# Decoherence as an Attack Vector for QKD

**Source**: https://quantumsequrity.com/blog/decoherence-as-attack-vector
**Category**: Threats & Attacks

---

[← Back to Blog](../../blog.html) Threats & Attacks

# Decoherence as an Attack Vector for QKD

12 min read

Quantum systems are fragile. The same property that makes quantum computers so powerful (superposition and entanglement of qubits) is also what makes them so hard to engineer. Any interaction between a qubit and its environment, whether thermal noise, stray electromagnetic fields, or vibrations, causes the qubit's quantum state to collapse into a classical state. This process is called decoherence, and fighting it is one of the central challenges of building useful quantum hardware. For quantum key distribution systems, decoherence is doubly significant. Not only is it a natural enemy to overcome, but it is also a potential attack vector. An adversary who can deliberately induce decoherence in a QKD link can disrupt key generation, force fallback to less-secure modes, or in some scenarios, leak information about the key being generated. This post walks through how decoherence works as a denial-of-service vector for QKD, what operational implications it has, and why these considerations push national security agencies toward post-quantum cryptography rather than QKD for most applications.

## What Decoherence Is

When a qubit exists in superposition, it is in a delicate quantum state where its measurement outcome would be probabilistic. The state is described by a quantum amplitude vector, and any small perturbation can cause that vector to interact with the environment in a way that "measures" the qubit, collapsing it into a definite classical state. This collapse is decoherence.

In a quantum computing context, decoherence destroys the quantum information you are trying to compute with. T1 relaxation (the qubit returning to its ground state) and T2 dephasing (the qubit losing its phase relationship) are the two primary decoherence mechanisms. State-of-the-art superconducting qubits achieve T1 and T2 in the hundreds of microseconds. Trapped ion qubits do better, with T2 sometimes in the seconds. But even the best qubits cannot maintain coherence for long.

In a QKD context, the photons traveling from Alice to Bob are technically not "qubits" in the gate-based computing sense, but they carry quantum information in their polarization or phase. They are subject to similar decoherence: any interaction with the environment can collapse the quantum state, randomizing the bit value Bob measures. The QKD protocol detects this through the error rate: if too many bits disagree between Alice and Bob, they assume eavesdropping and abort the key generation.

## Decoherence as Denial of Service

Here is the operational issue. A QKD system is engineered to tolerate a small amount of natural decoherence (from fiber loss, thermal noise, polarization drift). When the error rate is below a threshold, the protocol proceeds. When the error rate exceeds the threshold, the system aborts and tries again.

An attacker who can induce extra decoherence on the channel can force the system to abort. They do not need to learn the key. They just need to make the legitimate parties unable to agree on one. Methods include shining a bright laser into the fiber to scramble polarization, vibrating the fiber mechanically to introduce phase noise, or heating the fiber to change its propagation properties.

This is denial of service. The QKD link is unable to produce key material as long as the attacker keeps interfering. For applications that depend on QKD for key establishment (some military communication systems, some banking links), this is a significant operational concern. The attacker has a way to make the link fail without leaving an obvious trace, since the system will simply log "high error rate, aborting" rather than "active attack."

Compare this to a classical TLS connection, where an attacker who interferes with the handshake will trigger an obvious failure: the connection drops, an error is logged, and the user retries. The denial-of-service surface is the same in spirit, but the failure mode is more apparent.

## Forced Fallback Risks

A more subtle attack scenario involves forcing fallback. Many QKD systems are deployed alongside a classical key establishment fallback, in case the quantum link fails. If an attacker induces decoherence to make the QKD link fail, the system may fall back to a classical key exchange, which (depending on the protocol) might be vulnerable to the very quantum attacks that QKD was supposed to defend against.

This pattern echoes the TLS protocol-downgrade attacks like POODLE (see [POODLE Attack SSL](poodle-attack-ssl.md)). The fallback mechanism, intended to maintain availability, can be exploited to drag the connection into a weaker mode. QKD systems with classical fallback need to think carefully about what the fallback algorithm is and whether it is still secure when the QKD link is unavailable.

The defense, in both the TLS and QKD cases, is to ensure that the fallback is at least as strong as the primary mechanism. For QKD, this means using post-quantum cryptography as the classical fallback rather than RSA or ECC. For TLS, it means rejecting downgrade attempts via mechanisms like TLS_FALLBACK_SCSV.

## Decoherence and Side-Channel Leakage

Beyond denial of service, deliberate decoherence might leak information in some advanced attack scenarios. The argument is subtle. Suppose an attacker can selectively decohere photons based on some property they want to learn. For example, an attacker might tune the decoherence to affect photons emitted in certain time windows, allowing them to distinguish between two basis choices Alice might have made. This is closer to the timing-based and basis-detection attacks discussed in the QKD side-channel literature (see [Quantum Side Channels](quantum-side-channels.md) for the detector-blinding and photon-number-splitting attacks that share this conceptual structure).

The practical relevance of selective-decoherence attacks is debatable. Most published work has focused on simpler attacks like detector blinding, which work against deployed systems with high reliability. Selective decoherence is more theoretical, but it represents the kind of attack pattern that could become more practical as adversaries refine their techniques.

## What This Means Operationally

For organizations considering QKD deployments, decoherence-based denial of service is a real operational risk. The cost of mounting such an attack is relatively low (you need a fiber-tap or a way to interact with the fiber, but you do not need to break any cryptography). The cost to the defender is significant (loss of key generation, potential cascading failures in dependent systems).

Defenses include physical hardening of the fiber path, monitoring for anomalous error rates that suggest active interference, redundant QKD links over different physical paths, and graceful fallback to post-quantum cryptography when the QKD link fails. None of these are free. Each adds operational complexity to a system that is already more complex than a classical cryptographic deployment.

This is part of why national security agencies are recommending post-quantum cryptography for most applications. The UK's NCSC, the US NSA, France's ANSSI, and Germany's BSI have all published guidance recommending PQC over QKD for general-purpose use. The reasons cited include the side-channel attack surface (covered in [Quantum Side Channels](quantum-side-channels.md)), the limited reach (current QKD systems work over hundreds of kilometers, not global distances), the need for trusted relays at long distances (which reintroduces classical-style trust assumptions), and yes, the denial-of-service attack surface from decoherence and similar physical attacks.

## How Post-Quantum Cryptography Sidesteps This

PQC algorithms like ML-KEM and ML-DSA do not depend on quantum-physical channels. They run as classical software on classical computers. The signal that they exchange is a classical bit stream, transmitted over standard internet protocols. There is no quantum state to decohere. Denial of service is still possible (any network connection can be interrupted), but the failure modes are the same as classical cryptographic protocols, with the same well-understood mitigations.

The hybrid construction (see [Hybrid Encryption](hybrid-encryption.md)) further provides resilience. Even if a future attack were found against the post-quantum component, the classical X25519 layer would still hold. Conversely, even if a quantum computer became powerful enough to break X25519, the post-quantum component would still hold. There is no decoherence-based vector that could disrupt the protocol; an attacker would have to either break both algorithms cryptographically or break the underlying network connection (which is a different and well-defended threat).

## What This Means for QNSQY

QNSQY does not use QKD. It uses post-quantum cryptography combined with classical cryptography in a hybrid construction. The threat model assumes a software environment running on classical hardware connected via classical networks. None of the QKD-specific decoherence-based attacks apply.

The practical denial-of-service threats to QNSQY are the same as for any cryptographic software: an attacker who can interrupt your network connection can prevent encryption or decryption from succeeding, but they cannot recover plaintext. The hybrid PQC + classical construction means that even an attacker with significant cryptographic capabilities cannot recover plaintext encrypted by QNSQY without breaking both the post-quantum and classical components, which we have no evidence anyone can do.

## What QKD Is Actually Useful For

In fairness to QKD, it does have a role in certain specialized scenarios. For ultra-high-assurance applications where the threat model includes nation-state adversaries and the deployment environment is fully controllable (a single building, a campus with shielded fiber, a secure tunnel between two trusted facilities), QKD can complement classical defenses. The decoherence-based attacks become much harder when the attacker cannot reach the fiber.

These are niche applications. For everyday cryptography, including the kind of file-level encryption that QNSQY does, post-quantum cryptography is the right answer.

## The Theoretical Roof

It is worth saying clearly: the underlying physics of QKD is not broken. The information-theoretic security guarantees that BB84 provides remain valid in the idealized model. The issue is that real-world QKD systems do not match the idealized model. Decoherence-based attacks, side-channel attacks, and protocol-level vulnerabilities all stem from the gap between idealized physics and real engineering.

Cryptographers face the same gap with classical algorithms. RSA's mathematical security relies on factoring being hard. Real RSA implementations have been broken by side channels, fault injection, and bad randomness, all of which are unrelated to the mathematical hardness of factoring. The implementation gap is the eternal challenge of cryptographic engineering, regardless of whether the underlying primitive is classical or quantum.

The practical question is which gap is easier to manage. For PQC, we have decades of experience with classical implementation issues and well-established defenses. For QKD, the engineering experience is younger, the attack surface is broader (lasers, detectors, fibers, all in addition to the classical electronics), and the defenses are still being developed.

## FAQ

**Could decoherence attacks affect post-quantum cryptography in any way?**
No. Decoherence is a property of physical quantum systems. Post-quantum cryptography (ML-KEM, ML-DSA, etc.) runs entirely on classical computers using classical operations. Decoherence does not apply.

**Is QKD safer if it is deployed over short distances in shielded environments?**
Yes, somewhat. The physical attack surface is smaller when the attacker cannot reach the fiber. But QKD still has issues with detector blinding, photon-number splitting, and other side channels that exist regardless of channel length. See [Quantum Side Channels](quantum-side-channels.md) for the comprehensive picture.

**Why don't more national security agencies recommend QKD?**
The UK NCSC, US NSA, French ANSSI, and German BSI have all published guidance recommending against QKD for general use. The reasons include the side-channel attack surface, the operational complexity, the need for trusted relays at long distances, and the limited reach. PQC is the recommended path for almost all applications.

**Does QNSQY benefit in any way from quantum technologies?**
QNSQY uses post-quantum cryptography (ML-KEM, ML-DSA), which is designed to resist attacks by future quantum computers. So in a sense, QNSQY is a defensive response to the looming threat of quantum computing. But QNSQY does not use any quantum hardware itself. It runs entirely on classical computers.

**What if QKD systems improve and the side-channel attacks get fixed?**
Improvements are happening, particularly in the form of decoy state protocols and randomized detector calibration. But the fundamental issues (limited reach, need for trusted relays, denial-of-service via decoherence) are structural to QKD as a technology, not just to current implementations. Even if all known side-channel attacks were fixed, QKD would still be a niche tool rather than a general-purpose cryptographic primitive.

## Sources

1. Bennett, C. H., and Brassard, G. "Quantum Cryptography: Public Key Distribution and Coin Tossing." International Conference on Computers, Systems and Signal Processing, 1984.
2. UK National Cyber Security Centre. "Quantum security technologies." NCSC guidance, March 2020. https://www.ncsc.gov.uk/whitepaper/quantum-security-technologies
3. National Security Agency. "Quantum Key Distribution (QKD) and Quantum Cryptography (QC)." NSA Cybersecurity Information Sheet, October 2020. https://media.defense.gov/2021/Aug/04/2002821837/-1/-1/1/Quantum_FAQs_20210804.PDF
4. ANSSI. "Should Quantum Key Distribution be Used for Secure Communications?" Position paper, May 2020. https://cyber.gouv.fr/sites/default/files/2020/05/anssi-technical_position_papers-qkd.pdf
5. Schiansky, P., Kalb, J., Sztatecsny, E., et al. "Demonstration of quantum-digital payments." Nature Communications 14, 3849 (2023). (Recent QKD operational paper.) https://www.nature.com/articles/s41467-023-39519-w
6. Pirandola, S., Andersen, U. L., Banchi, L., et al. "Advances in quantum cryptography." Advances in Optics and Photonics 12, 1012-1236 (2020). https://opg.optica.org/aop/abstract.cfm?uri=aop-12-4-1012

## Related Articles

- [Quantum Side Channels](quantum-side-channels.md)
- [What Is Post-Quantum Cryptography](what-is-post-quantum-cryptography.md)
- [POODLE Attack SSL](poodle-attack-ssl.md)
- [Hybrid Encryption](hybrid-encryption.md)
- [NIST FIPS Guide](nist-fips-guide.md)

---

### Protect Your Data Before Q-Day Arrives

QNSQY's NIST-standardized post-quantum encryption protects files against both current and quantum-era threats.

[Try QNSQY](../../pricing.html)
