Quantum secure direct communication (QSDC) constitutes a vital branch of quantum communication, enabling the direct transmission of confidential information without relying on pre-shared keys or complex key management infrastructures. The concept was originally introduced by Long et al. [1], and its foundational framework was further refined by Deng et al. [2]. Over the subsequent decades, QSDC has witnessed substantial theoretical progress, as evidenced by a series of influential works [3–20]. In addition, considerable developments have been made across several subfields, such as continuous-variable protocols [21–23], quantum error-correcting codes [24, 25], quantum networks [26–29], and quantum-memory-free protocols [30]. Experimentally, the field has also achieved significant milestones, including the realization of single-photon-based [31–34], entanglement-based [35, 36], and continuous-variable QSDC systems [37–39], along with advances in quantum network implementations [40, 41].

Although QSDC is theoretically absolutely secure, information leaks may occur in practical applications due to imperfect devices. Imperfect light sources and detectors, in particular, introduce vulnerabilities that eavesdroppers can exploit. In response, a range of robust protocols has been developed. Notable among these are measurement-device-independent (MDI) QSDC [42–50] and device-independent (DI) QSDC [51–55]. The former removes detector-side vulnerabilities by relaying measurements to an untrusted third party, while the latter certifies security through the violation of Bell’s inequality, thus ensuring robustness against general eavesdropping strategies. In theory, DI protocols are capable of resisting all side-channel attacks targeting implementation devices. However, such protocols currently face severe limitations in photon transmission loss and transmission distance [56, 57]. Moreover, experimental realizations of device-independent quantum key distribution (DI-QKD) were not achieved until 2022 [58–60], and experimental DI-QSDC has yet to be realized. Therefore, considering the practical complexity involved, the QSDC protocols that are currently approaching practical application are predominantly grounded in single-photon-based (DL04) protocol.

Currently, the DL04 protocol has been proven secure against photon-number-splitting (PNS) attacks and collective attacks [61–63]. However, to date, no quantitative analysis has been conducted on the security of this protocol against optical injection attacks, such as Trojan-horse attack (THA) triggered by device reflections. During the THA process, an eavesdropper injects concealed photons into the transmitting device. These photons interact with internal optical components—such as modulators or phase shifters—and are subsequently reflected out of the system. By collecting and analyzing these reflected photons, the eavesdropper can extract confidential information without triggering conventional security monitoring. Such attacks often evade detection by mimicking legitimate signal patterns, employing techniques such as collecting back-reflected light, manipulating source characteristics, or exploiting timing vulnerabilities [64–69]. In addition, THA also poses a serious threat to multi-party quantum communication, including measurement-device-independent quantum key distribution (MDI-QKD) [70], quantum secure sharing (QSS) [71], quantum conference key agreement (QCKA) [72] and quantum cryptographic conferencing (QCC) [73].

To investigate the impact of THA on QSDC systems, this paper conducted a comprehensive analysis, covering attack principles, security analysis using a weak coherent pulse (WCP) source combined with the decoy-state method, and numerical simulations. Our work aims to: (i) establish a THA model targeting the DL04 QSDC protocol; (ii) derive the secrecy message capacity under THA and extend the formulation to incorporate decoy-state analysis; and (iii) quantitatively evaluate the relationship between attack intensity and system performance through numerical simulations.

This paper is structured as follows. In Section 2, we begin with a concise overview of the DL04 protocol steps, along with Eve’s attack strategy. Subsequently, a security analysis is conducted for the first and second rounds of transmission under THA, leading to the derivation of secrecy message capacity expressions for both rounds under such attacks. Furthermore, the analysis is extended by incorporating decoy-state techniques, establishing the estimated single-photon error rate and single-photon yield. In Section 3, we perform numerical simulations to examine how THA affects the secrecy message capacity and the maximum communication distance. In Section 4, we provide a discussion of the results and summarize the conclusions.

This paper presents an analysis of a THA targeting the DL04 protocol, and the corresponding system structure is illustrated in Fig. 1. We begin by outlining the DL04 protocol, which involves two parties — the sender Bob and the receiver Alice — and consists of five steps in total.

(i) Bob performs random phase encoding on the initial single-photon state |+⟩=\frac{1}{\sqrt{2}}(|H⟩+|V⟩), where |H⟩ and |V⟩ denote the horizontal and vertical polarization states, respectively. Subsequently, this state is processed by the encoding device, which generates four single-photon states \left\{|+⟩,|-⟩,|R⟩,|L⟩\right\}, corresponding to \frac{1}{\sqrt{2}}(|H⟩+{\mathrm{e}}^{\mathrm{i}{\alpha }_{\mathrm{B}}}|V⟩) with phase values {\alpha }_{\mathrm{B}}=\{0,\pi ,\pi /2,3\pi /2\}. The X basis comprises the states \left\{|+⟩=\frac{1}{\sqrt{2}}(|H⟩+|V⟩),|-⟩=\frac{1}{\sqrt{2}}(|H⟩-|V⟩)\right\}; the Y basis is defined as \left\{|R⟩=\frac{1}{\sqrt{2}}(|H⟩+\mathrm{i}|V⟩),|L⟩=\frac{1}{\sqrt{2}}(|H⟩-\mathrm{i}|V⟩)\right\}. Then, Bob sends these encoded single photons to Alice.

(ii) Upon receiving the photons, Alice randomly selects a subset of them as samples for an eavesdropping check. For each sampled photon, she randomly selects a measurement basis (X or Y), performs the measurement, and then announces the photon’s position, her chosen basis, and the measurement outcome. Using an authenticated classical channel, Alice and Bob compare their results to estimate the detection bit error rate (DBER).

(iii) If the DBER remains below a pre-agreed threshold, Alice proceeds with the following steps. First, she randomly selects a subset of the received photons for random encoding, which is a process used for error estimation. Subsequently, she performs information encoding on the remaining photons. Specifically, Alice applies a operation U=|H⟩⟨H|+{\mathrm{e}}^{\mathrm{i}{\alpha }_{\mathrm{A}}}|V⟩⟨V| to \{|+⟩,|-⟩,|R⟩,|L⟩\}, where the phase value {\alpha }_{\mathrm{A}} is chosen from the set \left\{0,\pi \right\} to encode a secret information bit: {\alpha }_{\mathrm{A}}=0 corresponds to bit 0, and {\alpha }_{\mathrm{A}}=\pi corresponds to bit 1. Then, Alice returns the encoded sequence of photons to Bob.

(iv) Bob receives and stores the photon sequence. Subsequently, Alice announces the position of the randomly encoded photon within the sequence. Bob then randomly selects either the X basis or the Y basis for measurement. After the measurement succeeds, Alice announces the specific details of the random encoding performed in Step 3. Then, Bob extracts these designated photons to perform the second round of security testing and compute the quantum bit error rate (QBER).

(v) Upon successful completion of the second security check, Bob infers Alice’s encoded information based on his initial state information and the decoded information.

As shown in Fig. 1, for Eve, she has two opportunities to execute THA, including attacking on both the first-round transmission and the second-round transmission.

During the first-round transmission, Eve can execute the THA. Specifically, during Step 1 of the protocol, she injects a bright pulse of Trojan photons ({\mu }_{\mathrm{i}\mathrm{n}}, prepared as coherent states |\sqrt{{\mu }_{\mathrm{i}\mathrm{n}}}⟩) into Bob’s encoding device to probe the secret phase {\alpha }_{\mathrm{B}}. These externally injected photons co-propagate with Bob’s own single-photon signal and experience the same phase modulation. Due to the reflectivity of the encoding device, a fraction of the modulated Trojan photons (|{\mathrm{e}}^{\mathrm{i}{\alpha }_{\mathrm{B}}}\sqrt{{\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}}⟩, where {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}=\beta {\mu }_{\mathrm{i}\mathrm{n}} and \beta \ll 1 quantifies the optical isolation of the encoding device) is reflected out of the encoder. By collecting and analyzing the phase of these reflected photons, Eve can influence the results of basis selection measurements, causing Alice’s basis selection measurements to deviate, thereby affecting the error rate and leading Alice to underestimate the error rate. By combining collective attacks, Eve can obtain more information.

During the second-round transmission, Eve executes THA by sending a large number of Trojan photons to Alice’s encoding device in the third step. After undergoing encoding operations, some Trojan photons are similarly reflected outward due to the reflection mechanism. Eve gathers these reflected photons {\mathrm{e}}^{\mathrm{i}{\alpha }_{\mathrm{A}}} (when {\alpha }_{\mathrm{A}} is 0 or \pi, it corresponds to the values +1 and −1, respectively). Therefore, Eve can use appropriate measurements to distinguish between the resulting coherent states |+\sqrt{{\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}}⟩ and |-\sqrt{{\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}}⟩. This allows her to gain access to the encoded information.

In this section, we analyze the secrecy message capacity of the protocol under Eve’s attacks during the first and second rounds of transmission.

In the first round, Eve inputs Trojan photons |+\sqrt{{\mu }_{\mathrm{i}\mathrm{n}}}⟩ into Bob’s encoding device. Then, these photons undergo the same phase encoding as the initial state |+⟩=\frac{1}{\sqrt{2}}(|H⟩+|V⟩). After performing the encoding operation, the encoded Trojan photons become coupled with the four single-photon states generated by Bob’s encoding, the portion of reflected photons collected by Eve can be expressed as tensor products:

where {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}} is the average number of reflected photons from Bob’s encoding device. The subscript \mathrm{B}\mathrm{E} indicates that the quantum state belongs to Bob and Eve.

First, the original DL04 protocol secrecy message capacity formula can be expressed as [8]

where Q_{\mu }^{\mathrm{B}\mathrm{A}\mathrm{B}} is the overall signal gain of Bob after a round-trip BAB, and E_{\mu }^{\mathrm{B}\mathrm{A}\mathrm{B}} is the QBER. Q_{\mu ,n}^{\mathrm{B}\mathrm{A}\mathrm{E}} denotes the gain of n-photon events from Eve. e_{x,1}^{\mathrm{B}\mathrm{A}} and e_{y,1}^{\mathrm{B}\mathrm{A}} are the single-photon error rates under the X basis and Y basis, respectively. Similarly, e_{x,2}^{\mathrm{B}\mathrm{A}} and e_{y,2}^{\mathrm{B}\mathrm{A}} are the two photon error rates under the X basis and Y basis, respectively. h(x) is the binary entropy function, which is defined as h(x)=-x{\log }_{2}x-(1-x){\log }_2(1-x).

Additionally, since the two-photon component contributes less to the protocol, we cite the simplified formula in Ref. [9] to analyze the secrecy message capacity of the protocol, which can be represented as follows:

Since THA causes measurement inaccuracies in the protocol, it leads to deviations in Alice’s basis selection, thereby affecting the single-photon error rate. Therefore, the secrecy message capacity formula for the DL04 protocol after suffering a THA is

The term e_{x,1}^{{\mathrm{B}\mathrm{A}}^{\prime }} (e_{y,1}^{{\mathrm{B}\mathrm{A}}^{\prime }}) is the single-photon error rate estimated in a virtual protocol, where Alice measures in the Y(X) basis and Bob announces the X(Y) basis, defined as [76]

where y=min\left[y_x,y_y\right], y_x and y_y are the single-photon yields in the X and Y basis, respectively. In practice, Bob selects either the X basis or Y basis with equal probability when encoding single photons. When subjected to a THA at Bob’s end, this equilibrium is disrupted. Therefore, we utilize the “quantum coin” \mathrm{\Delta } [76] to quantify the severity of the attack. Since quantum coins \mathrm{\Delta } are affected by the actual yield obtained from the X or Y basis, the communicating parties must accordingly renormalize \mathrm{\Delta } to {\mathrm{\Delta }}^{\prime }, referred to as the effective coin imbalance (see Appendix B for details).

In the second transmission round, Eve inputs Trojan photons |+\sqrt{{\mu }_{\mathrm{i}\mathrm{n}}}⟩ into Alice’s encoding device. Then, Alice performs encoding operations, which involve applying an operation U=|H⟩⟨H|+{\mathrm{e}}^{\mathrm{i}{\alpha }_{\mathrm{A}}}|V⟩⟨V| to \left\{|+⟩,|-⟩,|R⟩,|L⟩\right\}. When {\alpha }_{\mathrm{A}} is 0, the phase remains unchanged, equivalent to an I=|0⟩⟨0|+|1⟩⟨1| operation; when {\alpha }_{\mathrm{A}} is \pi, the phase is inverted, equivalent to a Z=|0⟩⟨0|-|1⟩⟨1| operation. Therefore, the output from Alice’s encoding device can be represented as

The subscripts \mathrm{A} and \mathrm{E} indicate that the reflected photons belong to Alice and Eve, respectively. After Eve performs the THA operation in the second round, since Alice’s encoding operation is state-independent, Eve’s system becomes independent from both Alice’s and Bob’s systems. This means Eve’s attack will not cause any errors. In this scenario, Eve’s eavesdropping remains undetected by Alice and Bob, and she merely needs to discriminate between the two coherent states |+\sqrt{{\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}}⟩ and |-\sqrt{{\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}}⟩, to obtain the encoded bit information from Alice’s end.

The information entropy accessible to Eve can be determined from the eigenvalues of the corresponding Gram matrix [74]. For the states under consideration, the Gram matrix is given as follows:

The eigenvalues of the Gram matrix are {\lambda }_1=\frac{1}{2}+\frac{1}{2}{\mathrm{e}}^{-2{\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}} and {\lambda }_2=\frac{1}{2}-\frac{1}{2}{\mathrm{e}}^{-2{\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}}. Then, the amount of information leakage caused by Eve executing THA in the second round is expressed as I(\mathrm{A}:\mathrm{E})=h({\lambda }_1)=h({\lambda }_2).

Therefore, the secrecy message capacity formula for Eve after performing THA only on the second round of transmission can be expressed as

where Q_{\mu ,\mathrm{e}\mathrm{n}\mathrm{c}\mathrm{o}\mathrm{d}\mathrm{e}\mathrm{r}}^{\mathrm{B}\mathrm{A}\mathrm{E}} denotes the gain when Eve intercepts the photon and Alice completes the encoding operation.

Considering the worst-case scenario, we assume that the information obtained from the first round of attacks and the second round of attacks is non-overlapping. Attacking with both rounds can be regarded as the cumulative effect of the first and second rounds of attacks. Therefore, when Eve performs THA during both the first and second rounds, the secrecy message capacity for the QSDC system is derived from Eqs. (4) and (7) as follows:

In this section, we estimated the single-photon error rate for the first round and the second round using the decoy-state method.

In this paper, we assume that the single-photon error rates under the X basis and Y basis are equal, i.e., e_{x,1}^{\mathrm{B}\mathrm{A}}=e_{y,1}^{\mathrm{B}\mathrm{A}}=e_1^{\mathrm{B}\mathrm{A}}. The use of the decoy-state method in QSDC can effectively defend against PNS attacks and collective attacks. In here, we employ four decoy states with intensities \mu, v_1, v_2, and v_3 (where \mu denotes the signal-state intensity). The upper bounds of single photon DBER e_1^{\mathrm{B}\mathrm{A}} are given by [8]

where

In addition, the signal state and decoy state intensity we utilize must also satisfy the following conditions:

In numerical simulations, based on the inequality conditions in Eq. (12), we set the strength of the decoy state as: v_1=0.7\mu, v_2=0.445\mu, and v_3=0.3\mu. The parameters in Table 1 are primarily used for numerical simulations [8].

Figure 2(a) illustrates the secrecy message capacity during the first round of the THA attack. It is worth noting that the secrecy message capacity corresponding to the value of {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-8} remains indistinguishable from the no attack case ({\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}=0) over almost the entire range of transmission. In addition, we note that when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}} increases to {10}^{-3}, the secrecy message is still all stolen by Eve, i.e., the secrecy message capacity vanishes entirely. Finally, when the attack intensity {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-4} is applied, the maximum secrecy message capacity achievable is 1.89\times {10}^{-4} bit/pulse, with a maximum secure communication distance of 6.97 km.

Figure 2(b) illustrates the secrecy message capacity during the second round of the THA attack. As shown in Fig. 2(b), we observe that for an average reflected photon number {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}} reaches the magnitude of {10}^{-4}, the secrecy message capacity remains nearly indistinguishable from the unattacked case over almost the entire transmission distance. Compared with Fig. 2(a), when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}} is uniformly set to {10}^{-4}, the system can still achieve a maximum secrecy message capacity of 3.23\times {10}^{-4} bit/pulse and a maximum secure communication distance of 16.68 km. Unlike the scenario where the THA targets only the first round, selecting the maximum attack strength {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-2} allows the system to attain a maximum secrecy message capacity of 2.07\times {10}^{-4} bit/pulse and a maximum secure communication distance of 9.18 km. These results collectively indicate that confining the THA to the second transmission round substantially reduces its effectiveness relative to an attack launched solely in the first round. From a physical standpoint, this is because Eve’s attack in the first round affects Bob’s quantum state, and by combining it with a coherent attack, she can obtain a greater amount of information. But when Eve conducts a THA during the second transmission round, although her activities remain undetectable to the legitimate parties, she can only extract information by distinguishing among a constrained number of reflected photons. Consequently, the amount of information she acquires is substantially reduced compared to an attack mounted in the first round.

Figure 3(a) illustrates the secrecy message capacity of the first round of the THA attack after numerical optimization. There is a trade-off between the total gain Q and the error rate E. A larger \mu increases the probability of photon reception, thereby improving the response rate; however, it also increases the multiphoton component, leading to more information leakage to Eve. These two influences contribute positively and negatively to the secrecy message capacity, and our so-called numerical optimization is to find an appropriate value of \mu in the channel attenuation such that the equilibrium point between the two effects can be achieved at a specific \mu. As shown in Fig. 3(a), when the attack is relatively weak, the impact is minimal. For instance, when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-7} and {10}^{-8}, at a channel attenuation of 6 dB, the message capacities are 1.41\times {10}^{-5} bit/pulse and 1.73\times {10}^{-5} bit/pulse, respectively, with maximum communication distances of 17.80 km and 17.46 km. For comparison, when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}=0, the secrecy message capacity is 4.13\times {10}^{-5} bit/pulse, and the maximum communication distance is 17.96 km. As attack intensity gradually increases, both secrecy message capacity and maximum communication distance decrease accordingly. For example, at an attack intensity of {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-5} and {10}^{-6}, the secrecy message capacities at a channel attenuation of 5 dB are 6.68\times {10}^{-6} bit/pulse and 4.56\times {10}^{-5} bit/pulse, respectively, with maximum communication distances of 13.71 km and 16.46 km. Notably, when the attack strength increases again to the {10}^{-3} magnitude, the secrecy message is still all stolen by Eve, i.e., the secrecy message capacity is always zero.

Figure 3(b) illustrates the secrecy message capacity of the second round of the THA attack after numerical optimization. Numerical simulation results indicate that when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}} is set to {10}^{-8} and {10}^{-4} under a 7 dB channel attenuation, the secrecy message capacities are 5.54\times {10}^{-7} and 1.79\times {10}^{-7} bit/pulse, respectively. With maximum communication distances of 17.80 and 17.63 km, respectively. Therefore, we conclude that when attack intensity is low, the impact is minimal. However, as attack intensity increases, the resulting impact grows rapidly. When attack intensity reaches {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-2}, the maximum secrecy message capacity is 1.07\times {10}^{-3} bit/pulse, and the maximum secure communication distance reaches 9.85 km.

Figure 4 illustrates the secrecy message capacity of the THA attack over two rounds under finite decoy states and infinite decoy states following numerical optimization. Here, we employ Eqs. (A3) and (A7) to calculate the error rate and yield under the theoretical model, respectively. The values calculated by this theoretical model are equivalent to those computed under conditions of infinite decoy states. Provided that the stolen secrecy message is non-repeating, Fig. 4 can be regarded as a simple accumulation of Figs. 3(a) and (b). For example, when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-8}, at a channel attenuation of 6 dB, the secrecy message capacity under finite and infinite decoy-state conditions is 1.41\times {10}^{-5} bit/pulse and 1.84\times {10}^{-5} bit/pulse, respectively, with maximum communication distances of 17.32 km. As attack intensity gradually increases, both secrecy message capacity and maximum communication distance decrease accordingly. For example, at an attack intensity of {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-6}, the secrecy message capacities at a channel attenuation of 5 dB are 4.55\times {10}^{-5} bit/pulse and 4.88\times {10}^{-5} bit/pulse, respectively, with maximum communication distances of 16.32 km. Similar to Fig. 3(a), when the attack intensity increases again to {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-3}, the secrecy message capacity is zero. In summary, under infinite decoy states, the secrecy message capacity is slightly higher than under finite decoy states, while the maximum secure communication distance remains consistent.

In this work, we have presented a comprehensive security analysis of THA on the DL04 protocol. By developing a detailed threat model and combining WCP source with the decoy-state method, we derived analytical expressions for the secrecy message capacity under attacks targeting the first round, the second round. Our numerical simulations are based on practical experimental parameters and are visualized in Figs. (2), (3) and (4). They yield several key, quantifiable insights into the system’s security.

First, the system’s security is highly sensitive to the average number of reflected Trojan photons, {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}. We identify a critical boundary: In the first round, for {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}\le {10}^{-8}, the secrecy message capacity and maximum communication distance remain nearly identical to the attack-free case ({\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}=0). In contrast, when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}} increases to {10}^{-3}, the secrecy message capacity drops to zero, indicating compromised security. This threshold underscores the necessity of stringent optical isolation in encoder design to suppress {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}} below {10}^{-8}. In the second round, when , the secrecy message capacity and maximum communication distance are nearly identical to those under no attack conditions. Therefore, this threshold range slightly reduces the requirements for optical isolators.

Second, we reveal a pronounced and operationally significant asymmetry in vulnerability between the two transmission rounds. Figure 2 provides a direct comparison: a first-round attack at strongest ({\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-2}) nullifies the secrecy message capacity [Fig. 2(a)], whereas a second-round attack at the same intensity still supports a maximum secrecy message capacity of 2.07\times {10}^{-4} bit/pulse and extends the maximum secure distance to 9.18 km [Fig. 2(b)]. This stark contrast arises from a fundamental difference in Eve’s information-gain mechanism. During a first-round attack, she influences the quantum state and matches collective attacks to obtain more information. Consequently, this significantly compromises security. In the second round, she could theoretically steal more information undetected. However, in practice, she can only obtain information by distinguishing a limited number of reflected photons, resulting in substantially less information compared to the first round.

Finally, Fig. 3 demonstrates the practical value of numerical optimization for the system. Figure 4 illustrates the secrecy message capacity of the THA attack over two rounds under finite decoy states and infinite decoy states following numerical optimization. By strategically adjusting the signal strength \mu according to channel attenuation, we can balance the trade-off between higher photon reception probability and increased multi-photon leakage. Figure 3(a) shows that optimization recovers performance even under moderate attack strength (e.g., achieving 6.68\times {10}^{-6} bit/pulse at 5 dB for {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-5}). By comparison, Fig. 3(b) shows that when attack strength is {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-4}, a performance of 1.79\times {10}^{-7} bit/pulse can still be achieved at 7 dB. Therefore, the second round of attacks has a relatively minor impact on the protocol’s secrecy message capacity. The values in Fig. 4 can be regarded as a simple summation of those in Figs. 3(a) and (b). Numerical simulations show that when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}={10}^{-4}, the secrecy message capacity becomes zero under 3 dB channel attenuation conditions. This result further demonstrates that when THA attacks both the first and second transmission rounds, the first round of attacks is dominant.

Our results bridge a critical gap in QSDC security analysis, as prior work on THA has focused primarily on QKD [64–67]. Unlike QKD, where THA targets detector vulnerabilities, QSDC’s direct encoding of the secrecy message into quantum states makes it uniquely susceptible to phase leakage via reflected photons. This distinction underscores the necessity of tailored security frameworks for QSDC, such as the one presented here. Our research findings provide guidance on safety boundaries for practical system design.

As captured by Eq. (1) and Eq. (6), the overall effect of the THA is fully characterized by the parameter {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}. Therefore, the derived secrecy message capacity holds for any QSDC system that enforces a strict upper bound on the number of Trojan photons reflected back to Eve at the transmitter. Traditionally, to prevent THA attacks at their source, typical countermeasures include the use of optical isolators or optical power limiters [77, 78]. These components significantly attenuate externally injected optical signals, thereby reducing the effectiveness of such attacks. However, recent studies indicate that under high power optical illumination, the attenuation of optical attenuators and the isolation of optical isolators degrade, potentially allowing Eve to resume light injection attacks [79]. When combined with THA, this compromises the security of QSDC systems. Fortunately, significant advances have been made in THA defense strategies. For example, in 2022, Chen et al. [80] employed reference technology to enhance the security of four-phase MDI-QKD protocols under imperfect real-world light sources. By constructing a reference state representation, this method systematically characterizes and quantifies potential vulnerabilities such as light source preparation defects, mode-dependent side channels, pulse correlations, and THA, correlating these parameters with experimentally measurable data. In 2026, Chen et al. [81] proposed and experimentally verified an improved coherent one-way quantum key distribution (COW-QKD) protocol. By employing quantum state modulation using only vacuum and coherent states, this method avoids potential side-channel leaks caused by imperfections in light sources, a common issue in traditional decoy-state protocols. In addition, Wei et al. [82] proposed a numerical method to enhance the security boundary of decoy-state QKD systems under THA. Lastly, fully passive QSDC protocols [83] — which avoid active modulation of quantum states — offer a promising approach to mitigate side-channel risks introduced by THA. In terms of experiments, Avesani et al. [84] developed a polarization encoder capable of producing predefined polarization states with a fixed reference frame in free space, achieving long-term stability without requiring calibration at either the transmitter or receiver. Building on this work, Toni et al. [85] introduced an adaptive countermeasure that utilizes such a polarization encoder to effectively suppress THA. In practice, these methods intrinsically suppress the value of {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}, and when combined with decoy-state techniques, they collectively improve the practical security of the system. This direction aligns with recent progress in passive quantum communication protocols [86–92], reflecting a growing research focus on achieving robust, device-agnostic security.

It should be noted that our analytical framework is not directly applicable to other types of quantum communication protocols without modification. For example, the MDI-QSDC protocol introduces additional complexity due to its reliance on untrusted third parties and a measurement-device-agnostic architecture. In such a setting, THA may target not only the encoding devices of the legitimate users but also the measurement stations. Although the current model does not extend straightforwardly to the measurement side, the core methodology — bounding information leakage via reflected photons from the encoding module — remains transferable. Specifically, by examining the encoding operations of both Alice and Bob, as well as the characteristics of the corresponding reflected optical signals, analogous adaptation strategies can be developed. Hence, future work could aim to generalize this framework to accommodate MDI-QSDC systems.

Notably, our security analysis is based on asymptotic assumptions, whereas practical systems must account for finite-key effects. Therefore, our results should be regarded as upper bounds on performance under ideal conditions. A more comprehensive finite-key analysis will be addressed in future research. We plan to address this limitation in future work by incorporating finite-key effects into the security model [93, 94]. This will enable us to derive more precise estimates of the secrecy message capacity and security thresholds, thereby providing more practical guidance for selecting experimental parameters.

To analyze the security of QSDC systems under THA, we establish a comprehensive system model encompassing the light source, quantum channel, and detection components, with key parameters defined as follows.

The transmission efficiency of the quantum channel is characterized by signal attenuation, expressed as

where {\alpha }^{\mathrm{p}\mathrm{a}\mathrm{t}\mathrm{h}} denotes the quantum channel losses and \mathrm{p}\mathrm{a}\mathrm{t}\mathrm{h}\in \{\mathrm{B}\mathrm{A},\mathrm{B}\mathrm{A}\mathrm{B}\}, where \mathrm{B}\mathrm{A} denotes the initial transmission path and \mathrm{B}\mathrm{A}\mathrm{B} denotes the two-way path (Bob \to Alice \to Bob) involving round-trip photon transmission.

The total transmission efficiency, accounting for both channel loss and device imperfections, is

where {\eta }_{\mathrm{o}\mathrm{p}\mathrm{t}}^{\mathrm{p}\mathrm{a}\mathrm{t}\mathrm{h}} are the specific device’s inherent optical losses and {\eta }_d^{\mathrm{p}\mathrm{a}\mathrm{r}} denotes the detection efficiency associated with either Alice or Bob, i.e., \mathrm{p}\mathrm{a}\mathrm{r}\in \left\{\mathrm{A}\mathrm{l}\mathrm{i}\mathrm{c}\mathrm{e},\mathrm{B}\mathrm{o}\mathrm{b}\right\}.

The channel’s yield and gain are determined to ascertain the secrecy message capacity. The yields of n-photon signals at the locations of Alice and Bob, respectively, can be represented as Y_n^{\mathrm{A}} and Y_n^{\mathrm{B}}, which can be expressed as

where Y_0^{\mathrm{p}\mathrm{a}\mathrm{r}} is the zero-photon yield. (1-Y_0^{\mathrm{p}\mathrm{a}\mathrm{r}})(1-{\eta }^{\mathrm{p}\mathrm{a}\mathrm{t}\mathrm{h}}{)}^n means that all photons are lost during quantum channel transmission and no dark count occurs.

We can ascertain the overall signal gain and error rate by developing the aforementioned channel model. The overall signal gain can be expressed as follows:

where P(n,\mu )=\frac{{\mathrm{e}}^{-\mu }}{n!}{\mu }^n is the Poisson distribution of photon numbers with average \mu, and Q_{\mu ,n}^{\mathrm{p}\mathrm{a}\mathrm{t}\mathrm{h}} are the n-photon signal gain at Alice or Bob.

According to Ref. [8], the total signal gain of Eve can be computed as follows:

where {\eta }^{\mathrm{B}\mathrm{A}\mathrm{E}} represents the total transmission efficiency of the information that Eve acquires after Alice receives and encodes the photon, and {\eta }^{\mathrm{B}\mathrm{A}} symbolizes the total transmission efficiency of the photon that Alice receives and measures. Similarly, we can calculate the error rate of our QSDC protocol as follows:

Here, we construct the error model e_n{Y}_n^{\mathrm{p}\mathrm{a}\mathrm{r}} as

where e_0^{\mathrm{p}\mathrm{a}\mathrm{r}} is the error rate resulting from dark counts, and e_d^{\mathrm{p}\mathrm{a}\mathrm{r}} is the detector error response rate. e_0^{\mathrm{p}\mathrm{a}\mathrm{r}} is assumed to be 0.5, which means when no photons arrive, one of the two detectors may produce an erroneous reading due to dark counting, with a probability of 0.5.

Here, we employ entanglement-based quantum state preparation [76]. The states to be prepared are given in Eq. (1). We rewrite them here for convenience:

The X basis states can be prepared by Bob by measuring in the basis \left\{|+⟩,|-⟩\right\} the following entangled state:

The Y basis states of Eq. (B1) can be prepared by Bob by measuring in the basis \left\{|R⟩,|L⟩\right\} the following entangled state:

where the states |{\mathrm{\Psi }}_X⟩ and |{\mathrm{\Psi }}_Y⟩ are hard to distinguish when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}\to 0. Using

we find

When {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}\to 0, the inner product of |{\mathrm{\Psi }}_X⟩ and |{\mathrm{\Psi }}_Y⟩ approaches 1. This implies that the states |{\mathrm{\Psi }}_X⟩ and |{\mathrm{\Psi }}_Y⟩ largely overlap. Consequently, it becomes difficult to distinguish whether the emitted state originated from the choice of the X basis or the Y basis. Meanwhile, since the attack analysis considers the single-photon scenario, we consider the worst-case scenario, i.e., two-photon and above information leakage is taken as 1. Therefore, the secrecy message capacity for the DL04 protocol using X or Y basis random preparation would be [9]

where Q_{\mu }^{\mathrm{B}\mathrm{A}\mathrm{B}} is the overall signal gain of Bob after a round-trip BAB. E_{\mu }^{\mathrm{B}\mathrm{A}\mathrm{B}} is the QBER. Q_{\mu ,n}^{\mathrm{B}\mathrm{A}\mathrm{E}} denotes the gain of n-photon events from Eve. The terms e_{x,1}^{\mathrm{B}\mathrm{A}} and e_{y,1}^{\mathrm{B}\mathrm{A}} denote the single-photon error rates under the X basis and Y basis, respectively.

In our worst-case scenario analysis, we attribute full information leakage (h(e)=1) to multi-photon events (n\ge 2). This is a standard and conservative approach in quantum cryptography, justified by the PNS attack, where Eve can perfectly split off and store one photon from a multi-photon pulse without introducing detectable loss. While this might overestimate Eve’s actual information gain, it ensures the unconditional security of the remaining secrecy message capacity.

When the preparation is not perfect, the states |{\mathrm{\Psi }}_X⟩ and |{\mathrm{\Psi }}_Y⟩ will become basically distinguishable, and the above secrecy message capacity formula needs to be replaced by the following:

where the term e_{x,1}^{{\mathrm{B}\mathrm{A}}^{\prime }} (e_{y,1}^{{\mathrm{B}\mathrm{A}}^{\prime }}) is the single-photon error rate, where Alice chooses Y-based measurements while Bob declares X basis (or Alice chooses X basis measurements while Bob declares Y basis). In other words, the terms e_{x,1}^{{\mathrm{B}\mathrm{A}}^{\prime }} and e_{y,1}^{{\mathrm{B}\mathrm{A}}^{\prime }} are upper bounds on the single-photon error rate.

To find the relationship between the upper limit of the single-photon error rate e_{x,1}^{{\mathrm{B}\mathrm{A}}^{\prime }} and e_{y,1}^{{\mathrm{B}\mathrm{A}}^{\prime }}, we can assume that Bob owns a private bidimensional quantum system, the “quantum coin” [76], and prepares the following state:

where the subscript C denotes the quantum coin. |H⟩ and |V⟩ denote the two quantum states prepared in the Z basis, respectively. Bob can then prepare the states in Eq. (B1) by first measuring the quantum coins in the basis of \left\{|H⟩,|V⟩\right\}, and then based on the results of the measurements of the states |{\mathrm{\Psi }}_X⟩ or |{\mathrm{\Psi }}_Y⟩ obtained by measuring them based on \left\{|+⟩,|-⟩\right\} or \left\{|R⟩,|L⟩\right\}, respectively.

To quantify how Bob’s emitted state depends on the basis choice, we examine the imbalance of the quantum coin. First, we rewrite Eq. (B9) in the Z basis:

In addition, we also need to evaluate the probability that two states |{\mathrm{\Psi }}_X⟩ and |{\mathrm{\Psi }}_Y⟩ are different. A useful way to do this is to consider what would happen if Bob measured each of his coins based on the X eigenstates rather than the Y eigenstates; the result X=-1 (associated with the state |-⟩) would then occur with probability \mathrm{\Delta } that

It should be emphasized that \mathrm{\Delta } quantifies the degree of leakage of the “basis correlation” at the source end, and Eve exploits this correlation to enhance the efficiency of her attacks.

By combining Eq. (B5), we can further derive the probability of \mathrm{\Delta } [75]

We can find that when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}=0, \mathrm{\Delta }=0, the quantum state emitted by Bob is independent of the basis. However, when {\mu }_{\mathrm{o}\mathrm{u}\mathrm{t}}>0, \mathrm{\Delta } is positive, and the quantum state carries some basis information out of Bob’s device. Eve can utilize some basic information to enhance her attack strategy. Specifically, since not all signals from the source are necessarily detected, Eve can replace the actual channel with a lossless one. Then, it will selectively drop some states that are unfavorable until the loss rates measured by both communicating parties match. To account for this possibility, we must consider the worst-case scenario in which all undetected events come from the X=1 eigenstates of the quantum coin, and adjust \mathrm{\Delta } accordingly:

where y=min\left[y_x,y_y\right], y_x and y_y denote the single-photon yields measured under the X basis and Y basis, respectively. The relationship between the estimated upper limit of the single-photon error rate, e_{x,1(y,1)}^{{\mathrm{B}\mathrm{A}}^{\prime }}, and the theoretical single-photon error rate, e_{x,1(y,1)}^{\mathrm{B}\mathrm{A}}, can be obtained by utilizing the Bloch sphere bound [95] and the effective coin imbalance {\mathrm{\Delta }}^{\prime }.

We now introduce the relevant mathematical objects. Let {\rho }_x and {\rho }_y denote the density matrices of the X and Y basis states, respectively, when preparation errors are taken into account. Let \left\{E_n\right\} represent a POVM set [96]. The fidelity between these two density operators, which relates to the statistical overlap of measurements, satisfies the following inequality:

We make the following assumptions for our security analysis. For each signal state that Bob sends: If Bob announces the X basis, the joint state of his qubit and the bosonic mode is {\rho }_x. If Bob announces the Y basis, the joint state is {\rho }_y. Alice’s detection efficiency is independent of the basis choice. Under these conditions, let y_x and y_y denote the measurement probabilities corresponding to the joint states {\rho }_x and {\rho }_y, respectively. In addition, there are three kinds of results in the POVM set: one is to output “Uncertain” when Alice’s measurement result is uncertain; the other is to output “Consistent” when Alice utilizes X basis to make a measurement and the result is certain and consistent with Bob’s X basis result; the other is to output “Consistent” when Alice utilizes Y basis to make a measurement and the result is certain and consistent with Bob’s Y basis result. Third, when Alice’s X basis measurement result is certain, but the result is consistent with Bob’s X basis measurement result, the output is “consistent”. When Alice’s X basis measurement result is certain but inconsistent with Bob’s X basis measurement result, the output is “inconsistent”. Then inequality (B14) is further written as

For fixed values of y_x+y_y, the right-hand side of the inequality obtains its maximum value when y_x=y_y. Thus, defining y=(y_x+y_y)/2 further yields

Note that Eve’s attack does not increase the distinguishability of {\rho }_x and {\rho }_y, so we have

where \mathrm{\Delta } quantifies the dependence of Bob’s sending signaling state on the basis. By combining Eq. (B13), Eq. (B16) and Eq. (B17) can be obtained:

If further using the Cauchy−Schwartz inequality [97], the upper bound for e_{x,1(y,1)}^{{\mathrm{B}\mathrm{A}}^{\prime }} can be estimated as