We report here a new side channel attack on a practical continuous-variable (CV) quantum key distribution (QKD) system.
Inspired by blinding attack in discrete-variable QKD, we formalize an attack strategy by inserting an external light into
a CV QKD system implemented Gaussian-modulated coherent state protocol and show that our attack can compromise
its practical security. In this attack, we concern imperfections of a balanced homodyne detector used in CV QKD. According
to our analysis, if one inserts an external light into Bob’s signal port, due to the imperfect subtraction from the
homodyne detector, the leakage of the external light contributes a displacement on the homodyne signal which causes
detector electronics saturation. In consequence, Bob’s quadrature measurement is not linear with the quadrature sent by
Alice. By considering such vulnerability, a potential Eve can launch a full intercept-resend attack meanwhile she inserts an
external light into Bob’s signal port. By selecting proper properties of the external light, Eve actively controls the induced
displacement value from the inserted light which results saturation of homodyne detection. In consequence, Eve can bias
the excess noise due to the intercept-resend attack and the external light, such that Alice and Bob believe their excess noise
estimation is below the null key threshold and they can still share a secret key. Our attack shows that the detector loopholes
also exist in CV QKD, and it seems influence all the CV QKD systems using homodyne detection, since all the practical
detectors have finite detection range.