Automated verification of countermeasure against detector-control attack in quantum key distribution

Attacks that control single-photon detectors in quantum key distribution using tailored bright illumination are capable of eavesdropping the secret key. Here we report an automated testbench that checks the detector’s vulnerabilities against these attacks. We illustrate its performance by testing a free-running detector that includes a rudimentary countermeasure measuring an average photocurrent. While our testbench automatically finds the detector to be controllable in a continuous-blinding regime, the countermeasure registers photocurrent significantly exceeding that in a quantum regime, thus revealing the attack. We then perform manually a pulsed blinding attack, which controls the detector intermittently. This attack is missed by the countermeasure in a wide range of blinding pulse durations and powers, still allowing to eavesdrop the key. We make recommendations for improvement of both the testbench and countermeasure.


I. INTRODUCTION
In recent years, quantum key distribution (QKD) [1] has attracted significant attention by both science and industry. This interest is based on its security guaranteed by the laws of quantum mechanics. However, differences exist between the theory of QKD and its practical realisation. They can be exploited by an eavesdropper Eve to steal secret information. For example, a laser pulse attenuated to contain less than one photon on average still sometimes contains two or more photons, which contradicts theoretical assumptions in QKD. A photon-number-splitting attack that exploits these multi-photon pulses was historically the first QKD loophole shown in the year 2000 [2]. Since then, over twenty different other loopholes have been discovered.
The single-photon detector (SPD) currently seems to be the most unsafe QKD system element. There are several attacks focusing on it. Some of them create and exploit mismatch in photon detection efficiency between two or more detectors in the receiver Bob. These include efficiency mismatch in the time domain [7,8], wavelength [11,19], spatial mode [21], and during a deadtime [33]. Other attacks control the detector deterministically while blinding it with bright light [9,10,13] or injecting bright pulses at the closing edge of a detector gate [14,34] or in-between the gates [12]. The detector control attack was first proposed in 2009 [35] and found to be applicable to commercial QKD systems the following year [9]. A protection against the attacks on detectors is difficult because Bob has to receive all light from a transmission line with as low loss as possible. (In contrast, a sender Alice can be effectively isolated against attacks that inject light [29–31, 36].) Several countermeasures against the bright-light attacks on detectors have been proposed [9, 37–50]. The most radical one is a measurement-device-independent (MDI) QKD scheme that eliminates the detectors, and thus all their vulnerabilities, from the secure equipment [38]. However, it is less convenient and more costly for commercial implementation than the standard QKD schemes. Other approaches vary in their maturity and effectiveness. An optical power meter at Bob's entrance with a classical threshold [9] is not fast enough and may overlook a pulsed blinding attack. A random-detector-efficiency patch [40] was shown to contain unrealistic assumptions on hardware after a careful investigation [22]. A measurement of coincidence click rates [45] and application of a random optical attenuation [48] are at a proof-of-principle stage and need further tests. Optical power limiters [49,50] are not mature and sensitive enough to become a countermeasure. A more mature technology is the measurement of photodiode current to sense the blinding [37,41], which is implemented in some commercial SPDs [41,51]. However, its effectiveness as a countermeasure in QKD depends on implementation details and needs to be tested.
For a wide adoption of QKD as a data protection technology, it needs to have certification [52]. The certification standards for QKD include tests for the quality of countermeasures against the known vulnerabilities [53]. Formalising and automating the testing procedure would both simplify its application in a certification lab and reduce human factors. We are therefore developing an automated testbench and algorithm that tests SPDs against the bright-light attacks.
The contribution of this paper is two-fold. First, we report an automated setup for testing SPDs against the bright-light attacks. Second, we apply this setup to an SPD with the current-measurement countermeasure. The latter is proven effective against the attack that uses continuous-wave (cw) blinding [41]. This is confirmed with our automated testbench. However, this countermeasure might miss an attack that blinds the detector intermittently by light pulses [41,54]. We probe experimentally in a manual regime the limits of the existing countermeasure implementation. We then make recommendations for both countermeasure and testbench improvement that would hopefully make them complete and ready for certification.
The development of a complete countermeasure is nontrivial. In more than ten years elapsed since the discovery of these attacks [9], no countermeasure for non-MDI QKD systems has been independently tested and certified as secure. Although it is obvious in hindsight that the rudimentary countermeasure we test here is insufficient, this is not clear to an engineer designing it without the help of independent testers. We have chosen to focus our development on this type of countermeasure, because it is the simplest and cheapest to implement (being just some extra electronics in the SPD) and it has a potential to close this class of loopholes. However, our test methodology may be adapted to other types of countermeasures.
The paper is organised as follows. In Section II we describe the testbench setup, its software, and the detector under test. In Section III we report experimental results and simulate the attack. We discuss and conclude in Sec. IV.

II. EXPERIMENTAL SETUP
The SPD control attack using bright light can be realised in several ways. We distinguish three main types of it: continuous blinding [9,35], pulsed blinding [13,55], and after-gate attack [12]. Under the continuous blinding attacks, a cw laser light is applied to the SPD, which is then controlled continuously. Under pulsed blinding, the SPD is blinded and controlled for a period of time longer than the SPD's deadtime. The after-gate attack exploits controllability of gated SPDs in-between the gates, sending short bright pulses outside the gates. We think that testing for all three types of attacks can be automated.
Here we demonstrate the automated testing for continuous blinding. We perform the pulsed blinding manually, to better understand the requirements for its automation. The after-gate attack is not applicable to a free-running SPD chosen for our experiment.

A. Automated testbench
Our testbench setup is shown in Fig. 1 [9]. It uses two lasers, a pulsed one and a cw one. Light from each of them passes through an isolator for stability reasons and then a programmable attenuator. Attenuated light from both lasers is then combined on a 90:10 beamsplitter, whose outputs are connected to an optical power meter and the detector under test. A computer controls all the devices, runs a testing algorithm, and analyses the data.

B. Software and methodology
Our software for the automated testbench is written in LabVIEW. It works in two stages. At the first stage, the testbench blinds the SPD by the cw laser. At the second stage, it attempts to control the SPD by the pulsed laser (this method is similar to earlier manual experiments [9]). The program then saves a printable PDF report, an example of which is given in Fig. 5, and all the raw data collected. For this particular report example, the entire test sequence took about 1.5 h.
During the first stage, the program uses CL to apply cw power at the SPD, while PL is turned off. The attenuation of VOA1 is scanned through its full 60 to 0 dB range by a user-settable step (1 dB in our case). The power is measured by the PM and varies from approximately $2.3 \times 10^{-11}$ W (near the sensitivity limit of the PM) to $1.25 \times 10^{-5}$ W. At each power level, the detector click rate (measured by the counter) and photocurrent monitor readout value (explained in the next subsection) are recorded. If the click rate drops to zero, the SPD is considered to be blinded.
If the blinding is recorded at one or more power levels, the program proceeds to the second stage. It steps VOA1 again from the maximum attenuation at which the blinding has been recorded through 0 dB. At each power level, it also applies short pulses (240 ps full-width at half-magnitude, FWHM) from the PL at 10 kHz rate while scanning the attenuation of VOA2 from 60 to 0 dB by a user-settable step (1 dB in our case). The energy E of these control pulses is pre-calibrated and varies from $10^{-18}$ to $10^{-12}$ J. The detector click rate and monitor readout value are again recorded at each energy level. The program then analyses whether the detector clicks with above-zero probability in response to these control pulses (if it does, the SPD is declared controllable in the report) and whether a change of E by 3 dB or less leads to the change of click probability from 0 to 100%. The latter is a sufficient condition for a perfect attack on the Bennett-Brassard 1984 (BB84) QKD protocol [9]. The report also contains monitor readout plots under control, which may be analysed manually by the operator to see if the countermeasure is effective.
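The two-stage analysis described above, together with a check of the monitor readout, can be sketched as follows. This is an added Python example, not the authors' LabVIEW code: the function names, the PASS/FAIL rule and the intermediate click rates and probabilities are constructed for illustration, while the 3 dB criterion, the readout limit of 8100 (calibrated in Sec. III A) and the endpoint powers and energies are the values reported on this page.

```python
import math

MONITOR_LIMIT = 8100       # single-sample readout limit from Sec. III A of the page
CONTROL_WINDOW_DB = 3.0    # E_always/E_never criterion for full control

# Constructed sample scans; only the 2.96e-9 W, 7.56e-8 W, 1.26e-15 J and
# 2.51e-15 J points are values reported on the page.
CW_SCAN = [(2.3e-11, 410), (1.0e-10, 5200), (1.0e-9, 18000),
           (2.96e-9, 0), (7.56e-8, 0)]               # (cw power W, click rate Hz)
ENERGY_SCAN = [(1.00e-15, 0.0), (1.26e-15, 0.0), (1.58e-15, 0.31),
               (2.00e-15, 0.88), (2.51e-15, 1.0), (3.16e-15, 1.0)]  # (E in J, P(click))


def blinding_powers(cw_scan):
    """cw powers at which the click rate dropped to zero (SPD blinded)."""
    return sorted(p for p, rate in cw_scan if rate == 0)


def control_window(energy_scan):
    """Return (E_never, E_always) for one cw power; None if not reached.

    E_never is the highest energy below the first non-zero click probability,
    E_always the lowest energy from which every higher energy always clicks.
    """
    pts = sorted(energy_scan)
    e_never = None
    for energy, prob in pts:
        if prob > 0:
            break
        e_never = energy
    e_always = None
    for energy, prob in reversed(pts):
        if prob < 1:
            break
        e_always = energy
    return e_never, e_always


def window_db(e_never, e_always):
    """Width of the 0 % to 100 % transition in dB."""
    return 10 * math.log10(e_always / e_never)


def assess(cw_scan, energy_scan, monitor_under_attack):
    """Combine both stages with the monitor readouts taken during the attack."""
    blinded = blinding_powers(cw_scan)
    e_never, e_always = control_window(energy_scan)
    controllable = bool(blinded) and any(p > 0 for _, p in energy_scan)
    full_control = (controllable and e_never is not None and e_always is not None
                    and window_db(e_never, e_always) <= CONTROL_WINDOW_DB)
    # Assumed rule: the attack counts as revealed only if every readout taken
    # while the detector was blinded or controlled exceeds the calibrated limit.
    revealed = bool(monitor_under_attack) and min(monitor_under_attack) > MONITOR_LIMIT
    verdict = "PASS" if (not controllable or revealed) else "FAIL"
    return {
        "blinding_power_W": blinded[0] if blinded else None,
        "controllable": controllable,
        "E_never_J": e_never,
        "E_always_J": e_always,
        "full_control": full_control,
        "revealed": revealed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Readouts 14800, 15000 and 13405 are the cw-blinding values quoted on the page.
    for key, value in assess(CW_SCAN, ENERGY_SCAN, [14800, 15000, 13405]).items():
        print(f"{key}: {value}")
```

Feeding the same scans with readouts that stay below the limit turns the verdict into FAIL, which is the outcome an automated pulsed-blinding test would have to report for the detector described here.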

C. Detector under test
In this work, we investigate a free-running single-photon detector manufactured by QRate (serial number 3-054). This detector does not use gating, which makes it easy to use in a versatile educational kit [56] (whereas QRate's commercial QKD system employs a different detector model with sinusoidal gating that has improved performance [57]). Our free-running detector is based on an InGaAs/InP fiber-pigtailed APD (Wooriro WPACPGMOSSNCNP serial number PA19H262-0052) thermoelectrically cooled to −35 °C. The detector circuit uses passive quenching with enforced deadtime (Fig. 2) [57–59]. For Geiger-mode operation, the voltage across the APD should exceed its breakdown voltage by about 2 V. A high-voltage supply (HV; based on Maxim Integrated MAX1932) applies $V_\mathrm{bias} = +68.6$ V at the cathode of the APD via a current mirror and bias resistor R1. When the detector is waiting ready for an avalanche, a stray capacitance between the APD cathode and the circuit ground is charged to the same voltage. This capacitance, on the order of 1 pF, is not shown in the circuit diagram but is essential for the detector operation. Once the avalanche begins, the capacitance supplies its current and discharges via the APD and low-impedance circuits connected at the APD anode. The voltage across the APD quickly drops; once it about equals the breakdown voltage, the current reduces to a value when the avalanche no longer self-sustains and the avalanche then stops [60]. Note that in this passively-quenching circuit, the current supplied from HV via R1 is not sufficient to sustain the avalanche. It merely recharges the stray capacitance relatively slowly to $V_\mathrm{bias}$ after the avalanche quenches.
The onset of the avalanche current is sensed by an amplifier (Analog Devices HMC589AST89E) and high-speed comparator (Analog Devices ADCMP573), then expanded in duration to 70 ns with a single-shot generator, producing a logic signal at the output of the detector. To reduce afterpulsing, an enforced deadtime τ = 20 µs is applied by raising the voltage at the APD anode by 11.3 V. (This also ensures ending any occasional avalanche that does not cease via the passive quenching [60].) The deadtime driver removes this voltage at the end of the deadtime gradually via a variable resistor VR (implemented with a series of transistor switches), to avoid triggering additional avalanches [57,59]. Once this process is complete, the stray capacitance charges via R1 to $V_\mathrm{bias}$ and the detector becomes ready for the next avalanche. The photon detection efficiency of our detector sample is 2.2% at 1550 nm and the dark count rate D = 412 Hz.
We remark that a commercial QKD system would use a gated detector with a higher photon detection efficiency, such as the sinusoidally-gated detector [57], which we have also tested on this testbench without a countermeasure [61]. However, this free-running detector sample is sufficient for the initial development of our testbench and the countermeasure. Its low photon detection efficiency does not affect the test methodology. In the future, the countermeasure will also be implemented and tested in QRate's sinusoidally-gated detector.
FIG. 3. Monitor readout M as a function of a constant APD current $I_\mathrm{pd}$. The curve has been theoretically calculated based on the data sheets of the integrated circuits. Note that with $V_\mathrm{bias} = +68.6$ V and the resistor values used in this particular detector sample, $I_\mathrm{pd}$ cannot exceed about 6.8 mA.
To provide the countermeasure against detector blinding [9], the present free-running SPD employs a photocurrent monitor circuit (Fig. 2) [37,41]. The current $I_\mathrm{pd}$ flowing into R1 is copied by a current mirror, processed by a logarithmic converter (Analog Devices AD8305) configured with a reduced bandwidth, and digitised by an analog-to-digital converter (ADC; Microchip MCP3425) with 15-bit resolution. The analog-to-digital converter outputs a readout value which obeys this equation in a wide range of constant-current values from $10^{-9}$ to $10^{-2}$ A (Fig. 3). The logarithmic signal passes a low-pass frequency filter with 7.5 Hz rolloff (intrinsic to the ADCs of delta-sigma type) and is digitised at 15 Hz rate. The latest readout value is made available via a universal serial bus (USB) interface to a computer running either a detector monitoring software supplied by the manufacturer or user-written program like our testbench automation. The latter records a single sampled value whenever it takes a data point for the automatically generated report. These single values of M fluctuate significantly when the detector is producing random counts (the fluctuation is up to ±700 for dark counts, less at higher count rates). To reduce these random fluctuations, in manual measurements of pulsed blinding we have done additional averaging for each data point, sampling 30 readout values spread evenly over 14.5 s and calculating their mean. Note that the 7.5 Hz low-pass filter in the monitor circuit is placed after the logarithmic converter, which itself outputs a signal with a much higher bandwidth of the order of 1 kHz. When $I_\mathrm{pd}$ varies in time at a frequency faster than 7.5 Hz but below 1 kHz, this circuit does not average the photocurrent but rather averages its logarithm. The readout M then underestimates the mean value of $I_\mathrm{pd}$. This helps Eve in defeating this countermeasure, as we show below.

A. Countermeasure calibration
Before the monitor readout can be used to detect attacks, we need to estimate the values of M observed during normal operation of the QKD system. We simulate the single-photon regime by illuminating the SPD with laser pulses attenuated to 0.8 photon/pulse at a varying rate. The results are shown in Fig. 4. We assume a typical detector click rate in a modern QKD system is 20 kHz [62]. The monitor readout is then expected not to exceed 8100 for single sampled values (or 7900 averaged). Any value larger than that indicates an attack.

B. Continuous-wave blinding of detector
The continuous blinding attack is executed automatically by the testbench. The report (Fig. 5) includes the following plots: the dependence of the count rate and monitor readout value M on cw laser power (with PL off), the probability that the blinded SPD produces a click versus control pulse's energy E (each curve is at a different cw blinding power), the maximum pulse energy that never produces a click $E_\mathrm{never}$ and minimum energy that always produces a click $E_\mathrm{always}$ [9] versus the cw blinding power, and the dependence of M on the SPD click rate when it is being blinded and controlled (each curve is at a different cw blinding power). The software automatically analyses the click rates and makes conclusions that this detector is blindable and the click probability under control is non-zero. Note that the cw power and E are both scanned an order of magnitude or more above and below the values where the full control is observed.
We can manually analyse the monitor readout plots and see that the countermeasure catches this attack. When the SPD is blinded at 2.96 nW, the countermeasure registers M ≈ 14800, and under total control at 75.6 nW M ≈ 15000. This significantly violates the safety condition M ≤ 8100 calibrated in Sec. III A.
Report text (Fig. 5): The device under test is tested for vulnerability against a bright light attack in two steps. First, constant radiation with varied power is applied to try blinding. Successful blinding refers to a situation when constant radiation is applied to the detector, and the output of the device under test is 0 Hz. Second, control pulses with varied energy are added to try detector control. Successful pulse attack refers to the following conditions: the detector is blinded; control pulses are applied; detector count probability is more than 0. During the test the program searches for attack optimal parameters. The best
Here Enever is the maximum control pulse energy that does not cause a click; Ealways is the minimum control pulse energy that causes a click. Both Enever and Ealways depend on constant radiation power generated by CW laser.
For completeness, we also need to check M when the blinded SPD is controlled by the PL. The monitor readout drops perceptibly when the detector begins to click, while being otherwise independent of E (see Fig. 6 and the last plot in Fig. 5). The drop of M can be explained by the forced reduction of voltage across the APD during the deadtime, which decreases the APD's internal gain and thus its mean photocurrent in response to cw illumination. However, even the reduced M ≥ 13405 remains well above the "normal" monitor readout of 8100. This keeps the countermeasure effective against the continuous blinding.
We observe no temporary or permanent deterioration of the SPD during our tests. This type of APD-based detector is known to withstand 10 mW cw optical illumination without damage [10], which is higher than the optical power in our testbench.

C. Pulsed blinding of detector
The photocurrent-measuring countermeasure may be ineffective against the pulsed blinding attack [41,54]. In this attack, the SPD is blinded temporarily and controlled while blinded. It works in the normal photon counting mode between the blinding pulses. We modify our experimental setup slightly (Fig. 7) and use it to manually test the SPD. We first apply a 10 ms long blinding pulse of peak power P (measured by PM) at 20 Hz repetition rate and observe the detector clicks. The results are shown in Fig. 8. We use an oscilloscope (3.5 GHz bandwidth; LeCroy 735Zi) to select the clicks that occur during the blinding pulse and measure their rate. The complete blinding within the pulse occurs at P = 2.46 nW, which is almost the same power as in the cw blinding (2.96 nW).
The detector behaviour within the pulse closely resembles that under the cw blinding. If an additional short trigger pulse of energy E is applied during the blinding pulse, it responds with a click (Fig. 9). Less than 3 dB change of E is required to transition between 0 and 100% click probability. Note that the detector always clicks at the start of the blinding pulse, and often also at the end of it. Because of these additional uncontrollable clicks, it is beneficial for Eve to apply multiple trigger pulses during the blinding pulse. In Figure 10, control by four trigger pulses is illustrated. The response to the trigger pulse does not depend on its timing within the blinding pulse; the click probability changes less than 2% throughout. We have also verified that up to 199 trigger pulses spaced 20 µs apart (i.e., the exact length of the detector deadtime τ) applied during a longer 4 ms blinding pulse work as well. The monitor readout decreases slightly as the number of triggered clicks increases, similarly to the effect observed in Fig. 6. Finally, we check how the countermeasure responds to the pulsed blinding of different duty cycle values. We vary the blinding pulse width while keeping its repetition rate constant at 20 Hz, see Fig. 11. At this repetition rate, the blinding pulse can be as long as 20 ms without causing an abnormally high monitor readout of more than 7900. The low monitor readout under the pulsed blinding is partially explained by the unwisely constructed sequence of first taking the logarithm then averaging at the low-pass frequency filter in the photocurrent monitor circuit (Sec. II C). This implementation of the countermeasure is thus unable to detect the pulsed blinding of up to 40% duty cycle, which leaves Eve ample room for attack.

D. Intercept-resend attack model
The experimental results on pulsed blinding show that Eve has a significant degree of control over the SPD, while not being revealed by the countermeasure. This SPD behaviour violates the assumptions on a measurement apparatus made in most security proofs for QKD, in particular the independence of detection probability on Bob's basis choice [14], rendering these proofs inapplicable. We thus clearly cannot guarantee the security of QKD that employs such SPDs, regardless of whether we know how to construct Eve's attack in detail or not.
Nevertheless, here we attempt to model such attack. We assume the QKD system runs the BB84 protocol [1] with an active basis choice and two detectors at Bob. Eve intercepts Alice's output at the beginning of the lossy quantum channel using a receiver with a high detection efficiency and very low error rate. She then resends blinding pulses and faked states to Bob according to her measurement results [9]. We also assume Bob's dark counts are the only source of errors in the system without Eve. Let us approximately estimate Alice's and Bob's quantum bit error rate (QBER) under attack and the rate at which Eve can trigger clicks at Bob.
We consider one pulsed blinding period of length T, consisting of CT blinding time and (1 − C)T idle time, where C ∈ (0, 1) is the duty cycle. The blinding pulse causes a simultaneous click in both Bob's detectors at its start and, possibly, a click at its end. We assume these, on average, record in the raw key as two clicks, of which one is erroneous. During the blinding time Eve can induce ≳ CT/2τ controlled clicks at Bob (the exact number depends on Eve's detection rate and whether she can send faked states during Bob's deadtime). Bob also registers about 2(1 − C)TD dark counts during the idle time. Bob's click rate and
We stress that the above calculation is approximate and ignores lesser effects like double clicks at Bob, rate reduction owing to his detector deadtime, sources of errors other than Bob's dark counts, etc. Taking the experimental parameters from this paper (T = 50 ms, C = 0.4, etc.), we get $R_B \approx 10.5$ kHz and QBER ≈ 2.5%. These are reasonable parameters for a QKD system and it should generate a key. Since Eve is performing the intercept-resend attack, the generation of secret key under this attack is in fact impossible [63].
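The per-period click budget of the paragraph above, written out as an added Python example (not the authors' code). The two formulas are reconstructed here from the click counts stated in the text, assuming exactly CT/2τ controlled clicks per period and that half of Bob's dark counts are errors; they are not copied from the paper's equations, and `required_duty` is a hypothetical helper that inverts the rate formula to give the smallest duty cycle a monitor must reveal to deny a given click rate.

```python
def attack_estimate(T, C, tau, D):
    """Approximate click rate at Bob (Hz) and QBER for one blinding period.

    T   blinding period (s)        C  duty cycle, 0 < C < 1
    tau detector deadtime (s)      D  dark count rate per detector (Hz)
    """
    edge_clicks = 2.0                 # start/end-of-pulse clicks kept in the raw key
    edge_errors = 1.0                 # one of the two is erroneous (page's assumption)
    controlled = C * T / (2 * tau)    # faked-state clicks, taken as error-free
    dark = 2 * (1 - C) * T * D        # two detectors counting during the idle time
    dark_errors = dark / 2            # assumption: a dark count is wrong half the time
    clicks = edge_clicks + controlled + dark
    return clicks / T, (edge_errors + dark_errors) / clicks


def required_duty(target_rate, T, tau, D):
    """Duty cycle needed to reach target_rate (Hz), clamped to [0, 1]."""
    c = (target_rate * T - 2 - 2 * T * D) / (T / (2 * tau) - 2 * T * D)
    return min(max(c, 0.0), 1.0)


def rate_vs_deadtime(T, C, D, deadtimes):
    """Click rate for several deadtimes: a shorter tau gives a higher rate."""
    return [(tau, attack_estimate(T, C, tau, D)[0]) for tau in deadtimes]


if __name__ == "__main__":
    # Parameters stated on the page: T = 50 ms, C = 0.4, tau = 20 us, D = 412 Hz.
    rate, qber = attack_estimate(50e-3, 0.4, 20e-6, 412)
    print(f"R_B = {rate / 1e3:.1f} kHz, QBER = {qber * 100:.1f} %")
    print(f"duty cycle for that rate: {required_duty(rate, 50e-3, 20e-6, 412):.2f}")
    for tau, r in rate_vs_deadtime(50e-3, 0.4, 412, [20e-6, 10e-6, 5e-6]):
        print(f"tau = {tau * 1e6:.0f} us -> R_B = {r / 1e3:.1f} kHz")
```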
The main limitation of this attack is its ability to replicate $R_B$ expected by the legitimate users. Its value depends on the system implementation and the line loss, and for many practical settings is less than 10.5 kHz [64]. Also a faster QKD system would use detectors with shorter τ, which helps Eve obtain a higher $R_B$ [Eq. (2)]. If Bob's click rate under the attack is still insufficient to replicate the system performance expected by Alice and Bob, Eve can choose to bypass a fraction of Alice's photons into the quantum channel to Bob during the idle time. This strategy would not be an optimal attack. We would then need to consider Eve's key information versus the amount of privacy amplification Alice and Bob apply. We speculate that either attack strategy should also work with the decoy-state protocol [28], as this attack does not drastically affect the yield of different photon-number states.

IV. DISCUSSION AND CONCLUSION
Our testbench has tested the free-running SPD for cw blinding and control and made conclusions about it fully automatically, essentially replicating the well-known manual testing method [9,41]. A manual analysis of collected data shows that the countermeasure reveals the cw blinding reliably. We then manually demonstrate pulsed blinding and control of this SPD. The countermeasure fails to reveal the pulsed blinding of up to 40% duty cycle, allowing Eve to control the detector during the blinding pulses. Our modeling shows that the intercept-resend attack on QKD should then still be possible.
To build the testbench good enough for certification purposes, its automatic operation should be extended to pulsed blinding regimes. The testbench should also automatically analyse the countermeasure output under both cw and pulsed blinding, and make a pass/fail conclusion whether the countermeasure reveals all the attacks. Such extension of the testing algorithm is a topic for future work. In order to develop it, we need to have the SPD with a properly implemented countermeasure that reveals the pulsed attacks.
The existing countermeasure implementation fails to reveal the pulsed blinding primarily because of the very low ADC sampling rate of the photocurrent (15 Hz). Our results suggest that increasing the bandwidth and processing the monitor signal for peak detection would be a step in the right direction. Direct measurements of the signal at the output of the logarithmic converter with an oscilloscope suggest that an ADC with ∼1 MHz sampling rate or an analog comparator (i.e., a voltage threshold detector) would be sufficient to reveal the pulsed blinding. The necessary hardware can easily be added to the next version of QRate's free-running SPD. Implementing and testing this improved countermeasure, as well as adopting it for the sinusoidally-gated detector, will be our next study. Testing superconducting-nanowire single-photon detectors with a built-in countermeasure [55] is also a promising application.
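Why the log-then-average sequence (Sec. II C and III C) hides pulsed blinding, and what averaging the current itself or peak detection would change, shown as an added Python example that is neither the detector's firmware nor the authors' code. The low-pass filter is idealised as a plain average over one blinding period, readouts are expressed as equivalent currents because the monitor's transfer function is not reproduced on this page, and the three current values are constructed.

```python
import math

# Constructed values for illustration (not measurements from the page).
I_IDLE = 1e-8     # photocurrent between blinding pulses, A
I_BLIND = 1e-5    # photocurrent during a blinding pulse, A
I_LIMIT = 2e-7    # alarm threshold expressed as an equivalent current, A


def photocurrent(duty, i_idle, i_blind, n=1000):
    """One blinding period sampled at n points: i_blind for a fraction `duty`."""
    n_blind = round(duty * n)
    return [i_blind] * n_blind + [i_idle] * (n - n_blind)


def log_then_average(samples):
    """Logarithmic converter first, slow averaging second (the tested sequence).

    Returns the equivalent current 10**mean(log10 I), i.e. the geometric mean,
    which is never larger than the true mean current.
    """
    return 10 ** (sum(math.log10(i) for i in samples) / len(samples))


def average_then_log(samples):
    """Averaging the current itself before any logarithm: the arithmetic mean."""
    return sum(samples) / len(samples)


def peak(samples):
    """Peak detection on a wide-bandwidth signal, e.g. fast ADC or comparator."""
    return max(samples)


def max_undetected_duty(monitor, i_idle=I_IDLE, i_blind=I_BLIND, i_limit=I_LIMIT):
    """Largest duty cycle (percent, 1 % steps) whose readout stays within the limit."""
    best = 0
    for pct in range(0, 101):
        if monitor(photocurrent(pct / 100, i_idle, i_blind)) <= i_limit:
            best = pct
    return best


def compare():
    """Blind spot of each monitor design, in percent duty cycle."""
    return {
        "log_then_average": max_undetected_duty(log_then_average),
        "average_then_log": max_undetected_duty(average_then_log),
        "peak": max_undetected_duty(peak),
    }


if __name__ == "__main__":
    for name, pct in compare().items():
        print(f"{name}: pulsed blinding undetected up to {pct} % duty cycle")
```

With these constructed currents the geometric-mean readout tolerates tens of percent duty cycle, the arithmetic mean about one percent, and the peak detector none; the exact figures depend on the assumed currents and threshold.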
The quantum key distribution protocol needs to be amended to take input from the countermeasure. One obviously secure method is to discard the entire accumulated raw key and start a new QKD session whenever an abnormally high monitor readout value occurs. A less wasteful approach might be to discard potentially compromised raw key data in a limited time range that surrounds the abnormally high monitor readout, while continuing the current QKD session. We remark that the countermeasure might occasionally be triggered by benign transient events like electromagnetic interference, computer glitch, or optical line maintenance [22]. If the problem persists over multiple key distillation sessions, it might be a good idea to alert the human operator of the system of this abnormality, which may be caused by a technical malfunction or the actual attempt of attack.
We finally remark that our testbench does not test for effects that may appear at higher optical power, such as thermal blinding [10] and laser damage of APD [18]. While the thermal blinding can be tested in this setup, the laser damage requires significant modifications of the testbench [27,36].

FIG. 4. Monitor readout M under detector illumination by 0.8-photon pulses. The leftmost point is for unilluminated detector with dark counts only, while the other points are under illumination at a laser pulse rate from 10 kHz to 1 MHz. An estimated "normal" detector click rate of 20 kHz or less results in single sampled values of M < 8100.
REPORT ON AUTOMATED TESTING OF SINGLE PHOTON DETECTOR FOR BRIGHT LIGHT CONTROL
Test completed on: 2022-09-19 12:15
TEST SETTINGS
Power range: 2.3E-11 W - 1.25E-5 W
Laser pulses energy range: 10E-18 J - 10E-12 J
Pulse frequency: 10 kHz
PARAMETERS ADDED BY OPERATOR
SPD: 3-054
CW - blinding step: 1 dB
CW - control step: 1 dB
PL - control step: 1 dB
RESULTS
Is SPD blind? TRUE; Blinding attenuation of CW laser: 24 dB
Blinding power: 2.96E-9 W
Successful pulse attack: TRUE
Minimum power of CW laser, when Ealways/Enever is less or equal to 3 dB: 7.56E-8 W
Enever, when Ealways/Enever is less or equal to 3 dB: 1.26E-15 J
Ealways, when Ealways/Enever is less or equal to 3 dB: 2.51E-15
FIG. 5. Report generated by software after automated test of cw blinding and control. The multiple curves in the third and fifth plots are taken at cw power values shown in the fourth plot. See text for details.

FIG. 7. A modified setup for testing detector control under pulsed blinding. BPL, blinding pulse laser [1552 nm, 40 mW, Allwave Lasers SWLD-1550-100-PM(DBF)]. The pulse generator drives BPL directly and induces long laser pulses. The pulsed laser (PL) is also driven by the pulse generator directly and emits a relaxation-limited short laser pulse with 240 ps FWHM delayed with respect to the start of the BPL pulse. The counter typically accumulates clicks over 1 s for each data point.

FIG. 9. Control of SPD within 100 µs long blinding pulses applied at 20 Hz rate. (a) Click probability versus trigger pulse energy E. Click probabilities under cw blinding are shown for comparison. The probabilities are measured over $10^{3}$ pulses. (b) The blinding and trigger pulses, the latter being of 240 ps FWHM and applied 50 µs after the start of the blinding pulse. (c) Detector output at P = 309 nW and E = $10^{-15}$ J. This trigger pulse never causes a click. (d) The trigger pulse energy is increased by 3 dB to $2 \times 10^{-15}$ J. It always causes a click.
FIG. 11. Monitor readout under pulsed blinding at different duty cycle values of the blinding illumination, at 20 Hz repetition rate of the blinding pulses. 100% is cw blinding, 50% is 25 ms long blinding pulse, 40% is 20 ms long blinding pulse, etc. Dotted horizontal lines indicate an expected countermeasure readout in the normal photon counting mode at 20 kHz click rate and at the dark count rate (as calibrated in Sec. III A). Dotted vertical lines indicate the minimum blinding power and minimum cw power at which $E_\mathrm{always}/E_\mathrm{never} \le 2$.