Abstract
We analyze realistic vulnerabilities of decoy-state quantum key distribution (QKD) arising from the combination of laser damage attack (LDA) and unambiguous state discrimination (USD). While decoy-state QKD is designed to protect against photon-number-splitting and beam-splitting attacks by accurately estimating the single-photon fraction, it relies on stable attenuation to prepare pulses with fixed mean-photon numbers. An eavesdropper (Eve) can exploit LDA to irreversibly alter the optical components on Alice's side, effectively increasing the mean-photon numbers beyond the decoy-state security regime. We show that once the alteration exceeds a critical threshold-on the order of 10-20 dB-Eve can implement an efficient USD-based intercept-resend strategy using current off-the-shelf technology, thus obtaining the entire secret key. Numerical simulations confirm that for sufficiently elevated mean-photon numbers, Eve's conclusive measurement outcomes skew the decoy-state statistics, yet remain undetected by standard security checks. We further demonstrate how a modified USD setup employing an additional beam splitter can reduce the required threshold, facilitating Eve's attack. Additionally, we introduce the pseudo-photon-number resolution USD attack, which allows Eve to emulate all observable gains at Bob's side so that she remains fully undetectable even with advanced statistical checks. Our findings emphasize the need for robust safeguards against high-power laser damage in QKD systems, including careful hardware selection, rigorous testing under high-power illumination, and real-time monitoring to ensure the integrity of the decoy-state protocol.