Lydersen et al. reply:

We are glad that our results have improved awareness and stimulated discussions concerning the imperfections of detectors, particularly among the leading research groups that use APDs in QKD systems. Yuan et al. propose a method to avoid the blinding of gated APD-based detectors, such as those used in the two commercial QKD systems addressed in our recent publication1. Our experimental data from Clavis2 indicate that the countermeasure suggested by Yuan et al. will make it more difficult to blind gated detectors.

However, for gated detectors, avoiding blinding is insufficient to avoid our attack. Gated detectors operate in linear mode between the gates, and the trigger pulse can therefore be applied directly after the gate (discarding these clicks based on arrival times seems to be impractical because of detector jitter). We remarked that this causes afterpulses1, but in fact the after-gate attack can fully compromise the security for a wide range of system parameters2. Even outside this range, one must quantify in a proof-of-security how well Eve may perform. Removing the bias resistor and lowering the comparator threshold does not avoid exploiting the linear mode between gates. In fact, lowering the comparator threshold reduces the required trigger pulse power, and thus probably improves the after-gate attack by reducing afterpulsing.

Furthermore, it seems that the detectors can still be blinded even with the changes proposed by Yuan et al.; simply removing the bias resistor has turned out to be insufficient. In our recent paper3, we removed the bias resistor from Clavis2 but were still able to blind the detectors in several ways. Yuan et al. did not observe thermal blinding from continuous-wave illumination. This may be due to the lower comparator threshold and/or insufficient heating, as they illuminate only one APD instead of two, while operating at a higher temperature, which effectively increases the cooler capacity.

Even if the bias resistor is removed and the discrimination level is set just above the capacitive charging signal, the detectors seem to be vulnerable to sinkhole blinding3. In sinkhole blinding, the APD is illuminated between the gates. With a suitable duty cycle of the blinding illumination, it should be straightforward to blind the detector while keeping the comparator input well below the amplitude of the capacitive signal.

Monitoring the photocurrent of the APDs is like using a power meter at Bob's entrance, which we discussed in our original paper1. Furthermore, this will not reveal the after-gate attack.

It seems that the countermeasure proposed by Yuan et al. does not prevent our general attack of tailored bright illumination. So far, we have been able to blind and control every APD-based detector that we have looked at thoroughly (albeit with different techniques), including three different passively quenched detectors4, one actively quenched detector5 and two different gated detectors1,2,3.

In our opinion, this discussion shows how important it is to close the QKD security loophole in a thorough and provable way. We doubt that this can be achieved efficiently in small increments of intuitive patches, which will cause rapid iterations and so force manufacturers to update their QKD systems frequently. We are confident that APD-based single-photon detectors can be, and will be, made secure by a proper implementation of QKD combined with a sufficiently general security proof.

As a final remark, we want to emphasize that in our experiments1,2,3 the QKD systems were treated as black boxes, just as they would be for Eve. We reverse-engineered the detector circuitries (realistically, Eve can buy a copy of Bob and do the same) and non-intrusively recorded the detector response during our experiments. Clavis2 shipped with its factory settings ready for QKD, including the discrimination level, which we used for our experiments. As pointed out in our Supplementary Information1, QPN 5505 did not ship with factory settings, but we followed the manual and used the settings that gave us the best QKD performance.