0+1 = .

R S|M = (5.28)

2 2

5 Attack Strategies on QKD Protocols 79

For the Shannon entropy we also get either 0, if Eve guessed the same basis as

Alice and 1 otherwise. This results in a Shannon entropy of

2

1 1

H S|M = 4 =. (5.29)

8 2

This strategy gives more information to Eve than the naive approach (cf. Eq. 5.16)

or the I&R attack in the Breidbart basis (cf. Eq. 5.25).

5.2.2 Entanglement-Based Attacks

5.2.2.1 BB84-Like Protocols

Another strategy for Eve is to use entanglement to interact with the signal sent by

Alice. In this case Eve prepares a probe for each signal, entangles the probe with

it and then passes only the signal on to Bob. Later on, Eve is able to perform a

measurement or any other quantum operation on the probe in her possession to gain

information about the original signal. As pointed out above, the analysis in this

chapter is restricted to individual attacks only. Thus, we will just look at scenarios

where Eve performs her operation on one single probe. An operation on a subset or

even all of the probes is a coherent measurement, as described above, which will

not be discussed here.

Taking the BB84 protocol [2] which we also referred to in Sect. 5.2.1, a rather

simple strategy for Eve is to use an entangled pair, i.e., one of the Bell states

1 1

|¦ p m = √ |00 ± |11 |Ψ p m = √ |01 ± |10 (5.30)

2 2

and to perform a measurement in the Bell basis on the photon coming from Alice

together with one of the entangled photons. This is equal to a quantum teleportation

scheme [4, 5, 20] where the unknown signal state is teleported onto Eve™s probe

1

±|H + β|V √ |H H + |V V =

2

1

|¦ + ±|H + β|V + |¦ ’ ±|H ’ β|V (5.31)

2

+ |Ψ + ±|V + β|H + |Ψ ’ ±|V ’ β|H .

Eve is able to keep her probe until Alice reveals her basis choice and measure

it in the correct basis to obtain full information. If we look at the average collision

probability and Eve™s Shannon information about Alice™s bit we see that

Pc = 1 1 ’ H S|M = 1.

and (5.32)

80 S. Schauer

Eve has full information about the bit Alice sent. Nevertheless, the signal, which

Eve has forwarded to Bob is now in a Bell state, i.e., it has lost every information

about Alice™s basis choice and is in a completely mixed state. Bob will obtain a

random result upon a measurement in the H/V as well as in the +/’ basis which is

easy to see from Bob™s average collision probability Pc = 1 . Thus, Alice and Bob

2

will detect too many errors during their sifting phase (around 50%) and therefore

will abort the protocol.

As we see, regarding the BB84 protocol, Eve gains full information about Alice™s

bit using this attack strategy but the average collision probability is the same com-

pared to the full I&R strategy (cf. Eq. 5.27). Thus, she can gain no additional infor-

mation from this strategy.

But what if Alice and Bob use entangled states for communication as in the Ekert

protocol [15]? A strategy for Eve in this case is to prepare her probes in the state

|H and perform a controlled NOT (CNOT) operation (cf. Eq. 5.33) on the signal

and her probe

CNOT12 = |H H | — I + |V V | — |0 1| + |1 0| . (5.33)

The CNOT operation is a quantum operator acting on two qubits, a source and a

target. If the source is in the state |V , a NOT or ¬‚ip operation is performed on the

target qubit. The subscripts in Eq. 5.33 denote which qubit is the source (¬rst index)

and which is the target (second index). This is convenient if the CNOT operation

is applied on a state consisting of more than two qubits to avoid confusions. The

CNOT operation applied on the signal coming from Alice and Eve™s probe will alter

the state into

1

CNOT23 |¦ + — |H = √ |H H H + |V V V . (5.34)

2

The resulting state is a GHZ state [17] which has the special property that if one

of the photons is measured the other two photons immediately collapse into a certain

state depending upon the measurement result. In case of Eq. 5.34 if Alice measures

in the H/V basis, Bob and Eve will obtain the same result as Alice if they also

perform their measurement in the H/V basis. In case Alice uses the +/’ basis,

Bob™s measurement result in the same basis will not correlate with Alice™s result

50% of the times. For the collision probability and Shannon information this means

Pc = 1 1 ’ H S|M = 1

and (5.35)

if Alice and Bob measure in the H/V basis. For a measurement in the +/’ basis,

Bob obtains the same result as Alice with probability Pc = 1 . Therefore, the

2

overall information Eve obtains on each secret bit is 1 ’ H (S|M) = 0.75, which is

signi¬cantly more compared to the I&R strategies discussed in Sect. 5.2.1. Never-

theless, an error is detected with probability 0.5 every time Alice and Bob use the

+/’ basis. This unbalanced occurrence of errors makes it easy for Alice and Bob

to identify the presence of Eve.

5 Attack Strategies on QKD Protocols 81

5.2.2.2 ZLG Attack

Besides the Ekert protocol, there are other entanglement-based protocols which

make use of a phenomenon of quantum mechanics called entanglement swapping

[40, 9]. Entanglement swapping is a special case of quantum teleportation where

a completely mixed state is teleported and thus the entanglement between certain

photons is changed. An attack strategy based on entanglement swapping is a rather

theoretical approach because the realization is very complex due to limitations of the

physical apparatus. Nevertheless, attack strategies based on entanglement swapping

have to be considered because Eve could have the physical means to perform such

attacks and some protocols have already been shown to be insecure against them.

An example for a protocol open to an attack based on entanglement swapping is

a protocol presented by Adan Cabello [13]. In this protocol Alice has two entangled

pairs in the state |Ψ ’ 12 and |Ψ + 35 , whereas Bob has one pair in the state |Ψ + 46

(cf. (1) in Fig. 5.4). Alice sends qubit 2 to Bob and performs a Bell state measure-

ment on qubits 1 and 3 in her possession which entangles qubits 2 and 5 due to

entanglement swapping:

1

|Ψ ’ +

|¦ ’ +

’ |¦ + ’

12 |Ψ = 13 |¦ 13 |¦

35 25 25

2 (5.36)

’ + + ’

+ |Ψ 13 |Ψ ’ |Ψ 13 |Ψ .

25 25

In detail, if qubits 1 and 3 are in the state |Ψ ’ 13 after the Bell state measurement,

Alice knows that qubits 2 and 5 are in the state |Ψ + 25 (cf. (2) and (3) in Fig. 5.4).

After receiving qubit 2 from Alice, Bob also performs a Bell state measurement on

qubits 2 and 4 and obtains, for example, |¦ + 24 . Now, qubits 5 and 6 are in the

entangled state |¦ + 56 (cf. Eq. 5.37 and (4) in Fig. 5.4).

1

|Ψ + +

|¦ + +

’ |¦ ’ ’

25 |Ψ = 24 |¦ 24 |¦

46 56 56

2 . (5.37)

+ + ’ ’

+ |Ψ 24 |Ψ ’ |Ψ 24 |Ψ

56 56

Bob sends qubit 6 to Alice, who is able to determine the state of qubits 5 and

6 by measuring them in the Bell basis. She publicly announces her result and both

parties are able to calculate the state of qubits 1, 3 and 2, 4, respectively. Alice and

Bob use these two states to agree upon a shared secret key.

In a comment [38] on the Cabello protocol Zhang, Li, and Guo presented an

attack strategy which gives an adversary full information about the key shared

between Alice and Bob (we will call this the ZLG attack further on). The idea is

that Eve prepares an entangled pair |Ψ + 78 and uses qubit 7 to replace qubit 2 ¬‚ying

to Bob (cf. (2) in Fig. 5.5). Since Bob™s measurement on qubits 4 and 7 entangles

qubits 6 and 8, Eve intercepts qubit 6 coming from Bob and performs a Bell state

measurement on it together with qubit 8. As we have seen above, qubits 2 and 5

are in the state |Ψ + 25 according to Alice™s measurement. Based on the outcome

82 S. Schauer

Alice Bob Alice Bob

¦’

12

¦’

12

(2)

(1)

+

+

¦ ¦ +

+

¦ ¦

46

35 46

35

Alice Bob Alice Bob

Ψ+

Ψ’ ¦+

Ψ’

25

13 13 24

(3) (4)

+

¦ Ψ+

46

56

Alice Bob

¦+

Ψ’

13 24

(5)

+

Ψ

56

Fig. 5.4 Illustration of the protocol in [13]

Bob

Bob

Alice Eve Eve

Alice

¦’

12

¦+

¦’ +

¦ 78

12

78

(1) (2)

¦+ ¦+ ¦+ ¦+

35 35 46

46

Alice Eve Eve Bob

Alice

Bob

+ +

Ψ Ψ

¦+ 25

25

’

Ψ’ ¦+

Ψ 78

¦+

13 13 48

(3) (4)

67

¦+

46

Alice Eve Bob Alice Eve Bob

Ψ+

25

’

¦+ Ψ’ ¦+

Ψ I

13 48 13 48

(5) (6)

¦+ ¦+

+

Ψ

67 67

25

Fig. 5.5 Illustration of the ZLG attack scenario [38]

5 Attack Strategies on QKD Protocols 83

of her measurement, Eve knows the exact result of Bob™s measurement (cf. (4) in

Fig. 5.5). Moreover, she also knows how to change the state of qubits 2 and 5 such

that the state of qubits 5 and 6 will correspond to Alice™s and Bob™s result. Therefore,

Eve uses one of the Pauli operators I, σx , σ y , and σz onto qubit 2 to alter the state

|Ψ + 25 (cf. (5) in Fig. 5.5). When Eve returns qubit 2 to Alice, Alice performs her

measurement and will obtain a result correlated to Bob™s measurement outcome,

as it would be expected (compare (5) in Fig. 5.4 and (6) in Fig. 5.5). Since Eve™s

qubits 6 and 8 are in the same state as Bob™s qubits 4 and 7, Eve is able to obtain

full information about the key between the two legitimate communication partners

without being noticed.

As a reaction Cabello published an addendum [14] to his protocol. There he

described a solution to the problem, i.e., a way to secure the protocol in [13] against

the ZLG attack. Cabello suggested to use the Hadamard operation H , which alters

the Bell states as in the following way:

1

H |¦ ± = √ |¦ “ ± |Ψ ± = |ω±

2

(5.38)

1

H |Ψ ± = √ |Ψ “ ± |¦ ± = |χ ± .

2

In detail, Alice and Bob exchange qubits 2 and 6 as in the original protocol but

they perform their Bell state measurements afterward (cf. (2) and (3) in Fig. 5.6).

Additionally, Alice decides randomly whether or not to perform a Hadamard oper-

ation on qubit 3 in her possession, which alters the state accordingly to

1

|Ψ ’ +

|¦ ’ +

’ |¦ + ’

12 |χ = 13 |ω 13 |ω

35 25 25

2 (5.39)

’ + + ’

+ |Ψ 13 |χ ’ |Ψ 13 |χ .

25 25

Alice announces her choice together with the result of her measurement on qubits

5 and 6. If Alice does not use the Hadamard operation, both parties follow the

original protocol. Otherwise, Bob also performs a Hadamard operation on qubit

4 to undo the effects of the operation (cf. (4) in Fig. 5.6). Then he performs the

Bell state measurement on qubits 2 and 4. Due to application of the Hadamard

operation, Eve is not able to ¬nd a correct Pauli operation, when performing the

ZLG attack, and thus Alice™s and Bob™s measurement results will not be correlated.

If we take a look at the average collision probability for the ZLG attack, we get

Pc = 0.75, which is equal to the full I&R attack (cf. Eq. 5.27 in Sect. 5.2.1.3).

Eve will be detected with a probability of 1 ’ (0.75)n for n compared bits during

the sifting phase, which can be made arbitrarily close to 1. The average information

Eve learns about the intercepted qubits is the same as in the entanglement attack

using the CNOT operation as described in Sect. 5.2.2.1. In case Alice does not

apply the Hadamard operation, Eve is still able to obtain full information while

staying undetected. Whenever Alice applies the Hadamard operation, Bob will not

84 S. Schauer

Alice

Alice Bob

Bob

¦’

12

’

¦

H

12

¦+

(1) (2)

+

+ +

¦ ¦ ¦ 46

46

35 35

Bob

Alice Alice Bob

¦’

12

Ψ’ χ+

13 25

¦+ (3) (4)

ω + 46

35

¦+

46

Alice Bob Alice Bob

ω+

Ψ’ Ψ’ ¦+

24

13 13 24

(5) (6)

+

+

Ψ

Ψ H

56

56

Fig. 5.6 Illustration of the revised protocol presented by Cabello [14]

get a correlated result from his measurement in 50% of the times. This gives Eve an

information of 1 ’ H (S|M) = 0.75 for each bit, but she will be detected easily due

to the high and unbalanced occurrence of errors.

In the same year, Adan Cabello presented another protocol [12] for quantum

key distribution and quantum secret sharing which is also open to a similar kind

of attack. In this protocol three parties are involved which are able to distribute a

key among them or share a secret between two of them. Therefore, each party is

in possession of an entangled pair, i.e., |¦ + 12 , |¦ + 4C , |¦ + 5D , and, additionally,

Alice has a GHZ state |‘ 3AB as given in Eq. 5.34 at her side (cf. (1) in Fig. 5.7). She

keeps qubit 3 of the GHZ state and sends the other two qubits to Bob and Charly,

respectively. Then, Alice performs a Bell state measurement on qubits 2 and 3, Bob

performs his measurement on qubits 4 and A, and Charly performs his measurement

on qubits 5 and B (cf. (2) in Fig. 5.7). As a consequence qubits 1, C, and D are now

in a GHZ state due to entanglement swapping. It is assumed that Alice, Bob, and

Charly obtain |¦ + from their respective measurements which leaves qubits 1, C,

and D still in the GHZ state |‘ 1C D , as presented in Fig. 5.7.

Bob and Charly send their remaining qubits C and D back to Alice, who per-

forms a GHZ state measurement and publicly announces the outcome. Based on

5 Attack Strategies on QKD Protocols 85

Alice

Alice

¦+

¦+ 12

12

(2)

(1)

‘ 3 AB

Bob Charly

Bob Charly

‘ 3 AB

¦+ ¦+

¦+ ¦+ 4C 5D

4C 5D

Alice

Alice

(4)

‘

(3)

1CD

¦+

¦+ 23

23

Bob Charly

Bob Charly

¦+ ¦+

4A 5B

¦+

¦+

4A

5B

‘ 1CD

Fig. 5.7 Illustration of the protocol in [12]

this public result and the results of their own measurements all three parties can

agree on a single classical bit which is later used for the secret key.

It has been shown by Lee et al. [21] that this protocol is also open to the ZLG

attack strategy. In detail, Eve prepares two entangled pairs in the state |¦ + P Q and

|¦ + R S and intercepts qubits A and B coming from Alice. She keeps the qubits

P and R and forwards qubit Q and qubit S to Bob and Charly, respectively. Both

parties perform their measurement as described in the protocol and they return the

qubits C and D. Eve intercepts also these qubits and performs a Bell measurement

on the pairs P, C and R, D. According to the measurement results, Eve is able to

select a Pauli operator and apply it on the qubits A and B that she intercepted from

Alice to preserve the correlation. Since they are still in a GHZ state together with

one qubit from Alice, these operations alter the overall state in a way such that it

corresponds to Alice™s, Bob™s, and Charly™s measurement results. In the end Eve

returns the two qubits to Alice, who performs a GHZ state measurement on them

as described in the protocol. The three legitimate communication parties will not

86 S. Schauer

detect Eve because, due to her Pauli operations, she does not introduce any error in

the protocol.

In their paper [21] Lee et al. also presented a method to secure Cabello™s protocol

against the ZLG attack. In this case Bob and Charly use the quantum Fourier trans-

formation (QFT) to secure the qubits in transit. After they received the qubits from

Alice each of them returns one qubit of the entangled pair to Alice and randomly

applies the QFT on the other one. Then they publicly announce their decision and

Alice performs the inverse QFT on the qubits she received from Bob and Charly

according to their decision. Similar to the addendum to Cabello™s protocol [14]

Eve is not able to overcome the application of the QFT by Bob and Charly. If Eve

follows the attack strategy described in [21] she intercepts the qubits coming from

Alice, Bob, and Charly but she cannot ¬nd a Pauli operation to correct the GHZ

state. Thus, the three legitimate communication parties detect Eve during the sifting

phase of the protocol due to the additional amount of error introduced by her.

5.2.2.3 General Entanglement Swapping Attack

Another protocol, which was presented by Li et al. [22], also uses entangled states

and entanglement swapping to distribute a secret key between two parties. Instead of

three entangled states as in [13] just two entangled pairs are used in this protocol “

both at Alice™s side (cf. (1) in Fig. 5.8). Initially, the two pairs are in the state |¦ + 12

and |¦ + 34 and Alice performs some Pauli operation σ on qubit 1 before she sends

qubits 2 and 4 to Bob. Then, she performs a Bell state measurement on the two

Alice Bob Alice Bob

¦+

¦+

12

12

(1) (2)

¦+

¦+

34

34

Alice Bob Alice Bob

¦+ Ψ+

σx 12 12

(3) (4)

¦+ ¦+

34 34

Alice Bob

Ψ’ ¦’ (5)

13 24

Fig. 5.8 Illustration of the protocol presented in [22]

5 Attack Strategies on QKD Protocols 87

remaining qubits in her possession (cf. (3) and (4) in Fig. 5.8. Due to entanglement

swapping she knows exactly the state qubits 2 and 4 are in (cf. Eq. 5.40):

1

σ |¦ + +

|¦ + +

+ |¦ ’ ’

12 |¦ = 13 σ |¦ 13 σ |¦

34 24 24

2 . (5.40)

+ + ’ ’

+ |Ψ 13 σ |Ψ + |Ψ 13 σ |Ψ

24 24

Further, Alice is able to compute the state Bob™s qubits would be in if she had not

performed her Pauli operation. This piece of information is called Alice™s imaginary

result by Li et al. in [22]. When Bob performs a Bell state measurement on qubits

2 and 4 he is able to guess Alice™s imaginary result based on his own result. Alice

then publicly reveals her measurement result such that Bob can calculate the exact

operation σ she has applied before. Alice and Bob use their secret results to generate

a classical secret key.

In [35] it has been shown that this protocol is insecure against an attack strategy

based on entanglement swapping. The attack applied in this case is a kind of gen-

eralization of the ZLG attack [38] since it is based on an entangled six-qubit state

|δ (cf. Eq. 5.41) instead of just a single pair and it is also applicable on the original

Cabello protocols presented above [13, 12]

1

= √ |H H H H H H P Q R ST U + |H H V V H V P Q R ST U

|δ P Q R ST U

22

+ |H V H V V V P Q RST U + |H V V H V H P Q R ST U (5.41)

+ |V H H V V H + |V H V H V V

P Q RST U P Q R ST U

+ |V V H H H V + |V V V V H H .

P Q RST U P Q R ST U

The main idea of this attack is that the six-qubit state preserves the correlations

between the measurement results coming from the entanglement swapping. This

fact allows Eve to stay undetected. Furthermore, Eve is able to keep two qubits of

the six-qubit state which are in the same state as Bob™s qubits after the protocol has

¬nished. Explicitly, that means

1

|¦ + — |¦ + — |¦ +

|δ =

P Q RST U PR QS TU

2

+ |¦ ’ — |¦ ’ — |¦ ’

PR QS TU

(5.42)

+ |Ψ + — |Ψ + — |Ψ +

PR QS TU

+ |Ψ ’ — |Ψ ’ — |Ψ ’ .

PR QS TU

This gives Eve the same information Bob has at that time. Further, Eve listens

to the public communication between Alice and Bob and thus obtains full infor-

mation about the secret key. Eve will not be detected during the error correction

88 S. Schauer

phase because the correlation between Alice™s and Bob™s results is preserved by the

state |δ .

Regarding the protocol presented in [22] Eve™s attack strategy is the following:

Eve intercepts qubit 2 coming from Alice and qubit 3 coming from Bob (the initial

settings of [22] have been altered in [35] due to a rather simple loophole in the

original protocol). Eve performs a Bell state measurement on qubits 2 and P and

qubits 3 and S and in this way entangles herself with the two communication parties

(cf. (2) and (3) in Fig. 5.9). Eve then sends qubits Q to Bob and R to Alice, such that

all three parties are in possession of two qubits of the six-qubit state |δ . When Bob

performs a Bell state measurement on his two qubits 4 and Q the remaining four

qubits of |δ collapse into two entangled pairs (cf. (6) and (7) in Fig. 5.9). The state

of these pairs is completely determined by Bob™s measurement result. As pointed

out in Eq. 5.42 the two qubits at Eve™s side, T and U , are in the same state as Bob™s

qubits 4 and Q, and the two qubits at Alice™s side, 1 and R, are perfectly correlated

to Bob™s result as it would be expected (cf. (7) in Fig. 5.9).

Alice Eve Bo b Alice Eve Bob

¦+

+

¦ 12

12

(1) (2)

¦+ +

¦

34

δ δ 34

PQRSTU PQRSTU

Alice Eve Bo b Alice Eve Bob

¦+

¦+ 2P

2P

(3) (4)

¦+ ¦+

3S 3S

δ δ

1QR4TU 1QR4TU

Alice Eve Bo b Alice Eve Bob

σx

¦+ ¦+

2P 2P

(5) (6)

¦+ ¦+

3S 3S

δ δ

1QR4TU 1QR4TU

Alice Eve Bo b

+

¦

2P

¦’

’

Ψ +

¦ (7)

Q4

1R

3S

¦’

TU

Fig. 5.9 Illustration of the attack strategy presented in [35]

It is also described in [35] how the protocol can be secured against such an

attack strategy: it is the same way Cabello secured his protocol in [14] “ by using

a Hadamard operation. In the beginning of the modi¬ed protocol Alice randomly

5 Attack Strategies on QKD Protocols 89

chooses whether to perform the Hadamard operation onto qubit 1 or not. This alters

the initial state of the original protocol to

1

|ω+ +

|¦ + +

+ |¦ ’ ’

12 |¦ = 13 |ω 13 |ω

34 24 24

2 , (5.43)

+ + ’ ’

+ |Ψ 13 |χ + |Ψ 13 |χ

24 24

where |ω± and |χ ± come from Eq. 5.38. Both parties then follow the protocol as

described above until Alice receives the qubit coming from Bob. Then she publicly

announces her choice on the Hadamard operation and Bob applies the Hadamard

operation on qubit 2, if necessary, to undo it. Both perform their Bell state measure-

ments and their results are correlated as it would be expected and they are able to

extract a classical secret key as described in [22]. Similar to the scenarios described

above, Eve will not be able to preserve the correlation between Alice™s and Bob™s

result and thus will introduce an error every time Alice performs the Hadamard

operation. In detail, Eve™s average collision probability is again Pc = 0.75 as for

the full I&R attack (cf. Eq. 5.27 in Sect. 5.2.1.3).

Thus, Alice and Bob can make the probability of detecting Eve arbitrarily close

to 1, i.e., 1 ’ (0.75)n . As already pointed out in Sect. 5.2.2.1 and 5.2.2.2, Eve is

still able to perfectly eavesdrop the secret bit whenever Alice does not perform the

Hadamard operation. This gives Eve the average information 1 ’ H (S|M) = 0.75,

which is higher than in the full I&R attack, but she will be detected easily because

of the 50% additional error rate, which is introduced when Alice uses the Hadamard

operation.

As it is further described in [35], Eve can ¬nd a state |δ which can compensate

the application of the Hadamard operation. But in this case Eve will introduce the

same amount of error every time Alice™s does not use the Hadamard operation. Thus,

Eve will gain nothing by using |δ instead of |δ .

5.3 Individual Attacks in an Realistic Environment

The protocols and attacks described above are settled in an ideal environment. The

photon sources emit single-photon signals only and the detectors are 100% ef¬cient.

But using today™s technology such a setting is impossible to achieve as we have

discussed in Chap. 6. Detectors are highly sensitive and often detect a signal even if

none was sent (these events are called dark counts). This has to be considered when

performing the error correction and privacy ampli¬cation.

Further, there are no single-photon sources but a normal signal pulse often con-

tains a large number of photons. To solve this problem, weak coherent pulses (WCP)

are used in actual quantum cryptographic devices (cf., for example, [30]), which are

described as

∞

±n

’|±|2

√ |n ,

|± = e (5.44)

2

n!

n=0

90 S. Schauer

which is a superposition of Fock states (states with 0, . . ., n photons). Such pulses

have a rather low mean photon number μ, such that the probability to ¬nd more than

one photon in a pulse follows a Poissonian distribution [16]

μn ’μ

P n, μ = e. (5.45)

n!

The mean photon number μ cannot be made arbitrarily low, because this will

decrease the ef¬ciency of the protocol.

In the following some attack strategies will be presented which make use of such

loopholes given by the physical limitations of QKD protocols.

5.3.1 PNS Attack

The photon number splitting attack (PNS) was ¬rst introduced by Huttner et al.

[18] and later discussed by Brassard et al. [10] and L¨ tkenhaus [25] and is the

u

most powerful individual attack. It is applied on realistic photon sources emitting

weak coherent pulses which generate single photons only with a certain probability

(see the paragraph above). With a small probability multi-photon pulses are emitted

containing two or more photons having the same polarization. The strategy for Eve

is to intercept these pulses coming from Alice, take one photon of the multi-photon

pulse and send the remaining photon(s) along to Bob. Eve waits until Alice and

Bob publicly compare their measurement bases and then measures the intercepted

photon in the correct basis.

In detail, the PNS attack is a little more complex. According to Eq. 5.45, the

probability that Alice™s source emits a vacuum pulse (containing zero photons) is

very high and the probability of a single-photon pulse is around 10%. Hence, the

probability of a multi-photon pulse is very low (around 5% [16]). Because of this

Eve cannot split a photon off each pulse but she has to check for the multi-photon

pulses. Therefore, she performs a non-demolition measurement to collapse the pulse

into a state containing a ¬xed number of photons. This is accomplished by a pro-

jection onto Fock spaces. If Eve intercepted a multi-photon pulse, she applies an

operator A N , which destructs one photon of the pulse and creates an appropriate

auxiliary state (cf. Eq. 5.46)

A N |N , 0 + |± = |N ’ 1, 0 + |•1

A N |0, N + |± = |0, N ’ 1 + |•2

. (5.46)

A N |N , 0 — |± = |N ’ 1, 0 — |Ψ1

A N |0, N — |± = |0, N ’ 1 — |Ψ2

From her measurement on the auxiliary system together with the information

about Alice™s basis choice, Eve is able to determine the correct value of the secret bit.

Therefore, •1 |•2 and Ψ1 |Ψ2 have to be zero such that they can be distinguished

5 Attack Strategies on QKD Protocols 91

by Eve. As pointed out in [10] such an operator can be described by the Jaynes“

Cummings model.

Using the operator A N Eve is able to obtain full information from multi-photon

signals generated by Alice™s source. But, as we already pointed out, the probability

that a multi-photon signal is emitted is rather small. Only if the probability that

Bob detects a signal is smaller than the probability of a multi-photon signal the

attack becomes a severe problem. In this case Eve suppresses all dark counts in

Bob™s module and the ef¬ciency of his detectors is increased to 100%. Further, Eve

replaces the quantum channel with a perfect channel, i.e., there are no losses due to

the channel. It is a rather paranoid assumption to give Eve the power to do all these

things, since they affect Bob™s hardware directly. But, to be secure, all possible

scenarios have to be considered. For each signal coming from Alice, Eve acts in the

following way: all signals with zero photons are ignored, since dark counts have

been suppressed. All multi-photon signals are attacked using the PNS strategy. This

gives Eve full information about the corresponding bit of the secret key. A fraction

of the single-photon signals is suppressed and the other single-photon signals are

attacked using the I&R strategy (cf. Sect. 5.2.1). Eve chooses the amount of dis-

carded signals such that they are consistent with Bob™s total detection probability.

With a perfect quantum channel and perfect detectors all errors in this scenario are

introduced by Eve™s I&R attack (the PNS attack introduces no error). Bob is not

able to distinguish these errors from the ones he expects due to dark counts and the

lossy channel. In this case the whole communication becomes insecure.

In [26] it has been shown that also the Poisson photon number distribution

can be preserved using the PNS attack, which makes it undetectable as long as

a publicly known signal intensity is used. Therefore, the decoy states method

[19, 23, 37] uses different intensities to make a detection of the PNS attack possi-

ble (cf. “Sect. 4.2.3”). Another way to secure BB84-like protocols against the PNS

attack was presented in [33]. Scarani et al. suggested an alternative sifting procedure

such that Alice does not give away her measurement basis. Instead, she announces

one of four pairs of non-orthogonal states. This leaves Bob with an inconclusive

or ambiguous result and he will have to discard his result for 75% of all signals.

Although the ef¬ciency of this protocol is much lower than for standard BB84 proto-

cols (where about 50% of the signals are discarded), it gives not enough information

to an eavesdropper such that the PNS attack can be applied successfully.

5.3.2 Trojan Horse Attack

Another attack strategy on realistic setups of QKD systems is the Trojan Horse

attack or light injection attack. It has been introduced ¬rst in [32, 6] and was dis-

cussed in more detail in [36] later on. The main idea of this attack strategy is not to

interact with the photons in transit between Alice and Bob but to probe the devices

in Alice™s and Bob™s laboratory by sending some light into them and collecting the

re¬‚ected signal. In this way Eve is able to obtain information about the detectors

92 S. Schauer

and further on which classical bit Bob measured. In detail, Eve is in possession of

a laser and a detection scheme. She sends out light pulses toward Alice™s or Bob™s

setup, which are re¬‚ected and enter the detection scheme when returning to Eve. In

[36] it is assumed that Eve uses homodyne detection for the re¬‚ected pulse and thus

needs a reference pulse. This reference pulse is delayed in an arm of the optical ¬ber

and enters the detection system together with the re¬‚ected pulse.

Eve can use the information of the re¬‚ected signal to detect which basis Alice™s

used for the preparation of the photon. The detection of the correct basis is based on

a phase modulation occurring due to the different ways the re¬‚ected and reference

beams go through [36]. If Eve is able to do this before Alice™s photon reaches Bob,

she can perform a simple I&R attack (cf. Sect. 5.2.1), i.e., intercept the photon in

transit, measure it in the correct basis, and send it on to Bob. This will give her full

information on the secret bit string.

A countermeasure against this kind of attack strategy is implemented in the plug

and play systems (cf. Chap. 6) where the intensity of incoming light is monitored

[32, 6]. The idea is that Bob sends a rather intense beam of light to Alice which is

used for synchronization with a special timing detector at Alice™s setup. This detec-

tor noti¬es the legitimate communication parties when the power of an incoming

signal extends some prede¬ned level. For protocols where light just goes one way

(e.g., out of Alice™s lab into Bob™s lab) a strategy for preventing the attack is to

add components in Alice™s and Bob™s laboratory to block Eve™s injected pulse. This

means, for example, that the laser pulses have to pass through an optical isolator and

a band-pass ¬lter [36] when leaving Alice™s setup. The isolator reduces the signals

coming into Alice™s laboratory to make a light injection attack impossible.

5.3.3 Faked States Attack

The faked states attack is a kind of I&R attack strategy but Eve does not try to

recreate the intercepted state. Instead, Eve manages to send a signal to Bob which

he can only detect in a way totally controlled by Eve. This attack was ¬rst introduced

in [28] and later extended in [27, 29]. In detail, Eve intercepts the signals coming

from Alice using an apparatus similar to Bob™s. Further, she forwards a state to

Bob which can only be detected by him if he chooses the same basis as Eve. She

can achieve this by exploiting the full detector ef¬ciency mismatch [27]. This is a

phenomenon where the signal coming into the detector has a time shift such that it is

outside the detector™s sensitivity curve. Therefore, only one detector can ¬re and the

other one is blinded out. In this way Eve can control the bit value Bob will obtain

from his measurement. The second goal of the faked states attack is to eliminate

the case where Bob performs a measurement in a basis incompatible to Eve™s basis,

thus detecting an error. Eve can achieve that by adding a relative phase to the signal

such that the whole signal is de¬‚ected to the blinded detector and is lost.

For the BB84 protocol [2] the faked states attack works as follows: Eve performs

an I&R attack and obtains some result from her measurement. Then she sends a

5 Attack Strategies on QKD Protocols 93

signal pulse to Bob which has the opposite bit value in the opposite basis compared

to what she has detected. Eve also sets the time shift of the signal such that the

detector for the opposite bit value compared to what she has detected is blinded out.

Thus, if Bob tries to detect the signal in a different basis than Eve, he would not

detect anything. Otherwise, if Bob chooses the same basis as Eve, he will either

detect the same bit as Eve or nothing at all. Therefore, every time Eve measured

Alice™s state in the wrong basis, also Bob will measure it in the wrong basis and the

results will be discarded. If Eve has chosen the right basis, also Bob measured in the

right basis and Eve has full information about this bit of the secret key.

As explained in [27, 29] it has to be stressed that Bob™s detection ef¬ciency is

reduced by the faked states attack since all signals where Bob measured in a dif-

ferent basis compared to Eve and half of the signals where Bob measured in the

same basis are suppressed. Eve can overcome this rather easily using faked states

with a proportionally increased brightness. If Eve is not able to blind one detector

completely, she can only obtain partial information about the key but, nevertheless,

stays undetected [31].

Possible countermeasures to prevent the attack are, for example, to actively mon-

itor the timing of incoming pulses at Bob™s side [27]. This can be achieved through

a random shifting of Bob™s time window or with additional detectors. Alternatively,

Bob can test the characteristics of his detectors over a variety of input signals to

especially check all features of the sensitivity curve. Another countermeasure for

Bob is to introduce random jitter into the detector synchronization to smear the

curves and lower the mismatch.

5.3.4 Time-Shift Attack

An alternative version of the faked states attack is the time-shift attack strategy [31].

The time-shift attack also exploits the detector ef¬ciency mismatch, but, contrary to

the faked state attack [28, 27, 29], it is feasible with today™s technology, as it has

been shown in [39]. The main difference is that Eve does not measure the state in

transit between Alice and Bob but randomly shifts the time of the signal such that

it arrives outside of Bob™s detector™s sensitivity curve. Due to her choice of the time

delay, Eve is able to infer the exact result of Bob™s measurement. As pointed out

in Sect. 5.3.3, if Eve is able to completely blind a detector by her time shift, she

is able to obtain full information about Bob™s measurement result. Otherwise, Eve

will obtain only partial information about the secret key. In both cases, Eve never

introduces any error, since she does not measure or otherwise interact with Alice™s

state in transit.

One difference to the faked states attack is that Eve has to deal with the increased

loss at Bob™s side in another way. Regarding the faked states attack Eve uses a

brighter laser pulse to overcome the losses, as described in Sect. 5.3.3. With respect

to the time-shift attack Eve has to replace the quantum channel by a low-loss version

to compensate Bob™s additional losses.

94 S. Schauer

The countermeasures described in Sect. 5.3.3 will also work here to prevent an

application of the time-shift attack. Additionally, phase shift settings can be applied

to Bob™s phase modulator and the detection rate and the channel loss can be checked

to secure a protocol against the time-shift attack [31].

References

1. Bennett, C.H.: Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett.

68(21), 3121“3124 (1992) 71

2. Bennett, C.H., Brassard, G.: Public key distribution and coin tossing. In: Proceedings of the

IEEE International Conference on Computers, Systems, and Signal Processing, pp. 175“179.

IEEE Press, New York (1984) 71, 79, 92

3. Bennett, C.H., Brassard, G., Breidbart, S., Wiesner, S.: Quantum Cryptography, or Unforge-

able Subway Tokens. Advances in Cryptology: Proceedings of the Crypto ™82, pp. 267“275

(1982) 77

4. Bennett, C.H., Brassard, G., Crepeau, C., Jozsa, R., Peres, A., Wootters, W.K.: Teleporting

an unknown quantum state via dual classical and EPR channels. Phys. Rev. Lett. 70(13),

1895“1899 (1993) 79

5. Bennett, C.H., Brassard, G., Popescu, S., Schumacher, B., Smolin, J., Wootters, W.K.: Puri¬-

cation of noisy entanglement and faithful teleportation via noisy channels. Phys. Rev. Lett.

76(5), 722“725 (1996) 79

6. Bethune, D.S., Risk, W.P.: An autocompensating fiber-optic quantum cryptography system

based on polarization splitting of light. IEEE J. Quantum Electron. 36(3), 340“347 (2000) 91, 92

7. Biham, E., Boyer, M., Brassard, G., van de Graf, J., Mor, T.: Security of quantum key distri-

bution against all collective attacks. Algorithmica 34(4), 372“388 (2002) 71

8. Biham, E., Mor, T.: Security of quantum cryptography against collective attacks. Phys. Rev.

Lett. 78(11), 2256“2259 (1997) 71

9. Bose, S., Vedral, V., Knight, P.L.: Multiparticle generalization of entanglement swapping.

Phys. Rev. A 57(2), 822“829 (1998) 81

10. Brassard, G., L¨ tkenhaus, N., Mor, T., Sanders, B.C.: Limitations on practical quantum cryp-

u

tography. Phys. Rev. Lett. 85(6), 1330“1333 (2000) 90, 91

11. Bruss, D.: Optimal eavesdropping in quantum cryptography with six states. Phys. Rev. Lett.

81(14), 3018“3021 (1998) 71

12. Cabello, A.: Multiparty key distribution and secret sharing based on entanglement swapping.

quant-ph/0009025 v1 (2000) 84, 85, 87

13. Cabello, A.: Quantum key distribution without alternative measurements. Phys. Rev. A 61(5),

052,312 (2000) 81, 82, 83, 86, 87

14. Cabello, A.: Reply to “comment on quantum key distribution without alternative measure-

ments”. Phys. Rev. A 63(3), 036,302 (2001) 83, 84, 86, 88

15. Ekert, A.: Quantum cryptography based on Bell™s theorem. Phys. Rev. Lett. 67(6), 661“663

(1991) 71, 80

16. Gisin, N., Ribordy, G., Tittel, W., Zbinden, H.: Quantum cryptography. Rev. Mod. Phys. 74(1),

145 (2002) 90

17. Greenberger, D., Horne, M.A., Zeilinger, A.: Going beyond Bell™s Theorem. In: M. Kafatos

(ed.) Bell™s Theorem, Quantum Theory and Conceptions of the Universe, pp. 69“72. Kluwer,

Dordrecht (1989) 80

18. Huttner, B., Imoto, N., Gisin, N., Mor, T.: Quantum cryptography with coherent states. Phys.

Rev. A 51(3), 1863“1869 (1995) 90

19. Hwang, W.Y.: Quantum key distribution with high loss: Toward global secure communication.

Phys. Rev. Lett. 91(5), 057,901 (2003) 91

5 Attack Strategies on QKD Protocols 95

20. Kim, Y.H., Kulik, S., Shih, Y.: Quantum teleportation of a polarization state with complete

bell state measurement. Phys. Rev. Lett. 86(7), 1370“1373 (2001) 79

21. Lee, J., Lee, S., Kim, J., Oh, S.D.: Entanglement swapping secures multiparty quantum com-

munication. Phys. Rev. A 70(3), 032,305 (2004) 85, 86

22. Li, C., Wang, Z., Wu, C.F., Song, H.S., Zhou, L.: Certain quantum key distribution achieved

by using Bell states. Int. J. Quantum Inf. 4(6), 899“906 (2006) 86, 87, 88, 89

23. Lo, H.K., Ma, X., Chen, K.: Decoy state quantum key distribution. Phys. Rev. Lett. 94(23),

230,504 (2005) 91

24. L¨ tkenhaus, N.: Security against eavesdropping attacks in quantum cryptography. Phys. Rev.

u

A 54(1), 97“111 (1996) 73

25. L¨ tkenhaus, N.: Security against individual attacks for realistic quantum key distribution.

u

Phys. Rev. A 61(5), 052,304 (2000) 90

26. L¨ tkenhaus, N., Jahma, M.: Quantum key distribution with realistic states: Photon-number

u

statistics in the photon-number splitting attack. New J. Phys. 4, 44.1“44.9 (2002) 91

27. Makarov, V., Anisimov, A., Skaar, J.: Effects of detector ef¬ciency mismatch on security of

quantum cryptosystems. Phys. Rev. A 74(2), 022,313 (2006) 92, 93

28. Makarov, V., Hjelme, D.R.: Faked states attack on quantum cryptosystems. J. Mod. Opt. 52(5),

691“705 (2005) 92, 93

29. Makarov, V., Skaar, J.: Faked states attack using detector ef¬ciency mismatch on SARG04,

phase-time, DPSK and Ekert protcols. Quant. Inf. Comp. 8(6&7), 622“635 (2008) 92, 93

30. Poppe, A., Peev, M., Maurhart, O.: Outline of the SECOQC quantum-key-distribution network

in Vienna. Int. J. of Quant. Inf. 6(2), 209“218 (2008) 89

31. Qi, B., Fung, C.H.F., Lo, H.K., Ma, X.: Time-shift attack in practical quantum cryptosystems.

Quant. Inf. Comp. 7(1&2), 73“82 (2007) 93, 94

32. Ribordy, G., Gautier, J.D., Gisin, N., Guinnard, O., Zbinden, H.: Fast and user-friendly quan-

tum key distribution. J. Mod. Optics 47(2&3), 517“531 (2000) 91, 92

33. Scarani, V., Acin, A., Ribordy, G., Gisin, N.: Quantum cryptography protocols robust against

photon number splitting attacks for weak laser pulses implementations. Phy. Rev. Lett. 92(5),

057,901 (2004) 91

34. Scarani, V., Bechmann-Pasquinucci, H., Cerf, N.J., Dusek, M., L¨ tkenhaus, N., Peev, M.: The

u

Security of Practical Quantum Key Distribution. quant-ph/0802.4155 v2 (2008) 72

35. Schauer, S., Suda, M.: A novel attack strategy on entanglement swapping QKD protocols. Int.

J. Quant. Inf. 6(4), 841“858 (2008) 87, 88, 89

36. Vakahitov, A., Makarov, V., Hjelme, D.R.: Large pulse attack as a method of conventional

optical eavesdropping in quantum cryptography. J. Mod. Opt. 48(13), 2023“2038 (2001) 91, 92

37. Wang, X.B.: Beating the photon-number-splitting attack in practical quantum cryptography.

Phys. Rev. Lett. 94(23), 230,503 (2005) 91

38. Zhang, Y.S., Li, C.F., Guo, G.C.: Comment on “quantum key distribution without alternative

measurements”. Phys. Rev. A 63(3), 036,301 (2001) 81, 82, 87

39. Zhao, Y., Fung, C.H.F., Qi, B., Chen, C., Lo, H.K.: quantum hacking: Experimental demon-

stration of time-shift attack against practical quantum key distribution systems. Phys. Rev. A

78(4), 042,333 (2008) 93

40. Zukowski, M., A., Z., Horne, M.A., Ekert, A.K.: “Event-Ready-Detectors” Bell state mea-

surement via entanglement swapping. Phys. Rev. Lett. 71(26), 4287“4290 (1993) 81

Chapter 6

QKD Systems

M. Suda

6.1 Introduction

This chapter summarizes information about seven QKD systems that have been

developed for SECOQC [58, 1, 26] and which are candidates for further integra-

tion to build up a prototype QKD network. In Chap. 9 the quantum-cryptographic

network of SECOQC is described in detail and Chap. 7 presents a statistical anal-

ysis of the network in a real-life environment. The mentioned seven systems are

in Sect. 6.2.1 the plug and play system (PP), in Sect. 6.2.2 the phase-coding QKD

system or one-way weak coherent pulse QKD system (Toshiba), in Sect. 6.2.3 the

time-coding QKD system or coherent one-way system (COW), in Sect. 6.2.4 the

continuous variables system or QKD with coherent states (CV), in Sect. 6.2.5 the

entanglement-based QKD system (EB), in Sect. 6.2.6 the free-space QKD system

(FS), and ¬nally in Sect. 6.2.7 the low-cost QKD system (LC).

In each section the basic ideas of each system and a more detailed physical

description are presented. Some technical details are given which are supplied by

the experimental groups themselves. Overviews of the underlying physical princi-

ples of the systems and relating quantum protocols can be found, e.g., in [27] and

[18]. Since security is the core business of a QKD network we refer to [71] which

gives an overview of the security of practical QKD.

The theoretical modeling of each system is described and the status of the secu-

rity proofs for various scenarios is mentioned. Implications of the known security

results are demonstrated. For some systems the quantum bit error rate and the secure

key rate as a function of distance between the communicating partners Alice and

Bob are discussed.

M. Suda (B)

Safety & Security Department, Quantum Technologies, AIT Austrian Institute

of Technology GmbH, Donau-City-Straße 1/1220 Vienna, Austria,

martin.suda@ait.ac.at; www.ait.ac.at

Suda, M.: QKD Systems. Lect. Notes Phys. 797, 97“121 (2010)

c Springer-Verlag Berlin Heidelberg 2010

DOI 10.1007/978-3-642-04831-9 6

98 M. Suda

6.2 QKD Systems

In the following, the technical and physical aspects of the 7 QKD systems developed

within SECOQC are described. Their physical modes of operation are explained and

information is given about the capability of the systems and about security aspects

including the quantum bit error rate and the achievable secure bit rate. The applied

quantum protocol is discussed. Appropriate literature references are enclosed.

6.2.1 Plug and Play (PP)

Since the introduction of the BB84 protocol by Bennett and Brassard [6] and the

¬rst realization in 1992 [5], many experiments have been undertaken relating QKD

(see, e.g., [27]). In this section we describe a ¬ber-optic QKD prototype which

works as an auto-compensating plug and play system [76, 59]. The device is a

long-distance (67 km) QKD system employing optical ¬bers and works at telecom

wavelengths (1550 nm) using standard telecom components. The qubits are encoded

in the relative phase between two subsequent pulses and analyzed by an unbalanced

interferometer with active phase modulation. The auto-compensation is related to

polarization rotations in the ¬ber.

Optical

FM PMA VA

Bob

fiber

SL

1010001 USB

0101001 BS10/90

DA

0100101

19 inches box

19 inches box 1001010

0110001

0111001 L

DL

USB D2

PBS

PMB C D1

Alice Ethernet BS

Fig. 6.1 Sketch of plug and play system; L: laser, C: circulator, BS: 50/50 beam splitter, DL: delay

line, P M B : Bob™s phase modulator, PBS: polarizing beam splitter, B S10/90 : 10/90 beam splitter,

VA: variable attenuator, SL: storage line, P M A : Alice™s phase modulator, FM: Faraday mirror, D:

detector; see text for details

The plug and play system is sketched in Fig. 6.1. Strong linearly polarized pulses

of photons are created by a laser L on Bob™s side. The frequency of the pulses is

5MHz (period of 200 ns). The beam is separated into two parts at the 50/50 beam

.

splitter BS. The long arm contains a delay line DL of a length of 10 m (50 ns =

20 MHz). The phase modulator PM B is not used at that time. In the shorter arm

the linear polarization is turned by 90—¦ (not visible in Fig. 6.1). Both beams are

recombined at the polarizing beam splitter PBS where they exit Bob™s setup one after

6 QKD Systems 99

another (time delay of 50 ns) by the same port because of the orthogonal polarization

states of the two pulses. Thereby the ¬rst pulse passed the short and the second pulse

the long arm of the interferometer.

The pulses travel down to Alice where they, passing a B S10/90 (90% of the inten-

sity is registered in the detector D A ), are attenuated (variable attenuator VA) and

re¬‚ected on a Faraday mirror FM (here the polarization states are reversed) and are

further attenuated by VA. The storage line SL will be discussed below. Moreover,

Alice applies a phase of 0 or π and π or 3π on the second pulse (thus implementing

2 2

the BB84 protocol) with the phase modulator PM A . At the output of Alice™s setup

the polarizations of the two pulses are again orthogonal to each other, but have

been interchanged because of the FM. Thus, a compensation of all accumulated

polarization rotations (Bob to Alice) can take place on the way back from Alice to

Bob (auto-compensating system).

Arriving at Bob™s interferometer “ because of the changed polarization states “

the ¬rst pulse now enters the long arm where Bob chooses the measurement basis by

applying a 0 or a π phase shift on its way back using PM B . The second pulse takes

2

the short path. Both pulses arrive at the same time at the BS where they interfere.

Then they are detected either in D1 or, after passing through the circulator C, in D2 .

On the way back from Alice to Bob the plug and play system is a usual QKD

system using phase encoding between coherent pulses. The strong pulses sent from

Bob to Alice do not contain the information about the qubit: the quantum informa-

tion travels only one way, namely from Alice to Bob.

Since the pulses travel back and forth, backscattering light (elastic Rayleigh scat-

tering) can considerably increase the noise. Therefore, Bob™s laser sends trains of

pulses. The length of these trains corresponds to the length of the storage line (SL)

introduced for this purpose behind the VA at Alice™s setup. Therefore, the backward

propagating pulses do no longer cross the bright pulses in the ¬ber. For a length of

the SL of approximately 20 km, a pulse train contains 480 pulses at a frequency of

5 MHz. The 10/90 BS directs most of the incoming light to a detector module D A

which is “ amongst others “ used to synchronize the 5 MHz clock of Bob™s laser

and which guarantees that PM A is activated in time. This synchronized clock allows

Alice to apply a phase shift exactly when the second pulse passes 50 ns after the ¬rst

pulse. This second pulse contains phase information and must be attenuated below

the one-photon-per-pulse level.

As a measure of security, the number of coincident clicks at both detectors D1

and D2 is registered which is important to limit beam-splitting attacks.

The raw key Rraw between Alice, the transmitter, and Bob, the receiver, is

Rraw = q ν μ t AB t B · B · SL ·„ , (6.1)

where the following quantities have been used:

q, depends on the implementation (= 1 for the BB84 protocol)

2

ν, repetition frequency

μ, average number of photons per pulse (≈ 0.1)

t AB , transmission of the line Alice“Bob (= 10’±d/10 , ± = 0.2 dB/km = absorption,

100 M. Suda

d = distance)

t B , Bob™s internal transmission (≈ 0.6)

· B , Bob™s detection ef¬ciency (≈ 0.1)

· SL , factor because of length l SL of the storage line (= l SL /l SL + d)

·„ , factor because of dead time „ of the detector ( 1).

The second-most important parameter is the quantum bit error rate QBER =

f alse counts

(should be < 10%):

total counts

QBER = QBERopt + QBERdark + QBERafter + QBERstray . (6.2)

QBERopt . . . probability for the photon to hit the wrong detector

QBERdark . . . error rate because of dark counts [77]

QBERafter . . . is the probability to have an after pulse in the detector [77]

QBERstray . . . the errors induced by stray light (Rayleigh backscattering)

Error correction and privacy ampli¬cation lead to the following formula of the

¬nal key rate R¬n [27, 20, 80, 22]:

I

R¬n ∼ (I AB ’ I AE ) AB Rraw .

= (6.3)

I AB

I AB = 1 + D log2 D + (1 ’ D) log2 (1 ’ D), I AE ∼ 0.3 + I2ν and I AB =

=

1 + D log2 D ’ 2 D, where D = Q B E R. Here I2ν is due to multi-photon pulses

7

and has values of about 0.06, 0.14, and 0.40 for 5, 10, and 20 dB losses [76].

Security proofs are brie¬‚y alluded: For the BB84 protocol the security proof

GLLP against an arbitrary attack exists [32]. Under weaker assumptions the NSG

proof applies [61]. For the so-called SARG protocol a proof exists for incoherent

attacks [9]. For the decoy-state protocol a security proof against an arbitrary attack

has also been published [32, 49]. In Chap. 5 some attack strategies on QKD proto-

cols are presented.

6.2.2 One-Way Weak Coherent Pulse QKD, Phase Coding

(Toshiba)

In this section the one-way decoy pulse QKD system is discussed employing a pro-

tocol which involves one-way decoy pulses together with vacuum pulses [19].

QKD affects the secure communication between two remote parties Alice and

Bob where the security of the keys is determined by the laws of quantum mechanics

rather than the use of strong, one-way mathematical functions of encryption [27].

Since the original proposal [6] there has been an amount of work, beginning with

the ¬rst experimental demonstration in 1992 [5], but reliable and compact systems

compatible with existing telecom ¬ber technology are now starting to emerge [76]

[29].

In the ideal case the QKD setup should be designed employing a true single

photon source to guarantee immunity against the so-called photon number splitting

(PNS) attacks from a potential eavesdropper (Eve) [83, 49, 12]. However, there is

6 QKD Systems 101

a lack of deterministic and reliable single photon sources. Most of the implemen-

tations use heavily attenuated lasers which emit photon pulses with a Poissonian

number distribution. The PNS attack consists of blocking true single photons in the

quantum channel and removing part of the multi-photon pulses by transmitting the

remaining portion to Bob. Eve can then determine all or part of the key [12]. For

further information on PNS attacks cf. Sect. 5.3.1.

In 2003 Hwang proposed to circumvent the PNS attack using additional (decoy)

pulses sent by Alice [42]. The idea was to intersperse the signal pulses randomly

with some “decoy pulses” that are weaker on average and so very rarely contain

a multi-photon pulse. If Eve attempts a PNS attack, she will therefore transmit a

lower fraction of the decoy pulses to Bob than the signal pulses. Thus, by mon-

itoring the transmission of decoy and signal pulses separately, the attack can be

detected [83] [49]. This means that stronger pulses may be used securely. A proof

of the decoy pulse protocol has been given which also includes realistic experi-

mental assumptions (GLLP) [32]. Recently a promising one-way QKD system was

presented employing a single decoy pulse [85].

For now it is instructive to describe the method of phase coding in two interfer-

ometers (shown in Fig. 6.2). In the BB84 protocol Alice prepares randomly four

Fig. 6.2 Sketch of the optical layout of the one-way weak coherent pulse QKD system (phase-

coding). The system represents a BB84 phase encoding protocol including weak + vacuum decoy

states. Atten.: attenuator, IM: intensity modulator, PC: polarization controller, WDM: wavelength

division multiplexer, FS: ¬ber stretcher, APD: avalanche photo diodes, FPGA: ¬eld programmable

gate array

102 M. Suda

states using a ¬rst interferometer where the two arms have different lengths in order

to produce suf¬cient time delays between the pulses. In one of the arms a phase

shifter ± is inserted. The phase shift ¦ in Fig. 6.2 at Alice™s box represents the

quantity ± used in the formalism here. The principle of the BB84 protocol can

easily be understood for the idealized case where a single input photon (state |1 |0 ,

including the vacuum port |0 ), is given. Inside the interferometer four states are

generated which belong to two mutually orthogonal bases √2 (±|1 |0 + e±± |0 |1 )

1

where ± = 0, π (bits 0 and 1 in the X basis) or ± = π , 3π (bits 0 and 1 in the

2 2

Y basis). Time separation (or “ equivalently “ space separation of the pulses) is

not included in the formalism in order to simplify matters. For time separation a

complete wave packet description of the phase-coding protocol BB84 is necessary

[78]. In short, the delay lines at Alice and Bob have to be equal in order to have

interference between photons which take, e.g., in the ¬rst interferometer the short

path and in the second interferometer the long path or vice versa. Only these events

are indistinguishable from a quantum mechanical point of view [59].

But let™s continue our prior considerations. The state behind Alice™s interferom-

eter can be expressed as 1 [(e±± ’ 1)|1 |0 + ±(e±± + 1)|0 |1 ] describing the two

2

outputs [25]. The probabilities of the two outputs are sin2 ( ± ) and cos2 ( ± ) , respec-

√ 2 2

tively. If a coherent state | μ |0 is considered as input, the two outputs behind the

√ √

μ ±± ± μ ±±

interferometer can be described by the product state | 2 (e ’ 1) | 2 (e + 1)

where μ is the mean photon number of the pulse to be considered. The probabilities

of the outcomes are in this case μ sin2 ( ± ) and μ cos2 ( ± ) . Bob, receiving the corre-

2 2

sponding state, has a similar interferometer and detects in the X(Y) basis by phase

shift β = 0 (β = π ). The phase shift ¦ in Fig. 6.2 at Bob™s box represents the

2

quantity β used in the formalism here. His interferometer has two output detectors.

If, e.g., he sets β = 0 and Alice has taken ± = 0 or ± = π, one of his detectors

obtains a conclusive result which determines bit 0 or 1 (basis X ). In case of β = 0

and ± = π or 3π the detectors of Bob click by chance [Alice (Y ) and Bob (X ) use

2 2

different bases]. A complementary process happens for β = π . Having consistent

2

bases Alice and Bob retain their data while discarding the other ones. This completes

the process of data sifting in the protocol BB84. Both bases correspond thus to an

interferometric measurement.

In Fig. 6.2 a one-way ¬ber-optic QKD system with phase encoding is used.

Two Mach“Zehnder phase encoding interferometers are applied. Alice and Bob

are linked by a 20 km ¬ber spool through which the signal (an optical pulse with

wavelength » = 1.55 μm) is transmitted at a repetition rate of about 7 MHz. The

clock pulses (» = 1.3 μm), which do not overlap the signal pulses, have a dura-

tion of 5 ns each and deploy as synchronization. An intensity modulator is used in

order to produce signal and decoy pulses of different intensities at random times

whereas vacuum decoy pulses are produced by omitting trigger pulses to the sig-

nal laser. The signal and decoy pulses are strongly attenuated to the single photon

level, while a strong clock pulse is then multiplexed with them to provide syn-

chronization. Bob™s detectors are two single photon InGaAs avalanche photodiodes

(APD™s).

6 QKD Systems 103

The weak coherent pulse (WCP) decoy state + vacuum state BB84 protocol

mentioned above was implemented [42]. The mean number of photons per pulse

for signal and decoy states has to be chosen to be μ = 0.55 and ν = 0.10, respec-

tively. The optimal probabilities of the various pulses are signal Nμ = 0.93, decoy

Nν = 0.06, vacuum N0 = 0.01.

The properties of the detectors are carefully adjusted in order to avoid so-called

fake-state attacks [55, 54, 56] and time-shift attacks [66, 86]. For further details on

these kinds of attacks cf. Sect. 5.3.3 and 5.3.4, respectively.

A secure bit rate of greater than 10 kbps over 60 h was observed. This is approxi-

mately two orders of magnitude higher than what can be achieved at a ¬ber distance

of 20 km without decoy states [30]. It is assumed that such a system could be very

useful to be placed in a real-world environment such as a quantum network with

¬ber links of around a few tens of kilometers.

It should be mentioned that phase-coding QKD was demonstrated using an opti-

cally excited, triggered single photon source (SPS) emitting at a wavelength of

» = 1.3 μm [44]. The SPS (quantum dot source) shows a tenfold reduction in

multi-photon emission compared to a laser and has been used to distribute keys

secure from the PNS attack over 35 km along an optical ¬ber [32].

6.2.3 Coherent One-Way System, Time Coding (COW)

The coherent one-way QKD system COW was developed by GAP (Group of

Applied Physics, University of Geneva) [75, 28, 74]. A sketch of the con¬guration

is drawn in Fig. 6.3. The COW protocol described below is based to a certain extent

on the well-known BB84 protocol [6, 27].

In the previous section the BB84 protocol has been described. Two mutu-

ally orthogonal bases, X and the Y , have been applied. However, a third basis

{|1 |0 , |0 |1 }, called Z, can be used in principle, where applying this basis means

Fig. 6.3 Conceptual scheme of the quantum channel for implemented BB84 protocol with time-

coding (coherent one-way-system COW); the left (right) box belongs to Alice (Bob); the trans-

mission coef¬cient t B to Bob™s detector D B amounts to 0.9, the transmission coef¬cient for the

interferometer line is (1 ’ t B ) and has a value of 0.1; see text for details