Adversarial Limits of Quantum Certification: When Eve Defeats Detection

Adversarial Limits of Quantum Certification: When Eve Defeats Detection Davut Emre Taşar Independent Researcher, Madrid, Spain detasar@gmail.com Abstract The security of quantum key distribution (QKD) relies on certifying that observed correlations arise from genuine quantum entanglement rather than eavesdropper manipulation. While theoretical security proofs assume idealized conditions, practical certification must contend with adaptive adversaries who optimize their attack strategies against detection systems. We establish fundamental adversarial limits for quantum certification using Eve-GAN, a generative adversarial network trained to produce classical correlations indistinguishable from quantum statistics. Our central finding is striking: when Eve interpolates her classical correlations with quantum data at mixing parameter α ≥0.95, all tested detection methods achieve ROC AUC = 0.50, equivalent to random guessing. This means an eavesdropper needs only 5% classical admixture to completely evade detection. Critically, we discover that same- distribution calibration—a common practice in prior certification studies—inflates detection performance by 44 percentage points compared to proper cross-distribution evaluation, revealing a systematic methodological flaw that may have led to overestimated security claims. Analysis of the Popescu-Rohrlich (PR-Box) regime identifies a sharp phase transition at CHSH S = 2.05: below this value, no statistical method distinguishes classical from quantum correlations; above it, detection probability increases monotonically. Hardware validation on IBM Quantum demonstrates that Eve-GAN achieves CHSH = 2.736, remarkably exceeding real quantum hardware performance (CHSH = 2.691), illustrating that classical adversaries can outperform noisy quantum systems on standard certification metrics. These results have immediate implications for QKD security: adversaries maintaining 95% quantum fidelity evade all tested detection methods. We provide corrected methodology using cross-distribution calibration and recommend mandatory adversarial testing for quantum security claims. Keywords: adversarial machine learning, quantum certification, generative adversarial net- works, QKD security, Bell inequality, calibration leakage. 1 Introduction Quantum key distribution promises information-theoretic security by exploiting fundamental properties of quantum mechanics [1, 2, 3]. The security of device-independent QKD protocols relies on certifying that shared correlations exhibit genuine quantum nonlocality through Bell inequality violations [4, 5], with loophole-free experimental demonstrations now firmly established [19, 20, 21]. An eavesdropper (Eve) constrained to local hidden variable models should be detectable via sub-threshold Bell values: correlations satisfying |S| ≤2 are certified as classical, while violations indicate quantum origin [6, 7]. Device-independent security proofs [22, 23] and self-testing protocols [24] provide theoretical foundations for such certification. This reasoning contains a subtle but critical assumption: that Eve cannot mimic quantum statistics sufficiently well to evade detection. We address this gap through Eve-GAN, a generative adversarial network [8, 17] trained to produce classical correlation matrices indistinguishable from genuine quantum correlations. Our approach draws on the broader adversarial machine 1 arXiv:2512.04391v1 [quant-ph] 4 Dec 2025 learning literature, where carefully crafted perturbations can cause state-of-the-art classifiers to fail [18]. Our investigation yields four principal findings: First, we establish the α ≥0.95 detection limit (Figure 2). When Eve’s classical correlations are mixed with quantum data at ratio α ≥0.95, none of the tested detection methods—including TARA-k, TARA-m, direct CHSH comparison, and multi-feature ensemble classifiers—achieve performance significantly above random chance (AUC ≤0.502). While we cannot rule out the existence of more sophisticated detection methods, this represents a strong empirical lower bound on adversarial robustness. Second, we discover the 44-point leakage problem. Same-distribution calibration inflates detection AUC by 44 percentage points compared to proper cross-distribution calibration, a systematic methodological flaw that may affect prior quantum certification studies [14]. Third, we identify a phase transition at CHSH S = 2.05 in the superquantum regime. Below this value, none of our tested statistical methods reliably distinguish classical from quantum correlations; above it, detection probability increases monotonically. Fourth, we demonstrate the Eve advantage paradox. On IBM Quantum hardware, Eve-GAN achieves CHSH = 2.736, exceeding the real hardware value (CHSH = 2.691) on this metric. 2 Threat Model Before presenting technical details, we formally define the adversarial scenario. 2.1 Adversary Capabilities Eve’s knowledge: • Full knowledge of the certification protocol (TARA-k, TARA-m, or any

This content is AI-processed based on open access ArXiv data.