Laser Damage Attack in Quantum Communications
- Laser Damage Attack (LDA) is an adversarial technique that permanently or semi-permanently alters optical components to create exploitable security loopholes in QKD systems.
- The method employs high-power optical illumination to modify key parameters such as detector dark counts, attenuation, and isolation, enabling precise control via trigger pulses.
- LDA acts both as a standalone and enabling attack by engineering hardware backdoors that invalidate fixed-device security proofs in quantum communications.
Laser Damage Attack (LDA) is an adversarial technique in quantum communications in which high-power optical illumination is injected through the normal optical interface of a system to permanently or semi-permanently alter the characteristics of optical or optoelectronic components. In quantum key distribution (QKD), the objective is not merely denial of service, but the creation of new implementation loopholes—reduced detector dark counts, shifted breakdown voltages, degraded isolation, altered attenuation, enlarged apertures, or modified spectral transfer functions—that invalidate the fixed-device assumptions of security proofs while often leaving the system operational (Bugge et al., 2013, Makarov et al., 2015).
1. Conceptual definition and relation to other optical attacks
LDA differs from earlier classes of optical attacks by changing the hardware itself. Laser blinding relies on real-time illumination to force detectors into controllable states, and Trojan-horse probing uses low-level injected light to read internal settings noninvasively. By contrast, LDA uses optical power high enough to induce permanent or semi-permanent changes in component characteristics, so that protections previously relied upon by the security proof are neutralized and exploitable deviations appear (Makarov et al., 2015).
This distinction is especially important because LDA can function both as a standalone attack and as an enabler. On the source side, degrading the isolation of an isolator or circulator weakens defenses against Trojan-horse attack (THA) and laser-seeding attack (LSA); on the receiver side, damaging a detector can convert a single-photon device into a controllable linear photodetector. A plausible implication is that LDA is best understood as a hardware backdoor creation attack: it does not merely exploit an implementation flaw, but engineers one in situ (Ponosova et al., 2022).
The threat model throughout the literature assumes that the adversary can inject high optical power through the legitimate optical entrance, select wavelength, timing, and power profile, and avoid collateral failure modes by tuning the illumination regime. The same literature also stresses that Kerckhoffs’ principle applies: an attacker can rehearse on identical hardware, infer post-damage parameters by remote characterization or public exchanges, and then exploit the altered device behavior (Makarov et al., 2015).
2. Receiver-side damage regimes in single-photon detectors
The first proof-of-principle LDA on QKD receivers targeted the PerkinElmer C30902SH silicon avalanche photodiode (APD), widely used in free-space QKD experiments, implemented as a standard passively-quenched single-photon detector with a 400 kΩ ballast resistor and thermoelectric cooling to −25 °C. Damage was delivered by an electrically controlled 807 nm continuous-wave laser diode through a 200 µm-core multimode fiber, with collimation, a 50:50 non-polarizing beamsplitter, a mechanical shutter, and a focusing lens producing a 50 µm full width at half maximum spot on the APD. The typical exposure protocol used 60 s continuous-wave illumination per step (Bugge et al., 2013).
The observed permanent effects were grouped into regimes. The most security-relevant regimes are summarized below.
| Power regime | Permanent change | Security relevance |
|---|---|---|
| 0.3–0.45 W | to V; detection efficiency decreased by a factor of 0.83–0.90 at fixed bias | Stable detector-efficiency mismatch |
| 0.5–0.8 W | Dark count reduction by 1.7–5.4× | Apparent detector improvement; lower observed QBER |
| 1.2–1.7 W | Large dark current; permanent blinding below breakdown | Linear-mode click control with bright pulses |
| W | Catastrophic structural damage | Denial of service; countermeasure sensors can also fail |
Below 0.25 W, the APD showed only a temporary rise in dark count rate, which dissipated after hours in darkness. In the 0.9–1.2 W regime, the dark count rate increased permanently. In the 1.2–1.7 W regime, the APD drew excessive current through the 400 kΩ ballast, causing the passive quench circuit to drop the bias below breakdown; photon detection efficiency and dark counts permanently dropped to zero, but the detector remained photosensitive in linear mode. Under these blinded conditions, 10 ns optical trigger pulses produced controllable clicks, and at typical APD overvoltages of 10–15 V, changing trigger pulse power by less than 3 dB moved click probability from 0 to ; at overvoltage V, deterministic 0-or-1 control was achievable (Bugge et al., 2013).
The same study emphasized that a practical attack would not require direct access to a bare APD. The damaging beam could be injected through Bob’s normal optical entrance. For free-space receivers, where a narrowband interference filter is commonly present, the damaging wavelength must be near the legitimate signal wavelength; many free-space systems operate at 770–850 nm, which is compatible with the 807 nm damaging wavelength used in the experiment. The attack could also be launched opportunistically during power outages or against an unpowered system (Bugge et al., 2013).
3. Source-side, front-end, and channel-interface implementations
Subsequent work showed that LDA is not confined to receiver detectors. In a commercial plug-and-play fiber QKD and quantum coin-tossing system, a 1550.7 nm continuous-wave laser delivered 0–2 W at Alice’s entrance for 20–30 s and selectively damaged the pulse-energy monitoring photodiode : partial damage reduced its sensitivity by 1–6 dB for 0.5–1.5 W, and W made it completely insensitive. In a separate free-space BB84 receiver, an 810 nm diode laser delivering 3.6 W continuous-wave at the pinhole plane for s melted a 25 µm spatial-filter pinhole and enlarged it to µm, re-opening a previously closed detector-efficiency-mismatch side channel (Makarov et al., 2015).
Later studies extended this component-by-component picture to attenuators, isolators, circulators, and DWDMs.
| Component class | Reported modification | Security consequence |
|---|---|---|
| Fiber attenuators and VOAs | Permanent attenuation decrease; representative values up to dB, with averages of 0 dB for MEMS VOA and 1 dB for VDMC VOA | Increased mean photon number 2 |
| Isolators and circulators | Isolation reduction by 15.2–34.5 dB under continuous-wave heating; residual isolation 6.4–42.4 dB | THA and LSA become easier |
| Off-band pulsed isolator attacks | 19.5 dB reversible isolation drop at 17 mW picosecond average power; permanent degradation after 1160 mW sub-nanosecond exposure | Safe-threshold isolation violated while forward transparency persists |
| DWDMs | Multi-peak spectra above 5–8 W in susceptible samples | Spectral side channel |
For source attenuators at 1550 nm, one experimental study tested four fiber-optic attenuator types commonly used in QKD. The fixed in-line attenuator was “safe” to 32.8 dBm and showed an average successful permanent attenuation decrease of 3 dB with attack threshold 4 dBm; the MEMS VOA was “safe” to 34.5 dBm and showed an average successful permanent decrease of 5 dB with attack threshold 6 dBm; the variable-density metal coating VOA was “safe” to 32.9 dBm and showed 18/25 successful permanent decreases with average 7 dB and attack threshold 8 dBm; the manual VOA showed no change even at 39.5 dBm for 20 min, so that test was described as inconclusive (Huang et al., 2019).
A later pulsed study at 1061 nm showed that the attack surface is broader than continuous-wave in-band illumination. Mechanical blocking VOAs and fixed air-gap attenuators remained robust up to 1030 mW pulsed average power, but one MEMS VOA exhibited irreversible attenuation decrease of up to 9 dB across the full control-voltage range, and fixed attenuators with an absorption element developed latent damage such that a subsequent 1550 nm continuous-wave exposure caused temporary attenuation reductions up to 7 dB at 1 W, far below the previously needed direct continuous-wave threshold (Ruzhitskaya et al., 28 Apr 2026).
Source isolation components proved similarly vulnerable. Under 1550 nm continuous-wave backward injection with powers up to 6.7 W and exposures of 60–900 s, measured isolation reductions ranged from 15.2 to 34.5 dB, with residual isolation between 6.4 and 42.4 dB before catastrophic failure; forward insertion loss typically increased by only 0.5–1.1 dB during heating, so the line remained functional until irreversible high-loss failure occurred (Ponosova et al., 2022). Off-spec pulsed irradiation at 1061 nm added a different regime: in two commercial 1550 nm fiber-optic isolators, degradation began around 600 mW average power in the 200–400 ps regime, a 19.5 dB isolation reduction was produced at only 17 mW average power in the picosecond regime, and 1160 mW sub-nanosecond exposure left one sample at 0 dB isolation after 1–3 days while preserving forward transparency (Ponosova et al., 23 Jun 2025).
The DWDM study extended LDA to wavelength-selective front-end components. Ten DWDM samples were tested under high-power continuous-wave illumination injected into the COM port. In susceptible DWDM1 samples, new spectral peaks appeared once the injected power reached 5–8 W; the observed comb-like structure included peaks near 1548.7, 1549.7, 1550.7, and 1551.7 nm, with the strongest peaks near 1549.7 and 1550.7 nm. At the Pass port, the new peak near 1549.7 nm lay close to the nominal quantum passband, thereby transmitting more of the attacker’s light toward Alice’s encoder than the original input wavelength would have. Three of ten samples showed this effect, and its permanence after illumination was not characterized (Gao et al., 12 Dec 2025).
4. Protocol-level consequences for QKD security
The protocol-level significance of LDA is that it breaks the parameter stationarity assumed by security proofs. On the detector side, normal operation with Poissonian sources of mean photon number 1 is often modeled, for small 2, by
3
with dark count probability 4 and total efficiency 5. A representative decoy-state BB84 key-rate expression is
6
After receiver-side LDA in the linear-mode blinding regime, Bob’s detectors are no longer single-photon avalanche devices; 7 and 8 are set by Eve’s trigger pulse power and timing rather than by quantum statistics, so observed QBER can be made arbitrarily low while Eve learns the entire key (Bugge et al., 2013).
On the source side, the central quantity is the attenuation setting that determines the mean photon number. For an upstream laser of mean photon number 9, an attenuator with attenuation 0 produces
1
If laser damage reduces attenuation by 2 dB, then
3
The resulting change in multiphoton statistics is large. One reported example uses 4, for which the weak-coherent-state multiphoton probability 5 is 6. After 7 dB, 8 and 9; with 0 dB, 1 and 2 (Huang et al., 2019).
This source-side deviation has direct consequences for decoy-state security. A recent analysis parameterizes LDA by 3, with 4 and 5, and studies a USD-based intercept-resend strategy. The reported thresholds at which standard decoy-state checks cease to detect the attack are 6 dB for 7, 8 dB for 9, and 0 dB for 1. With a modified USD receiver employing an additional beam splitter, the threshold for 2 can be reduced below 10 dB (Sushchev et al., 21 Jul 2025).
LDA also amplifies side-channel attacks that depend on isolation. In source isolators and circulators, the measured isolation reduction of 15.2–34.5 dB increased Trojan-horse leakage by 2–3 orders of magnitude and, according to the cited security analyses, shrank achievable distance by 20–100 km. In the DWDM spectral-side-channel study, the LDA-induced comb near the quantum passband increased the effective Trojan-horse leakage sufficiently to reduce the maximum secure distance to 66.9% of its original value under the reported parameter set (Ponosova et al., 2022, Gao et al., 12 Dec 2025).
5. Countermeasures, qualification, and certification
A central architectural response is the use of sacrificial front-end protection. One proposal is to place an additional isolator or circulator at the source exit that is not counted in the security model. Under attack, it should either withstand the incoming power while attenuating it to a safe level or fail into a permanent high-attenuation state that breaks the line. Experiments with off-the-shelf fiber-optic isolators and circulators under continuous-wave attack measured residual isolation of 6.4–42.4 dB before catastrophic failure and line-breaking insertion loss 3 dB in destroyed isolators; the same work explicitly states that isolation accounting in the security model should start behind the sacrificial device (Ponosova et al., 2022).
Receiver-side countermeasures require equal caution because monitors can themselves be targets. In the APD study, the authors note that if a watchdog photodiode or APD is used as an optical power meter in a countermeasure, it can itself be destroyed by LDA (Bugge et al., 2013). This suggests that optical monitoring alone is insufficient unless the monitor is protected by its own damage-tolerant front end.
The broader mitigation program proposed in the literature combines passive and active layers: passive optical power limiters, single-use optical fuses that permanently break the link above threshold, optical isolators in one-way architectures, battery-powered active power monitoring supplemented with wavelength filtering, watchdog self-tests that continuously re-characterize sensitivities and splitting ratios, robust bias circuits with fast overcurrent protection and small energy reservoirs, and acceptance-test procedures that deliberately stress systems across powered-on and powered-off states, nanosecond steps to millisecond ramps, in-band and out-of-band wavelengths, and different spatial illumination profiles (Makarov et al., 2015).
Recent off-band pulsed attacks imply that certification must go beyond continuous-wave testing near the nominal QKD wavelength. Recommended measures include spectrally aware monitoring at 1061 nm as well as 1550 nm, bandpass filtering in the backward path, multiple isolators or circulators in series, optical power limiters or fuses calibrated to peak power or pulse energy rather than average power only, and destructive qualification in picosecond-to-nanosecond regimes (Ponosova et al., 23 Jun 2025). On the attenuator side, the pulsed robustness study recommends favoring air-gap fixed attenuators and mechanical blocking VOAs directly at the output, avoiding absorptive attenuators where possible, and flagging attenuation or 4 deviations exceeding 1 dB (Ruzhitskaya et al., 28 Apr 2026).
For DWDMs, the proposed test plan is similarly explicit: characterize the nominal transfer function with a tunable laser sweep, then illuminate via COM with continuous-wave power stepped in 5 W increments and held up to 10 minutes per step while monitoring Pass and Ref spectra live. Devices that show multi-peak formation below 10 W should be rejected or shielded by additional isolation and filtering (Gao et al., 12 Dec 2025).
6. Scope, limitations, and broader significance
LDA is not restricted to any single component family. The original detector study explicitly argued that changes in most optical components—attenuators, filters, modulators, connectors, lenses, mirrors, sources, and detectors—could create exploitable loopholes (Bugge et al., 2013). The 2015 backdoor-creation work extended that claim from QKD receivers to QKD sources and to quantum coin-tossing, showing that a monitor detector can be desensitized and a spatial-filter pinhole can be enlarged so that earlier countermeasures themselves become weak points (Makarov et al., 2015).
At the same time, the literature does not support the claim that every device is equally vulnerable under every illumination regime. Some components resisted the tested conditions: the manual VOA in the 1550 nm continuous-wave attenuator study showed no change even at 9 W for 20 min, and the test was described as inconclusive rather than secure (Huang et al., 2019). In the DWDM study, only 3 of 10 samples exhibited the reported spectral side channel, and polarization dependence and permanence after removal of the high-power laser were not characterized (Gao et al., 12 Dec 2025). For isolators and circulators, the continuous-wave source-side study explicitly identifies pulsed attacks as an open edge case, noting that high-peak-power pulses could induce different thermal and nonlinear effects (Ponosova et al., 2022).
A common misconception is that high-power light injection must immediately produce obvious denial of service. The published experiments show otherwise. In the Clavis2 tests, QKD continued uninterrupted in some trials and resumed after reconnection in the rest; in the attenuator work, the most security-relevant outcomes left the transmitter apparently functional; in the 1061 nm pulsed isolator study, forward transparency was preserved while isolation fell below a safe threshold (Makarov et al., 2015, Huang et al., 2019, Ponosova et al., 23 Jun 2025). This suggests that LDA occupies an especially problematic region of the attack landscape: it can create persistent hardware deviations that are compatible with superficially acceptable protocol statistics.
The cumulative implication of the literature is that practical quantum-communication security cannot be reduced to closing known side channels at installation time. LDA makes hardware characteristics mutable under adversarial illumination. Security proofs that assume fixed, characterized devices remain valid only if the devices are protected, monitored, and re-qualified against precisely the illumination regimes that an attacker can choose (Bugge et al., 2013, Makarov et al., 2015).