Quantum key distribution with realistic states: photon-number statistics in the photon-number splitting attack

Quantum key distribution can be performed with practical signal sources such as weak coherent pulses. One example of such a scheme is the Bennett-Brassard protocol that can be implemented via polarization of the signals, or equivalent signals. It turns out that the most powerful tool at the disposition of an eavesdropper is the photon-number splitting attack. We show that this attack can be extended in the relevant parameter regime such as to preserve the Poissonian photon number distribution of the combination of the signal source and the lossy channel.


I. INTRODUCTION
Quantum Key Distribution (QKD) allows to generate a long secret shared key between two parties, conventionally named Alice and Bob, from a short initial secret key. Part of that newly generated key can then be used up by sending an unconditionally secure secret message via the one-time pad, also called Vernam cipher [1]. The remaining part is retained to repeat the QKD protocol to generate new key. The first complete protocol is that by Bennett and Brassard, BB84 [2], although Wiesner formulated basic ideas earlier [3].
In ideal QKD protocols we are required to use particular states for which the preparation is beyond our present experimental capability, such as single photon states on which we can imprint signals in form of specific polarizations. For example, for the BB84 protocol we would use two pairs of orthogonal polarizations, e.g. horizontal/vertical linear polarization and right/left circular polarization.
Recently it has been proven that one can use realistic signal sources such as weak laser pulses polarized in the four signal polarizations to perform QKD even in the presence of loss and noise in the quantum channel. Indeed, in most experiments demonstrating the technique required for QKD this signal source has been used [4,5,6,7,8,9]. For eavesdropping attacks on such signals, the security of the BB84 protocol in a realistic setting has been explored regarding attacks on individual signals in [10]. The proof of unconditionally security of QKD with the BB84 protocol in this framework has been presented in [11]. It turns out, that the combination of multi-photon signals of the source, such as weak laser pulses, together with loss in the quantum channel in the presence of errors leads to limitations of rate and distance that can be covered by those techniques. These restric- * Electronic address: luetkenhaus@kerr.physik.uni-erlangen.de tions are due not only to the proving techniques but are of fundamental nature [12], at least in a conservative approach to security where all errors and losses are assumed to be due to eavesdropping activity.
The limitation comes from the fact that the combination of multi-photon signals of the source and loss in the transmission line opens the door for a powerful eavesdropping attack, the Photon Number Splitting (PNS) attack that was first mentionend in [13]. The basic step is that a signal consisting of two or more photons (multiphoton signal) can be split via a physical interaction [10] by an eavesdropper (called Eve) such that Eve retains one photon and Bob receives the other photons such that the polarization of both parts remains undisturbed. The photon in Eve's hand will reveal its signal polarization to Eve if she waits long enough until she learns the polarization basis during the public discussion part of the BB84 protocol. In the presence of loss, this attack can put Eve in a position that she knows the complete information about all signals received by Bob and no secure key can be generated. This is the case if the loss is strong enough, such that Bob expects to receive less signals than the signal source prepares multi-photon signals. Then Eve can replace the lossy quantum channel by an ideal one, block all single-photon signals and use only multi-photon signal to match Bob's expectation of non-vacuum pulses. If the loss is not high enough for this, then Eve can block only a fraction b of the single-photon signals, but she can perform some optimal eavesdropping attack on the remaining single-photon pulses. This constitutes her optimal attack [10]. Despite this powerful attack, in this situation, if the error rate is not too high, Alice and Bob can establish a secure key, as has been shown in [10,11], in the standard BB84 protocol where no photon-number statistics is monitored. Note that the PNS attack can be well approximated with linear optics only [14].
One remaining open question is whether Alice and Bob might be able to detect that Eve performed the PNS attack. After all, the photon number statistics changes under the PNS attack as described above. In this paper, we will show that is is possible to extend the PNS attack such that the photon number statistics, as seen by Bob, is indistinguishable from that resulting from weak laser pulses and a lossy channel. This result holds in the relevant paramter regime of mean photon number µ of the Poissonian photon number distribution of the weak laser pulse and of the transmission factor η of the quantum channel. The extension of the PNS attack allows the eavesdropper to remain undetected even if Alice and Bob measure the photon number distribution via coincidence rates in Bob's photodetectors.

II. EXTENDED PNS ATTACK
We consider a photon source emitting signals with a Poissonian photon number distribution with mean value µ. Weak laser pulses are well described by Fock states with this photon number distribution, but our analysis can be extended to other distributions. The quantum channel is described by a single-photon transmission efficiency η. Then we find at Bob's end of the quantum channel again a Poissonian photon number distribution with mean photon number µη, that is On the other hand, the PNS attack described above will give another photon number statistics. Let Eve perform the photon number splitting attack in which she blocks a fraction b of the single-photon signals. Then we find a resulting photon number distribution that is not Poissonian, namely To match the number of vacuum signals, we adjust b such that P loss [0] = P P N S [0]. This leads to the expression We find b match = 0 for η = 1, while b match = 1 for This last point corresponds precisely to the situation where 1 − P loss [0] = 1 − (1 + µ) exp[−µ], that is, the number of non-vacuum signals arriving at the end of the lossy quantum channel is equal to the number of multi-photon signals emanating from the source. For values of η between these two extreme values, b takes on values in the interval (0, 1), and this is the regime we are dealing with.
With this choice the photon number distribution after Eve's attack takes the form This photon number distribution is not Poissonian. The question is whether Eve can make it Poissonian without loosing any advantage of the PNS attack. It is easy to come up with a possible solution: Eve can extract not only one, but two or more photons from pulses depending on the photon number in each pulse. With this method it is possible to redistribute probabilities from higher to lower photon numbers, but not the other way round. Therefore the necessary and sufficient condition for the redistribution to be possible is that is satisfied for all n. This condition that the change of probability from any high-photon number part to a lowphoton number part goes in the right direction. In order to work as an eavesdropping attack, we need to make sure that the number of non-vacuum signals remains unchanged. Indeed, in our extended strategy we will never take 'the last photon' out of a pulse, so the number of non-vacuum signals does not change. This guarantees that the information gain by Eve on the signals remains unchanged. The only change is that of the photon number statistics of the signals arriving at Bob's end of the quantum channel.

III. EVALUATION OF EXTENDED PNS ATTACK
In this section we will show that the conditions (5) is satisfied in a parameter regime that we will show in the following section to be relevant to practical QKD. Thus we show that Eve can mimic Poissonian photon number distribution even while performing the PNS attack via our extension.
We define the d n as the difference of the two probability distributions for given n, so that we have Note that d 0 = 0 due to the matching via the blocking parameter b. We will show that in a relevant paramter regime we find that d n ≤ 0 for n ∈ [1, n l ] and d n ≥ 0 for n ∈ [n l + 1, ∞]. This is sufficient (though not necessary) to fulfill the conditions (5). With other words, with increasing value of n, the difference d n vanishes for n = 0, then takes negative values until for n ≥ n l + 1 it turns positive. Let us first show by induction that once the function turned positive, it will not turn back negative for n ≥ 2 and the parameter regime η ≤ 3/4. Assume that d n ≥ 0 for n ≥ 2. This means transmission efficiency h mean photon number m Then it follows that We do not need to prove directly that there is some d n l ≥ 0 with n l ≥ 2. Instead, we will show that in a suitable parameter regime d 1 ≤ 0. That proves together with the normalization ∞ n=0 d n = 0 and d 0 = 0 that there must be some positive d n for n ≥ 2. With other words, for η < 3/4 we find that d 1 ≤ 0 is a sufficient condition to allow a redistribution of the photon number distribution after the PNS attack to make it Poissonain without changing the flow of information between the parties.
The required condition d 1 ≤ 0 can be analyzed numerically only. It is given after a regrouping as The first term describes the fraction of signals containing 0 or 1 photons after the original PNS attack while the second term describes the target value for this fraction. Note that we fixed the fraction of vacuum signals so that this is, indeed, a statement about the fraction of singlephoton signals. The region where d 1 is negative is plotted in figure 1.
The borderline shown in figure 1 can be evaluated more closely in the typical regime were µ, η ≪ 1. If we expand d 1 in µ, η and neglect terms η k µ l with k + l > 4, then we obtain so that we find that the value η 0 for which d 1 vanishes can be approximated by As we see from Fig. 2, this is a good approximation for low photon numbers. Note that the lowest order of the approximation (10) is given by d 1 ≈ −µ 3 /6 which guarantees that the extended PNS attack is always successful as long as µ and η are small. This is mirrored in the infinitely steep rise of the limiting line shown in figure 2.

IV. APPLICATION TO SECURITY PROOFS AND DISCUSSION
From the security proofs [10,11] we know the optimal choice of the mean photon number µ from the point of view of Alice and Bob. This optimization can be understood starting from the idea that Alice and Bob would like to optimize the gain rate of the QKD process. This gain rate G is bounded in a conservative scenario from above as G ≤ 1 2 (S m − p exp ) with S m as the multi-photon probability of the source and p exp as the fraction of nonvacuum signals detected by Bob. The factor 1/2 comes from a sifting state of the QKD protocol and is specific for the BB84 protocol. For other polarization based protocols such as the six-state protocol [15] we find other factors, however, the reasoning is independent of this factor. For our Poissonian distributed signals, we find (12) and this expression is optimized for small values of η by µ opt ≈ η. As it turns out, that value remains approximately optimal in a detailed analysis taking other error sources into account [10,11]. In typical experiments we find that even higher photon numbers than the optimal ones are used. That pushes the working point even further away from the critical line in figure 1. The statements above are made for a conservative scenario where all loss and all errors are attributed to Eve. It will be desirable to extend this analysis by making assumptions stating that Eve cannot change the dark count rate of Bob's detectors and cannot increase the detection efficiency. It turns out that this extension is not trivial at all. The analysis in our paper, however, puts some bounds on the results of such an analysis. Once Eve can perform an extended PNS attack such that her action mimics a lossy quantum channel both in the transmission efficiency and the Poissonian photon number statistics, and she can block all single-photon signals, then the transmission cannot be secure.
At the heart of our paper is the statement that stochastic processes such as loss in a quantum channel can be ex-plained by a rather cunning strategy of a third party, for example an eavesdropper. It means that the eavesdropper can access some preferred signals while suppressing others such that the resulting action is indistinguishable even in principle from a normal lossy channel for given input signals. It is unclear so far what input signals have to be chosen to make such a situation impossible.

V. ACKNOWLEDGEMENT
We gladly acknowledge stimulating discussion with Mioslav Dušek and John Calsamiglia. N.L. thanks Marcos Curty and Peter van Loock for their critical discussion of this article. This work has been supported under Project NO. 43336 of the Academy of Finland and by the German Reseach Council (DFG) via the Emmy-Noether Programme.