Quantum Flows for Secret Key Distribution

1. Introduction

Quantum key distribution (QKD) is a technique to distribute securely a cryptographic key between two remote users, usually called Alice and Bob. The first QKD method was conceived by Charles Bennett and Gilles Brassard in 1984, usually referred to in literature as BB84 [1]. Figure 1 shows a simplified representation of the two-dimensional Bloch sphere, the quantum states, and the measurement bases of BB84.

QKD systems are designed to serve the purpose of generating secret bits, usable to encrypt plain-text messages based on a simple X – Or logical function between the message and a secret key. The use of this system provides the availability to detect any eavesdropper, commonly called Eve, trying to intercept the quantum channel to get the key. In this case, the whole process will be discarded before a key can be established [2]. On the other hand, if no eavesdropping activity is detected, the quantum measurements are used to derive the secret key. When the transmission is finished, Alice and Bob compare a fraction of the exchanged key in order to detect any transmission errors caused by eavesdropping. Experimentally, QKD systems have been proved using dedicated optical fibers, across free space, weak laser pulses or single photons, entangled photon pairs, or continuous variables [3].

We propose a new approach for QKD protocols called quantum flows where the transmitter interleaves pairs of quantum states, referred to here as parallel and orthogonal (non-orthogonal) states, while the receiver applies active basis selection to perform state measurement. In a study by Lizama et al. [4], a brand new QKD protocol, called ack-state and referred to also as ack-QKD, is introduced. This protocol uses weak coherent states and active basis measurement and has the capability to detect photon number splitting (PNS) eavesdropping activity, and its strengths against the PNS attack are discussed by Lizama-Pérez et al. [5]. The ack-state protocol was extended by Lizama-Pérez et al. [6] to the dual protocol known as nack state protocol in order to have an analysis of its security when facing an intercept and resend with faked states (IRFS) attack.

One of the main advantages of these protocols is that they protect against the PNS and the IRFS attacks without requiring any changes in the hardware; only software changes are required.

2. Quantum hacking in QKD systems

In ideal conditions, QKD protocols’ security is based on the attributes of quantum mechanics, as it makes eavesdropping activities detectable in the middle of the quantum channel [1, 7]. But the technological implementation brings serious concerns as most of the QKD systems have vulnerabilities to quantum hacking due to loopholes in the optical detection system [8–18]. Given this condition, it is necessary to develop new QKD protocols that are able to resist different attacks due to such vulnerabilities as the photon number splitting (PNS) and the intercept and resend with faked states (IRFS) attacks [19, 20].

A variety of attacks have been conceived of as exploiting the security of BB84-based systems, either theoretically or technologically. The photon number splitting (PNS) attack belongs to the first category. In the second class, commonly referred to as quantum hacking, the intercept resend with faked states (IRFS) attack can be included, which exploits loopholes in the avalanche photo diodes (APDs) of the electronic detection system. We will briefly describe each of them.

1. In the PNS attack the eavesdropper blocks the 1-photon states but she stores the multi-photon states allowing at least one photon to reach Bob’s detection system. Ideally, in the BB84 protocol [1], the quantum states sent by Alice to Bob contain single photons. Nevertheless, perfect single photon sources are not technologically available nowadays [21], so, to get the implementation of QKD, laser pulses attenuated to very low levels have been used. Such laser pulses contain very short numbers of photons, in average typically around 0.2 photons per pulse in a Poissonian distribution; that means that most pulses contain no photons, a few pulses contain just one photon, and a really short amount of pulse contains two or more photons. If a pulse contains more than one photon, Eve can get from it the extra photons and transmit a single photon to Bob. Eve can store the photons she obtained from the multi-photonic pulses and wait until Bob reveals the measurement basis he has applied. Then Eve can measure the photons she stored by using the same measurement basis as Bob did. In this way she obtains information about the key without being noticed by Alice and Bob. This is called the photon number splitting (PNS) attack, and some related references with security proofs of the PNS attack can be found in [1, 7, 22–24].

   To overcome the PNS attack a few protocols have been developed: Decoy QKD [18], SARG04 [25], the differential phase shift (DPSK) [26], and coherent one way (COW) [27]. One of the most promissory alternatives is the decoy QKD. In this protocol Alice prepares a set of quantum states in addition to the typical states of the BB84 protocol. These extra states are called decoy states. Decoy states are used only with the purpose to detect the eavesdropping activity, rather than establishing the key. In order to produce the decoy states, Alice randomly uses different mean photon numbers on the photonic source. For example, she could send the first pulse with a mean photonic pulse of μ=0.1, the second pulse with μ=0.4, the third pulse with μ=0.05, and so on. To each mean photon number a different probability of producing more than one photon in the correlated pulse corresponds. The difference between the standards BB84 states and the decoy states is the mean photon numbers. Given this, Eve is not able to distinguish a decoy state from a quantum key related state and the only information she gets is the number of photons in a pulse. Thus, decoy states can be introduced to secure the BB84 protocol from PNS attacks, allowing at the same time high key rates. In both, BB84 and decoy QKD protocols, a single photonic gain in the quantum channel is established. Lamentably, Eve can set successful attacks to the decoy QKD if it is able to set the QBER to zero by adjusting the gain of the quantum channel.

2. Intercept Resend (IR) attack: In this attack, Eve measures each photon pulse sent by Alice and replaces it with a different pulse prepared in the quantum state that she has previously measured. In 50% of the measurements, Eve successfully chooses the correct measurement basis, while Bob chooses the same basis as her half of the time. Given that, she generates a quantum bit error rate (QBER) of 50%×50%=25% (see Figure 2 and a study by Bennett et al. [7]).

3. Intercept resend with faked states (IRFS) attack.

   In the intercept resend with faked states (IRFS) attack, the eavesdropper does not want to reconstruct the original states. Instead, it produces pulses of light controlled by her that are detectable by Bob as she stays unnoticed in the quantum channel. Due to imperfections in their optical system, Alice and Bob assume that the quantum states they are detecting are the original ones while they are actually detecting light pulses generated by the eavesdropper. Those light pulses are known as faked states [10]. There are several weaknesses in Bob’s detector than can be exploited to perform this attack such as time shift [11–13] or quantum blinding [10–12]. When using quantum blinding (quantum blinding attack), the QKD system is controlled by an eavesdropper who uses bright photon pulses during the linear mode operation of the APDs. Using this attack, Eve can eavesdrop on the full secret key but it will not increase the QBER of the protocol. To do this, Eve sends bright pulses to Bob and those are detected by the APD. It will then operate like a classical photo diode instead of operating in Geiger mode and allowing Eve to obtain the key [14, 15].

   Resulting from this, as shown in Figure 3a, when Bob selects the same measurement basis Eve has chosen, a detection event occurs in the corresponding APD detector. On the other hand, if Bob measures using the opposite basis, as in Figure 3b, the two detectors get a part of the optical power and no event is detected. In this way, the eavesdropper blinds Bob’s APD detectors and makes them work as classical photo diodes. In the final stage of the protocol, Eve uses the announcements made by Bob on the public channel to execute the classical post-processing, getting the same secret bit as Alice and Bob.

   A watchdog detector that can detect bright faked states can be used as a very simple countermeasure and it can be applied in the electronic detection system [16]. In the University of Singapore an intercept resend attack with faked states and quantum blinding over a commercial QKD system was for the first time implemented [15].

It is important to note that the IRFS attack works dangerously well on widely used QKD protocols, namely SARG04, BB84, coherent one way (COW), differential phase shift (DPSK), Ekert [12], and the decoy state method, as described by Wiechers et al. [16] and Sun et al. [28]. The attack shows an extra 3 dB loss due to the basis of mismatch between Eve and Bob. In the practice, Eve compensates it easily as she can use better detector efficiencies and surpass the loss in the channel. Demonstrations of blinding attacks on detectors have been implemented in two commercially available QKD systems [14]. Reports show that Eve obtains the entire secret key for the time she remains unnoticed by the legitimate parties [15]. We should finally remark that due to control detector attacks with active basis selection, the gain from Eve to Bob is reduced by a half compared to the gain from Alice to Bob.

1. For Bob’s basis choice matching Eve’s, the detector clicks deterministically and.

2. For Bob’s basis choice not matching Eve’s, the faked state is not detected.

3. The ack-state protocol

Consider a BB84-based protocol encoding a classical bit that uses one of the four non-orthogonal quantum states ∣+X⟩,∣−X⟩,∣+Z⟩, and ∣−Z⟩ (see Figure 1). When using the SARG04 protocol [25], Alice produces one of the four BB84 quantum states she will send to Bob, it means, she produces a state associated with two conjugate basis (X and Z). Classical bits on SARG04 protocol are encoded as follows: 0 is coded with∣+Z⟩ and ∣−Z⟩ and 1 is coded with ∣+X⟩ and ∣−X⟩ (see Figure 4) where black dots in the bidimensional Bloch sphere represent the qubits (the non-orthogonal states are right angled and the orthogonal states are represented as diametrically opposed and the parallel states have the same position in the sphere). The basis measurement X and Z appear as horizontal and vertical lines, respectively. In contraposition, the BB84 protocol encodes the bit 0 as ∣+Z⟩ and ∣−X⟩ and the bit 1 with ∣−Z⟩ and ∣+X⟩.

In the sifting phase of the SARG04 protocol, the basis used by Alice is not revealed as this would reveal the bit. As a substitute, she declares to which sifting set the state belongs in accordance with the following four sifting sets: S++=+X⟩+Z⟩, S+−=+X⟩−Z⟩, S−+=−X⟩+Z⟩, and S−−=−X⟩−Z⟩. For instance, consider that Alice sends ∣+X⟩ and she announces the set S++. Bob makes his measurements on the X basis and he gets the result ∣+X⟩; and as this result can be obtained for both states in the set S++; he needs to dispose of the bit 1 from ∣+X⟩. In case Bob measures using the Z basis measurement and obtains ∣+Z⟩, once more, he is not able to distinguish the state sent by Alice. In the opposite way, if he measures in the Z basis and gets ∣−Z⟩, he is sure Alice sent ∣+X⟩ and adds a 0 to his key. On her side, Eve needs to perform a measurement using the conjugate basis X and Z to obtain the same secret bit as Bob, demanding multi-photonic pulses with at least three photons.

Similar to the BB84, in the ack-state protocol, Alice encodes a classical bit as: 0 is encoded with ∣+Z⟩ and ∣−X⟩ and 1 is encoded with ∣−Z⟩ and ∣+X⟩. And also, in the same manner as the SARG04 protocol, the ack-state uses the four sets of non-orthogonal states S++=+X⟩+Z⟩, S+−=+X⟩−Z⟩, S−+=−X⟩+Z⟩, and S−−=−X⟩−Z⟩. But in the ack-state protocol the set Alice used, S++,S+−,S−+ or S−−, is never revealed. As an illustration, suppose Alice chooses the set S++=+X⟩+Z⟩ rather than transmitting one of the two states, say ∣+X⟩, and publishing the sifting instance, S++, she transmits the two states ∣+X⟩ and ∣+Z⟩. At that point, Bob measures the states using the same basis, X or Z, one by one, as the two states reach successively. If Bob measures with the X basis, he surely will obtain ∣+X⟩ (after he measures the first state) but he can obtain ∣+X⟩ or ∣−X⟩ on the second measurement, with a probability of 0.5 for each event. If Bob obtains +X⟩−X⟩ after the second measurement, the result is unclear to him and he has to discard it. On the other hand, if he gets +X⟩+X⟩ the result is unambiguous and he should add a bit 1 to his key. With the purpose of allowing Alice to recover the same bit, Bob makes the announcement of the basis measurement X and the matching condition in accordance with the following criterion: 2M if the two detection events make clicks on the same detector; it includes the cases +X⟩+X⟩,−X⟩−X⟩,+Z⟩+Z⟩,−Z⟩−Z⟩ and (2nM) if the detection event makes clicks on the opposite detectors, for example, +X⟩−X⟩,−X⟩+X⟩,+Z⟩−Z⟩,−Z⟩+Z⟩. Alice obtains the secret bit given that the +X⟩+Z⟩ states she sent, the X basis, and the 2M measurement result permit her to conclude that Bob definitely got +X+X (consider the cases depicted in Table 1).

Contrarily, in the case Bob measured the two states ∣+X⟩ and ∣+Z⟩ with the Z basis, he would acquire one of the two possible results: 2M=+Z⟩+Z⟩ or 2nM=−Z⟩+Z⟩. In the first case, he publishes the Z basis and the 2M result; then Alice and Bob add a 0 to the key. In the second case, Bob makes the announcement of the Z basis and the 2nM result but in this case, they discard the result. When using the ack-state protocol the 2M results can be used to distill secret bits but 2nM is unclear causing those measurement outcomes to be useless and so they have to be discarded.

The ack-state protocol was introduced in [4]. In such a reference, the non-orthogonal states are called protocol states while parallel states are named decoy states. The ack-state protocol encodes one classical bit using two quantum states. Such encoding is done by means of non-orthogonal or parallel states. In quantum physics, if X=0X⟩1X⟩ and Z=0Z⟩1Z⟩ are orthonormal bases, then the magnitude of each basis vector is the unity and any vector in such a space can be written as a linear combination of such basis. For instance, ∣0X⟩ can be rewritten as 12∣0Z⟩+12∣1Z⟩. Two qubits ∣0X⟩ and ∣0Z⟩ are non-orthogonal if the inner product between them is different from zero, symbolically 0X∣0Z≠0. In consequence, 0X∣0Z=121+120 and 0X∣0Z=12. The inner product of orthogonal qubits is zero, for example, 0X∣1X=0 and identical (or parallel) qubits produce the unity under the inner product; thus, 0X∣0X=1.

Using this protocol, Alice chooses at random between sending a pair of parallel or non-orthogonal states. At the opposite side, Bob makes the measurement of the two successive pulses he receives with the same basis measurement, X or Z (see Figure 5). In this context, the pair of quantum states sent by Alice is called biqubit. Parallel biqubits define the parallel quantum flow and non-orthogonal biqubits define the non-orthogonal quantum flow. Summarizing the ack-state protocol with non-orthogonal and parallel states, we have the following:

1. Alice randomly selects between a non-orthogonal biqubit and a parallel bi-qubit. In case she selects a non-orthogonal biqubit, she has to select at random one of the following states: 0X0Z0X1Z1X0Z1X1Z, where the order between states X or Z is as well picked at random. In case she selects a parallel biqubit, she should randomly choose a biqubit from the set: 0X0X1X1X0Z0Z1Z1Z. and then she gets it ready and transmits it to Bob.

2. At random, Bob chooses the basis X or Z to measure the received biqubit.

3. Bob’s basis of measurement is announced by him over the public channel and he also declares if the result obtained is either a double-detected event (2M or 2nM), a single-detected event (S-1 or S-2), or a lost biqubit 2L (see the discussion below).

4. After analyzing those results, Alice tells Bob which cases to discard.

Table 2 shows the results after Bob measures two consecutive states. Thus, one of the following detection events can be obtained:

1. The states generate a double-detection event: The symbol ++ is used to designate the photonic gain in a double-detection event. When both events are registered in a same detector, we call it a double-matching 2M detection event. If the results of the measurements of the states are opposite, then we face a double non-matching 2M detection event. Whereas 2M non-orthogonal outcomes are useful to distill secret bits, the 2M results cannot be used and are disposed. When we have a 2M detection event, we may say that the second measurement is the acknowledgment (the ack) of the first measurement. In Figure 5 (top-right) the qubit ∣0X⟩ is the first one sent by Alice and then she sends the qubit ∣0Z⟩. As the X basis is used by Bob to measure both qubits, the qubit ∣0X⟩ is measured as ∣0X⟩ but the qubit ∣0Z⟩ is measured as ∣0X⟩ or ∣1X⟩ with an equal probability of 50%. When Bob’s measurement generates ∣0X⟩, we say that this measurement is the ack of the first ∣0X⟩ state. Vice versa, if Bob gets ∣1X⟩, we say that ∣1X⟩ is the negative acknowledgment (the nack) of ∣0X⟩.

   In a channel with losses, we have two more possible results.

2. The single-detection event occurs when one state is lost and Bob obtains only one detection event. The symbol ±∓ is used to designate the single-detection event. More specifically, Bob uses the symbol S‐i to represent the single-detection event, where i can be 1 or 2, depending on the state number that makes clicks after the basis measurement X or Z is applied to the two consecutive incoming states. This way, the number i will be published by Bob.

3. The two pulses are lost. This case is denoted as −− or alternatively as 2L.

When applying the ack-state protocol, two consecutive non-orthogonal states are used by Alice and Bob to distill one secret bit. The basis measurement X or Z is declared publicly by Bob along with the sifting instances; he obtained 2M, 2M, S‐1, S‐2, and 2L. Furthermore, the bits acquired from the single-detection events S‐1 and S‐2 are used by Alice to confirm the single photonic gain of the quantum channel.

4. The nack-state protocol

The nack-state protocol is the dual version of the ack state protocol discussed in [5]. Both protocols constitute a generalization of the well-known BB84. The nack state protocol uses couples of parallel and orthogonal states rather than just single non-orthogonal states utilized as a part of BB84. This straightforward distinction makes the nack state strong when facing the IRFS attack, as we will demonstrate later on. We selected the nack prefix to indicate that, provided Alice transmits two quantum states to Bob, the second measurement behaves as the negative acknowledgment (nack) of the one before, since it yields the opposite bit result.

The pair of quantum states is denoted as a biqubit. More specifically, the following biqubits are defined in the nack state protocol: four parallel biqubits 0X⟩0X⟩,0Z⟩0Z⟩,1X⟩1X⟩,1Z⟩1Z⟩ and two orthogonal biqubits 0X⟩1X⟩,0Z⟩1Z⟩. The parallel and orthogonal biqubits are interleaved at random by Alice. The performance of the protocol is not altered by order of the quantum states within the biqubit (see Figure 5). On the opposite side of the quantum channel, Bob measures two incoming states of a biqubit utilizing the same measurement basis (X or Z). The following steps depict the nack state protocol:

1. Alice is equipped with a photon source with an expected photon number μ showing Poisson distribution. A parallel or an orthogonal biqubit is selected at random by Alice, and she arranges the biqubit to be sent to Bob through the quantum channel.

2. The biqubit (two incoming pulses) is measured by Bob using the same measurement basis X (or Z) that he selects haphazardly (in a further section, we discuss the convenience of avoiding consecutiveness of states and how it can be prevented if Alice forwards a burst of the first states of each pair, followed by a burst of the second states of each pair).

3. Bob declares publicly his measurement basis decisions.

4. Alice and Bob perform sifting utilizing single compatible events and double compatible matching detection events (from parallel states) in order to share secret bits. Likewise, sifting is applied to the double-detection events that contain a single compatible detection event. With this aim, Bob indicates if the single detection is the first or the second inside the biqubit.

Table 3 exhibits a case of the nack state protocol. Here, two biqubits are transmitted to Bob from Alice. The first biqubit is the orthogonal pair 0X⟩1X⟩, and the second biqubit is the parallel pair 1Z⟩1Z⟩. In case the two states sent by Alice reach Bob’s detection system with no failure, a double-detection event is generated. In the situation that just one of the two states of the biqubit reaches Bob’s station, he gets a single-detection event.

The nack-state protocol has been conceived of to use the same optical hardware of the BB84 protocol; thus, it can be configured in most QKD systems as a software module application. However, two additional tasks must be implemented: the random computation of biqubits before preparing and sending the quantum states and the sifting stage of the protocol, which must include (1) sifting of single matching (compatible or non-compatible), where Bob announces the number of the single-detections inside the biqubit and (2) sifting of double detection, matching or non-matching, from parallel or orthogonal states. The error correction and privacy amplification stages of the QKD protocol do not require changes.

5. The photon number splitting attack

In the PNS attack, the eavesdropper captures no less than one photon from each of the multi-photon states with the purpose of storing them in quantum memory, at the same time that she hinders the single photon states in the quantum channel. When Bob has uncovered over public channels the measurement basis he has used, the eavesdropper executes the same measurements on the quantum states she has stored [25].

When the PNS attack is applied to the ack-state protocol, the eavesdropper captures no less than one photon of the multi-photon states (parallel and non-orthogonal), and she stands by Bob’s declarations about the measurement bases he has utilized with the aim of applying the same measurements on her stored states. In Bob’s side, a distribution over the following sifting events is achieved 2M, 2nM, S‐1, S‐2 and 2L, where every one may originate in parallel or non-orthogonal states; however, just Alice knows those outcomes.

After Bob declares both the measurement bases (X or Z) and the sifting occurrences, Eve executes the measurements utilizing the same measurement bases and she gets the same bits from the multi-photonic single sifting instances: S‐1 and S‐2, parallel and non-orthogonal. Moreover, the same outcomes from the 2M measurements of the parallel and (a half of the) non-orthogonal multi-photonic states are acquired by the eavesdropper. However, she cannot acquire the secret bits from the 1-state S‐i and 2M sifting occurrences, given that the eavesdropped cannot discriminate parallel and non-orthogonal states.

In order to get the secret bits, Eve obstructs the 1-photon states which incorporate single and double-detection events from parallel and non-orthogonal states. In doing that, an error gain in the photonic gain of the single and double-detection events is introduced by Eve. At that point, Eve executes a channel substitution expanding the transmittance of the channel. The fiber channel transmittance among Alice and Bob is written as TAB=10−αl10 where α is the loss coefficient measured in dB/km and the length l is measured in km. Moreover, the local transmittance at Bob’s side, ηB, is defined as tBηD where tB is the internal transmittance of optical components and ηD is the quantum efficiency of Bob’s detectors. Then, the general transmission and detection efficiency at Bob’s side ηBT is computed as ηBT=tBηDTAB [18]. A mathematical description of the gain of detection events will be presented in the following section.

6. The IRFS attack

What should Alice and Bob expect from the nonappearance of the IRFS attack? For illustrative purposes, consider the situation where μ=0.2, ηBT=0.8, which is the general efficiency among Alice and Bob and zero dark counts Y0=0. In such a case, the great majority of the total biqubits sent by Alice to Bob ends up in Bob’s station as lost biqubits ∼72.61%; single-detection events are ∼25.2%, and just ∼0.0219% of the measurement cases are double-detection events. Despite the double-detection gain being very low, it ought not be viewed as insignificant given that the amount of pulses sent by Alice is high (1011−1013 [29]), and the transmission interim can be legitimately upgraded. However, for practical purposes, we will presume that the secret bits in the nack state protocol are delivered by single-detection events, and the key rate is at most the BB84 key rate. Nevertheless, we assert that double-detection events can be utilized to identify the IRFS attack, so in this section, we defend the security of the protocol, in spite of Eve’s endeavors to enhance her attack.

6.2. Detecting the IRFS attack with quantum channel substitution

It is expected that the eavesdropper would endeavor to adjust both gains, from single- and double-detection events, applying a quantum channel substitution and tuning it to a specific transmittance. We define the quantum photon error gain (QPEG or simply ΔQ) as the deviation from the reference gain that is caused by Eve’s apparatus at Bob’s receiver station when she performs the IRFS attack. In ordinary conditions, it is ideally expected that ΔQ∼0, for the single- and the double-detection events.

QPEG of double ++-detection events is written as ΔQ++, while we denote the QPEG of single ±∓-detection events as ΔQ±∓. ΔQ++ is computed as the difference Q++AB−Q++EB where the symbol ++AB defines the reference gain of the double-detection events and ++EB denotes the gain of the double-detection events at Bob’s side but in the presence of Eve. Similarly, ΔQ±∓ is computed as Q±∓AB−Q±∓EB, where we apply the sub-index of ±∓AB and ±∓EB with the same intention.

Using the relations of Table 4, the possibility of the eavesdropper to fulfill simultaneously the conditions ΔQ++=0 and ΔQ±∓=0 can be established. Allow Eve to adjust freely ηBT and ηET. Thus, the eavesdropper’s goal is to make ΔQ++AB=ΔQ++EB and ΔQ±∓AB=ΔQ±∓EB. The following equation system is obtained:

2e−μηBT−Y0Y0+1−e−μηBT=e−μηET−Y0Y0+1−e−μηETE1

Y0+1−e−μηBT2=12Y0+1−e−μηET2E2

Solving the system for ηET, we get lnY0−μ and ln1+Y0−μ, which, in the practice, cannot be satisfied, given that the second relation yields ηET as negative and the first relation cannot be fulfilled for typical parameters, for example, Y0=10−5, μ=0.1 produces ηET=1.15. Consider also the cases depicted in Figure 6.

6.4. The QBER of one-photon states

As quoted previously, in the nack state protocol, the great majority of the pulses sent by Alice to Bob behave as BB84 signal pulses. Each time a compatible basis measurement is applied by Bob, the result, either from single detection or double detection, is useful as in BB84. Thus, for practical purposes, the nack state protocol has an efficiency comparable to the BB84. However, a partial reduction of the bit rate can be expected, as Alice reduces the optical pulse rate to avoid the eavesdropper to record double-detection events. In this way, Eve is detected if she stays waiting for double-detection events before she can forward them.

Given that it decreases quadratically, the rate of the double-detection event is small. Nevertheless, at the same time, it is extraordinary that the QBER of the double-matching detection events from parallel and orthogonal states also decreases quadratically. To see this, let us recall that in the BB84 protocol, the probability to get the correct bit is pc=1+V/2, and the probability to obtain an erroneous bit is pe=1−V/2, where V is the visibility of the optical system. To calculate the QBER of the one-photon states, the relation QBER=pe/pe+pc is applied [31].

Now, suppose that the two parallel states are sent by Alice 1Z⟩1Z⟩ to Bob who measures them using the Z basis. Those states are depicted in Figure 7a. The probability to get the two states 1Z⟩1Z⟩ is pc2, and the probability to get the opposite values 0Z⟩0Z⟩ is pe2, case II of Figure 7a. Since the measurement cases 0Z⟩1Z⟩ and 1Z⟩0Z⟩, Cases III and IV of Figure 7a, are always disposed because they are non-matching cases, the final probabilities are pcparallel=pc2pc2+pe2 and peparallel=pe2pc2+pe2. The same reasoning can be applied to the orthogonal biqubits case as depicted in Figure 7b.

Those relations forward us to the QBER of the parallel and orthogonal states QBER=1−V21−V2+1+V2. Figure 8 gives an illustration of the QBER of one-photon states of such protocols. Considering the QBER of the nack state is lower than BB84, it is interesting to acknowledge that the double-detection gain could be increased by future technologies. Even though there is not yet a formal derivation of the secret key rate for double-detection events, we can expect that the small QBER would lead to reaching longer QKD distances.

6.6. Faking double-detection events

Another possibility for the eavesdropper is to fake double-detection events. After all, we may inquire why Eve cannot fake double-detection events as she stays covered up in the channel. First of all, let us recall that Alice knows which biqubits contain parallel or orthogonal states. Second, consider the cases portrayed in Table 5. Assume the 0Z⟩0Z⟩ biqubit has been sent to Bob by Alice. The first pulse reaches Eve’s station, who measures it with the X (or Z) basis, but the second pulse arrives as a vacuum state either by the effect of the quantum channel, the detection system, or the photon source. Thus, Eve gets a single-detection event. In this moment, Eve determines to fake the second state, but she realizes that there are six potential outcomes to fake the 0Z⟩0Z⟩ biqubit; such cases are listed in Table 5. Additionally, one of those cases is erroneous because no orthogonal measurement can be derived from parallel states. In this example, 1Z⟩0Z⟩ cannot be obtained from 0Z⟩0Z⟩. Likewise, 0Z⟩0Z⟩ cannot be derived from 1Z⟩0Z⟩. Consequently, if Eve tries to fake a double-detection event, she will produce a bit error of 16. In this situation, a bit error is produced when Alice expects a double non-matching event but Bob announces a double-matching event or vice versa.

Alice’s Biqubit	Eve’s Basis	Eve’s Detection	Forwarded States	Eve’s Result
0Z⟩0Z⟩	Z	−0Z⟩	0Z⟩0Z⟩	Hidden
			1Z⟩0Z⟩	Detected
	X	−0X⟩	0X⟩0X⟩	Hidden
			1X⟩0X⟩	Hidden
		−1X⟩	0X⟩1X⟩	Hidden
			1X⟩1X⟩	Hidden
1Z⟩0Z⟩	Z	−0Z⟩	0Z⟩0Z⟩	Detected
			1Z⟩0Z⟩	Hidden
	X	−0X⟩	0X⟩0X⟩	Hidden
			1X⟩0X⟩	Hidden
		−1X⟩	0X⟩1X⟩	Hidden
			1X⟩1X⟩	Hidden

Table 5.

As soon as Eve detects the first state of a biqubit, she tries to fake the second state.

However, she can use six possible states, but one of them is erroneous, so she introduces an error probability of 16. Here, the six choices for 0Z⟩0Z⟩ and 1Z⟩0Z⟩ biqubits are shown

According to Collins et al. [30], Bob’s visibility of Alice’s quantum state is computed as VAB=PsignalPtotal where Psignal=TAB×η×Vopt and Ptotal=TAB×η+1−TAB×η×2×Y0. Here, Vopt is the optical visibility with a perfect source and detectors; η is the probability of detecting the photon when it arrives; TAB is the transmittance between Alice and Bob; and Y0 is the background noise. On practical experimental parameters: α=0.25 dB⋅ km−1, η=0.3, Y0=10−4, and Vopt=0.99. Figure 9 shows the visibility as a function of the distance.

On the other hand, the QBER in BB84 can be computed as QBER=pepe+pc, where pc (pe) is the probability to get, correctly or erroneously, the quantum bit sent by Alice, respectively. If we write such probabilities as a function of the optical visibility V, we have pc=1+V/2 and pe=1−V/2.

Therefore, pc=pc2pc2+pe2 and pe=pe2pc2+pe2, and we derived the QBER of the parallel and orthogonal states as QBER=1−V21−V2+1+V2.

If QBER of double-detection events produced by the quantum channel is compared against the 16 error rate caused by the eavesdropper, we can find that the maximum secure distance for detecting the IRFS attack when the eavesdropper fakes double-detection events is 176 km, which is within the range of the BB84 key rate, as it appears in Figure 9.

7. Conclusions

In the quantum flows approach, the transmitter interleaves pairs of quantum states, parallel and orthogonal (non-orthogonal), while the receiver applies active basis selection to perform state measurement. The QKD protocols based on quantum flows uses the same optical hardware of the BB84 protocol, and they can be implemented in most QKD systems as a software module application.

The ack-QKD protocol can be useful to detect the PNS attack. If the eavesdropper adjusts the transmittance TAB of the channel it produces a deviation in one or in both photonic gains; thus, she will introduce a detectable QBER to the system.

On the other side the intercept resend with faked (blinding) states (IRFS) attack is detected by the nack-state protocol using the gain of single- and double-detection events where the QBER of double-detection events of the quantum channel is compared against the 16 error rate caused by the eavesdropper, so the maximum secure distance results in 176 km.

Although double-detection events represent a small fraction of the total detection events, they are useful to detect the IRFS attack. In addition, the smaller QBER can be useful in future implementations to distill secret bits at longer distances.

Acknowledgments

We would like to mention that a major portion of this chapter has been borrowed from our previous publications: “Quantum Flows for Secret Key Distribution in the Presence of the Photon Number Splitting Attack” [5] and “Quantum Key Distribution in the Presence of the Intercept-Resend with Faked States Attack” [6].