Quantum Side-Channel Attacks
- Quantum side-channel attacks are exploits that target physical imperfections and leakage in quantum devices, bypassing idealized secure protocols.
- They encompass both narrow QKD-specific attacks, such as detector blinding and time-shift, and broader exploits in quantum hardware and cloud services.
- Researchers use a mix of security proofs, experimental leakage measurements, and hardware countermeasures to mitigate these vulnerabilities.
Quantum side-channel attacks are attacks that exploit physical imperfections, auxiliary degrees of freedom, or externally observable leakage in quantum information systems rather than the intended idealized interface of a protocol or circuit. In quantum key distribution, they include detector blinding, time-shift, source distinguishability in non-operational modes, and Trojan-horse-style leakage; in a broader quantum-systems literature, closely related attacks target timing, power, and radio-frequency leakage from cloud quantum services, simulators, and quantum-control electronics. The subject therefore sits at the intersection of security proofs, optical and microwave device physics, hardware architecture, and protocol design (Braunstein et al., 2011, Baliuka et al., 2023, Xu et al., 2023).
1. Definition, scope, and taxonomy
In one explicit QKD taxonomy, “side channels exploited by interacting with the quantum channel” are called quantum side channels, whereas “all other side channels” are called classical side channels (Baliuka et al., 2023). Within that usage, detector time-shift attacks, detector blinding, spectral or temporal leakage of emitted quantum states, and Trojan-horse probing of optical components belong to the quantum side-channel class because they act on, or through, the quantum communication interface. By contrast, RF electromagnetic emissions, power consumption, acoustic leakage, and timing of classical services are classical side channels in that taxonomy, even when they compromise a quantum device (Baliuka et al., 2023).
A broader research usage is nevertheless visible across the literature. Work on cloud quantum services studies timing leakage from backend scheduling and execution metadata; work on superconducting and trapped-ion hardware studies power and RF leakage from the classical control plane; and work on quantum circuit simulators studies timing and memory signatures of simulated circuits (Lu et al., 2024, Xu et al., 2023, Dong et al., 16 Sep 2025, Grigolo et al., 6 Mar 2026). This suggests that the field now uses “quantum side-channel attacks” in two nested senses: narrowly, for attacks on the quantum communication channel of QKD, and more broadly, for side-channel attacks against quantum technologies as systems.
The central conceptual feature is the same in both senses. Security proofs typically specify a modeled Hilbert space, a modeled device behavior, and a modeled adversarial interface. Side channels arise when physically accessible degrees of freedom or physical responses outside that model remain correlated with sensitive information. In QKD, the missing variables may be wavelength, timing, spatial mode, detector response, or back-reflections. In quantum computing, they may be control-pulse timing, controller power traces, AOM or AOD RF leakage, simulator runtime distributions, or cloud job latencies (Lu et al., 2013, Duplinskiy et al., 2019, Erata et al., 2024).
2. Canonical side-channel classes in quantum key distribution
Detector-side attacks are the historically most prominent QKD side channels. The detector-side model discussed for two-way deterministic QKD includes detection efficiency mismatch attacks, time-shift attack, faked-states attacks, and blinding attacks, with the general abstraction that Bob’s measurement device on the backward line can be treated as arbitrary and even effectively moved to Eve (Lu et al., 2013). In that setting, imperfections such as efficiency mismatch, timing windows, wavelength dependence, and blinding susceptibilities are not parameterized microscopically; they are absorbed into Eve’s most general attack on the measurement process (Lu et al., 2013).
Source-side attacks are structurally different. In the passive light-source model for BB84 with decoy states, each logical state is written as
where is the intended operational degree of freedom and is the state in all other degrees of freedom, collectively denoted by (Duplinskiy et al., 2019). Temporal profile, spectrum, spatial mode, polarization mode structure beyond the encoded qubit, intensity fluctuations, phase noise, and multi-mode structure can all populate . If the family of states is not identical across bits and bases, Eve can distinguish states outside the encoded qubit space without causing the disturbance predicted by the ideal model (Duplinskiy et al., 2019).
The passive light-source side-channel model has been strengthened further by explicit joint eavesdropping constructions. Instead of measuring the operational degree of freedom and the side channel separately, Eve can apply the optimal phase-covariant cloning attack to the BB84 qubit and then perform a joint collective measurement on the cloned operational subsystem and the passive side-channel subsystem (Babukhin et al., 2022). In that model the relevant Holevo information is the one for the composite state, not a sum of two independently accessible informations, and the resulting attack gives lower secret-key rates than earlier explicit attacks limited to separate measurements (Babukhin et al., 2022).
Continuous-variable QKD exhibits an analogous pair of side-channel models. On Alice’s side, a sender-side lossy side channel leaks part of the outgoing mode through a beam splitter of transmissivity ; on Bob’s side, a receiver-side noisy side channel injects Eve-controlled noise through a beam splitter of transmissivity (Derkach et al., 2016). The sender-side leakage increases Eve’s information and reduces tolerable channel excess noise. The receiver-side noise infusion is more severe: it “breaks the security even for a purely attenuating main quantum channel” if not countered (Derkach et al., 2016).
3. Security models and proof techniques
The detector-side immunity result for two-way deterministic QKD is formulated in an unconditional-security framework. For the two-encoding variant, Bob prepares one of the four BB84 states, Alice applies either or , and Bob measures in the same basis he used for preparation; all encoding-mode rounds contribute to the raw key, and in the asymptotic limit the key generation rate per signal is
0
The privacy-amplification term is written as
1
and the key step is to show basis independence,
2
so that moving Bob’s backward-line detector to Eve does not change the state relevant for privacy amplification (Lu et al., 2013).
For source side channels in BB84, the dominant proof language is fidelity and basis imbalance. The basis imbalance parameter is
3
where 4 is the fidelity between the basis density matrices. Hong–Ou–Mandel interference provides an experimentally accessible route to that fidelity. For phase-randomized weak coherent pulses, the paper derives
5
which connects measured HOM visibility to state fidelity, and then uses a Bures-angle bound to lower-bound 6 and hence upper-bound 7 (Duplinskiy et al., 2019). In the joint-eavesdropping setting, the side channel is folded into an effective error method by defining an effective Bob error 8 such that the extra Holevo information 9 is re-expressed as a larger effective error in otherwise standard decoy-state formulas (Babukhin et al., 2022).
A distinct proof strategy is the virtual mapping method of side-channel-secure QKD. The real imperfect-source protocol is reduced to a perfect virtual protocol if there exists a map 0 sending the perfect protocol states to the real emitted states. For Alice and Bob this requires conditions of the form
1
with lower bounds on the vacuum amplitudes 2. Under those inequalities, the real protocol can be treated as the perfect protocol “in key rate calculation,” and finite-size composable security against coherent attacks follows by combining the perfect-protocol proof with the post-selection technique (Jiang et al., 2023).
At the architectural end of the spectrum, “side-channel-free” QKD replaces direct exposure of sources and detectors by virtual channels implemented through local entangled states, quantum memories, and an untrusted entanglement-swapping station. The accessible Hilbert space is thereby filtered so that Eve’s probes remain confined to sacrificial public subsystems, while the secret-bearing subsystems 3 and 4 stay inside private spaces. In that model the asymptotic one-way secret-key rate is lower-bounded by the coherent information
5
and the design target is not a specific side channel but the elimination of quantum port access to the devices that carry or measure the secret (Braunstein et al., 2011).
4. Protocols and architectures designed to neutralize side channels
Two-way deterministic QKD gives a protocol-level example of detector-side immunity. In the four-state variant, Bob sends one of 6, Alice either checks or encodes, and Bob reads the encoding deterministically without basis sifting. The result proved is precise: “Two-way DQKD protocols are immune to all detector side channel attacks at Bob’s side, while we assume ideal detectors at Alice’s side for error testing.” The immunity covers all detector side channels on Bob’s backward receiver, including those akin to time-shift, faked states, blinding, wavelength dependence, and timing dependence, because the security proof already allows Eve to perform the relevant measurement herself without changing the key-rate formula 7 (Lu et al., 2013).
Source-side immunity has been pursued by redesigning the encoding itself. In the experimental side-channel-free protocol, key bits are encoded by sending or not sending a coherent state of fixed amplitude in the encoding mode, while all source side-channel degrees of freedom are treated as adversarial and all measurement devices at the central node are untrusted. The experiment reported “a secure key rate of 4.80e-7 per pulse through 50 km fiber spools,” and the protocol is described as “not only measurement-device-independent, but also immune to all side-channel attacks in the source” under the assumption of a perfect vacuum state in the encoding space (Zhang et al., 2021).
The side-channel-secure protocol extends that line to “fully realistic conditions.” It remains measurement-device independent, is “effective with imperfect (and unstable) source devices including imperfect vacuum and imperfect coherent-state source,” and uses the virtual mapping idea to obtain a non-asymptotic key rate under “whatever out-side-lab attack, including whatever side-channel coherent attack” (Jiang et al., 2023). A subsequent analysis of “the practical issues of side-channel-secure quantum key distribution” incorporates state-dependent correlated errors and Trojan-horse attack while preserving the protocol’s reliance only on upper bounds on intensities rather than a full infinite-dimensional source description. In that model, when the reflected light intensity from Trojan-horse attacks falls below 8, “Eve can scarcely extract additional key information from the reflections” (Jiang et al., 21 Aug 2025).
For continuous-variable QKD, the countermeasure story is unusually explicit. On the sender side, the negative effect of a lossy side channel can be “completely removed” by applying modulated coherent light to the side-channel input, optimally correlated to the main modulation, and “optionally, introducing additional squeezing in the case of the squeezed-state protocol” (Derkach et al., 2016). On the receiver side, optimal monitoring of the residual output of the noisy side channel and a weighted linear combination of the two homodyne measurements reconstruct the pre-side-channel variable exactly in the beam-splitter model, so the noisy side channel is again removed completely (Derkach et al., 2016). A recurring misconception is therefore that detector-side or channel-side fixes alone suffice: the literature instead shows a layered picture in which immunity can be obtained at Bob’s detector, Alice’s source, or both, but typically under protocol-specific assumptions.
5. Side-channel attacks on quantum computing platforms and services
A substantial recent literature studies leakage outside the optical QKD channel. On cloud-based quantum services, timing metadata alone can be a side channel. In IBM’s public quantum cloud, end-to-end job latency can be used for backend fingerprinting, and “with just 10 measurements, it is possible to identify the underlying quantum computer that executed the circuit.” For Grover’s algorithm, the same timing channel can leak the oracle “with a mere 500 measurements” (Lu et al., 2024). A closely related attack on cloud quantum simulators uses fine-grained execution timing and memory behavior to classify circuits from QASMBench. The experimental results reported are “88% to 99.9% identification rate of quantum circuits based on different datasets,” and a two-stage KNN-plus-Wasserstein pipeline attains 91.13% Top-1 identification accuracy overall, with 88.42% on small circuits and ≈99.98% on medium circuits (Dong et al., 16 Sep 2025).
The control layer of physical quantum computers exposes richer channels. “Exploration of Quantum Computer Power Side-Channels” introduces five attack types based on timing, total energy, mean power, total power traces, and per-channel power traces, and shows that control-pulse information can reveal user circuits, oracle choices, ansatz families, qubit mappings, and processor identity (Xu et al., 2023). The follow-on reconstruction work formalizes single-trace attacks on quantum computer controllers and demonstrates two concrete methods: a per-channel brute-force attack and a total-power attack using Mixed-Integer Linear Programming. Evaluation on “32 real benchmark quantum circuits” shows that the technique recovers all non-virtual 9 gates in every benchmark, while 0 remains invisible because it is virtual on IBM backends (Erata et al., 2024).
RF leakage offers an electromagnetic analogue of power analysis. On a QKD sender employing an FPGA and four VCSEL drivers, a deep convolutional neural network applied to near-field RF traces can recover symbol information “up to ~99%” near the FPGA, and the authors state that “at a distance of a few centimeters” they can “recover virtually all information about the secret key.” At 1 m with a log-periodic antenna they cannot decode key symbols in that setup, but they can distinguish “sending key” from “no key” with 100% accuracy in a band around 2 GHz (Baliuka et al., 2023). Trapped-ion hardware exhibits a parallel channel: leaked RF drive signals from AOMs and AODs can be captured with “off-the-shelf components,” and the proof-of-principle analysis extracts pulse characteristics of both single-ion and entangling gates (Grigolo et al., 6 Mar 2026).
These results show that even when a protocol is upgraded to be measurement-device-independent, or when the quantum channel itself is not touched, classical leakage from the surrounding electronics may remain a separate attack surface. This does not erase the QKD taxonomy that distinguishes quantum from classical side channels; rather, it indicates that practical quantum security must handle both (Baliuka et al., 2023).
6. Countermeasures, certification, and unresolved problems
A major line of defense is measurement and certification of leakage. For passive source side channels in BB84, HOM interference acts as an integrated “meter” of total mode mismatch across temporal, spectral, spatial, polarization, and other degrees of freedom. Best published HOM visibilities for phase-randomized weak coherent pulses lie close to the theoretical maximum 3, including 4, 5, 6, 7, and 8, and the security analysis shows that even values such as 9 already produce noticeable key-rate degradation while still permitting key generation (Duplinskiy et al., 2019). The method does not remove side channels; it bounds them quantitatively and feeds the result into the security proof.
Engineering countermeasures remain indispensable. For the RF side channel of a QKD sender, a revised electronics design using standard EMC principles, BGA packaging, differential routing, grounding, and decoupling capacitors substantially reduces both RF amplitude and ML test accuracy; a metallic shield of a few millimeters can drive attack performance down to random guessing, although even an aperture of approximately 0 cm reintroduces statistically significant leakage 1 (Baliuka et al., 2023). For trapped-ion RF leakage, the recommended mitigations include restricted physical access, improved shielding, decoy ions and dummy operations, and randomized compiling, while noting that full-lab Faraday shielding is rarely feasible and that injected RF noise can itself damage fidelity (Grigolo et al., 6 Mar 2026).
On the quantum-computing side, a distinct countermeasure class is transpiler-level masking. If a subset of gates can be shielded from side-channel observation, then a transpiler can rewrite every gate into a fixed public skeleton plus hidden gates from the shielded subset. For IBM’s native set this exploits virtual 2 gates, and the paper proves that one can conceal all information in a circuit by transpiling it into a new circuit “whose depth grows linearly, depending on the quantum computer’s architecture” (LeGrow et al., 13 Jan 2025). The key idea is that virtual gates are invisible to the modeled power side channel, so algorithm-specific information can be pushed into them while the observable non-virtual pattern is standardized.
Several open problems remain explicit across the literature. Current proofs for source flaws and SCS QKD still rely on specific assumptions such as trusted inside-lab randomness, bounded vacuum amplitudes, or trusted detectors on one side of a protocol (Jiang et al., 2023, Lu et al., 2013). HOM-based certification is asymptotic and does not by itself cover non-optical side channels such as RF leakage or acoustic emissions (Duplinskiy et al., 2019). RF and timing attack papers repeatedly note that modern machine learning makes weak leakage exploitable, while formal composable security proofs for such classical emissions are still missing (Baliuka et al., 2023, Dong et al., 16 Sep 2025). This suggests that the long-term problem is not merely to patch isolated attacks, but to connect protocol design, hardware layout, shielding, compiler transformations, and leakage measurements into unified security models for quantum technologies.