Open access peer-reviewed chapter

Quantum Flows for Secret Key Distribution

By Luis A. Lizama-Pérez, J. Mauricio López and Eduardo de Carlos Lopez

Submitted: August 1st 2017Reviewed: February 26th 2018Published: May 30th 2018

DOI: 10.5772/intechopen.75964

Downloaded: 702


Despite the unconditionally secure theory of quantum key distribution (QKD), several attacks have been successfully implemented against commercial QKD systems. Those systems have exhibited some flaws, as the secret key rate of corresponding protocols remains unaltered, while the eavesdropper obtains the entire secret key. We propose a new theoretical approach called quantum flows to be able to detect the eavesdropping activity in the channel without requiring additional optical components different from the BB84 protocol because the system can be implemented as a high software module. In this approach, the transmitter interleaves pairs of quantum states, referred to here as parallel and orthogonal (non-orthogonal) states, while the receiver uses active basis selection.


  • quantum key distribution
  • photon number splitting attack
  • intercept resend faked states attack

1. Introduction

Quantum key distribution (QKD) is a technique to distribute securely a cryptographic key between two remote users, usually called Alice and Bob. The first QKDmethod was conceived by Charles Bennett and Gilles Brassard in 1984, usually referred to in literature as BB84[1]. Figure 1 shows a simplified representation of the two-dimensional Bloch sphere, the quantum states, and the measurement bases of BB84.

Figure 1.

TheBB84qubits are thenon-orthogonalstates: the measurement bases,ZandX, are shown as vertical and horizontal lines, correspondingly. When basisX(Z) is used by Bob, to measure Alice’s stateiXiZ, the result gotten by Bob is bitii=01; otherwise, if basisXZis applied to measureiZ(iX) the probability to getireduces to12. So, if Bob measures the0Xstate withZbasis, he has the same probability to obtain0Zor1Z.

QKD systems are designed to serve the purpose of generating secret bits, usable to encrypt plain-text messages based on a simple X – Orlogical function between the message and a secret key. The use of this system provides the availability to detect any eavesdropper, commonly called Eve, trying to intercept the quantum channel to get the key. In this case, the whole process will be discarded before a key can be established [2]. On the other hand, if no eavesdropping activity is detected, the quantum measurements are used to derive the secret key. When the transmission is finished, Alice and Bob compare a fraction of the exchanged key in order to detect any transmission errors caused by eavesdropping. Experimentally, QKDsystems have been proved using dedicated optical fibers, across free space, weak laser pulses or single photons, entangled photon pairs, or continuous variables [3].

We propose a new approach for QKDprotocols called quantum flows where the transmitter interleaves pairs of quantum states, referred to here as paralleland orthogonal(non-orthogonal) states, while the receiver applies active basis selection to perform state measurement. In a study by Lizama et al. [4], a brand new QKDprotocol, called ack-stateand referred to also as ack-QKD, is introduced. This protocol uses weak coherent states and active basis measurement and has the capability to detect photon number splitting (PNS)eavesdropping activity, and its strengths against the PNSattack are discussed by Lizama-Pérez et al. [5]. The ack-stateprotocol was extended by Lizama-Pérez et al. [6] to the dual protocol known as nack stateprotocol in order to have an analysis of its security when facing an intercept and resend with faked states (IRFS)attack.

One of the main advantages of these protocols is that they protect against the PNSand the IRFSattacks without requiring any changes in the hardware; only software changes are required.


2. Quantum hacking in QKDsystems

In ideal conditions, QKD protocols’ security is based on the attributes of quantum mechanics, as it makes eavesdropping activities detectable in the middle of the quantum channel [1, 7]. But the technological implementation brings serious concerns as most of the QKDsystems have vulnerabilities to quantum hacking due to loopholes in the optical detection system [818]. Given this condition, it is necessary to develop new QKDprotocols that are able to resist different attacks due to such vulnerabilities as the photon number splitting (PNS) and the intercept and resend with faked states (IRFS) attacks [19, 20].

A variety of attacks have been conceived of as exploiting the security of BB84-based systems, either theoretically or technologically. The photon number splitting (PNS) attack belongs to the first category. In the second class, commonly referred to as quantum hacking, the intercept resend with faked states (IRFS) attack can be included, which exploits loopholes in the avalanche photo diodes (APDs) of the electronic detection system. We will briefly describe each of them.

  1. In the PNSattack the eavesdropper blocks the 1-photon states but she stores the multi-photon states allowing at least one photon to reach Bob’s detection system. Ideally, in the BB84protocol [1], the quantum states sent by Alice to Bob contain single photons. Nevertheless, perfect single photon sources are not technologically available nowadays [21], so, to get the implementation of QKD, laser pulses attenuated to very low levels have been used. Such laser pulses contain very short numbers of photons, in average typically around 0.2 photons per pulse in a Poissonian distribution; that means that most pulses contain no photons, a few pulses contain just one photon, and a really short amount of pulse contains two or more photons. If a pulse contains more than one photon, Eve can get from it the extra photons and transmit a single photon to Bob. Eve can store the photons she obtained from the multi-photonic pulses and wait until Bob reveals the measurement basis he has applied. Then Eve can measure the photons she stored by using the same measurement basis as Bob did. In this way she obtains information about the key without being noticed by Alice and Bob. This is called the photon number splitting (PNS) attack, and some related references with security proofs of the PNSattack can be found in [1, 7, 2224].

    To overcome the PNS attack a few protocols have been developed: Decoy QKD [18], SARG04 [25], the differential phase shift (DPSK) [26], and coherent one way (COW) [27]. One of the most promissory alternatives is the decoy QKD. In this protocol Alice prepares a set of quantum states in addition to the typical states of the BB84 protocol. These extra states are called decoy states. Decoy states are used only with the purpose to detect the eavesdropping activity, rather than establishing the key. In order to produce the decoy states, Alice randomly uses different mean photon numbers on the photonic source. For example, she could send the first pulse with a mean photonic pulse of μ=0.1, the second pulse with μ=0.4, the third pulse with μ=0.05, and so on. To each mean photon number a different probability of producing more than one photon in the correlated pulse corresponds. The difference between the standards BB84 states and the decoy states is the mean photon numbers. Given this, Eve is not able to distinguish a decoy state from a quantum key related state and the only information she gets is the number of photons in a pulse. Thus, decoy states can be introduced to secure the BB84 protocol from PNS attacks, allowing at the same time high key rates. In both, BB84 and decoy QKD protocols, a single photonic gain in the quantum channel is established. Lamentably, Eve can set successful attacks to the decoy QKD if it is able to set the QBER to zero by adjusting the gain of the quantum channel.

  2. Intercept Resend (IR) attack: In this attack, Eve measures each photon pulse sent by Alice and replaces it with a different pulse prepared in the quantum state that she has previously measured. In 50% of the measurements, Eve successfully chooses the correct measurement basis, while Bob chooses the same basis as her half of the time. Given that, she generates a quantum bit error rate (QBER) of 50%×50%=25%(see Figure 2 and a study by Bennett et al. [7]).

  3. Intercept resend with faked states (IRFS) attack.

    In the intercept resend with faked states (IRFS) attack, the eavesdropper does not want to reconstruct the original states. Instead, it produces pulses of light controlled by her that are detectable by Bob as she stays unnoticed in the quantum channel. Due to imperfections in their optical system, Alice and Bob assume that the quantum states they are detecting are the original ones while they are actually detecting light pulses generated by the eavesdropper. Those light pulses are known as faked states [10]. There are several weaknesses in Bob’s detector than can be exploited to perform this attack such as time shift [1113] or quantum blinding [1012]. When using quantum blinding (quantum blinding attack), the QKD system is controlled by an eavesdropper who uses bright photon pulses during the linear mode operation of the APDs. Using this attack, Eve can eavesdrop on the full secret key but it will not increase the QBER of the protocol. To do this, Eve sends bright pulses to Bob and those are detected by the APD. It will then operate like a classical photo diode instead of operating in Geiger mode and allowing Eve to obtain the key [14, 15].

    Resulting from this, as shown in Figure 3a, when Bob selects the same measurement basis Eve has chosen, a detection event occurs in the corresponding APD detector. On the other hand, if Bob measures using the opposite basis, as in Figure 3b, the two detectors get a part of the optical power and no event is detected. In this way, the eavesdropper blinds Bob’s APD detectors and makes them work as classical photo diodes. In the final stage of the protocol, Eve uses the announcements made by Bob on the public channel to execute the classical post-processing, getting the same secret bit as Alice and Bob.

    A watchdog detector that can detect bright faked states can be used as a very simple countermeasure and it can be applied in the electronic detection system [16]. In the University of Singapore an intercept resend attack with faked states and quantum blinding over a commercial QKD system was for the first time implemented [15].

Figure 2.

An intercept resend (IR) attack toward theBB84protocol causes a quantum bit error rate (QBER) of 25% that can be detected. The figure shows Alice sending a0Zstate to Bob. In the middle of the quantum channel is Eve applying anXbasis measurement and she gets1X. Consequently, she makes a copy of that state and sends it to Bob who gets1Zas he used theZbasis measurement. The process introduces an error in the secret bit given that Alice expects Bob to get0Z.

Figure 3.

In the intercept resend with faked states (IRFS) and quantum blinding attack, Eve and Bob use the same optical receiver unit so that she can detect Alice’s states in a random basis. Then, Eve prepares the quantum states but sends them to Bob as bright light pulses instead of quantum pulses. (a) Bob and Eve are using the same basis; (b) the basis Bob is using is the opposite to ve.

It is important to note that the IRFSattack works dangerously well on widely used QKD protocols, namely SARG04, BB84, coherent one way (COW), differential phase shift (DPSK), Ekert [12], and the decoy statemethod, as described by Wiechers et al. [16] and Sun et al. [28]. The attack shows an extra 3 dB loss due to the basis of mismatch between Eve and Bob. In the practice, Eve compensates it easily as she can use better detector efficiencies and surpass the loss in the channel. Demonstrations of blinding attacks on detectors have been implemented in two commercially available QKDsystems [14]. Reports show that Eve obtains the entire secret key for the time she remains unnoticed by the legitimate parties [15]. We should finally remark that due to control detector attacks with active basis selection, the gain from Eve to Bob is reduced by a half compared to the gain from Alice to Bob.

  1. For Bob’s basis choice matching Eve’s, the detector clicks deterministically and.

  2. For Bob’s basis choice not matching Eve’s, the faked state is not detected.

3. The ack-stateprotocol

Consider a BB84-based protocol encoding a classical bit that uses one of the four non-orthogonalquantum states +X,X,+Z, and Z(see Figure 1). When using the SARG04protocol [25], Alice produces one of the four BB84quantum states she will send to Bob, it means, she produces a state associated with two conjugate basis (Xand Z). Classical bits on SARG04protocol are encoded as follows: 0 is coded with+Zand Zand 1 is coded with +Xand X(see Figure 4) where black dots in the bidimensional Bloch sphere represent the qubits (the non-orthogonalstates are right angled and the orthogonalstates are represented as diametrically opposed and the parallelstates have the same position in the sphere). The basis measurement Xand Zappear as horizontal and vertical lines, respectively. In contraposition, the BB84protocol encodes the bit 0 as +Zand Xand the bit 1 with Zand +X.

Figure 4.

Thenon-orthogonalstates used in theSARG04protocol encodes the bit 0 with the states+ZandZand the bit 1 is encoded with+XandX.

In the sifting phase of the SARG04protocol, the basis used by Alice is not revealed as this would reveal the bit. As a substitute, she declares to which sifting set the state belongs in accordance with the following four sifting sets: S++=+X+Z, S+=+XZ, S+=X+Z, and S=XZ. For instance, consider that Alice sends +Xand she announces the set S++. Bob makes his measurements on the Xbasis and he gets the result +X; and as this result can be obtained for both states in the set S++; he needs to dispose of the bit 1 from +X. In case Bob measures using the Zbasis measurement and obtains +Z, once more, he is not able to distinguish the state sent by Alice. In the opposite way, if he measures in the Zbasis and gets Z, he is sure Alice sent +Xand adds a 0 to his key. On her side, Eve needs to perform a measurement using the conjugate basis Xand Zto obtain the same secret bit as Bob, demanding multi-photonic pulses with at least three photons.

Similar to the BB84, in the ack-stateprotocol, Alice encodes a classical bit as: 0 is encoded with +Zand Xand 1 is encoded with Zand +X. And also, in the same manner as the SARG04protocol, the ack-stateuses the four sets of non-orthogonalstates S++=+X+Z, S+=+XZ, S+=X+Z, and S=XZ. But in the ack-stateprotocol the set Alice used, S++,S+,S+or S, is never revealed. As an illustration, suppose Alice chooses the set S++=+X+Zrather than transmitting one of the two states, say +X, and publishing the sifting instance, S++, she transmits the two states +Xand +Z. At that point, Bob measures the states using the same basis, Xor Z, one by one, as the two states reach successively. If Bob measures with the Xbasis, he surely will obtain +X(after he measures the first state) but he can obtain +Xor Xon the second measurement, with a probability of 0.5 for each event. If Bob obtains +XXafter the second measurement, the result is unclear to him and he has to discard it. On the other hand, if he gets +X+Xthe result is unambiguous and he should add a bit 1 to his key. With the purpose of allowing Alice to recover the same bit, Bob makes the announcement of the basis measurement Xand the matching condition in accordance with the following criterion: 2Mif the two detection events make clicks on the same detector; it includes the cases +X+X,XX,+Z+Z,ZZand (2nM) if the detection event makes clicks on the opposite detectors, for example, +XX,X+X,+ZZ,Z+Z. Alice obtains the secret bit given that the +X+Zstates she sent, the Xbasis, and the 2Mmeasurement result permit her to conclude that Bob definitely got +X+X(consider the cases depicted in Table 1).

Alice sendsBob obtains a 2MSecret bit

Table 1.

Using the Xbasis, Bob measures the two states sent by Alice and he obtains a (2M) result.

Contrarily, in the case Bob measured the two states +Xand +Zwith the Zbasis, he would acquire one of the two possible results: 2M=+Z+Zor 2nM=Z+Z. In the first case, he publishes the Zbasis and the 2Mresult; then Alice and Bob add a 0 to the key. In the second case, Bob makes the announcement of the Zbasis and the 2nMresult but in this case, they discard the result. When using the ack-stateprotocol the 2Mresults can be used to distill secret bits but 2nMis unclear causing those measurement outcomes to be useless and so they have to be discarded.

The ack-stateprotocol was introduced in [4]. In such a reference, the non-orthogonalstates are called protocolstates while parallelstates are named decoystates. The ack-stateprotocol encodes one classical bit using two quantum states. Such encoding is done by means of non-orthogonalor parallelstates. In quantum physics, if X=0X1Xand Z=0Z1Zare orthonormal bases, then the magnitude of each basis vector is the unity and any vector in such a space can be written as a linear combination of such basis. For instance, 0Xcan be rewritten as 120Z+121Z. Two qubits 0Xand 0Zare non-orthogonalif the inner product between them is different from zero, symbolically 0X0Z0. In consequence, 0X0Z=121+120and 0X0Z=12. The inner product of orthogonalqubits is zero, for example, 0X1X=0and identical (or parallel) qubits produce the unity under the inner product; thus, 0X0X=1.

Using this protocol, Alice chooses at random between sending a pair of parallelor non-orthogonalstates. At the opposite side, Bob makes the measurement of the two successive pulses he receives with the same basis measurement, Xor Z(see Figure 5). In this context, the pair of quantum states sent by Alice is called biqubit. Parallelbiqubits define the parallelquantum flow and non-orthogonalbiqubits define the non-orthogonalquantum flow. Summarizing the ack-stateprotocol with non-orthogonaland parallelstates, we have the following:

  1. Alice randomly selects between a non-orthogonalbiqubit and a parallelbi-qubit. In case she selects a non-orthogonalbiqubit, she has to select at random one of the following states: 0X0Z0X1Z1X0Z1X1Z, where the order between states Xor Zis as well picked at random. In case she selects a parallelbiqubit, she should randomly choose a biqubit from the set: 0X0X1X1X0Z0Z1Z1Z. and then she gets it ready and transmits it to Bob.

  2. At random, Bob chooses the basis Xor Zto measure the received biqubit.

  3. Bob’s basis of measurement is announced by him over the public channel and he also declares if the result obtained is either a double-detected event (2Mor 2nM), a single-detected event (S-1 or S-2), or a lost biqubit 2L(see the discussion below).

  4. After analyzing those results, Alice tells Bob which cases to discard.

Figure 5.

In this representation, two concentric circles define the order in which the states are prepared and sent. Therefore, the state that is first sent is contained in the inner circle state, and the outer circle state is prepared and transmitted. Alice at random interleavesorthogonal(non-orthogonal) andparallelstates, given that she can verify the matching cases after Bob measurements. In theack-stateprotocol, Bob uses the basisXZto measure the two Alice’snon-orthogonalstatesiXjZ. He effectively gets the bitijprovided he measuresiXiXorjZjZwhich occurs with12probability. For instance, if Bob uses theZbasis to measure the incoming states0X1Zhe can obtain0Z1Zor1Z1Zwith the same probability. Alice decides to send at random two consecutivenon-orthogonalstates from the set:0X0Z0X1Z0Z1X1Z1X. Bob will measure those states using the same measurement basis (XorZ). Theparallelbiqubits involve the following states:0X0X1X1X0Z0Z1Z1Z. In thenack-stateprotocol Alice chooses randomly two consecutiveparallelstates as the case depicted in (c)1Z1Z. They produce a compatible measurement if Bob chooses,XforiXorZforiZwherei=0,1. We represent in (b) the case of quantumorthogonalstates. Two cases are possible here:0X1X0Z1Z.

Table 2 shows the results after Bob measures two consecutive states. Thus, one of the following detection events can be obtained:

  1. The states generate a double-detection event:The symbol ++is used to designate the photonic gain in a double-detection event. When both events are registered in a same detector, we call it a double-matching 2Mdetection event. If the results of the measurements of the states are opposite, then we face a double non-matching 2Mdetection event. Whereas 2Mnon-orthogonaloutcomes are useful to distill secret bits, the 2Mresults cannot be used and are disposed. When we have a 2Mdetection event, we may say that the second measurement is the acknowledgment (the ack) of the first measurement. In Figure 5 (top-right) the qubit 0Xis the first one sent by Alice and then she sends the qubit 0Z. As the Xbasis is used by Bob to measure both qubits, the qubit 0Xis measured as 0Xbut the qubit 0Zis measured as 0Xor 1Xwith an equal probability of 50%. When Bob’s measurement generates 0X, we say that this measurement is the ackof the first 0Xstate. Vice versa, if Bob gets 1X, we say that 1Xis the negative acknowledgment (the nack) of 0X.

    In a channelwith losses, we have two more possible results.

  2. The single-detection eventoccurs when one state is lost and Bob obtains only one detection event. The symbol ±is used to designate the single-detection event. More specifically, Bob uses the symbol Sito represent the single-detection event, where ican be 1 or 2, depending on the state number that makes clicks after the basis measurement Xor Zis applied to the two consecutive incoming states. This way, the number iwill be published by Bob.

  3. The two pulses are lost.This case is denoted as or alternatively as 2L.

Alice’s bi-qubitBob’s side
basis usedDetection eventPublic disclosureResult

Table 2.

Alice sends to Bob the non-orthogonalstates 0X0Zand it shows all the possible measurement results at Bob’s side.

When applying the ack-stateprotocol, two consecutive non-orthogonalstates are used by Alice and Bob to distill one secret bit. The basis measurement Xor Zis declared publicly by Bob along with the sifting instances; he obtained 2M, 2M, S1, S2, and 2L. Furthermore, the bits acquired from the single-detection events S1and S2are used by Alice to confirm the single photonic gain of the quantum channel.

4. The nack-stateprotocol

The nack-stateprotocol is the dual version of the ack stateprotocol discussed in [5]. Both protocols constitute a generalization of the well-known BB84. The nack stateprotocol uses couples of paralleland orthogonalstates rather than just single non-orthogonalstates utilized as a part of BB84. This straightforward distinction makes the nack statestrong when facing the IRFSattack, as we will demonstrate later on. We selected the nackprefix to indicate that, provided Alice transmits two quantum states to Bob, the second measurement behaves as the negative acknowledgment (nack) of the one before, since it yields the opposite bit result.

The pair of quantum states is denoted as a biqubit. More specifically, the following biqubits are defined in the nack stateprotocol: four parallelbiqubits 0X0X,0Z0Z,1X1X,1Z1Zand two orthogonalbiqubits 0X1X,0Z1Z. The paralleland orthogonalbiqubits are interleaved at random by Alice. The performance of the protocol is not altered by order of the quantum states within the biqubit (see Figure 5). On the opposite side of the quantum channel, Bob measures two incoming states of a biqubit utilizing the same measurement basis (Xor Z). The following steps depict the nack stateprotocol:

  1. Alice is equipped with a photon source with an expected photon number μshowing Poisson distribution. A parallelor an orthogonalbiqubit is selected at random by Alice, and she arranges the biqubit to be sent to Bob through the quantum channel.

  2. The biqubit (two incoming pulses) is measured by Bob using the same measurement basis X(or Z) that he selects haphazardly (in a further section, we discuss the convenience of avoiding consecutiveness of states and how it can be prevented if Alice forwards a burst of the first states of each pair, followed by a burst of the second states of each pair).

  3. Bob declares publicly his measurement basis decisions.

  4. Alice and Bob perform sifting utilizing single compatible events and double compatible matching detection events (from parallelstates) in order to share secret bits. Likewise, sifting is applied to the double-detection events that contain a single compatible detection event. With this aim, Bob indicates if the single detection is the first or the second inside the biqubit.

Table 3 exhibits a case of the nack stateprotocol. Here, two biqubits are transmitted to Bob from Alice. The first biqubit is the orthogonalpair 0X1X, and the second biqubit is the parallelpair 1Z1Z. In case the two states sent by Alice reach Bob’s detection system with no failure, a double-detection event is generated. In the situation that just one of the two states of the biqubit reaches Bob’s station, he gets a single-detection event.

X0X,1XX,2nMCompatible double non-matching, useful
As two compatible single-detection events
X0X,X,S1Compatible single matching, useful
X,1XX,S2Compatible single matching, useful
X,X, LostBiqubit lost
Z0Z,0ZZ,2MNon-compatible double matching, useless
Z1Z,1ZZ,2MNon-compatible double matching, useless
0X,1XZ0Z,1ZZ,2MNon-compatible double non-matching, useless
Z1Z,0ZZ,2MNon-compatible double non-matching, useless
Z0Z,Z,S1Non-compatible single matching, useless
Z1Z,Z,S1Non-compatible single matching, useless
Z,0ZZ,S2Non-compatible single matching, useless
Z,1ZZ,S2Non-compatible single matching, useless
Z,Z, LostBiqubit lost
Z1Z,1ZZ,2MCompatible double matching, useful
Z1Z,Z,S1Compatible single matching, useful
Z,1ZZ,S2Compatible single matching, useful
Z,Z, LostBiqubit lost
X0X,0XZ,2MNon-compatible double matching, useless
X1X,1XZ,2MNon-compatible double matching, useless
1Z,1ZX0X,1XZ,2nMNon-compatible double non-matching, useless
X1X,0XZ,2nMNon-compatible double non-matching, useless
X0X,X,S1Non-compatible single matching, useless
X1X,X,S1Non-compatible single matching, useless
X,0XX,S2Non-compatible single matching, useless
X,1XX,S2Non-compatible single matching, useless
X,X, LostBiqubit lost

Table 3.

The nack-stateprotocol running without blunders in the quantum channel is shown with each of the possible measurement results at Bob’s detectors.

We expect Alice to send the biqubits 0X,1Xand 1Z,1Z; at that point, every conceivable measurement result at Bob’s detector is written. We exhibit the detection event and Bob’s corresponding advertisement over the public channel according to Bob’s basis selection. Notice that the number of the single detections inside the biqubit, first or second, is openly declared by Bob.

The nack-stateprotocol has been conceived of to use the same optical hardware of the BB84protocol; thus, it can be configured in most QKDsystems as a software module application. However, two additional tasks must be implemented: the random computation of biqubits before preparing and sending the quantum states and the sifting stage of the protocol, which must include (1) sifting of single matching (compatible or non-compatible), where Bob announces the number of the single-detections inside the biqubit and (2) sifting of double detection, matching or non-matching, from parallelor orthogonalstates. The error correction and privacy amplification stages of the QKDprotocol do not require changes.

5. The photon number splitting attack

In the PNSattack, the eavesdropper captures no less than one photon from each of the multi-photon states with the purpose of storing them in quantum memory, at the same time that she hinders the single photon states in the quantum channel. When Bob has uncovered over public channels the measurement basis he has used, the eavesdropper executes the same measurements on the quantum states she has stored [25].

When the PNSattack is applied to the ack-stateprotocol, the eavesdropper captures no less than one photon of the multi-photon states (paralleland non-orthogonal), and she stands by Bob’s declarations about the measurement bases he has utilized with the aim of applying the same measurements on her stored states. In Bob’s side, a distribution over the following sifting events is achieved 2M, 2nM, S1, S2and 2L, where every one may originate in parallelor non-orthogonalstates; however, just Alice knows those outcomes.

After Bob declares both the measurement bases (Xor Z) and the sifting occurrences, Eve executes the measurements utilizing the same measurement bases and she gets the same bits from the multi-photonic single sifting instances: S1and S2, paralleland non-orthogonal. Moreover, the same outcomes from the 2Mmeasurements of the paralleland (a half of the) non-orthogonalmulti-photonic states are acquired by the eavesdropper. However, she cannot acquire the secret bits from the 1-state Siand 2Msifting occurrences, given that the eavesdropped cannot discriminate paralleland non-orthogonalstates.

In order to get the secret bits, Eve obstructs the 1-photon states which incorporate single and double-detection events from paralleland non-orthogonalstates. In doing that, an error gain in the photonic gain of the single and double-detection events is introduced by Eve. At that point, Eve executes a channel substitution expanding the transmittance of the channel. The fiber channel transmittance among Alice and Bob is written as TAB=10αl10where αis the loss coefficient measured in dB/kmand the length lis measured in km. Moreover, the local transmittance at Bob’s side, ηB, is defined as tBηDwhere tBis the internal transmittance of optical components and ηDis the quantum efficiency of Bob’s detectors. Then, the general transmission and detection efficiency at Bob’s side ηBTis computed as ηBT=tBηDTAB[18]. A mathematical description of the gain of detection events will be presented in the following section.

5.1. The gain of detection events

In Table 4 (upper part), the gain of the single-detection events is depicted with the Q+symbol. According to Ma et al. [18], the gain of detection events is acquired from two origins: the photon source and the quantum channel. The photon source presents an expected photon number μ, and it adopts Poisson distribution. Contrastively, the quantum channel exhibits a distribution that is computed for every iphotons’ state (where iis the quantity of photons in each pulse) that is named yield. The gain Qiof iphotons’ state is the product of the probability of Alice sending an iphotons’ state (that adopts Poisson distribution) and the yield of iphotons’ state (and background states). It will generate a gain at Bob’s side provoked by the detection of events corresponding to the relation Qi=Yiμii!eμwhere Yiis the yield of iphotons’ state.

Photonic-GainAliceAlice − BobEve − Bob

Table 4.

The background noise is defined as the gain of the single (non-empty) and empty pulses, Q+and Q, respectively, where μis the expected photon number of the source and Y0.

Here, ηBTand ηETare the overall efficiency of Bob and Eve, respectively. In the IRFSattack, Eve remains undetected given that she meets the condition ηETln2eμηBTY01μ. At the lower part of the table, the gain of the double ++-detection events is shown, which is denoted as Q++, and the gain of single ±detection events is represented as Q±. In the IRFSattack, Eve can effectively forward half of her biqubits to Bob’s detectors. The “” symbol denotes multiplication inside the Q±relation. The factor of 1/2 is a result of Bob using an active basis choice, compelling Eve to blind his detector when his basis differs from her own (half the time), and considering that each pair of pulses is detected in the same basis, Bob will always be blinded by Eve for both pulses or neither pulses, resulting in the same factor 1/2 for both single and double-detection events

The yield Yiis computed across the following steps:

  1. The fiber channel transmittance among Alice and Bob is denoted as TAB=10αl10where αis the loss coefficient measured in dB/km, and the length lis measured in km. Moreover, the local transmittance at Bob’s side, ηB, is written as tBηDwhere tBis the internal transmittance of optical components and ηDis the quantum efficiency of Bob’s detectors. Then, the overall transmission and detection efficiency at Bob’s side, ηBT, is computed as ηBT=tBηDTABand typically ηBTranges to 103[18];

  2. The transmittance ηiof iphotons’ state at Bob’s, that is, ηBTi=11ηBTifor i=0,1,, assuming independence among the iphotons of the iphotons’ state;

  3. The yield Yiof the iphotons’ state is acquired from two sources, the background noise Y0and the true signal. Presuming that the background counts are independent from the signal photon detection, Yiis given by Yi=Y0+ηBTiY0ηBTi. However, assuming Y0is small (around 105) and ηBT103, the above equation can be reduced to YiY0+ηBTi.

The overall gain Q+is the summation of each Qicontribution, thus: Q+=i=1Qi=i=1Yiμii!eμ, which leads to the relation Y0+1eμηBT. Finally, the quantum bit error rate (QBER) between Alice and Bob has been derived by Ma et al. [18] through the relation QBERAB=0.5Y0+ed1eμηBTY0+1eμηBT, where edis the error probability of the detector ed102.

With the aim to obtain the gain of double-detection events Q, Q±, and Q++, we consider that each gain has independence of any other, that is, Q=Q×Q, Q+=Q+×Q, Q+Q+, and Q++=Q+×Q+. From the previous discussion, we know that the gain of the double-detection events decreases quadratically: Q++Q+2. In practical implementations of QKD, the single-matching events have the order of 105, while the double-matching events reach the order of 1010.

5.2. Detecting the photon number splitting attack

In replacing TAB, the photonic gain of the single-detection events or the double-detection events can be adjusted by Eve but not both at the same time. In contrast, Alice utilizes the double-matching detection events 2Mand the Sisifting instances which are consistent with the states she fixed, to verify corresponding photonic gains, paralleland non-orthogonal.

As mentioned before, the one-photon states are blocked by eavesdropper and she performs a channel substitution to adjust the transmittance of the channel, TAB. Nevertheless, this activity produces error gains in the single- and double-detection events that Alice can verify.

The QPEGafter Eve blocks the one-photon states and can be written as ΔQ=Q1where Q1is the gain of the one-photon states and it must be computed for the single- and the double-detection events. The error gain is ΔQ++=Q1+2=Q12and ΔQ±=Q1Qfor double-detection events and single-detection events, respectively, where Q1+=Y0+ηY0ημeμ, Q=eμηY0, ηis the transmittance of the channel, and the detectors at Bob’s side of the one-photon states and Y0is the background noise according to Ma et al. [18].

The eavesdropper must adjust the transmittance, TAB, in order to remain hidden in the channel to achieve the two reference photonic gains, Q++and Q±, for the double-detection events and single-detection events, respectively. Given Q++Q±Eve can adjust TABto Q12or Q1Qbut not both simultaneously. In other words, she is not able to fulfill the conditions ΔQ++=0and ΔQ±=0; in this manner, the attack becomes detectable. If the eavesdropper adjusts TABto make it produce a photonic deviation in one or in both gains, she will introduce a detectable QBERto the system.

Consequently, Eve knows that she must be careful and makes no changes in TAB; otherwise, she will be detected. Now, the QBERthat Eve produces is 0.5Q0+0.52Q1+0.53Q2+Q0+Q1+Q2+because the QBERof single-detection events is 0.52as in BB84. In contrast, when no attack is produced the QBERof the system is given by 0.5Q0+edQ1+Q2+Q3+Q0+Q1+Q2+where edis the detection error according to Ma et al. [18].

Given that the probability of obtaining a (compatible) matching measurement from the non-orthogonaldouble-detection events is 0.52, we derived the error rate of the non-orthogonaldouble-detection events as 0.5Q0+Q1+0.52Q2+0.53Q3+Q0+Q1+Q2+. The QBERfrom the multi-photonic non-orthogonalstates decreases one-half for each copy of quantum states in Eve’s memory. In contrast, no contribution is made by the multi-photonic parallelstates to increase the QBERbecause Bob makes public the basis measurements used by him.


6. The IRFSattack

What should Alice and Bob expect from the nonappearance of the IRFSattack? For illustrative purposes, consider the situation where μ=0.2, ηBT=0.8, which is the general efficiency among Alice and Bob and zero dark counts Y0=0. In such a case, the great majority of the total biqubits sent by Alice to Bob ends up in Bob’s station as lost biqubits 72.61%; single-detection events are 25.2%, and just 0.0219%of the measurement cases are double-detection events. Despite the double-detection gain being very low, it ought not be viewed as insignificant given that the amount of pulses sent by Alice is high (10111013[29]), and the transmission interim can be legitimately upgraded. However, for practical purposes, we will presume that the secret bits in the nack stateprotocol are delivered by single-detection events, and the key rate is at most the BB84key rate. Nevertheless, we assert that double-detection events can be utilized to identify the IRFSattack, so in this section, we defend the security of the protocol, in spite of Eve’s endeavors to enhance her attack.

6.1. Detecting the IRFSattack with blinding pulses and quantum channel substitution

Within the sight of the IRFSattack with blinding pulses, Eve is amid the quantum channel utilizing an optical detection system comparable to Bob’s station. Eve is challenged to reproduce gains of single- and double-detection events at Bob’s side to pass unnoticed in the quantum channel. However, the gain of the single-detection events decreases directly with the channel efficiency, but the double-detection gain drops quadratically. In the next section we demonstrate that, for practical parameters of the quantum channel, the two gains cannot be adjusted by the eavesdropper at the same time. Eve cannot control the two gains because of the fact that:

  1. the transmittance of the channel can be adjusted to a unique value by the eavesdropper either to adjust the single or the double-detection gain and

  2. Eve’s station receives Alice’s optical pulses sequentially. In this manner, once a pulse is detected in the eavesdropper station, she is not able to know whether the next pulse will be likewise detected or lost. That is, Eve has no form to know when a single or a double-detection event will occur.

Eve still has the possibility to adjust the efficiency of the quantum channel to the gain of the double-detection events. Therefore, with the purpose of removing the excess of the single-detection gain, Eve could eliminate pulses in proportion to some probability (e.g., 0.5). However, in accordance with the second statement given previously in this section, the eavesdropper would lose double-detection pulses (a quarter in this example). Eve could be more selective discarding only single-detection events on which the detection occurred in the second pulse. By using this scheme, the double-detection gain is unaltered for Eve. However, given that the number of single detections inside the biqubit, first or second (see Table 3), is announced by Bob publicly, the presence of Eve becomes evident.

Both strategies could be combined by Eve to increase the efficiency of the channel to produce an overabundance of the double-detection gain, but it would also increase the single-detection gain. The issue for Eve is that once a strategy to remove pulses is chosen, it affects equally the single- and the double-detection gains. Such gains obey diverse rates: while the first decreases linearly, the second fluctuates quadratically with the transmittance of the channel. Moreover, at the receiver station, the single- and double-detection events are registered as haphazard interleaved events.

In the following sections, a convenient method to compute the photon gain deviation caused by the IRFSattack at a practical level is discussed.

6.2. Detecting the IRFSattack with quantum channel substitution

It is expected that the eavesdropper would endeavor to adjust both gains, from single- and double-detection events, applying a quantum channel substitution and tuning it to a specific transmittance. We define the quantum photon error gain (QPEGor simply ΔQ) as the deviation from the reference gain that is caused by Eve’s apparatus at Bob’s receiver station when she performs the IRFSattack. In ordinary conditions, it is ideally expected that ΔQ0, for the single- and the double-detection events.

QPEGof double ++-detection events is written as ΔQ++, while we denote the QPEGof single ±-detection events as ΔQ±. ΔQ++is computed as the difference Q++ABQ++EBwhere the symbol ++ABdefines the reference gain of the double-detection events and ++EBdenotes the gain of the double-detection events at Bob’s side but in the presence of Eve. Similarly, ΔQ±is computed as Q±ABQ±EB, where we apply the sub-index of ±ABand ±EBwith the same intention.

Using the relations of Table 4, the possibility of the eavesdropper to fulfill simultaneously the conditions ΔQ++=0and ΔQ±=0can be established. Allow Eve to adjust freely ηBTand ηET. Thus, the eavesdropper’s goal is to make ΔQ++AB=ΔQ++EBand ΔQ±AB=ΔQ±EB. The following equation system is obtained:


Solving the system for ηET, we get lnY0μand ln1+Y0μ, which, in the practice, cannot be satisfied, given that the second relation yields ηETas negative and the first relation cannot be fulfilled for typical parameters, for example, Y0=105, μ=0.1produces ηET=1.15. Consider also the cases depicted in Figure 6.

Figure 6.

The deviation from the reference gain is shown on they-axis. The upper and bottom left graphs represent double detections, while the right graphs correspond to single detections. Considering thatηBT=0.001and Eve usesηET=0.0014, she accomplishes in (a),ΔQ++=0, however, in (b),ΔQ±0. Conversely, if Eve adjustsηET=0.002, she gets in (d))ΔQ±=0, but in (c), she provokes simultaneously thatΔQ++0.

6.3. The photon and the vacuum ratios

We will introduce a convenient method to detect the presence of the eavesdropper without requiring one to compute deviations from the reference gain, that is, ΔQ++=0or ΔQ±=0. For this purpose, let us define the photon ratio Ras the relation between the gains QEBQABwhere the subscript EBdenotes the presence of the eavesdropper and ABindicates its absence. For double-detection events, we represent Ras Q++EBQ++AB, while Q±EBQ±ABfor single-detection events. In addition, we will define the vacuum ratio ras eμηETY0eμηBTY0.If the eavesdropper adjusts the channel to achieve Q++AB=Q++EB, then Eq. (2) is satisfied. We get that R±=r2, but r=eμηETY0eμηBTY0and ηETηBT; thus, r1and R±12. To discard Eve’s presence, it is not necessary to verify that ΔQ±=0, but it must be confirmed that R±>12. Contrarily, if Eve modifies the channel to achieve Q±AB=Q±EB, we get that R++=2r2. Since r1, we obtain that the IRFSattack causes R++2. To make sure that the system is protected against the IRFSattack, it is not necessary to check ΔQ++=0but it is enough verifying its equivalent R++<2.

6.4. The QBERof one-photon states

As quoted previously, in the nack stateprotocol, the great majority of the pulses sent by Alice to Bob behave as BB84signal pulses. Each time a compatible basis measurement is applied by Bob, the result, either from single detection or double detection, is useful as in BB84. Thus, for practical purposes, the nack stateprotocol has an efficiency comparable to the BB84. However, a partial reduction of the bit rate can be expected, as Alice reduces the optical pulse rate to avoid the eavesdropper to record double-detection events. In this way, Eve is detected if she stays waiting for double-detection events before she can forward them.

Given that it decreases quadratically, the rate of the double-detection event is small. Nevertheless, at the same time, it is extraordinary that the QBERof the double-matching detection events from paralleland orthogonalstates also decreases quadratically. To see this, let us recall that in the BB84protocol, the probability to get the correct bit is pc=1+V/2, and the probability to obtain an erroneous bit is pe=1V/2, where Vis the visibility of the optical system. To calculate the QBERof the one-photon states, the relation QBER=pe/pe+pcis applied [31].

Now, suppose that the two parallelstates are sent by Alice 1Z1Zto Bob who measures them using the Zbasis. Those states are depicted in Figure 7a. The probability to get the two states 1Z1Zis pc2, and the probability to get the opposite values 0Z0Zis pe2, case II of Figure 7a. Since the measurement cases 0Z1Zand 1Z0Z, Cases III and IV of Figure 7a, are always disposed because they are non-matching cases, the final probabilities are pcparallel=pc2pc2+pe2and peparallel=pe2pc2+pe2. The same reasoning can be applied to the orthogonalbiqubits case as depicted in Figure 7b.

Figure 7.

TheQBERofparallelandorthogonalstates: Cases III and IV of (a) and (b) can be discarded by Alice, so they do not produce errors.

Those relations forward us to the QBERof the paralleland orthogonalstates QBER=1V21V2+1+V2. Figure 8 gives an illustration of the QBERof one-photon states of such protocols. Considering the QBERof the nack stateis lower than BB84, it is interesting to acknowledge that the double-detection gain could be increased by future technologies. Even though there is not yet a formal derivation of the secret key rate for double-detection events, we can expect that the small QBERwould lead to reaching longer QKDdistances.

Figure 8.

Thenack stateprotocol uses pairs ofparallelandorthogonalstates. TheQBERofparallelandorthogonalstates is derived using the probabilities of two consecutiveBB84measurements.

6.5. The non-structured nack-stateprotocol

In the argument of Point 2 of Section 6.1, it is implicit that Eve uses only a single station, but this is not a practical restriction. Eve could use two stations, one near to Alice to detect and one near to Bob to generate fake pulses. In the event that quantum channel utilizes optical fibers (the most widely recognized useful channel for ground-based QKD), everything required by Eve is a radio connection between her two stations to “catch up” with the quantum link. Even assuming a low source rate of 1 MHz, the time delay between pulses is only 1 microsecond, which can be easily compensated using a 600 m link (traveling in free space takes 2 microseconds; traveling in fiber takes 3 microseconds). Any practical QKDsystem will operate over distances greater than 600 m, making it entirely achievable for Eve to detect both pulses of a pair before transmitting her fake state to Bob using a second station.

A 100 km link in optical fiber would limit the source rate to 6 kHz, and much less if the fiber is not straight, which is almost always the case. To truly be secure the period between two pulses would have to be the full travel time of the pulse over the quantum channel. For 100 km, it would be 500 microseconds, forcing a source rate of 2 kHz. Given the conservative fiber link loss of 0.2 dB/km the detection rate after 100 km (20 dB) would be less than 20/s, not counting detection efficiency. Shorter distances would be more favorable, but this implies the protocol is limited to short distances. There also is not any point in randomly adding delays as Eve would still be able to perfectly replicate the gains when the delay is insufficient and could choose to simply not intercept when the delay is too long, giving her partial information without any hint of her presence.

Unfortunately for Eve, Alice can apply a reduction in the optical pulse rate forcing Eve to introduce a delay in the arrival time of the pulses at Bob’s station. As a matter of fact, Alice could adjust such delay sending slow pulses as a random burst. Furthermore, slowing pulses can enhance the double-detection rate at Bob’s side by reducing after-pulsing errors.

However, there is no reason why each pair must be sent in sequence. We call this protocol the non-structured nack-state. If Alice were to transmit a burst of the first states of each pair, followed by a burst of the second states of each pair, she would create a separation between the pairs equal to the length of the bursts and she would not reduce the pulse rate. Consider a 100 km fiber optic link; it would be able to send the first states of each pair for 500 microseconds, followed by the second state of each pair for the next 500 microseconds, with Bob rechoosing the same basis for both 500 microsecond bursts. Since the 500 microsecond delay is at least the full travel time in the quantum channel, Eve would always be compelled to fake the first state of each pair before receiving the second. If there is no issue with this approach, the authors can use it to justify Point 2 of Section 6.1, which in turn justifies Point 1 of the same section.

6.6. Faking double-detection events

Another possibility for the eavesdropper is to fake double-detection events. After all, we may inquire why Eve cannot fake double-detection events as she stays covered up in the channel. First of all, let us recall that Alice knows which biqubits contain parallelor orthogonalstates. Second, consider the cases portrayed in Table 5. Assume the 0Z0Zbiqubit has been sent to Bob by Alice. The first pulse reaches Eve’s station, who measures it with the X(or Z) basis, but the second pulse arrives as a vacuum state either by the effect of the quantum channel, the detection system, or the photon source. Thus, Eve gets a single-detection event. In this moment, Eve determines to fake the second state, but she realizes that there are six potential outcomes to fake the 0Z0Zbiqubit; such cases are listed in Table 5. Additionally, one of those cases is erroneous because no orthogonalmeasurement can be derived from parallelstates. In this example, 1Z0Zcannot be obtained from 0Z0Z. Likewise, 0Z0Zcannot be derived from 1Z0Z. Consequently, if Eve tries to fake a double-detection event, she will produce a bit error of 16. In this situation, a bit error is produced when Alice expects a double non-matching event but Bob announces a double-matching event or vice versa.

Alice’s BiqubitEve’s BasisEve’s DetectionForwarded StatesEve’s Result

Table 5.

As soon as Eve detects the first state of a biqubit, she tries to fake the second state.

However, she can use six possible states, but one of them is erroneous, so she introduces an error probability of 16. Here, the six choices for 0Z0Zand 1Z0Zbiqubits are shown

According to Collins et al. [30], Bob’s visibility of Alice’s quantum state is computed as VAB=PsignalPtotalwhere Psignal=TAB×η×Voptand Ptotal=TAB×η+1TAB×η×2×Y0. Here, Voptis the optical visibility with a perfect source and detectors; ηis the probability of detecting the photon when it arrives; TABis the transmittance between Alice and Bob; and Y0is the background noise. On practical experimental parameters: α=0.25dBkm1, η=0.3, Y0=104, and Vopt=0.99. Figure 9 shows the visibility as a function of the distance.

Figure 9.

The error rate of double-detection events caused by theIRFSattack is16. When it is compared to theQBERof the quantum channel, the maximum secure distance to detect theIRFSattack is 176 km. In the presence of theIRFSattack, perfect visibility and zero dark counts are assumed in the link between Alice and Eve and from her to Bob.

On the other hand, the QBERin BB84can be computed as QBER=pepe+pc, where pc(pe) is the probability to get, correctly or erroneously, the quantum bit sent by Alice, respectively. If we write such probabilities as a function of the optical visibility V, we have pc=1+V/2and pe=1V/2.

Therefore, pc=pc2pc2+pe2and pe=pe2pc2+pe2, and we derived the QBERof the paralleland orthogonalstates as QBER=1V21V2+1+V2.

If QBERof double-detection events produced by the quantum channel is compared against the 16error rate caused by the eavesdropper, we can find that the maximum secure distance for detecting the IRFSattack when the eavesdropper fakes double-detection events is 176km, which is within the range of the BB84key rate, as it appears in Figure 9.

7. Conclusions

In the quantum flows approach, the transmitter interleaves pairs of quantum states, paralleland orthogonal(non-orthogonal), while the receiver applies active basis selection to perform state measurement. The QKDprotocols based on quantum flows uses the same optical hardware of the BB84protocol, and they can be implemented in most QKDsystems as a software module application.

The ack-QKDprotocol can be useful to detect the PNSattack. If the eavesdropper adjusts the transmittance TABof the channel it produces a deviation in one or in both photonic gains; thus, she will introduce a detectable QBERto the system.

On the other side the intercept resend with faked (blinding) states (IRFS) attack is detected by the nack-stateprotocol using the gain of single- and double-detection events where the QBERof double-detection events of the quantum channel is compared against the 16error rate caused by the eavesdropper, so the maximum secure distance results in 176km.

Although double-detection events represent a small fraction of the total detection events, they are useful to detect the IRFSattack. In addition, the smaller QBERcan be useful in future implementations to distill secret bits at longer distances.


We would like to mention that a major portion of this chapter has been borrowed from our previous publications: “Quantum Flows for Secret Key Distribution in the Presence of the Photon Number Splitting Attack” [5] and “Quantum Key Distribution in the Presence of the Intercept-Resend with Faked States Attack” [6].

© 2018 The Author(s). Licensee IntechOpen. This chapter is distributed under the terms of the Creative Commons Attribution 3.0 License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite and reference

Link to this chapter Copy to clipboard

Cite this chapter Copy to clipboard

Luis A. Lizama-Pérez, J. Mauricio López and Eduardo de Carlos Lopez (May 30th 2018). Quantum Flows for Secret Key Distribution, Advanced Technologies of Quantum Key Distribution, Sergiy Gnatyuk, IntechOpen, DOI: 10.5772/intechopen.75964. Available from:

chapter statistics

702total chapter downloads

1Crossref citations

More statistics for editors and authors

Login to your personal dashboard for more detailed statistics on your publications.

Access personal reporting

Related Content

This Book

Next chapter

The Role of Quantumness of Correlations in Entanglement Resource Theory

By Tiago Debarba

Related Book

First compact

Partition-Based Trapdoor Ciphers

By Arnaud Bannier and Eric Filiol

We are IntechOpen, the world's leading publisher of Open Access books. Built by scientists, for scientists. Our readership spans scientists, professors, researchers, librarians, and students, as well as business professionals. We share our knowledge and peer-reveiwed research papers with libraries, scientific and engineering societies, and also work with corporate R&D departments and government entities.

More About Us