. 4
( 9)


0+1 = .
R S|M = (5.28)
2 2
5 Attack Strategies on QKD Protocols 79

For the Shannon entropy we also get either 0, if Eve guessed the same basis as
Alice and 1 otherwise. This results in a Shannon entropy of

1 1
H S|M = 4 =. (5.29)
8 2

This strategy gives more information to Eve than the naive approach (cf. Eq. 5.16)
or the I&R attack in the Breidbart basis (cf. Eq. 5.25).

5.2.2 Entanglement-Based Attacks BB84-Like Protocols
Another strategy for Eve is to use entanglement to interact with the signal sent by
Alice. In this case Eve prepares a probe for each signal, entangles the probe with
it and then passes only the signal on to Bob. Later on, Eve is able to perform a
measurement or any other quantum operation on the probe in her possession to gain
information about the original signal. As pointed out above, the analysis in this
chapter is restricted to individual attacks only. Thus, we will just look at scenarios
where Eve performs her operation on one single probe. An operation on a subset or
even all of the probes is a coherent measurement, as described above, which will
not be discussed here.
Taking the BB84 protocol [2] which we also referred to in Sect. 5.2.1, a rather
simple strategy for Eve is to use an entangled pair, i.e., one of the Bell states

1 1
|¦ p m = √ |00 ± |11 |Ψ p m = √ |01 ± |10 (5.30)
2 2

and to perform a measurement in the Bell basis on the photon coming from Alice
together with one of the entangled photons. This is equal to a quantum teleportation
scheme [4, 5, 20] where the unknown signal state is teleported onto Eve™s probe

±|H + β|V √ |H H + |V V =
|¦ + ±|H + β|V + |¦ ’ ±|H ’ β|V (5.31)

+ |Ψ + ±|V + β|H + |Ψ ’ ±|V ’ β|H .

Eve is able to keep her probe until Alice reveals her basis choice and measure
it in the correct basis to obtain full information. If we look at the average collision
probability and Eve™s Shannon information about Alice™s bit we see that

Pc = 1 1 ’ H S|M = 1.
and (5.32)
80 S. Schauer

Eve has full information about the bit Alice sent. Nevertheless, the signal, which
Eve has forwarded to Bob is now in a Bell state, i.e., it has lost every information
about Alice™s basis choice and is in a completely mixed state. Bob will obtain a
random result upon a measurement in the H/V as well as in the +/’ basis which is
easy to see from Bob™s average collision probability Pc = 1 . Thus, Alice and Bob
will detect too many errors during their sifting phase (around 50%) and therefore
will abort the protocol.
As we see, regarding the BB84 protocol, Eve gains full information about Alice™s
bit using this attack strategy but the average collision probability is the same com-
pared to the full I&R strategy (cf. Eq. 5.27). Thus, she can gain no additional infor-
mation from this strategy.
But what if Alice and Bob use entangled states for communication as in the Ekert
protocol [15]? A strategy for Eve in this case is to prepare her probes in the state
|H and perform a controlled NOT (CNOT) operation (cf. Eq. 5.33) on the signal
and her probe

CNOT12 = |H H | — I + |V V | — |0 1| + |1 0| . (5.33)

The CNOT operation is a quantum operator acting on two qubits, a source and a
target. If the source is in the state |V , a NOT or ¬‚ip operation is performed on the
target qubit. The subscripts in Eq. 5.33 denote which qubit is the source (¬rst index)
and which is the target (second index). This is convenient if the CNOT operation
is applied on a state consisting of more than two qubits to avoid confusions. The
CNOT operation applied on the signal coming from Alice and Eve™s probe will alter
the state into
CNOT23 |¦ + — |H = √ |H H H + |V V V . (5.34)
The resulting state is a GHZ state [17] which has the special property that if one
of the photons is measured the other two photons immediately collapse into a certain
state depending upon the measurement result. In case of Eq. 5.34 if Alice measures
in the H/V basis, Bob and Eve will obtain the same result as Alice if they also
perform their measurement in the H/V basis. In case Alice uses the +/’ basis,
Bob™s measurement result in the same basis will not correlate with Alice™s result
50% of the times. For the collision probability and Shannon information this means

Pc = 1 1 ’ H S|M = 1
and (5.35)

if Alice and Bob measure in the H/V basis. For a measurement in the +/’ basis,
Bob obtains the same result as Alice with probability Pc = 1 . Therefore, the
overall information Eve obtains on each secret bit is 1 ’ H (S|M) = 0.75, which is
signi¬cantly more compared to the I&R strategies discussed in Sect. 5.2.1. Never-
theless, an error is detected with probability 0.5 every time Alice and Bob use the
+/’ basis. This unbalanced occurrence of errors makes it easy for Alice and Bob
to identify the presence of Eve.
5 Attack Strategies on QKD Protocols 81 ZLG Attack
Besides the Ekert protocol, there are other entanglement-based protocols which
make use of a phenomenon of quantum mechanics called entanglement swapping
[40, 9]. Entanglement swapping is a special case of quantum teleportation where
a completely mixed state is teleported and thus the entanglement between certain
photons is changed. An attack strategy based on entanglement swapping is a rather
theoretical approach because the realization is very complex due to limitations of the
physical apparatus. Nevertheless, attack strategies based on entanglement swapping
have to be considered because Eve could have the physical means to perform such
attacks and some protocols have already been shown to be insecure against them.
An example for a protocol open to an attack based on entanglement swapping is
a protocol presented by Adan Cabello [13]. In this protocol Alice has two entangled
pairs in the state |Ψ ’ 12 and |Ψ + 35 , whereas Bob has one pair in the state |Ψ + 46
(cf. (1) in Fig. 5.4). Alice sends qubit 2 to Bob and performs a Bell state measure-
ment on qubits 1 and 3 in her possession which entangles qubits 2 and 5 due to
entanglement swapping:

|Ψ ’ +
|¦ ’ +
’ |¦ + ’
12 |Ψ = 13 |¦ 13 |¦
35 25 25
2 (5.36)
’ + + ’
+ |Ψ 13 |Ψ ’ |Ψ 13 |Ψ .
25 25

In detail, if qubits 1 and 3 are in the state |Ψ ’ 13 after the Bell state measurement,
Alice knows that qubits 2 and 5 are in the state |Ψ + 25 (cf. (2) and (3) in Fig. 5.4).
After receiving qubit 2 from Alice, Bob also performs a Bell state measurement on
qubits 2 and 4 and obtains, for example, |¦ + 24 . Now, qubits 5 and 6 are in the
entangled state |¦ + 56 (cf. Eq. 5.37 and (4) in Fig. 5.4).

|Ψ + +
|¦ + +
’ |¦ ’ ’
25 |Ψ = 24 |¦ 24 |¦
46 56 56
2 . (5.37)
+ + ’ ’
+ |Ψ 24 |Ψ ’ |Ψ 24 |Ψ
56 56

Bob sends qubit 6 to Alice, who is able to determine the state of qubits 5 and
6 by measuring them in the Bell basis. She publicly announces her result and both
parties are able to calculate the state of qubits 1, 3 and 2, 4, respectively. Alice and
Bob use these two states to agree upon a shared secret key.
In a comment [38] on the Cabello protocol Zhang, Li, and Guo presented an
attack strategy which gives an adversary full information about the key shared
between Alice and Bob (we will call this the ZLG attack further on). The idea is
that Eve prepares an entangled pair |Ψ + 78 and uses qubit 7 to replace qubit 2 ¬‚ying
to Bob (cf. (2) in Fig. 5.5). Since Bob™s measurement on qubits 4 and 7 entangles
qubits 6 and 8, Eve intercepts qubit 6 coming from Bob and performs a Bell state
measurement on it together with qubit 8. As we have seen above, qubits 2 and 5
are in the state |Ψ + 25 according to Alice™s measurement. Based on the outcome
82 S. Schauer

Alice Bob Alice Bob

¦ ¦ +
¦ ¦
35 46

Alice Bob Alice Bob

Ψ’ ¦+
13 13 24
(3) (4)
¦ Ψ+

Alice Bob

13 24

Fig. 5.4 Illustration of the protocol in [13]

Alice Eve Eve
¦’ +
¦ 78
(1) (2)
¦+ ¦+ ¦+ ¦+
35 35 46

Alice Eve Eve Bob
+ +
¦+ 25

Ψ’ ¦+
Ψ 78

13 13 48
(3) (4)

Alice Eve Bob Alice Eve Bob

¦+ Ψ’ ¦+
13 48 13 48
(5) (6)
¦+ ¦+
67 67

Fig. 5.5 Illustration of the ZLG attack scenario [38]
5 Attack Strategies on QKD Protocols 83

of her measurement, Eve knows the exact result of Bob™s measurement (cf. (4) in
Fig. 5.5). Moreover, she also knows how to change the state of qubits 2 and 5 such
that the state of qubits 5 and 6 will correspond to Alice™s and Bob™s result. Therefore,
Eve uses one of the Pauli operators I, σx , σ y , and σz onto qubit 2 to alter the state
|Ψ + 25 (cf. (5) in Fig. 5.5). When Eve returns qubit 2 to Alice, Alice performs her
measurement and will obtain a result correlated to Bob™s measurement outcome,
as it would be expected (compare (5) in Fig. 5.4 and (6) in Fig. 5.5). Since Eve™s
qubits 6 and 8 are in the same state as Bob™s qubits 4 and 7, Eve is able to obtain
full information about the key between the two legitimate communication partners
without being noticed.
As a reaction Cabello published an addendum [14] to his protocol. There he
described a solution to the problem, i.e., a way to secure the protocol in [13] against
the ZLG attack. Cabello suggested to use the Hadamard operation H , which alters
the Bell states as in the following way:

H |¦ ± = √ |¦ “ ± |Ψ ± = |ω±
H |Ψ ± = √ |Ψ “ ± |¦ ± = |χ ± .

In detail, Alice and Bob exchange qubits 2 and 6 as in the original protocol but
they perform their Bell state measurements afterward (cf. (2) and (3) in Fig. 5.6).
Additionally, Alice decides randomly whether or not to perform a Hadamard oper-
ation on qubit 3 in her possession, which alters the state accordingly to

|Ψ ’ +
|¦ ’ +
’ |¦ + ’
12 |χ = 13 |ω 13 |ω
35 25 25
2 (5.39)
’ + + ’
+ |Ψ 13 |χ ’ |Ψ 13 |χ .
25 25

Alice announces her choice together with the result of her measurement on qubits
5 and 6. If Alice does not use the Hadamard operation, both parties follow the
original protocol. Otherwise, Bob also performs a Hadamard operation on qubit
4 to undo the effects of the operation (cf. (4) in Fig. 5.6). Then he performs the
Bell state measurement on qubits 2 and 4. Due to application of the Hadamard
operation, Eve is not able to ¬nd a correct Pauli operation, when performing the
ZLG attack, and thus Alice™s and Bob™s measurement results will not be correlated.
If we take a look at the average collision probability for the ZLG attack, we get
Pc = 0.75, which is equal to the full I&R attack (cf. Eq. 5.27 in Sect.
Eve will be detected with a probability of 1 ’ (0.75)n for n compared bits during
the sifting phase, which can be made arbitrarily close to 1. The average information
Eve learns about the intercepted qubits is the same as in the entanglement attack
using the CNOT operation as described in Sect. In case Alice does not
apply the Hadamard operation, Eve is still able to obtain full information while
staying undetected. Whenever Alice applies the Hadamard operation, Bob will not
84 S. Schauer

Alice Bob


(1) (2)
+ +
¦ ¦ ¦ 46
35 35

Alice Alice Bob

Ψ’ χ+
13 25
¦+ (3) (4)
ω + 46

Alice Bob Alice Bob

Ψ’ Ψ’ ¦+
13 13 24
(5) (6)

Fig. 5.6 Illustration of the revised protocol presented by Cabello [14]

get a correlated result from his measurement in 50% of the times. This gives Eve an
information of 1 ’ H (S|M) = 0.75 for each bit, but she will be detected easily due
to the high and unbalanced occurrence of errors.
In the same year, Adan Cabello presented another protocol [12] for quantum
key distribution and quantum secret sharing which is also open to a similar kind
of attack. In this protocol three parties are involved which are able to distribute a
key among them or share a secret between two of them. Therefore, each party is
in possession of an entangled pair, i.e., |¦ + 12 , |¦ + 4C , |¦ + 5D , and, additionally,
Alice has a GHZ state |‘ 3AB as given in Eq. 5.34 at her side (cf. (1) in Fig. 5.7). She
keeps qubit 3 of the GHZ state and sends the other two qubits to Bob and Charly,
respectively. Then, Alice performs a Bell state measurement on qubits 2 and 3, Bob
performs his measurement on qubits 4 and A, and Charly performs his measurement
on qubits 5 and B (cf. (2) in Fig. 5.7). As a consequence qubits 1, C, and D are now
in a GHZ state due to entanglement swapping. It is assumed that Alice, Bob, and
Charly obtain |¦ + from their respective measurements which leaves qubits 1, C,
and D still in the GHZ state |‘ 1C D , as presented in Fig. 5.7.
Bob and Charly send their remaining qubits C and D back to Alice, who per-
forms a GHZ state measurement and publicly announces the outcome. Based on
5 Attack Strategies on QKD Protocols 85


¦+ 12

‘ 3 AB
Bob Charly
Bob Charly

‘ 3 AB

¦+ ¦+
¦+ ¦+ 4C 5D
4C 5D




¦+ 23

Bob Charly
Bob Charly
¦+ ¦+
4A 5B


‘ 1CD

Fig. 5.7 Illustration of the protocol in [12]

this public result and the results of their own measurements all three parties can
agree on a single classical bit which is later used for the secret key.
It has been shown by Lee et al. [21] that this protocol is also open to the ZLG
attack strategy. In detail, Eve prepares two entangled pairs in the state |¦ + P Q and
|¦ + R S and intercepts qubits A and B coming from Alice. She keeps the qubits
P and R and forwards qubit Q and qubit S to Bob and Charly, respectively. Both
parties perform their measurement as described in the protocol and they return the
qubits C and D. Eve intercepts also these qubits and performs a Bell measurement
on the pairs P, C and R, D. According to the measurement results, Eve is able to
select a Pauli operator and apply it on the qubits A and B that she intercepted from
Alice to preserve the correlation. Since they are still in a GHZ state together with
one qubit from Alice, these operations alter the overall state in a way such that it
corresponds to Alice™s, Bob™s, and Charly™s measurement results. In the end Eve
returns the two qubits to Alice, who performs a GHZ state measurement on them
as described in the protocol. The three legitimate communication parties will not
86 S. Schauer

detect Eve because, due to her Pauli operations, she does not introduce any error in
the protocol.
In their paper [21] Lee et al. also presented a method to secure Cabello™s protocol
against the ZLG attack. In this case Bob and Charly use the quantum Fourier trans-
formation (QFT) to secure the qubits in transit. After they received the qubits from
Alice each of them returns one qubit of the entangled pair to Alice and randomly
applies the QFT on the other one. Then they publicly announce their decision and
Alice performs the inverse QFT on the qubits she received from Bob and Charly
according to their decision. Similar to the addendum to Cabello™s protocol [14]
Eve is not able to overcome the application of the QFT by Bob and Charly. If Eve
follows the attack strategy described in [21] she intercepts the qubits coming from
Alice, Bob, and Charly but she cannot ¬nd a Pauli operation to correct the GHZ
state. Thus, the three legitimate communication parties detect Eve during the sifting
phase of the protocol due to the additional amount of error introduced by her. General Entanglement Swapping Attack
Another protocol, which was presented by Li et al. [22], also uses entangled states
and entanglement swapping to distribute a secret key between two parties. Instead of
three entangled states as in [13] just two entangled pairs are used in this protocol “
both at Alice™s side (cf. (1) in Fig. 5.8). Initially, the two pairs are in the state |¦ + 12
and |¦ + 34 and Alice performs some Pauli operation σ on qubit 1 before she sends
qubits 2 and 4 to Bob. Then, she performs a Bell state measurement on the two

Alice Bob Alice Bob


(1) (2)

Alice Bob Alice Bob

¦+ Ψ+
σx 12 12

(3) (4)
¦+ ¦+
34 34

Alice Bob

Ψ’ ¦’ (5)
13 24

Fig. 5.8 Illustration of the protocol presented in [22]
5 Attack Strategies on QKD Protocols 87

remaining qubits in her possession (cf. (3) and (4) in Fig. 5.8. Due to entanglement
swapping she knows exactly the state qubits 2 and 4 are in (cf. Eq. 5.40):

σ |¦ + +
|¦ + +
+ |¦ ’ ’
12 |¦ = 13 σ |¦ 13 σ |¦
34 24 24
2 . (5.40)
+ + ’ ’
+ |Ψ 13 σ |Ψ + |Ψ 13 σ |Ψ
24 24

Further, Alice is able to compute the state Bob™s qubits would be in if she had not
performed her Pauli operation. This piece of information is called Alice™s imaginary
result by Li et al. in [22]. When Bob performs a Bell state measurement on qubits
2 and 4 he is able to guess Alice™s imaginary result based on his own result. Alice
then publicly reveals her measurement result such that Bob can calculate the exact
operation σ she has applied before. Alice and Bob use their secret results to generate
a classical secret key.
In [35] it has been shown that this protocol is insecure against an attack strategy
based on entanglement swapping. The attack applied in this case is a kind of gen-
eralization of the ZLG attack [38] since it is based on an entangled six-qubit state
|δ (cf. Eq. 5.41) instead of just a single pair and it is also applicable on the original
Cabello protocols presented above [13, 12]

= √ |H H H H H H P Q R ST U + |H H V V H V P Q R ST U
|δ P Q R ST U
+ |H V H V V V P Q RST U + |H V V H V H P Q R ST U (5.41)
+ |V H H V V H + |V H V H V V

+ |V V H H H V + |V V V V H H .

The main idea of this attack is that the six-qubit state preserves the correlations
between the measurement results coming from the entanglement swapping. This
fact allows Eve to stay undetected. Furthermore, Eve is able to keep two qubits of
the six-qubit state which are in the same state as Bob™s qubits after the protocol has
¬nished. Explicitly, that means

|¦ + — |¦ + — |¦ +
|δ =
+ |¦ ’ — |¦ ’ — |¦ ’
+ |Ψ + — |Ψ + — |Ψ +

+ |Ψ ’ — |Ψ ’ — |Ψ ’ .

This gives Eve the same information Bob has at that time. Further, Eve listens
to the public communication between Alice and Bob and thus obtains full infor-
mation about the secret key. Eve will not be detected during the error correction
88 S. Schauer

phase because the correlation between Alice™s and Bob™s results is preserved by the
state |δ .
Regarding the protocol presented in [22] Eve™s attack strategy is the following:
Eve intercepts qubit 2 coming from Alice and qubit 3 coming from Bob (the initial
settings of [22] have been altered in [35] due to a rather simple loophole in the
original protocol). Eve performs a Bell state measurement on qubits 2 and P and
qubits 3 and S and in this way entangles herself with the two communication parties
(cf. (2) and (3) in Fig. 5.9). Eve then sends qubits Q to Bob and R to Alice, such that
all three parties are in possession of two qubits of the six-qubit state |δ . When Bob
performs a Bell state measurement on his two qubits 4 and Q the remaining four
qubits of |δ collapse into two entangled pairs (cf. (6) and (7) in Fig. 5.9). The state
of these pairs is completely determined by Bob™s measurement result. As pointed
out in Eq. 5.42 the two qubits at Eve™s side, T and U , are in the same state as Bob™s
qubits 4 and Q, and the two qubits at Alice™s side, 1 and R, are perfectly correlated
to Bob™s result as it would be expected (cf. (7) in Fig. 5.9).

Alice Eve Bo b Alice Eve Bob
¦ 12

(1) (2)
¦+ +
δ δ 34

Alice Eve Bo b Alice Eve Bob

¦+ 2P
(3) (4)
¦+ ¦+
3S 3S

δ δ

Alice Eve Bo b Alice Eve Bob
¦+ ¦+
2P 2P
(5) (6)
¦+ ¦+
3S 3S

δ δ

Alice Eve Bo b


Ψ +
¦ (7)


Fig. 5.9 Illustration of the attack strategy presented in [35]

It is also described in [35] how the protocol can be secured against such an
attack strategy: it is the same way Cabello secured his protocol in [14] “ by using
a Hadamard operation. In the beginning of the modi¬ed protocol Alice randomly
5 Attack Strategies on QKD Protocols 89

chooses whether to perform the Hadamard operation onto qubit 1 or not. This alters
the initial state of the original protocol to

|ω+ +
|¦ + +
+ |¦ ’ ’
12 |¦ = 13 |ω 13 |ω
34 24 24
2 , (5.43)
+ + ’ ’
+ |Ψ 13 |χ + |Ψ 13 |χ
24 24

where |ω± and |χ ± come from Eq. 5.38. Both parties then follow the protocol as
described above until Alice receives the qubit coming from Bob. Then she publicly
announces her choice on the Hadamard operation and Bob applies the Hadamard
operation on qubit 2, if necessary, to undo it. Both perform their Bell state measure-
ments and their results are correlated as it would be expected and they are able to
extract a classical secret key as described in [22]. Similar to the scenarios described
above, Eve will not be able to preserve the correlation between Alice™s and Bob™s
result and thus will introduce an error every time Alice performs the Hadamard
operation. In detail, Eve™s average collision probability is again Pc = 0.75 as for
the full I&R attack (cf. Eq. 5.27 in Sect.
Thus, Alice and Bob can make the probability of detecting Eve arbitrarily close
to 1, i.e., 1 ’ (0.75)n . As already pointed out in Sect. and, Eve is
still able to perfectly eavesdrop the secret bit whenever Alice does not perform the
Hadamard operation. This gives Eve the average information 1 ’ H (S|M) = 0.75,
which is higher than in the full I&R attack, but she will be detected easily because
of the 50% additional error rate, which is introduced when Alice uses the Hadamard
As it is further described in [35], Eve can ¬nd a state |δ which can compensate
the application of the Hadamard operation. But in this case Eve will introduce the
same amount of error every time Alice™s does not use the Hadamard operation. Thus,
Eve will gain nothing by using |δ instead of |δ .

5.3 Individual Attacks in an Realistic Environment

The protocols and attacks described above are settled in an ideal environment. The
photon sources emit single-photon signals only and the detectors are 100% ef¬cient.
But using today™s technology such a setting is impossible to achieve as we have
discussed in Chap. 6. Detectors are highly sensitive and often detect a signal even if
none was sent (these events are called dark counts). This has to be considered when
performing the error correction and privacy ampli¬cation.
Further, there are no single-photon sources but a normal signal pulse often con-
tains a large number of photons. To solve this problem, weak coherent pulses (WCP)
are used in actual quantum cryptographic devices (cf., for example, [30]), which are
described as

√ |n ,
|± = e (5.44)

90 S. Schauer

which is a superposition of Fock states (states with 0, . . ., n photons). Such pulses
have a rather low mean photon number μ, such that the probability to ¬nd more than
one photon in a pulse follows a Poissonian distribution [16]

μn ’μ
P n, μ = e. (5.45)

The mean photon number μ cannot be made arbitrarily low, because this will
decrease the ef¬ciency of the protocol.
In the following some attack strategies will be presented which make use of such
loopholes given by the physical limitations of QKD protocols.

5.3.1 PNS Attack
The photon number splitting attack (PNS) was ¬rst introduced by Huttner et al.
[18] and later discussed by Brassard et al. [10] and L¨ tkenhaus [25] and is the
most powerful individual attack. It is applied on realistic photon sources emitting
weak coherent pulses which generate single photons only with a certain probability
(see the paragraph above). With a small probability multi-photon pulses are emitted
containing two or more photons having the same polarization. The strategy for Eve
is to intercept these pulses coming from Alice, take one photon of the multi-photon
pulse and send the remaining photon(s) along to Bob. Eve waits until Alice and
Bob publicly compare their measurement bases and then measures the intercepted
photon in the correct basis.
In detail, the PNS attack is a little more complex. According to Eq. 5.45, the
probability that Alice™s source emits a vacuum pulse (containing zero photons) is
very high and the probability of a single-photon pulse is around 10%. Hence, the
probability of a multi-photon pulse is very low (around 5% [16]). Because of this
Eve cannot split a photon off each pulse but she has to check for the multi-photon
pulses. Therefore, she performs a non-demolition measurement to collapse the pulse
into a state containing a ¬xed number of photons. This is accomplished by a pro-
jection onto Fock spaces. If Eve intercepted a multi-photon pulse, she applies an
operator A N , which destructs one photon of the pulse and creates an appropriate
auxiliary state (cf. Eq. 5.46)

A N |N , 0 + |± = |N ’ 1, 0 + |•1
A N |0, N + |± = |0, N ’ 1 + |•2
. (5.46)
A N |N , 0 — |± = |N ’ 1, 0 — |Ψ1
A N |0, N — |± = |0, N ’ 1 — |Ψ2

From her measurement on the auxiliary system together with the information
about Alice™s basis choice, Eve is able to determine the correct value of the secret bit.
Therefore, •1 |•2 and Ψ1 |Ψ2 have to be zero such that they can be distinguished
5 Attack Strategies on QKD Protocols 91

by Eve. As pointed out in [10] such an operator can be described by the Jaynes“
Cummings model.
Using the operator A N Eve is able to obtain full information from multi-photon
signals generated by Alice™s source. But, as we already pointed out, the probability
that a multi-photon signal is emitted is rather small. Only if the probability that
Bob detects a signal is smaller than the probability of a multi-photon signal the
attack becomes a severe problem. In this case Eve suppresses all dark counts in
Bob™s module and the ef¬ciency of his detectors is increased to 100%. Further, Eve
replaces the quantum channel with a perfect channel, i.e., there are no losses due to
the channel. It is a rather paranoid assumption to give Eve the power to do all these
things, since they affect Bob™s hardware directly. But, to be secure, all possible
scenarios have to be considered. For each signal coming from Alice, Eve acts in the
following way: all signals with zero photons are ignored, since dark counts have
been suppressed. All multi-photon signals are attacked using the PNS strategy. This
gives Eve full information about the corresponding bit of the secret key. A fraction
of the single-photon signals is suppressed and the other single-photon signals are
attacked using the I&R strategy (cf. Sect. 5.2.1). Eve chooses the amount of dis-
carded signals such that they are consistent with Bob™s total detection probability.
With a perfect quantum channel and perfect detectors all errors in this scenario are
introduced by Eve™s I&R attack (the PNS attack introduces no error). Bob is not
able to distinguish these errors from the ones he expects due to dark counts and the
lossy channel. In this case the whole communication becomes insecure.
In [26] it has been shown that also the Poisson photon number distribution
can be preserved using the PNS attack, which makes it undetectable as long as
a publicly known signal intensity is used. Therefore, the decoy states method
[19, 23, 37] uses different intensities to make a detection of the PNS attack possi-
ble (cf. “Sect. 4.2.3”). Another way to secure BB84-like protocols against the PNS
attack was presented in [33]. Scarani et al. suggested an alternative sifting procedure
such that Alice does not give away her measurement basis. Instead, she announces
one of four pairs of non-orthogonal states. This leaves Bob with an inconclusive
or ambiguous result and he will have to discard his result for 75% of all signals.
Although the ef¬ciency of this protocol is much lower than for standard BB84 proto-
cols (where about 50% of the signals are discarded), it gives not enough information
to an eavesdropper such that the PNS attack can be applied successfully.

5.3.2 Trojan Horse Attack
Another attack strategy on realistic setups of QKD systems is the Trojan Horse
attack or light injection attack. It has been introduced ¬rst in [32, 6] and was dis-
cussed in more detail in [36] later on. The main idea of this attack strategy is not to
interact with the photons in transit between Alice and Bob but to probe the devices
in Alice™s and Bob™s laboratory by sending some light into them and collecting the
re¬‚ected signal. In this way Eve is able to obtain information about the detectors
92 S. Schauer

and further on which classical bit Bob measured. In detail, Eve is in possession of
a laser and a detection scheme. She sends out light pulses toward Alice™s or Bob™s
setup, which are re¬‚ected and enter the detection scheme when returning to Eve. In
[36] it is assumed that Eve uses homodyne detection for the re¬‚ected pulse and thus
needs a reference pulse. This reference pulse is delayed in an arm of the optical ¬ber
and enters the detection system together with the re¬‚ected pulse.
Eve can use the information of the re¬‚ected signal to detect which basis Alice™s
used for the preparation of the photon. The detection of the correct basis is based on
a phase modulation occurring due to the different ways the re¬‚ected and reference
beams go through [36]. If Eve is able to do this before Alice™s photon reaches Bob,
she can perform a simple I&R attack (cf. Sect. 5.2.1), i.e., intercept the photon in
transit, measure it in the correct basis, and send it on to Bob. This will give her full
information on the secret bit string.
A countermeasure against this kind of attack strategy is implemented in the plug
and play systems (cf. Chap. 6) where the intensity of incoming light is monitored
[32, 6]. The idea is that Bob sends a rather intense beam of light to Alice which is
used for synchronization with a special timing detector at Alice™s setup. This detec-
tor noti¬es the legitimate communication parties when the power of an incoming
signal extends some prede¬ned level. For protocols where light just goes one way
(e.g., out of Alice™s lab into Bob™s lab) a strategy for preventing the attack is to
add components in Alice™s and Bob™s laboratory to block Eve™s injected pulse. This
means, for example, that the laser pulses have to pass through an optical isolator and
a band-pass ¬lter [36] when leaving Alice™s setup. The isolator reduces the signals
coming into Alice™s laboratory to make a light injection attack impossible.

5.3.3 Faked States Attack

The faked states attack is a kind of I&R attack strategy but Eve does not try to
recreate the intercepted state. Instead, Eve manages to send a signal to Bob which
he can only detect in a way totally controlled by Eve. This attack was ¬rst introduced
in [28] and later extended in [27, 29]. In detail, Eve intercepts the signals coming
from Alice using an apparatus similar to Bob™s. Further, she forwards a state to
Bob which can only be detected by him if he chooses the same basis as Eve. She
can achieve this by exploiting the full detector ef¬ciency mismatch [27]. This is a
phenomenon where the signal coming into the detector has a time shift such that it is
outside the detector™s sensitivity curve. Therefore, only one detector can ¬re and the
other one is blinded out. In this way Eve can control the bit value Bob will obtain
from his measurement. The second goal of the faked states attack is to eliminate
the case where Bob performs a measurement in a basis incompatible to Eve™s basis,
thus detecting an error. Eve can achieve that by adding a relative phase to the signal
such that the whole signal is de¬‚ected to the blinded detector and is lost.
For the BB84 protocol [2] the faked states attack works as follows: Eve performs
an I&R attack and obtains some result from her measurement. Then she sends a
5 Attack Strategies on QKD Protocols 93

signal pulse to Bob which has the opposite bit value in the opposite basis compared
to what she has detected. Eve also sets the time shift of the signal such that the
detector for the opposite bit value compared to what she has detected is blinded out.
Thus, if Bob tries to detect the signal in a different basis than Eve, he would not
detect anything. Otherwise, if Bob chooses the same basis as Eve, he will either
detect the same bit as Eve or nothing at all. Therefore, every time Eve measured
Alice™s state in the wrong basis, also Bob will measure it in the wrong basis and the
results will be discarded. If Eve has chosen the right basis, also Bob measured in the
right basis and Eve has full information about this bit of the secret key.
As explained in [27, 29] it has to be stressed that Bob™s detection ef¬ciency is
reduced by the faked states attack since all signals where Bob measured in a dif-
ferent basis compared to Eve and half of the signals where Bob measured in the
same basis are suppressed. Eve can overcome this rather easily using faked states
with a proportionally increased brightness. If Eve is not able to blind one detector
completely, she can only obtain partial information about the key but, nevertheless,
stays undetected [31].
Possible countermeasures to prevent the attack are, for example, to actively mon-
itor the timing of incoming pulses at Bob™s side [27]. This can be achieved through
a random shifting of Bob™s time window or with additional detectors. Alternatively,
Bob can test the characteristics of his detectors over a variety of input signals to
especially check all features of the sensitivity curve. Another countermeasure for
Bob is to introduce random jitter into the detector synchronization to smear the
curves and lower the mismatch.

5.3.4 Time-Shift Attack
An alternative version of the faked states attack is the time-shift attack strategy [31].
The time-shift attack also exploits the detector ef¬ciency mismatch, but, contrary to
the faked state attack [28, 27, 29], it is feasible with today™s technology, as it has
been shown in [39]. The main difference is that Eve does not measure the state in
transit between Alice and Bob but randomly shifts the time of the signal such that
it arrives outside of Bob™s detector™s sensitivity curve. Due to her choice of the time
delay, Eve is able to infer the exact result of Bob™s measurement. As pointed out
in Sect. 5.3.3, if Eve is able to completely blind a detector by her time shift, she
is able to obtain full information about Bob™s measurement result. Otherwise, Eve
will obtain only partial information about the secret key. In both cases, Eve never
introduces any error, since she does not measure or otherwise interact with Alice™s
state in transit.
One difference to the faked states attack is that Eve has to deal with the increased
loss at Bob™s side in another way. Regarding the faked states attack Eve uses a
brighter laser pulse to overcome the losses, as described in Sect. 5.3.3. With respect
to the time-shift attack Eve has to replace the quantum channel by a low-loss version
to compensate Bob™s additional losses.
94 S. Schauer

The countermeasures described in Sect. 5.3.3 will also work here to prevent an
application of the time-shift attack. Additionally, phase shift settings can be applied
to Bob™s phase modulator and the detection rate and the channel loss can be checked
to secure a protocol against the time-shift attack [31].

1. Bennett, C.H.: Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett.
68(21), 3121“3124 (1992) 71
2. Bennett, C.H., Brassard, G.: Public key distribution and coin tossing. In: Proceedings of the
IEEE International Conference on Computers, Systems, and Signal Processing, pp. 175“179.
IEEE Press, New York (1984) 71, 79, 92
3. Bennett, C.H., Brassard, G., Breidbart, S., Wiesner, S.: Quantum Cryptography, or Unforge-
able Subway Tokens. Advances in Cryptology: Proceedings of the Crypto ™82, pp. 267“275
(1982) 77
4. Bennett, C.H., Brassard, G., Crepeau, C., Jozsa, R., Peres, A., Wootters, W.K.: Teleporting
an unknown quantum state via dual classical and EPR channels. Phys. Rev. Lett. 70(13),
1895“1899 (1993) 79
5. Bennett, C.H., Brassard, G., Popescu, S., Schumacher, B., Smolin, J., Wootters, W.K.: Puri¬-
cation of noisy entanglement and faithful teleportation via noisy channels. Phys. Rev. Lett.
76(5), 722“725 (1996) 79
6. Bethune, D.S., Risk, W.P.: An autocompensating fiber-optic quantum cryptography system
based on polarization splitting of light. IEEE J. Quantum Electron. 36(3), 340“347 (2000) 91, 92
7. Biham, E., Boyer, M., Brassard, G., van de Graf, J., Mor, T.: Security of quantum key distri-
bution against all collective attacks. Algorithmica 34(4), 372“388 (2002) 71
8. Biham, E., Mor, T.: Security of quantum cryptography against collective attacks. Phys. Rev.
Lett. 78(11), 2256“2259 (1997) 71
9. Bose, S., Vedral, V., Knight, P.L.: Multiparticle generalization of entanglement swapping.
Phys. Rev. A 57(2), 822“829 (1998) 81
10. Brassard, G., L¨ tkenhaus, N., Mor, T., Sanders, B.C.: Limitations on practical quantum cryp-
tography. Phys. Rev. Lett. 85(6), 1330“1333 (2000) 90, 91
11. Bruss, D.: Optimal eavesdropping in quantum cryptography with six states. Phys. Rev. Lett.
81(14), 3018“3021 (1998) 71
12. Cabello, A.: Multiparty key distribution and secret sharing based on entanglement swapping.
quant-ph/0009025 v1 (2000) 84, 85, 87
13. Cabello, A.: Quantum key distribution without alternative measurements. Phys. Rev. A 61(5),
052,312 (2000) 81, 82, 83, 86, 87
14. Cabello, A.: Reply to “comment on quantum key distribution without alternative measure-
ments”. Phys. Rev. A 63(3), 036,302 (2001) 83, 84, 86, 88
15. Ekert, A.: Quantum cryptography based on Bell™s theorem. Phys. Rev. Lett. 67(6), 661“663
(1991) 71, 80
16. Gisin, N., Ribordy, G., Tittel, W., Zbinden, H.: Quantum cryptography. Rev. Mod. Phys. 74(1),
145 (2002) 90
17. Greenberger, D., Horne, M.A., Zeilinger, A.: Going beyond Bell™s Theorem. In: M. Kafatos
(ed.) Bell™s Theorem, Quantum Theory and Conceptions of the Universe, pp. 69“72. Kluwer,
Dordrecht (1989) 80
18. Huttner, B., Imoto, N., Gisin, N., Mor, T.: Quantum cryptography with coherent states. Phys.
Rev. A 51(3), 1863“1869 (1995) 90
19. Hwang, W.Y.: Quantum key distribution with high loss: Toward global secure communication.
Phys. Rev. Lett. 91(5), 057,901 (2003) 91
5 Attack Strategies on QKD Protocols 95

20. Kim, Y.H., Kulik, S., Shih, Y.: Quantum teleportation of a polarization state with complete
bell state measurement. Phys. Rev. Lett. 86(7), 1370“1373 (2001) 79
21. Lee, J., Lee, S., Kim, J., Oh, S.D.: Entanglement swapping secures multiparty quantum com-
munication. Phys. Rev. A 70(3), 032,305 (2004) 85, 86
22. Li, C., Wang, Z., Wu, C.F., Song, H.S., Zhou, L.: Certain quantum key distribution achieved
by using Bell states. Int. J. Quantum Inf. 4(6), 899“906 (2006) 86, 87, 88, 89
23. Lo, H.K., Ma, X., Chen, K.: Decoy state quantum key distribution. Phys. Rev. Lett. 94(23),
230,504 (2005) 91
24. L¨ tkenhaus, N.: Security against eavesdropping attacks in quantum cryptography. Phys. Rev.
A 54(1), 97“111 (1996) 73
25. L¨ tkenhaus, N.: Security against individual attacks for realistic quantum key distribution.
Phys. Rev. A 61(5), 052,304 (2000) 90
26. L¨ tkenhaus, N., Jahma, M.: Quantum key distribution with realistic states: Photon-number
statistics in the photon-number splitting attack. New J. Phys. 4, 44.1“44.9 (2002) 91
27. Makarov, V., Anisimov, A., Skaar, J.: Effects of detector ef¬ciency mismatch on security of
quantum cryptosystems. Phys. Rev. A 74(2), 022,313 (2006) 92, 93
28. Makarov, V., Hjelme, D.R.: Faked states attack on quantum cryptosystems. J. Mod. Opt. 52(5),
691“705 (2005) 92, 93
29. Makarov, V., Skaar, J.: Faked states attack using detector ef¬ciency mismatch on SARG04,
phase-time, DPSK and Ekert protcols. Quant. Inf. Comp. 8(6&7), 622“635 (2008) 92, 93
30. Poppe, A., Peev, M., Maurhart, O.: Outline of the SECOQC quantum-key-distribution network
in Vienna. Int. J. of Quant. Inf. 6(2), 209“218 (2008) 89
31. Qi, B., Fung, C.H.F., Lo, H.K., Ma, X.: Time-shift attack in practical quantum cryptosystems.
Quant. Inf. Comp. 7(1&2), 73“82 (2007) 93, 94
32. Ribordy, G., Gautier, J.D., Gisin, N., Guinnard, O., Zbinden, H.: Fast and user-friendly quan-
tum key distribution. J. Mod. Optics 47(2&3), 517“531 (2000) 91, 92
33. Scarani, V., Acin, A., Ribordy, G., Gisin, N.: Quantum cryptography protocols robust against
photon number splitting attacks for weak laser pulses implementations. Phy. Rev. Lett. 92(5),
057,901 (2004) 91
34. Scarani, V., Bechmann-Pasquinucci, H., Cerf, N.J., Dusek, M., L¨ tkenhaus, N., Peev, M.: The
Security of Practical Quantum Key Distribution. quant-ph/0802.4155 v2 (2008) 72
35. Schauer, S., Suda, M.: A novel attack strategy on entanglement swapping QKD protocols. Int.
J. Quant. Inf. 6(4), 841“858 (2008) 87, 88, 89
36. Vakahitov, A., Makarov, V., Hjelme, D.R.: Large pulse attack as a method of conventional
optical eavesdropping in quantum cryptography. J. Mod. Opt. 48(13), 2023“2038 (2001) 91, 92
37. Wang, X.B.: Beating the photon-number-splitting attack in practical quantum cryptography.
Phys. Rev. Lett. 94(23), 230,503 (2005) 91
38. Zhang, Y.S., Li, C.F., Guo, G.C.: Comment on “quantum key distribution without alternative
measurements”. Phys. Rev. A 63(3), 036,301 (2001) 81, 82, 87
39. Zhao, Y., Fung, C.H.F., Qi, B., Chen, C., Lo, H.K.: quantum hacking: Experimental demon-
stration of time-shift attack against practical quantum key distribution systems. Phys. Rev. A
78(4), 042,333 (2008) 93
40. Zukowski, M., A., Z., Horne, M.A., Ekert, A.K.: “Event-Ready-Detectors” Bell state mea-
surement via entanglement swapping. Phys. Rev. Lett. 71(26), 4287“4290 (1993) 81
Chapter 6
QKD Systems

M. Suda

6.1 Introduction
This chapter summarizes information about seven QKD systems that have been
developed for SECOQC [58, 1, 26] and which are candidates for further integra-
tion to build up a prototype QKD network. In Chap. 9 the quantum-cryptographic
network of SECOQC is described in detail and Chap. 7 presents a statistical anal-
ysis of the network in a real-life environment. The mentioned seven systems are
in Sect. 6.2.1 the plug and play system (PP), in Sect. 6.2.2 the phase-coding QKD
system or one-way weak coherent pulse QKD system (Toshiba), in Sect. 6.2.3 the
time-coding QKD system or coherent one-way system (COW), in Sect. 6.2.4 the
continuous variables system or QKD with coherent states (CV), in Sect. 6.2.5 the
entanglement-based QKD system (EB), in Sect. 6.2.6 the free-space QKD system
(FS), and ¬nally in Sect. 6.2.7 the low-cost QKD system (LC).
In each section the basic ideas of each system and a more detailed physical
description are presented. Some technical details are given which are supplied by
the experimental groups themselves. Overviews of the underlying physical princi-
ples of the systems and relating quantum protocols can be found, e.g., in [27] and
[18]. Since security is the core business of a QKD network we refer to [71] which
gives an overview of the security of practical QKD.
The theoretical modeling of each system is described and the status of the secu-
rity proofs for various scenarios is mentioned. Implications of the known security
results are demonstrated. For some systems the quantum bit error rate and the secure
key rate as a function of distance between the communicating partners Alice and
Bob are discussed.

M. Suda (B)
Safety & Security Department, Quantum Technologies, AIT Austrian Institute
of Technology GmbH, Donau-City-Straße 1/1220 Vienna, Austria,
martin.suda@ait.ac.at; www.ait.ac.at

Suda, M.: QKD Systems. Lect. Notes Phys. 797, 97“121 (2010)
c Springer-Verlag Berlin Heidelberg 2010
DOI 10.1007/978-3-642-04831-9 6
98 M. Suda

6.2 QKD Systems
In the following, the technical and physical aspects of the 7 QKD systems developed
within SECOQC are described. Their physical modes of operation are explained and
information is given about the capability of the systems and about security aspects
including the quantum bit error rate and the achievable secure bit rate. The applied
quantum protocol is discussed. Appropriate literature references are enclosed.

6.2.1 Plug and Play (PP)

Since the introduction of the BB84 protocol by Bennett and Brassard [6] and the
¬rst realization in 1992 [5], many experiments have been undertaken relating QKD
(see, e.g., [27]). In this section we describe a ¬ber-optic QKD prototype which
works as an auto-compensating plug and play system [76, 59]. The device is a
long-distance (67 km) QKD system employing optical ¬bers and works at telecom
wavelengths (1550 nm) using standard telecom components. The qubits are encoded
in the relative phase between two subsequent pulses and analyzed by an unbalanced
interferometer with active phase modulation. The auto-compensation is related to
polarization rotations in the ¬ber.


1010001 USB
0101001 BS10/90
19 inches box
19 inches box 1001010
0111001 L
Alice Ethernet BS

Fig. 6.1 Sketch of plug and play system; L: laser, C: circulator, BS: 50/50 beam splitter, DL: delay
line, P M B : Bob™s phase modulator, PBS: polarizing beam splitter, B S10/90 : 10/90 beam splitter,
VA: variable attenuator, SL: storage line, P M A : Alice™s phase modulator, FM: Faraday mirror, D:
detector; see text for details

The plug and play system is sketched in Fig. 6.1. Strong linearly polarized pulses
of photons are created by a laser L on Bob™s side. The frequency of the pulses is
5MHz (period of 200 ns). The beam is separated into two parts at the 50/50 beam
splitter BS. The long arm contains a delay line DL of a length of 10 m (50 ns =
20 MHz). The phase modulator PM B is not used at that time. In the shorter arm
the linear polarization is turned by 90—¦ (not visible in Fig. 6.1). Both beams are
recombined at the polarizing beam splitter PBS where they exit Bob™s setup one after
6 QKD Systems 99

another (time delay of 50 ns) by the same port because of the orthogonal polarization
states of the two pulses. Thereby the ¬rst pulse passed the short and the second pulse
the long arm of the interferometer.
The pulses travel down to Alice where they, passing a B S10/90 (90% of the inten-
sity is registered in the detector D A ), are attenuated (variable attenuator VA) and
re¬‚ected on a Faraday mirror FM (here the polarization states are reversed) and are
further attenuated by VA. The storage line SL will be discussed below. Moreover,
Alice applies a phase of 0 or π and π or 3π on the second pulse (thus implementing
2 2
the BB84 protocol) with the phase modulator PM A . At the output of Alice™s setup
the polarizations of the two pulses are again orthogonal to each other, but have
been interchanged because of the FM. Thus, a compensation of all accumulated
polarization rotations (Bob to Alice) can take place on the way back from Alice to
Bob (auto-compensating system).
Arriving at Bob™s interferometer “ because of the changed polarization states “
the ¬rst pulse now enters the long arm where Bob chooses the measurement basis by
applying a 0 or a π phase shift on its way back using PM B . The second pulse takes
the short path. Both pulses arrive at the same time at the BS where they interfere.
Then they are detected either in D1 or, after passing through the circulator C, in D2 .
On the way back from Alice to Bob the plug and play system is a usual QKD
system using phase encoding between coherent pulses. The strong pulses sent from
Bob to Alice do not contain the information about the qubit: the quantum informa-
tion travels only one way, namely from Alice to Bob.
Since the pulses travel back and forth, backscattering light (elastic Rayleigh scat-
tering) can considerably increase the noise. Therefore, Bob™s laser sends trains of
pulses. The length of these trains corresponds to the length of the storage line (SL)
introduced for this purpose behind the VA at Alice™s setup. Therefore, the backward
propagating pulses do no longer cross the bright pulses in the ¬ber. For a length of
the SL of approximately 20 km, a pulse train contains 480 pulses at a frequency of
5 MHz. The 10/90 BS directs most of the incoming light to a detector module D A
which is “ amongst others “ used to synchronize the 5 MHz clock of Bob™s laser
and which guarantees that PM A is activated in time. This synchronized clock allows
Alice to apply a phase shift exactly when the second pulse passes 50 ns after the ¬rst
pulse. This second pulse contains phase information and must be attenuated below
the one-photon-per-pulse level.
As a measure of security, the number of coincident clicks at both detectors D1
and D2 is registered which is important to limit beam-splitting attacks.
The raw key Rraw between Alice, the transmitter, and Bob, the receiver, is

Rraw = q ν μ t AB t B · B · SL ·„ , (6.1)

where the following quantities have been used:
q, depends on the implementation (= 1 for the BB84 protocol)
ν, repetition frequency
μ, average number of photons per pulse (≈ 0.1)
t AB , transmission of the line Alice“Bob (= 10’±d/10 , ± = 0.2 dB/km = absorption,
100 M. Suda

d = distance)
t B , Bob™s internal transmission (≈ 0.6)
· B , Bob™s detection ef¬ciency (≈ 0.1)
· SL , factor because of length l SL of the storage line (= l SL /l SL + d)
·„ , factor because of dead time „ of the detector ( 1).
The second-most important parameter is the quantum bit error rate QBER =
f alse counts
(should be < 10%):
total counts

QBER = QBERopt + QBERdark + QBERafter + QBERstray . (6.2)

QBERopt . . . probability for the photon to hit the wrong detector
QBERdark . . . error rate because of dark counts [77]
QBERafter . . . is the probability to have an after pulse in the detector [77]
QBERstray . . . the errors induced by stray light (Rayleigh backscattering)
Error correction and privacy ampli¬cation lead to the following formula of the
¬nal key rate R¬n [27, 20, 80, 22]:

R¬n ∼ (I AB ’ I AE ) AB Rraw .
= (6.3)

I AB = 1 + D log2 D + (1 ’ D) log2 (1 ’ D), I AE ∼ 0.3 + I2ν and I AB =
1 + D log2 D ’ 2 D, where D = Q B E R. Here I2ν is due to multi-photon pulses

and has values of about 0.06, 0.14, and 0.40 for 5, 10, and 20 dB losses [76].
Security proofs are brie¬‚y alluded: For the BB84 protocol the security proof
GLLP against an arbitrary attack exists [32]. Under weaker assumptions the NSG
proof applies [61]. For the so-called SARG protocol a proof exists for incoherent
attacks [9]. For the decoy-state protocol a security proof against an arbitrary attack
has also been published [32, 49]. In Chap. 5 some attack strategies on QKD proto-
cols are presented.

6.2.2 One-Way Weak Coherent Pulse QKD, Phase Coding

In this section the one-way decoy pulse QKD system is discussed employing a pro-
tocol which involves one-way decoy pulses together with vacuum pulses [19].
QKD affects the secure communication between two remote parties Alice and
Bob where the security of the keys is determined by the laws of quantum mechanics
rather than the use of strong, one-way mathematical functions of encryption [27].
Since the original proposal [6] there has been an amount of work, beginning with
the ¬rst experimental demonstration in 1992 [5], but reliable and compact systems
compatible with existing telecom ¬ber technology are now starting to emerge [76]
In the ideal case the QKD setup should be designed employing a true single
photon source to guarantee immunity against the so-called photon number splitting
(PNS) attacks from a potential eavesdropper (Eve) [83, 49, 12]. However, there is
6 QKD Systems 101

a lack of deterministic and reliable single photon sources. Most of the implemen-
tations use heavily attenuated lasers which emit photon pulses with a Poissonian
number distribution. The PNS attack consists of blocking true single photons in the
quantum channel and removing part of the multi-photon pulses by transmitting the
remaining portion to Bob. Eve can then determine all or part of the key [12]. For
further information on PNS attacks cf. Sect. 5.3.1.
In 2003 Hwang proposed to circumvent the PNS attack using additional (decoy)
pulses sent by Alice [42]. The idea was to intersperse the signal pulses randomly
with some “decoy pulses” that are weaker on average and so very rarely contain
a multi-photon pulse. If Eve attempts a PNS attack, she will therefore transmit a
lower fraction of the decoy pulses to Bob than the signal pulses. Thus, by mon-
itoring the transmission of decoy and signal pulses separately, the attack can be
detected [83] [49]. This means that stronger pulses may be used securely. A proof
of the decoy pulse protocol has been given which also includes realistic experi-
mental assumptions (GLLP) [32]. Recently a promising one-way QKD system was
presented employing a single decoy pulse [85].
For now it is instructive to describe the method of phase coding in two interfer-
ometers (shown in Fig. 6.2). In the BB84 protocol Alice prepares randomly four

Fig. 6.2 Sketch of the optical layout of the one-way weak coherent pulse QKD system (phase-
coding). The system represents a BB84 phase encoding protocol including weak + vacuum decoy
states. Atten.: attenuator, IM: intensity modulator, PC: polarization controller, WDM: wavelength
division multiplexer, FS: ¬ber stretcher, APD: avalanche photo diodes, FPGA: ¬eld programmable
gate array
102 M. Suda

states using a ¬rst interferometer where the two arms have different lengths in order
to produce suf¬cient time delays between the pulses. In one of the arms a phase
shifter ± is inserted. The phase shift ¦ in Fig. 6.2 at Alice™s box represents the
quantity ± used in the formalism here. The principle of the BB84 protocol can
easily be understood for the idealized case where a single input photon (state |1 |0 ,
including the vacuum port |0 ), is given. Inside the interferometer four states are
generated which belong to two mutually orthogonal bases √2 (±|1 |0 + e±± |0 |1 )

where ± = 0, π (bits 0 and 1 in the X basis) or ± = π , 3π (bits 0 and 1 in the
2 2
Y basis). Time separation (or “ equivalently “ space separation of the pulses) is
not included in the formalism in order to simplify matters. For time separation a
complete wave packet description of the phase-coding protocol BB84 is necessary
[78]. In short, the delay lines at Alice and Bob have to be equal in order to have
interference between photons which take, e.g., in the ¬rst interferometer the short
path and in the second interferometer the long path or vice versa. Only these events
are indistinguishable from a quantum mechanical point of view [59].
But let™s continue our prior considerations. The state behind Alice™s interferom-
eter can be expressed as 1 [(e±± ’ 1)|1 |0 + ±(e±± + 1)|0 |1 ] describing the two
outputs [25]. The probabilities of the two outputs are sin2 ( ± ) and cos2 ( ± ) , respec-
√ 2 2
tively. If a coherent state | μ |0 is considered as input, the two outputs behind the
√ √
μ ±± ± μ ±±
interferometer can be described by the product state | 2 (e ’ 1) | 2 (e + 1)
where μ is the mean photon number of the pulse to be considered. The probabilities
of the outcomes are in this case μ sin2 ( ± ) and μ cos2 ( ± ) . Bob, receiving the corre-
2 2
sponding state, has a similar interferometer and detects in the X(Y) basis by phase
shift β = 0 (β = π ). The phase shift ¦ in Fig. 6.2 at Bob™s box represents the
quantity β used in the formalism here. His interferometer has two output detectors.
If, e.g., he sets β = 0 and Alice has taken ± = 0 or ± = π, one of his detectors
obtains a conclusive result which determines bit 0 or 1 (basis X ). In case of β = 0
and ± = π or 3π the detectors of Bob click by chance [Alice (Y ) and Bob (X ) use
2 2
different bases]. A complementary process happens for β = π . Having consistent
bases Alice and Bob retain their data while discarding the other ones. This completes
the process of data sifting in the protocol BB84. Both bases correspond thus to an
interferometric measurement.
In Fig. 6.2 a one-way ¬ber-optic QKD system with phase encoding is used.
Two Mach“Zehnder phase encoding interferometers are applied. Alice and Bob
are linked by a 20 km ¬ber spool through which the signal (an optical pulse with
wavelength » = 1.55 μm) is transmitted at a repetition rate of about 7 MHz. The
clock pulses (» = 1.3 μm), which do not overlap the signal pulses, have a dura-
tion of 5 ns each and deploy as synchronization. An intensity modulator is used in
order to produce signal and decoy pulses of different intensities at random times
whereas vacuum decoy pulses are produced by omitting trigger pulses to the sig-
nal laser. The signal and decoy pulses are strongly attenuated to the single photon
level, while a strong clock pulse is then multiplexed with them to provide syn-
chronization. Bob™s detectors are two single photon InGaAs avalanche photodiodes
6 QKD Systems 103

The weak coherent pulse (WCP) decoy state + vacuum state BB84 protocol
mentioned above was implemented [42]. The mean number of photons per pulse
for signal and decoy states has to be chosen to be μ = 0.55 and ν = 0.10, respec-
tively. The optimal probabilities of the various pulses are signal Nμ = 0.93, decoy
Nν = 0.06, vacuum N0 = 0.01.
The properties of the detectors are carefully adjusted in order to avoid so-called
fake-state attacks [55, 54, 56] and time-shift attacks [66, 86]. For further details on
these kinds of attacks cf. Sect. 5.3.3 and 5.3.4, respectively.
A secure bit rate of greater than 10 kbps over 60 h was observed. This is approxi-
mately two orders of magnitude higher than what can be achieved at a ¬ber distance
of 20 km without decoy states [30]. It is assumed that such a system could be very
useful to be placed in a real-world environment such as a quantum network with
¬ber links of around a few tens of kilometers.
It should be mentioned that phase-coding QKD was demonstrated using an opti-
cally excited, triggered single photon source (SPS) emitting at a wavelength of
» = 1.3 μm [44]. The SPS (quantum dot source) shows a tenfold reduction in
multi-photon emission compared to a laser and has been used to distribute keys
secure from the PNS attack over 35 km along an optical ¬ber [32].

6.2.3 Coherent One-Way System, Time Coding (COW)

The coherent one-way QKD system COW was developed by GAP (Group of
Applied Physics, University of Geneva) [75, 28, 74]. A sketch of the con¬guration
is drawn in Fig. 6.3. The COW protocol described below is based to a certain extent
on the well-known BB84 protocol [6, 27].
In the previous section the BB84 protocol has been described. Two mutu-
ally orthogonal bases, X and the Y , have been applied. However, a third basis
{|1 |0 , |0 |1 }, called Z, can be used in principle, where applying this basis means

Fig. 6.3 Conceptual scheme of the quantum channel for implemented BB84 protocol with time-
coding (coherent one-way-system COW); the left (right) box belongs to Alice (Bob); the trans-
mission coef¬cient t B to Bob™s detector D B amounts to 0.9, the transmission coef¬cient for the
interferometer line is (1 ’ t B ) and has a value of 0.1; see text for details


. 4
( 9)