# Quantum Key Distribution with High Loss: Toward Global Secure Communication

###### Abstract

We propose a decoy-state method to overcome the photon-number-splitting attack for Bennett-Brassard 1984 quantum key distribution protocol in the presence of high loss: A legitimate user intentionally and randomly replaces signal pulses by multi-photon pulses (decoy-states). Then they check the loss of the decoy-states. If the loss of the decoy-states is abnormally less than that of signal pulses, the whole protocol is aborted. Otherwise, to continue the protocol, they estimate loss of signal multi-photon pulses based on that of decoy-states. This estimation can be done with an assumption that the two losses have similar values, that we justify.

###### pacs:

03.67.DdInformation processing with quantum systems enables certain tasks that seems to be impossible with its classical counterparts, e.g. quantum cryptography [2, 3, 4, 5], quantum computation [6], and quantum metrologies [7, 8, 9, 10]. In addition to the practical importance, this fact has large theoretical and even philosophical implications.

Bennett-Brassard 1984 (BB84) Quantum key distribution (QKD) protocol [3, 11] is one of the most promising quantum information processing. It is expected that it will be the first practical quantum information processor [11].

However, a bottleneck in practical realization of QKD for global secure communications is distance-limit: Implementation of QKD has been successful at order of tens-kilometers [11]. However, like in classical case, quantum signals are vulnerable to noise or decoherence. For long-distance QKD, therefore, it is desired that quantum signals be amplified in the intermediate locations in the channel. However, due to the no-cloning theorem [12, 13, 14], the task cannot be done in such a simple manner. Fortunately, however, quantum signals can be transported even under noisy environments to a remote site by quantum repeaters [15]. However, it is difficult to realize the quantum repeaters with current technologies. Therefore, we need to relax the distance-limit in QKD without quantum repeaters. One of the most promising candidate for this is to use surface-to-satellite free-space BB84 QKD [16, 17, 18, 19]. However, the surface-to-satellite scheme would suffer high loss. High loss is a serious threat to the BB84 protocol, due to photon number splitting (PNS) attack [20, 21, 22, 23, 24]. Thus there have been a study [22] and a proposal [25] on how to overcome the PNS attack.

The purpose of this paper is to propose decoy-state method to overcome the PNS attack for BB84 protocol in the presence of high loss. This paper is organized as follows. First we will briefly review how PNS attack renders the BB 84 protocol with high loss insecure. Next we decribe the decoy-state method. Next we argue why we can assume that the loss of decoy-states is similar to that of other signal pulses. Then we derive a condition for security of the proposed protocol. Finally we discuss and conclude.

Let us briefly describe the PNS attack [20, 21, 22, 23, 24]. Unless perfect single-photon sources are used, BB84 protocol with loss is vulnerable to the following attack of Eve (an eavesdropper). Let us assume that Alice (one legitimate participant) uses the following photon sources in BB84 protocol [3]. Emits a pulse that contains a single-photon with, for example, 90 % probability, and emits a pulse that contains multi-photons with 10 % probability. The problem here is that multi-photons are inadvertantly generated and thus we do not know when they have been emitted. Also assume that the channel loss is, for example, 90 %, or it has 10 % yield . Here and corresponds to in Ref. [24]. Here we assume that Bob (the other legitimate participant) uses more practical detectors that are insensitive to photon numbers. A more rigorous definition of the yield will be given later. Eve’s attacking method is the followings. First, Eve measures the number of photons of each pulse. When it is one, she just blocks it. When it is more than one, she splits the photons. (Our discussion here is valid for general photon sources because ”Alice can dephase the states to create a mixture of Fock states [23, 24]”, as described later.) Then she preserves one and sends the other photons via an ideal lossless channel to Bob. As usual, we assume that Eve has unlimited technological and computational power. She is only limited by laws of Nature. Then what Bob observes is that only 10 % of photon pulses arrive at him, as expected. However, Eve can get full information about the key by measuring each of the preserved photons in a proper basis that is publically announced later by Alice. We adopt the best case assumption for Eve as usual, that all multi-photon pulses were used for the PNS attacks. Then we can see that if the yield is less than the probability of multi-photon generations then the scheme is totally insecure due to the PNS attacks. In other words, yield must be greater than the probability of multi-photon generations in order that the scheme be secure [24],

(1) |

Here the probability of multi-photon generations is a parameter for quality of (imperfect) single-photon sources. The smaller it is, the higher the quality is. For a single-photon source with a given quality, the loss that can be tolerated is determined by Eq. (1).

Therefore, when yield is very low, almost perfect single photon generator is required [23, 24]. This fact motivated current developements of single-photon sources and demonstration of QKD with them [26]. However, the problem is that the sources cannot be perfect single-photons in practice [27]. In the case of surface-to-surface free-space BB84 protocol, this condition seems to be barely satisfied [17]. However, the loss in surface-to-satellite scheme must be higher than that in the surface-to-surface scheme, because in the former case one party is moving fast and more far apart. Moreover, security of surface-to-satellite protocol in which a satellite plays a role of a legimate user is based on physical security of the satellite. That is, we must assume that Eve cannot secretly observe inside of the satellite. However, it is not easy to justify the assumption. Thus we propose to use (possibly geostationary) satellite with mirrors that connect users on the surface. (The refection-protocol has been proposed in the context of multi-users QKD [19].) In this case, it is clear that the loss will be much higher. This means that it is difficult to implement secure scheme with current technologies.

Thus we need methods to directly detect the PNS attack. One possibility is to monitor photon-number statistics that might have been disturbed by Eve’s PNS attack. This possibility has been studied in the case of weak coherent states [22]; Simple minded PNS attack disturbs the photon-number statistics of the pulses thus it can be detected by Bob. However, Eve can launch a sophisticated PNS attack that preserves the photon-number statistics [22]. Thus we need another method against the PNS attack.

The basic idea of the decoy-state method is the followings. In PNS attack, Eve selectively transports subsets of multi-photons to Bob. Thus the yield of multi-photon pulses must be abnormally higher than that of single photon pulses. Let us assume that Alice had intentionally and randomly replaces photon pulses from signal sources by multi-photon pulses (the decoy states). Since Eve cannot distinguish multi-photon pulses of signal source from those of decoy source, the yields of the two pulses must be similar. Thus Alice and Bob can detect the PNS attack by checking the yield of decoy source.

Before we give the decoy-state method, let us describe preliminaries more precisely. Let us consider a source that emitts a pulse that contains photons (in the same polarization state) with a probabity . Here and . Each pulse is used to encode one bit of key. Let us also consider a source that generates a coherent state [23, 24, 25]. By randomizing the phase , the state reduces to a mixed state . However, this state is equivalent to mixture of Fock state , with Poissonian distribution . In other words, the source that emits pulses in coherent states is, after phase randomization, equivalent to a source that emits an n-photon state with a probability .

Alice adopts two photon sources, that is, singal source and decoy source . Signal source is used to distribute key. Decoy source is used to detect the PNS attack. Let us first consider the most practical case where both sources are generators of coherent states. For signal source , we adopt , that is, it mostly emitts single-photon pulses. For decoy source , we adopt , that is, it mostly emitts multi-photon pulses. The polarization of the pulses of the decoy source is randomized such that it cannot be distingushied from those of the signal source as long as photon numbers of the pulses are the same.

We assume that Bob uses practical photon detectors that are insensitive to photon numbers. The yield and are relative frequencies that n-photon pulses from the signal and decoy sources are registered by Bob’s detector, respectively. Here . It is notable that the yields can be unity even if some photons in a pulse are lost. It is because Bob’s detector does not count number of ’lost photons’ in a pulse that is detected. Yield of signal source and that of the decoy source are, respectively, given by

(2) |

Here and can be directly detected by Bob. We also consider yield of only multi-photon pulses from singal source, , that is given by,

(3) |

This quantity cannot be directly measured but it can be bounded based on other yields. Normalized yield of multi-photon pulses from singal source, , is given by,

(4) |

Now let us describe the protocol more precisely. In the decoy-state method, Alice performs BB84 protocol with signal source . However, Alice randomly replaces the signal source by the decoy source with a probability . After Bob announces that he has received all photon pulses, Alice announces which pulses are from the decoy source. By public discussion, they estimate the total yield of signal source and that of decoy source . If is too larger than , they abort the whole protocol. Otherwise, they continue the protocol by estimating yield of multi-photon pulses from singal source, , using the yield of decoy source in the following way.

Eve cannot distinguish multi-photon pulses of singal source from those of decoy source. Thus we can expect that the normalized yield of multi-photon pulses from signal source is similar to that of decoy source that mainly composes of multi-photon pulses. Let us discuss it in more detail. First, we can see that the yields and cannot be different. That is,

(5) |

It is because, for a given pulse with a certain photon number, Eve can get no more information about which source the pulse is from, than what she obtains from the Bayes’s law. The only way for Eve to take advantage of the Bayes’s law is to control values of as she like.

From Eqs. (2) and (5), it is easy to obtain

(6) |

Now the problem is how is bounded by Eq. (6). Eve’s goal is to make as large as possible, for a given yield of decoy source . In other words, it is to make the ratio as large as possible. Let us now note that, for as we will choose,

(7) |

It is because . We can see that the ratio is bounded as,

(8) |

It is because Here we have used Eq. (7) and . The equality is achieved when and , where .

Thus this is Eve’s best choice. This can be interpreted as follows. The larger the number of photons of a given pulse is, the more probable it is that the pulse is from the decoy source, by the Bayes’s law and the property of the Poissonian distribution. Eve had better not to make Bob’s detector register when it is more probable that the pulse is from the decoy source. Thus Eve’s optimal choice is to block pulses containing more than 2 photons.

By Eqs. (3), (6) and (8), we can get

(9) |

The normalized one, , is given by,

(10) |

and are of orders of unity in reasonable regions of and , for example, and . Thus we get the expected result that and have the same order of magnitudes.

The condition for security in Eq. (1) expresses the following. In order that the protocol be secure, the total number of pulses that are detected must be greater than that of attacked ones. In the case of the decoy-state method, the number of attacked pulses is . Thus the condition reduces to

(11) |

where the maximun is taken all strategies by Eve. From Eqs. (10) and (11), we obtain a condition for security

(12) |

Let us roughly estimate the quantities in our case where both signal and decoy sources are generators of coherent states with Poissonian statistics and of photon numbers , respectively. In normal operations of the protocol, that is, when Eve does not disturb the communication, will be larger than by a factor of . Then the condition reduces to

(13) |

For a given , Eq. (13) is satisfied when is small enough, because . For example, when and the lefthand-side of Eq. (13) is around 0.604.

One might say that the mean photon number of signal source, , should still be quite smaller than unity even with decoy-state method and thus there is no improvement over usual protocols without decoy-state method. However, this is not the case: Eq. (13) does not contain a term that amounts to channel loss, in contrast with the case of Eq. (1). Thus the condition for security can be satisfied no matter how high the loss is in the normal opertations.

Our analysis above can be generalized to sources with any probability distribution . For example, let us consider almost perfect single photon generator with a particular photon number distribution and where , is a certain constant satisfying , and . Using the same decoy source , the condition for security in this case is

(14) |

Eq. (14) is satisfied by a large margin when is small enough. However, key generation rate would be proportional to the margin. Thus, key generation rate can be larger than that of the case where weak-coherent-states are used as signal source.

In general, the more similar forms the photon-number statistics of the signal source and decoy source have in a region of multi-photons, the more efficient the decoy- state method is. Let us also consider the following extreme case. Consider an almost-perfect single-photon generator with a photon number distribution, and , where and is a number quite larger than 2, for example, 10. In this case, Eve selectively attacks the photon pulses, making it more difficult to satisfy the corresponding security condition, if we adopt the same decoy source with Poissonian distribution . Thus a general stategy in a design of a pair of signal and decoy sources is to make the forms of the photon number statistics of the two sources as similar as possible, in the region of multi-photons.

The proposed method is based on the basic idea of random sampling. Thus we believe that the security of the proposed protocol against the most general attacks can be shown later, possibly extending methods developed in recent literatures [28, 29, 30].

Conditions for security of protocols with more practical settings, e.g. non-zero dark count rate and misalignment of basis, should also be analyzed later.

The only way to address certain imperfection so far is to assume the best-case for Eve [28, 29, 30]. For non-zero error rates, for example, we assume that it is entirely due to Eve’s attack. Decoy-state method, however, is an example where we can relax this kind of assumptions without loss security in a proper way. It will be worthwhile to look for similar ideas that can address other imperfections.

In conclusion, we have proposed a decoy-state method to overcome the photon-number-splitting attack for BB84 QKD protocol in the presence of high loss: A legitimate user intentionally and randomly replaces the signal pulses by multi-photon pulses (the decoy states). Then they check the yield of the decoy-states. If the yield of the decoy-states is abnormally higher than that of other signal pulses, the whole protocol is aborted. Otherwise, to continue the protocol, they estimate yield of signal multi-photon pulses based on that of decoy-states. This estimation can be done with an assumption that the two losses have similar values, that we justified. We have demonstrated that the estimation can be made indeed in the pratical case of coherent pulses sources. However, the analysis can be generalized to arbitrary case.

I am very grateful to Prof. Horace Yuen for encouragement. I am also grateful to Prof. Norbert Lütkenhaus for helpful comments.

## References

- [*] Email address:
- [2] S. Wiesner, Sigact News 15(1), 78 (1983).
- [3] C.H. Bennett and G. Brassard, Proc. IEEE Int. Conf. on Computers, systems, and signal processing, Bangalore (IEEE, New York, 1984) p.175.
- [4] L. Goldenberg, L. Vaidman, and S. Wiesner, Phys. Rev. Lett. 82, 3356 (1999).
- [5] W.-Y. Hwang, D. Ahn, and S. W. Hwang, Phys. Rev. A 64, 064302 (2001); W.-Y. Hwang and K. Matsumoto, Phys. Rev. A 66, 052311 (2002).
- [6] P. Shor, Proc. 35th Ann. Symp. on Found. of Computer Science. (IEEE Comp. Soc. Press, Los Alomitos, CA, 1994) p. 124.
- [7] J.P. Dowling, Phys. Rev. A 57, 4736 (1998).
- [8] A. Delgado, W.P. Schleich, and G. Süssmann, New J. Phys. 4, 37.1 (2002).
- [9] H.P. Yuen, Phys. Rev. Lett. 51, 719 (1983).
- [10] L. Viola and R. Onofrio, New J. Phys. 5, 5.1 (2003).
- [11] N. Gisin, G. Ribordy, W. Tittel, H. Zbinden, Rev. Mod. Phys. 74, 145 (2002), references therein.
- [12] D. Dieks, Phys. Lett. A 92, 271 (1982).
- [13] W.K. Wootters and W.H. Zurek, Nature 299, 802 (1982).
- [14] H. P. Yuen, Phys. Lett. A 113, 405 (1986).
- [15] H.-J. Briegel, W. Dur, J.I. Cirac, and P. Zoller, Phys. Rev. Lett. 81, 5932 (1998).
- [16] J. G. Rarity, R. P. Tapster, P. M. Gorman, and P. Knight, New J. Phys. 4, 82 (2002).
- [17] R. J. Hughes, J. E. Nordholt, D. Derkacs, and C. G. Peterson, New J. Phys. 4, 43 (2002).
- [18] C. Kurtsiefer, P. Zarda, M. Halder, H. Weinfurter, P. M. Gorman, P. R. Tapster, and J. G. Rarity, Nature 419, 450 (2002).
- [19] E. Klarreich, Nature 418, 270 (2002).
- [20] B. Huttner, N. Imoto, N. Gisin, and T. Mor, Phys. Rev. A 51, 1863 (1995).
- [21] H. P. Yuen, Quantum. Semiclassi. Opt. 8, 939 (1996).
- [22] N. Lütkenhaus and M. Jahma, New J. Phys. 4, 44 (2002).
- [23] N. Lütkenhaus, Phys. Rev. A 61, 052304 (2000).
- [24] G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, Phys. Rev. Lett. 85, 1330 (2000).
- [25] V. Scarani, A. Acin, N. Gisin, and G. Ribordy, quant-ph/0211131.
- [26] A. Beveratos, R. Brouri, T. Gacoin, A. Villing, J.-P. Poizat, and P. Grangier, Phys. Rev. Lett. 89, 187901 (2002), references therein.
- [27] E. Waks, C. Santori, and Y. Yamamoto, Phys. Rev. A 66, 042315 (2002).
- [28] H. Inamori, N. Lütkenhaus, D. Mayers, quant-ph/0107017.
- [29] M. Koashi and J. Preskill, Phys. Rev. Lett. 90, 057902 (2003).
- [30] D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, quant-ph/0212066.