Laser seeding attack in quantum key distribution

Measurement-device-independent quantum key distribution (MDI-QKD) is a promising approach to remove all side channels from the measurement unit, which is regarded as the "Achilles' heel" of QKD. An essential assumption in MDI-QKD is however that the sources are trusted. Here we experimentally demonstrate that a practical source based on a semiconductor laser diode is vulnerable to a laser seeding attack, in which light injected from the communication line into the laser results in an increase of the intensities of the prepared states. The unnoticed increase of intensity may compromise the security of QKD, as we show theoretically for the prepare-and-measure decoy-state BB84 and MDI-QKD protocols. Our theoretical security analysis is general and can be applied to any vulnerability that increases the intensity of the emitted pulses.