:1902.09792v3 [quant-ph] 27 Nov 2019
While the results above are promising, there is still a long way to go to be able to ensure the security of QKD implementations. For instance, a fundamental assumption of QKD is that the intensity of the quantum states prepared by Alice is set at a single-photon level. This assumption is indeed vital for a QKD system. However, no study has investigated whether or not Eve could increase the mean photon number of the prepared states. Here we introduce, and experimentally demonstrate, a quantum hacking attack, which we call "laser seeding attack", that can increase and control the intensity of the light emitted by the laser diode in the transmitter of a QKD system. This attack has been confirmed experimentally for two types of laser diodes. Different from the THA that analyses the back-reflected light that is originally from an external independent source, the laser seeding attack manipulates the functioning of the transmitter's laser diode directly. That is, while in a THA Eve tries to correlate her signals with the quantum states prepared by the legitimate users of the system, in a laser seeding attack the goal of Eve is to directly increase the intensity of such quantum states. Most importantly, this attack seriously compromises the security of decoy-state based QKD, which includes MDI-QKD with practical light sources as a prominent example. More precisely, in the presence of this attack, current security analyses overestimate the resulting secret key rate and thus they do not guarantee security.

II. EXPERIMENTAL SETUP
To investigate to which extent Eve can increase the output optical power of a laser diode by injecting light into it, we conduct an experiment whose schematic is illustrated in Fig. 1. On Alice's side, the laser diode, as a testing target, generates optical pulses. As a hacker, Eve employs a tunable laser (Agilent 8164B) to send continuous-wave (c.w.) bright light to Alice's laser diode via a single-mode optical fibre. The tunable laser is able to adjust the wavelength and output power of the signals emitted so that Eve can inject photons with a proper wavelength into Alice's laser. In so doing, the energy of each injected photon can match the energy difference between the excited state and the ground state of the laser, and thus satisfy the condition for stimulated emission.
In order to maximize the injection efficiency, a polarization controller is used to adjust the polarization of Eve's laser such that it matches that of Alice's laser. To separate Eve's injected light from that emitted by Alice, we employ an optical circulator. Eve's light enters port 1 of the circulator and exits through its port 2, while Alice's light goes from port 2 of the circulator to its port 3 (see Fig. 1). We record Alice's output pulses with an optical-to-electrical converter with 40 GHz bandwidth (Picometrix PT-40A) that is connected to a high-speed oscilloscope (Agilent DSOX93304Q) of 33 GHz bandwidth. The average pulse energy is then calculated by integrating the recorded averaged waveform. A cross-check using an optical power meter has confirmed that this method is accurate. We observe the energy of Alice's laser pulses with and without Eve's tampering laser. We have tested two ID300 short-pulse laser sources from ID Quantique and one LP1550-SAD2 laser diode (LD) from Thorlabs. They are triggered by an external signal. ID300 contains factory pre-set pulsed driver electronics and produces 50-70 ps full width at half maximum (FWHM) optical pulses, with their repetition rate controlled by our external electronic pulse generator (PG; Picosecond 12050). LP1550-SAD2's diode current is driven directly from the PG with pulse parameters set to obtain about 60 ps FWHM optical pulses from the LD. The pulse repetition rate for all samples is 1 MHz. The electronic pulse generator also acts as the external trigger of the oscilloscope as shown in Fig. 1.

III. EXPERIMENTAL RESULTS
Both samples of ID300 exhibit controllability of their output power by Eve. We first measure the center wavelength of each laser with a spectrum analyser (Yokogawa AQ6370D). Then, in the experimental setup shown in Fig. 1, we dial the value of Alice's wavelength in Eve's laser. As a result, the output power of Alice's pulse suddenly increases. To obtain the maximum output power under Eve's control, we finely tune Eve's wavelength until the largest energy rise is observed, which is 1550.15 nm for sample 1 and 1550.44 nm for sample 2. This is the case we focus on. Additionally, we have noted that slightly different seed wavelengths result in different pulse shapes as shown in Appendix A.
FIG. 3. Average energy of Alice's output pulses as a function of Eve's tampering power for two samples of the laser ID300 from ID Quantique (black curves) and the laser diode LP1550-SAD2 from Thorlabs (red curve). The energy of the pulse increases up to 3.07 times for ID300 sample 1, 4.57 times for ID300 sample 2, and 1.13 times for Thorlabs LP1550-SAD2.
When we gradually increase the power of Eve's c.w. laser, the energy of Alice's emitted pulses also increases. This is shown in Fig. 2 (a) and (b), which illustrate the waveforms of Alice's pulses for various tampering light powers. If we compare these results with the original waveform of Alice's pulses (i.e., that in the absence of Eve's tampering laser), there are two main effects. First, as already mentioned, we see that the energy of the emitted optical pulses gets larger when we increase the tampering light power. In particular, Eve's injected light makes Alice's laser pulses wider with a much longer and higher tail as shown in Fig. 2 (a) and (b). The tail contains more energy when higher power is injected into the diode. Second, under the laser seeding attack, the main peak of Alice's pulse shifts earlier. This is because the injected light triggers stimulated emission, which happens more quickly than the spontaneous emission in Alice's laser diode. Thus, Alice's pulse reaches the peak power earlier and is followed by a tail with 2-4 secondary oscillations under the attack.
We have measured the energy of Alice's pulses for different tampering light powers. The results are shown in Fig. 3 as black curves. In particular, we find that when there is no attack, this energy is 0.232 pJ (0.169 pJ) for sample 1 (2). Then, we gradually increase the power of Eve's c.w. laser up to 9 mW, and obtain that the output energy of Alice's laser rises up to 0.712 pJ (0.773 pJ) for sample 1 (2). That is, the pulse energy increases 3.07 (4.57) times for sample 1 (2).
Under the same experimental procedure done with ID300, a similar effect is observed in the laser LP1550-SAD2. The wavelength of the injected c.w. light is set to the center wavelength of the laser diode first, then tuned slightly to 1551.32 nm where we observe the maximum increase in Alice's pulse energy. Figure 2 (c) shows the waveforms of Alice's pulses for the same tampering light powers as those in Fig. 2 (a) and (b). Similarly to ID300 lasers, here the energy of the pulses increases with the tampering power as well. The rising edge of Alice's pulse also starts earlier in the presence of the attack. The increase of the pulse energy as a function of Eve's tampering power is shown in Fig. 3 as a red curve. If there is no attack, the average energy of Alice's laser pulses is 0.196 pJ, while it reaches 0.221 pJ when the tampering power is 9 mW. That is, in this case the pulse energy increases 1.13 times.
We note that the commercial lasers under test in our experiment (ID300 and LP1550-SAD2) contain an internal optical isolator of the order of 30-40 dB. Thus, the few mW of light applied in our experiment is first attenuated at the internal isolator of the laser, which means that only about 100 nW power actually reaches the laser cavity. This analysis indicates that an injection power in the order of 100 nW could be enough to control the intensity of Alice's pulses. Indeed, this value of injection power has also been confirmed recently by the experimental results shown in Ref. [59], in which Eve's injection power is in the 100-160 nW range. We also note that a real QKD system may use a laser diode without the internal isolator, in which case the injection power used in our laser seeding attack may be reduced to the above level.

IV. EFFECT ON THE SECURITY OF QKD
Now we show theoretically how an unnoticed increase of the optical power emitted by a QKD transmitter, due to the attack described above, could seriously compromise the security of a QKD implementation. We assume that Alice's photon number statistics is Poissonian and is not influenced by our attack. The former may not necessarily be the case [60], and investigating the validity of the latter assumption could be the topic of a future study. Based on this assumption, we shall consider the case of decoy-state based QKD [41][42][43], which includes the most implemented QKD schemes today. We refer the reader to Appendix B for further details about decoy-state based QKD. For simplicity, in our analysis we shall assume the asymptotic scenario where Alice sends Bob an infinite number of pulses, i.e., we disregard statistical fluctuations due to finite size effects. Also, motivated by the experimental results presented in the previous section, we shall consider that Eve's attack increases all the intensities $\mu$ by the same factor κ > 1. That is, we will assume that $\mu' = \kappa\mu$ for all $\mu$.
Next, we quantitatively evaluate the effect that a laser seeding attack has on the security of the standard decoy-state BB84 protocol and of MDI-QKD for a typical channel model. For concreteness, we will consider first the case of the standard decoy-state BB84 protocol with phase-randomized weak coherent pulses (WCPs); afterward, we will consider the case of MDI-QKD.

A. Standard decoy-state BB84 protocol
Regarding the standard decoy-state BB84 protocol, we evaluate the typical implementation where Alice and Bob use three different intensities, $\mu_s$, $\nu_1$ and $\nu_2$ that satisfy $\mu_s > \nu_1 > \nu_2$, and they generate secret key only from those events where they employ the signal intensity $\mu_s$ in the Z basis, while they use the X basis events for parameter estimation. In the asymptotic limit of an infinite number of transmitted signals, the secret key rate can be lower bounded by [61,62] where we assume the efficient version of this protocol [63]. In Eq. (1), $Y^Z_{1,L}$ ($e^X_{1,U}$) denotes a lower (upper) bound on the single-photon yield $Y^Z_1$ (phase error rate $e^X_1$), the parameter $f_e$ is the error correction efficiency, $G^{\mu_s}_Z$ ($E^{\mu_s}_Z$) represents the overall experimentally observed gain (the overall experimentally observed QBER) when Alice sends to Bob a WCP of intensity $\mu_s$ in the Z basis, and To estimate $Y^Z_{1,L}$ and $e^X_{1,U}$ one can use analytical or numerical tools. Here we use the analytical method proposed in Ref. [61]. In particular, we have that with $Y^Z_{0,L}$ being a lower bound on $Y^Z_0$ given by and where the parameter $Y^X_{1,L}$ represents a lower bound on $Y^X_1$. This last quantity can be obtained by using Eq. (2) but now referred to the X basis.
In the presence of a laser seeding attack, Alice and Bob estimate $Y^Z_{1,L}$ and $e^X_{1,U}$ using Eqs. (2) and (3) but now with the experimentally observed quantities $G^{\mu'}_\alpha$ and $E^{\mu'}_\alpha$, with $\alpha \in \{Z, X\}$, $\mu' = \kappa\mu$ and $\mu \in \{\mu_s, \nu_1, \nu_2\}$ for a certain κ that depends on the attack.
In our analysis we shall also evaluate an ultimate upper bound on the secret key rate. That is, this upper bound holds for any possible post-processing method that Alice and Bob could apply to their raw data. The only assumption here is that double click events are randomly assigned to single click events. For this, we use the technique introduced in Ref. [64]. More precisely, the upper bound on the key rate is given by where $r_n \approx e^{-\mu_s}\mu_s^n/n!$ is the probability that Alice sends Bob an n-photon state with the signal intensity, $\lambda^n_{\mathrm{BSA}}$ is the maximum weight of separability among all the bipartite quantum states $\sigma^n_{AB}$ that are compatible with Alice and Bob's observables, and $I^{\mathrm{ent}}_n(A;B)$ is the Shannon mutual information evaluated on the entanglement part of the state $\sigma^n_{AB}$ that has the maximum weight of separability. See Ref. [64] and Appendix C for further details.
For simulation purposes we use the experimental parameters listed in Table I. The resulting lower and upper bounds on the secret key rate are shown in Fig. 4. The blue dotted line represents the lower bound $R_L$ given by Eq. (1) in the absence of the attack. Here, for each given value of the distance, we select the optimal values of the intensities $\mu_s$, $\nu_1$ and $\nu_2$ that maximize $R_L$. These optimized intensities are then fixed, and we use them to simulate the degradation of the security bounds due to Eve's laser seeding attack.
More precisely, the red solid line in Fig. 4 shows the value of $R_L$ that Alice and Bob would estimate in the presence of the attack when κ = 2. That is, as explained above, here Alice and Bob estimate the parameters $Y^Z_{1,L}$ and $e^X_{1,U}$ with the observed quantities $G^{\mu'}_\alpha$ and $E^{\mu'}_\alpha$, with $\alpha \in \{Z, X\}$, $\mu' = \kappa\mu$ and $\mu \in \{\mu_s, \nu_1, \nu_2\}$, together with the original intensities $\mu_s$, $\nu_1$ and $\nu_2$. The red dash-dotted line, on the other hand, illustrates the correct secure value of $R_L$ in the presence of the attack. That is, here $Y^Z_{1,L}$ and $e^X_{1,U}$ are estimated with the observed quantities $G^{\mu'}_\alpha$ and $E^{\mu'}_\alpha$, with $\alpha \in \{Z, X\}$, $\mu' = \kappa\mu$ and $\mu \in \{\mu_s, \nu_1, \nu_2\}$, together with the modified intensities $\mu'$.
As we can see in Fig. 4, the secure $R_L$ given by the red dash-dotted line is significantly below the $R_L$ actually estimated by Alice and Bob. That is, in the presence of the attack, the security proof introduced in Refs. [61,62] cannot guarantee the security of the secret key obtained by Alice and Bob. Finally, the red dashed line illustrates the upper bound $R_U$ given by Eq. (5) in the presence of the attack. Remarkably, this upper bound is below the $R_L$ estimated by Alice and Bob for most of the distances, which demonstrates that the estimated secret key rate is actually insecure no matter what security proof is used.
Finally, in Fig. 5 we show the effect that the multiplicative factor κ has on the bounds on the secret key rate. For this, we now fix the transmission distance at a certain value, say 40 km. In this case, Fig. 5 shows that the incorrect lower bound $R_L$ that Alice and Bob would estimate is always above its correct value whenever κ > 1. This is remarkable because it means that in the presence of a laser seeding attack Alice and Bob always overestimate their secret key rate above that provided by the security proof. Moreover, if κ is large enough (around 1.7 for the experimental parameters used in Fig. 5), it turns out that the upper bound $R_U$ is below the estimated secret key rate, which confirms that there is no security proof which can make the estimated secret key rate secure.
We remark that in practice Eve might need to throttle the key rate to roughly the original expected level in the absence of the attack. Indeed, a human operator of QKD equipment may suspect that something abnormal is happening if the key generation rate rises well above the expected level (blue dotted line in Fig. 4). To reduce the rate, Eve can simply introduce additional optical attenuation in the channel.

B. MDI-QKD
Next we consider the case of MDI-QKD with WCPs [30]. Similar to the previous example, we shall assume that each of Alice and Bob use three different intensities, $\mu_s$, $\nu_1$ and $\nu_2$ that satisfy $\mu_s > \nu_1 > \nu_2$, and they generate secret key from those events encoded with the signal intensity in the Z basis, while they use the X basis events for parameter estimation. In the asymptotic limit of an infinite number of transmitted signals (and assuming for simplicity a sifting factor ≈ 1), the secret key rate is lower bounded by [30] (6) where $p^{\mu_s\mu_s}_{11}$ is the probability that both Alice and Bob emit a single-photon pulse in the Z basis when they both use the signal intensity setting $\mu_s$, $Y^Z_{11,L}$ is a lower bound on the yield associated to these single-photon events, $e^X_{11,U}$ is an upper bound on the phase error rate of these single-photon pulses, $f_e$ is again the error correction efficiency, $G^{\mu_s\mu_s}_Z$ and $E^{\mu_s\mu_s}_Z$ are the gain and the QBER when both Alice and Bob send to the relay Charles WCPs of intensity $\mu_s$ in the Z basis, and $H_2(x)$ is the binary Shannon entropy function defined previously.
To evaluate Eq. (6), Alice and Bob need to calculate the parameters $Y^Z_{11,L}$ and $e^X_{11,U}$ based on the experimentally available data $G^{\zeta\omega}_\alpha$ and $E^{\zeta\omega}_\alpha$, with $\alpha \in \{Z, X\}$ and $\zeta, \omega \in \{\mu_s, \nu_1, \nu_2\}$, and their knowledge on the probability distribution $p^{\zeta\omega}_{nm}$ with $n, m \in \mathbb{N}$, where $\mathbb{N}$ is the set of the non-negative integers. Again, this estimation can be done analytically or numerically, and for simplicity here we use the analytical approach introduced in Ref. [65]. For completeness, below we include the expressions for $Y^Z_{11,L}$ and $e^X_{11,U}$: and $e^X_{11,U} \le$ where $Y^X_{11,L}$ represents a lower bound on the yield associated to those single-photon events emitted by Alice and Bob in the X basis. This last quantity can be estimated using Eq. (7) but now referred to the X basis.
To evaluate $R_L$ in the presence of a laser seeding attack we follow a methodology similar to that used in the previous subsection, and we omit it here for simplicity.
Also, to evaluate an upper bound $R_U$ on the secret key rate, we extend the technique introduced in Ref. [64] to the case of MDI-QKD. Here, for simplicity, we consider that Alice and Bob only distill secret key from nonpositive partial transposed entangled states [66,67], i.e., we disregard the key material which could be obtained from positive partial transposed entangled states [68]. We refer the reader to Appendix D for further details about the upper bound $R_U$.
For simulation purposes, we use again the experimental parameters given in Table I. For simplicity, we assume that Eve performs a symmetric attack in which she injects light of the same intensity into both Alice's and Bob's transmitter devices, which moreover we assume are identical. The resulting lower and upper bounds on the secret key rate are shown in Fig. 6. For this example we consider three possible values for the multiplicative factor κ = {1, 1.5, 2.5}. The case κ = 1 corresponds to the scenario without attack. The results are analogous to those illustrated in Fig. 4. In particular, the incorrect value of $R_L$ that Alice and Bob would estimate in the presence of the attack is well above the correct value of $R_L$ delivered by a proper application of the security proof (i.e., for the case where one considers the correct values of the output intensities modified by the attack). This is particularly critical for the case where κ = 2.5, as the security proof provides no secure key rate in this scenario while Alice and Bob would incorrectly estimate a relatively high value for $R_L$. Also, in this case, the upper bound $R_U$ is below the estimated $R_L$ for all distances (see Fig. 6).

V. DISCUSSION AND COUNTERMEASURE
In this laser seeding attack, the isolation present in a real QKD system may significantly affect Eve's injection power. Thus, we should analyse this effect in detail. The first factor that contributes to such isolation is the presence of an attenuator to attenuate Alice's signals to the single-photon level. If we assume that the power of Alice's laser is similar to the laser we tested, the required attenuation would be in the order of 60 dB to obtain single-photon-level pulses. This means that Eve's initial injection laser (before going through the attenuator) should be in the order of 100 mW (assuming that there is no internal isolator in the laser) such that about 100 nW power can enter the laser cavity. This value is reasonable and can be safely transmitted through optical fiber, which confirms that the laser seeding attack is practical.
Furthermore, we note that the attenuation provided by optical attenuators can be decreased via a laser damage attack [24]. Specifically, Eve can illuminate Alice's attenuator with a c.w. laser with power of several watts. The experimental results reported in [24] show that it is possible to permanently decrease the attenuation by more than 10 dB by the c.w. laser. Importantly, this can be done such that no connector or other components in the experiment are damaged. The attenuator is the only component that responds. Therefore, if Eve applies first the laser damage attack against the attenuators to decrease their attenuation, then the injection power of the laser seeding attack could be even lower than 100 mW. This strategy of combination attacks makes the laser seeding attack easier to implement thanks to the laser damage attack.
The second factor that could contribute more isolation is the inclusion of an external isolator. The isolator indeed makes Eve's attack more difficult. However, according to the working mechanism of an optical isolator, the isolation of the backward injection light is due to the polarization rotation inside the isolator, after which the rotated light is extinguished. The rotation is realized by a magneto-optic effect. It is notable that the magnets used in isolators are temperature-dependent [69]. That is, the higher the temperature, the smaller the rotation. Thus, the temperature is an important factor in practice to determine the real isolation value. From Eve's point of view, she may somehow hack the isolator by increasing the temperature. The quantitative study of the dependence between the optical isolation provided by an optical isolator and the temperature that Eve can achieve is beyond the scope of this paper, but we have studied this topic in another manuscript [70].
It is clear that for a given power of Eve's injected light, the more effective isolation the users' transmitters have, the smaller the value of the multiplicative factor κ will be, and thus also the effectiveness of the attack. For example, according to Fig. 3, if the power of Eve's injected light is say 10 W, then an effective isolation > 80 dB would result in a multiplicative factor κ < 2 for ID300 sample 2. Importantly, however, as we have seen in Fig. 5, whenever κ > 1 (which in principle might happen even for very high isolation), Alice and Bob might always overestimate their secret key rate, unless, of course, they modify their security analysis to properly incorporate the effect of the laser seeding attack.
For this, for instance, Alice and Bob could first bound the power of Eve's injected light to a reasonable value, as done for example in Refs. [24,48-50]. With this assumption in place, and for a given value of the isolation of their transmitters, as well as the behaviour of their laser sources, Alice and Bob could in principle upper bound the maximum value, $\kappa_{\max}$, that the parameter κ can take. In so doing, and for given observed experimental data (i.e., gains and error rates associated to different values of the intensity settings), they could simply minimize their secret key rate by taking into account that now the intensities of the emitted light pulses might lie in an interval $[\mu, \kappa_{\max}\mu]$, where $\mu$ is the value of the original intensity setting. This way Alice and Bob consider the worst-case scenario and can guarantee that the resulting secret key rate is indeed secure.
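The overestimate analysed in Sec. IV A and the worst-case evaluation described in the preceding paragraph, as an added Python example that is not code from the paper. It assumes the standard analytical two-decoy bounds of Ma et al. (the paper's own Eqs. (1)-(4) may differ), identical Z- and X-basis statistics, one common scaling factor for all three intensities, and constructed link parameters rather than Table I.

```python
import math

# Constructed link parameters (assumptions for this example, not the paper's Table I).
ALPHA_DB_PER_KM = 0.2        # fibre attenuation
ETA_DET = 0.2                # Bob's detection efficiency
Y0 = 1e-6                    # background (dark count) yield per pulse
E_DET = 0.01                 # misalignment error probability
E0 = 0.5                     # error rate of background clicks
F_EC = 1.16                  # error-correction efficiency f_e
NOMINAL = (0.5, 0.1, 0.001)  # intended (mu_s, nu_1, nu_2); fixed here, not optimised


def h2(x):
    """Binary Shannon entropy in bits."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def scaled(kappa):
    """Intensities that actually leave Alice when every setting is multiplied by kappa."""
    return tuple(kappa * m for m in NOMINAL)


def observe(emitted, dist_km):
    """(gain, QBER) Bob records for each emitted intensity, Poissonian source."""
    eta = ETA_DET * 10 ** (-ALPHA_DB_PER_KM * dist_km / 10)
    out = []
    for mu in emitted:
        signal = 1 - math.exp(-eta * mu)
        gain = Y0 + signal
        out.append((gain, (E0 * Y0 + E_DET * signal) / gain))
    return out


def key_rate(assumed, observed):
    """Asymptotic lower bound R_L from observed data and the intensities fed to the formulas."""
    mu, n1, n2 = assumed
    (g_mu, e_mu), (g1, e1), (g2, e2) = observed
    # Lower bound on the vacuum yield.
    y0_l = max((n1 * g2 * math.exp(n2) - n2 * g1 * math.exp(n1)) / (n1 - n2), 0.0)
    # Lower bound on the single-photon yield.
    y1_l = mu / (mu * n1 - mu * n2 - n1**2 + n2**2) * (
        g1 * math.exp(n1) - g2 * math.exp(n2)
        - (n1**2 - n2**2) / mu**2 * (g_mu * math.exp(mu) - y0_l))
    if y1_l <= 0:
        return 0.0
    # Upper bound on the single-photon error rate.
    e1_u = min((e1 * g1 * math.exp(n1) - e2 * g2 * math.exp(n2)) / ((n1 - n2) * y1_l), 0.5)
    rate = mu * math.exp(-mu) * y1_l * (1 - h2(e1_u)) - F_EC * g_mu * h2(e_mu)
    return max(rate, 0.0)


def estimated_rate(kappa, dist_km):
    """What Alice and Bob compute under attack: data from kappa*mu, formulas fed nominal mu."""
    return key_rate(NOMINAL, observe(scaled(kappa), dist_km))


def correct_rate(kappa, dist_km):
    """The same data evaluated with the intensities that were really emitted."""
    return key_rate(scaled(kappa), observe(scaled(kappa), dist_km))


def worst_case_rate(kappa, kappa_max, dist_km, steps=150):
    """Countermeasure: minimise R_L over every scaling factor in [1, kappa_max]."""
    obs = observe(scaled(kappa), dist_km)
    return min(key_rate(scaled(1 + i * (kappa_max - 1) / steps), obs)
               for i in range(steps + 1))


if __name__ == "__main__":
    print("kappa  estimated    correct      worst case (kappa_max = 2.5)")
    for kappa in (1.0, 1.5, 2.0, 2.5):
        print(f"{kappa:4.1f}   {estimated_rate(kappa, 40):.3e}   "
              f"{correct_rate(kappa, 40):.3e}   {worst_case_rate(kappa, 2.5, 40):.3e}")
```

The worst-case column stays at or below the correct rate for any true factor up to the assumed bound, at the cost of a lower rate when no attack is present.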
Another alternative for Alice to determine the parameter $\kappa_{\max}$ might be to use an incoming-light monitor to detect the injection light. The main drawback of this approach is, however, that the classical monitor that detects the injected light is not a reliable device. For example, in Ref. [71], it has been shown that the classical monitor can be bypassed by Eve's pulses with high repetition rate, and thus the classical monitor cannot correctly quantify the amount of injected light. This is due to the limited bandwidth of the classical monitor. Furthermore, the classical monitor may even be damaged by Eve's light [22]. According to the experimental results in Ref. [22], the classical monitor is the first component in Alice that is damaged by Eve's laser. Therefore, the classical detector also may not be a reliable countermeasure to prevent Eve's injection of light.
In practice, it is important to note as well that Eve could in principle combine the laser seeding attack with various attacks to enhance her hacking capability, for example, with the laser damage attack [22,24] as mentioned above, with the THA analysed in Refs. [48-50, 53, 72, 73], and/or with the recently introduced injection-locking attack [59]. For instance, Eve could employ the fact that the laser seeding can be affected in real time by the state of Alice's modulator, changing the laser wavelength depending on the modulator setting [59] and/or modulating the intensity multiplication factor κ. Besides using her injected light to modify the internal functioning of the transmitter (as done in the laser seeding attack), Eve could also simultaneously perform a THA and measure the back-reflected light to obtain information about the transmitter's settings for each emitted light pulse. This means that to properly evaluate the security of a QKD system, one should probably combine the techniques described in the previous paragraphs with the security analysis introduced in Refs. [48][49][50]53].

VI. CONCLUSION
This study has experimentally demonstrated that the laser seeding attack is able to increase the intensity of the light emitted by the laser diode used in a QKD system, breaking the fundamental assumption about the mean photon number of a QKD protocol. Moreover, we have shown theoretically that such increase of the intensity might seriously compromise the security of QKD implementations. For this, we have considered two prominent examples: the standard decoy-state BB84 protocol and MDI-QKD, both implemented with phase-randomized WCPs. In both cases, we have demonstrated that, in the presence of the attack, the legitimate users of the system might significantly overestimate the secret key rate provided by proper security proofs, even well above known upper bounds. This theoretical security analysis can be applied to any attack that increases the intensity of the emitted pulses. For instance, a laser damage attack against the optical attenuators also shows that Eve can increase the intensity of Alice's pulses by decreasing the attenuation provided by the attenuators [24].
Although MDI-QKD is immune to all detector side-channel attacks, our work shows Eve's capability of hacking the source of a QKD system and highlights that further research is needed to protect the system against source side-channel attacks. Moreover, we remark that the laser seeding attack may compromise as well the security of other quantum decoy-state based cryptographic systems beyond QKD, like, for instance, various two-party protocols with practical signals [74], quantum digital signatures [75,76], and blind quantum computing [77,78].
While preparing this Article for publication, we have learned of another laser seeding experiment that changes the wavelength of Alice's laser rather than its intensity [59].
states that Alice and Bob could have shared in a virtual entanglement protocol that is equivalent to the actual protocol. For simplicity, Ref. [64] considers a decoy-state protocol where Alice and Bob use an infinite number of decoy settings. Note, however, that in the asymptotic limit where Alice sends Bob an infinite number of signals, an upper bound on the secret key rate for this protocol applies as well to a protocol using a finite number of decoy settings. We follow the same procedure here.
In particular, let $S_n$ denote the set of all bipartite quantum states, $\sigma^n_{AB}$, which are compatible with Alice and Bob's measurement results in a virtual entanglement protocol that is equivalent to the actual protocol when Alice sends Bob an $n$-photon signal. That is, this set is defined as where $\{A_k\}_k$ and $\{B_j\}_j$ are the measurement operators of Alice and Bob in the virtual entanglement protocol, and $p^n_{kj}$ represent the measured statistics associated to the $n$-photon signals emitted by Alice. Since we assume that Alice uses an infinite number of decoy intensities, we consider that she can estimate these probabilities precisely.
The states $\sigma^n_{AB} \in S_n$ can always be expressed as a convex sum of one separable state, $\sigma^n_{\mathrm{sep}}$, and one entangled state, $\rho^n_{\mathrm{ent}}$, as follows

$$\sigma^n_{AB} = \lambda^n \sigma^n_{\mathrm{sep}} + (1 - \lambda^n)\,\rho^n_{\mathrm{ent}},$$

for some real parameter $\lambda^n \in [0, 1]$. Then, the BSA of the states in $S_n$ corresponds to that state with the maximum value of the parameter $\lambda^n$, which we shall denote by $\lambda^n_{\mathrm{BSA}}$. That is, for every $n$, we want to find the parameter $\lambda^n_{\mathrm{BSA}} = \max[\lambda^n \,|\, \sigma^n_{AB} \in S_n]$, as well as the corresponding entangled state $\rho^n_{\mathrm{ent}}$ for the BSA.
In standard decoy-state QKD with four sending states, Alice's measurement operators $\{A_k\}_k$ can be described by a projective measurement in a four-dimensional Hilbert space, i.e., $A_k = |k\rangle\langle k|$ with $k \in \{1, 2, 3, 4\}$. Each operator $A_k$ is associated with Alice sending one of the four possible polarization states of the BB84 protocol. On Bob's side, his measurement operators $\{B_j\}_j$ correspond to a positive-operator valued measurement (POVM) with the following elements where $|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)$, and $|\mathrm{vac}\rangle$ is the vacuum state. As already mentioned in the main text, here we implicitly assume that double click events are randomly assigned by Bob to single click events.
In addition, we have that in a prepare&measure QKD scheme the reduced density matrix of Alice, $\rho^n_A = \mathrm{Tr}_B(\sigma^n_{AB})$, is fixed by her state preparation process. In the scenario considered, it turns out that $\rho^n_A$ can be written as [64]

$$\rho^n_A = \frac{1}{4}\begin{pmatrix} 1 & 0 & 2^{-n/2} & 2^{-n/2} \\ 0 & 1 & 2^{-n/2} & (-1)^n 2^{-n/2} \\ 2^{-n/2} & 2^{-n/2} & 1 & 0 \\ 2^{-n/2} & (-1)^n 2^{-n/2} & 0 & 1 \end{pmatrix}.$$

Putting all the conditions together, one can obtain the parameter $\lambda^n_{\mathrm{BSA}}$ and the corresponding entangled state $\rho^n_{\mathrm{ent}}$, for each $n$, by solving the following semidefinite program (SDP) [64]

$$\begin{aligned} \min\ & 1 - \mathrm{Tr}[\sigma^n_{\mathrm{sep}}(x)], \\ \text{s.t.}\ & \sigma^n_{AB}(x) \geq 0, \\ & \mathrm{Tr}[\sigma^n_{AB}(x)] = 1, \\ & \mathrm{Tr}[A_k \otimes B_j\, \sigma^n_{AB}(x)] = p^n_{kj}, \quad \forall k, j, \\ & \mathrm{Tr}_B(\sigma^n_{AB}(x)) = \rho^n_A, \\ & \sigma^n_{\mathrm{sep}}(x) \geq 0, \end{aligned}$$

where the vector $x$ is used to parametrize the density operators and $\Gamma$ denotes partial transposition of one of the subsystems. Note that in Eq. (C6) the state $\sigma^n_{\mathrm{sep}}(x)$ represents an unnormalized state, i.e., if we compare this state with that given in Eq. (C2) we have that $\sigma^n_{\mathrm{sep}}(x) = \lambda^n \sigma^n_{\mathrm{sep}}$. From the optimal solution, $x_{\mathrm{sol}}$, of the SDP above we have that (C7) The upper bound on the secret key rate can then be written as [64,80] where $r_n \approx e^{-\mu}\mu^n/n!$ is the probability that Alice sends Bob an $n$-photon state, where $\mu$ is the mean photon number of the signal, and $I^{\mathrm{ent}}_n(A; B)$ is the Shannon mutual information evaluated on $q^n_{kj} = \mathrm{Tr}(A_k \otimes B_j\, \rho^n_{\mathrm{ent}})$. Note that to calculate Eq. (C8) it is typically sufficient to consider only a finite number of terms in the summation, because of the limit imposed by the unambiguous state discrimination attack. See Ref. [64] for further details.
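The closed form of $\rho^n_A$ above can be checked numerically. The following is an added example, not code from the paper: it assumes the ordering $k = 1..4 \to |0\rangle, |1\rangle, |+\rangle, |-\rangle$ and that entry $(k, j)$ equals one quarter of the $n$-th power of the single-photon overlap, then compares that with the printed matrix and computes its rank.

```python
import math

# Assumed ordering of Alice's four BB84 states (not stated on the page):
# k = 1..4 -> |0>, |1>, |+>, |->, written in the {|0>, |1>} basis.
S = 1 / math.sqrt(2)
BB84 = [(1.0, 0.0), (0.0, 1.0), (S, S), (S, -S)]


def rho_a_page(n):
    """rho_A^n in the closed form printed in the appendix."""
    a = 2 ** (-n / 2)
    b = (-1) ** n * a
    rows = [[1, 0, a, a], [0, 1, a, b], [a, a, 1, 0], [a, b, 0, 1]]
    return [[x / 4 for x in row] for row in rows]


def rho_a_gram(n):
    """rho_A^n rebuilt from overlaps: the overlap of two n-photon states
    is the single-photon overlap raised to the n-th power."""
    def overlap(u, v):
        return u[0] * v[0] + u[1] * v[1]
    return [[overlap(u, v) ** n / 4 for v in BB84] for u in BB84]


def rank(matrix, tol=1e-9):
    """Numerical rank by Gaussian elimination with partial pivoting."""
    m = [row[:] for row in matrix]
    r = 0
    for col in range(len(m[0])):
        pivot = max(range(r, len(m)), key=lambda i: abs(m[i][col]), default=None)
        if pivot is None or abs(m[pivot][col]) < tol:
            continue
        m[r], m[pivot] = m[pivot], m[r]
        for i in range(r + 1, len(m)):
            f = m[i][col] / m[r][col]
            m[i] = [x - f * y for x, y in zip(m[i], m[r])]
        r += 1
    return r


def check(n, tol=1e-12):
    """Return (closed form matches overlaps?, trace, rank) for n photons."""
    p, g = rho_a_page(n), rho_a_gram(n)
    same = all(abs(p[i][j] - g[i][j]) < tol for i in range(4) for j in range(4))
    return same, sum(p[i][i] for i in range(4)), rank(p)
```

The rank is 2, 3 and 4 for $n = 1, 2$ and $n \geq 3$: from three photons on, the four signal states are linearly independent, which is the condition under which unambiguous state discrimination becomes possible.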

Appendix D: Upper bound $R^U$ for MDI-QKD
Here we extend the results in Ref. [64] to the MDI-QKD framework to calculate an upper bound on the