Alma Mater Studiorum · Università di Bologna

School of Science
Department of Physics and Astronomy
Degree Programme in Physics

Advancements in Quantum Key Distribution: Achieving Secure Communication.

Supervisor: Prof. Elisa Ercolessi
Presented by: Andrea Turci

Academic Year 2022/2023


Abstract

This thesis provides an overview of the workings of the Quantum Key Distribution system, in the context of quantum cryptography, as one of the first implementations of quantum mechanics through specific protocols. In particular, the BB84 model is explored, which, as simple as it is effective, provides the ultimate security to the encryption problem under ideal technological conditions, thanks to the unbreakable laws of quantum mechanics - including the Uncertainty Principle and the No-Cloning Theorem. These ideal assumptions - such as the creation of perfect single photons, detectors with 100% efficiency, channels without loss - all translate into obstacles in the experimental implementation of the BB84 protocol with current technologies: the problems and limitations involved are analyzed, examining the potential security vulnerabilities, like the PNS attacks. Consequently, with the goal of providing an ultimate security proof, the following thesis aims to analyze a possible solution, the Decoy State Method, which simultaneously provides unconditional security and strong performance. To conclude, with the purpose of highlighting the practicality of the model, the introduced concepts are applied to the Weak and Vacuum Decoy State case, for which a maximum distance for secure communication of 140.55 km is obtained, slightly lower than that of the Asymptotic Case of the Decoy State.
Contents

Introduction

1 Introduction to Quantum Mechanics and Information Theory
1.1 Qubit States
1.2 Measurements and Density Matrices
1.3 Uncertainty Principle
1.4 No-Cloning Theorem
1.5 Theory of Information Related Quantities
1.6 Entanglement

2 Quantum Key Distribution
2.1 Prepare-and-Measure Protocols
2.2 Entanglement-Based Protocols
2.3 Quantum Channel

3 BB84 Protocol
3.1 Description
3.2 Quantum Stage
3.3 Classical Stage
3.4 Intercept-Resend Technique

4 Eavesdropping Strategies and Attacks Classification
4.1 Attacks Classification
4.2 Individual Attacks
4.3 Collective and Coherent Attacks

5 Practical Implementations and Limitations
5.1 Source: Coherent States
5.2 Channel
5.3 Detector
5.4 Photon-Number-Splitting Attack (PNS)

6 Decoy State Method
6.1 Model Description and Security
6.2 Advantages in Key Rate Generation
6.2.1 Optimal Intensity Value
6.2.2 Two Decoy States and One Signal State

Conclusions

Bibliography

Introduction

Cryptography, from the ancient Greek κρυπτός “hidden, secret” and γράφειν “to write”, is the scientific discipline of transforming information so that it is unintelligible and therefore useless to those who are not meant to have access to it.
Historically, the Caesar Cipher encryption method is mentioned among the earliest attempts at cryptography. From simple and breakable models, over the centuries encryption protocols have become more sophisticated; one of the most notorious examples of cryptographic algorithms was developed by the Germans in World War II, and broken by Alan Turing’s Enigma machine.
The role of cryptography as a point of contact between scientific, social and political disciplines began to emerge. With the advent of computers and communication networks in the 20th century, this synergy was strengthened, and attempts to create effective encryption methods that corresponded to the new requirements led to the development of the RSA model in the 1970s (named after its inventors: Rivest, Shamir and Adleman).
Basing its security on the problem of factoring large prime numbers, the RSA algorithm is a mathematically asymmetric protocol that has ensured security in modern cryptography for the past 50 years. Because the underlying mathematical problem is computationally challenging, the security of this method is strictly bound both to the computing power of the eavesdropper's computer and to the conviction that a more efficient and faster algorithm to solve the problem won’t be developed. Hence, the RSA algorithm possesses points of weakness, since it is breakable in principle.
Quantum computing has recently received a lot of attention following the rapid development of new disruptive technologies based on the most powerful features and resources of quantum mechanics - such as quantum entanglement, teleportation, and the No-Cloning Theorem. The forthcoming development of quantum computers constitutes a real threat to classical cryptography techniques, and institutions are already aware of it: quoting the U.S. National Security Agency, “If realizable, a cryptographically relevant quantum computer would be capable of undermining the widely deployed public key algorithms”.
More specifically, the greatest threat comes from Shor’s algorithm. Based upon a classical algorithm with a quantum subprocedure, it would employ the quantum Fourier transform to factorize keys in a few minutes instead of billions of years with the present technology.
In 2012 it was estimated that a billion physical qubits would be needed to break RSA encryption, but in 2019, after further technological breakthroughs, the estimate plummeted to only 20 million physical qubits. Looking at the state of IBM’s quantum computers, only thousands of qubits are available nowadays but the trend appears to be exponential: as a consequence, this reduces the issue to a matter of when these two trends will intersect, involving the disruption of cryptographic systems in telecommunications networks, financial and health care systems as well as government and military ones.
The threats of quantum computers are not just limited to the near future, but are already relevant because of the Store Now Decrypt Later principle, which makes the transition to quantum-resistant cryptography necessary.
One possible approach is offered by post-quantum cryptography, which would offer systems that are robust against already known quantum algorithms, thus creating only temporary solutions.
Therefore, the best currently known technique for executing quantum cryptography operations is Quantum Key Distribution (QKD), performed through appropriate protocols, which is the main topic of the following study. By restoring security based on the basic principles of quantum mechanics and resulting from unbreakable laws of nature, such as the Uncertainty Principle and the No-Cloning Theorem, it provides the ultimate solution to the encryption issue.
In particular, this thesis focuses its analysis on the BB84 protocol, which, as simple as it is effective, was proposed in 1984 by Charles Bennett of IBM and Gilles Brassard of The University of Montréal, with particular emphasis on the technological issues and the in-field implementations. Taking into account the vulnerabilities that arise from the practical implementations, such as PNS attacks, the Decoy State Method is analyzed as a possible solution to the above-mentioned problems, both from a security and a performance perspective.
In particular, this thesis aims to examine the special case of the Weak and Vacuum Decoy State, comparing its key generation rate with that of the Asymptotic Case. The goal is to argue the reasons why the Decoy State is an excellent candidate to become the international standard in Quantum Cryptography.

The thesis is structured as follows. In Chapter 1 the profound principles that underlie quantum mechanics and information theory are explored, laying a solid foundation for the subsequent analysis. In Chapter 2, the functioning and classification of QKD protocols are examined. Chapter 3 is devoted to an analytical description of the workings of the BB84 protocol, while the classification of the eavesdropper's strategies to hack the communication channel is analyzed in Chapter 4. Chapter 5 focuses on the practical implementations of the BB84 protocol leading to the limitations of its security, and the PNS attack is examined. To conclude, Chapter 6 examines the Decoy State Method applied to the BB84 protocol as a possible solution to the aforementioned problems, with special attention to its security and its performance.

Chapter 1

Introduction to Quantum Mechanics and Information Theory

In this chapter, the profound principles that underlie quantum mechanics and information theory are explored, laying a solid foundation for the subsequent investigation into quantum cryptography and, in particular, the BB84 protocol.
Quantum mechanics, conceived in the early 20th century, revolutionized the comprehension of the microscopic world, defying classical intuitions and revealing a plethora of new phenomena.
Central to this framework are quantum bits, or qubits, which possess exceptional attributes, including superposition and entanglement. By delving into the nature of qubits, we aim to gain a deeper understanding of their behavior when subjected to measurements and the inherent uncertainty that Heisenberg’s Uncertainty Principle captures. Moreover, the powerful framework of density matrices is explored, which provides a comprehensive formalism for characterizing the probabilistic nature and interrelationships of quantum states. Furthermore, the profound implications of the No-Cloning Theorem are investigated, a fundamental principle that prohibits the exact replication of arbitrary quantum states. This theorem assumes a pivotal role in establishing the security foundations of quantum cryptographic protocols.
After unveiling these concepts in a methodical manner, a detailed analysis of the BB84 protocol will be provided in the following chapters.


1.1 Qubit States


The concept of qubit is crucial to describe and explain quantum cryptography, since it represents the quantum extension of the basic unit to store and transmit information. It is described as a vector in the two-dimensional Hilbert space $\mathcal{H} = \mathbb{C}^2$, a superposition of a binary system made of two vectors, written in Dirac notation as

$$
|0\rangle = \begin{bmatrix} 1 \\ 0 \end{bmatrix}, \qquad
|1\rangle = \begin{bmatrix} 0 \\ 1 \end{bmatrix} \tag{1.1}
$$

which represent the orthonormal basis of $\mathcal{H}$, also called computational basis.


The qubit can exist in either a pure state or a mixed state.
A pure qubit is represented by a precise wave function, in a probabilistic sense, as a superposition of the basis elements:

$$
|\psi\rangle = \alpha\,|0\rangle + \beta\,|1\rangle \tag{1.2}
$$

where $\alpha$ and $\beta$ are two complex coefficients, called probability amplitudes. They satisfy the normalization condition $|\alpha|^2 + |\beta|^2 = 1$, with $|\alpha|^2$ and $|\beta|^2$ representing the probability that a measurement of $\psi$ yields the value $|0\rangle$ and $|1\rangle$ respectively, according to the Born rule. Thanks to that, it is possible to write $\alpha$ and $\beta$ using the Hopf coordinates:

$$
\alpha = e^{i\delta}\cos\left(\frac{\theta}{2}\right) \tag{1.3}
$$

$$
\beta = e^{i(\delta+\varphi)}\sin\left(\frac{\theta}{2}\right) \tag{1.4}
$$

where $\theta \in\, ]0;\pi[$ and $\varphi \in\, ]0;2\pi[$. In addition, since the factor $e^{i\delta}$ is shared, it does not affect measurements of observables; thus the probability amplitudes become:

$$
\alpha = \cos\left(\frac{\theta}{2}\right), \qquad \beta = e^{i\varphi}\sin\left(\frac{\theta}{2}\right) \tag{1.5}
$$

Therefore, $|\psi\rangle = \cos\left(\frac{\theta}{2}\right)|0\rangle + e^{i\varphi}\sin\left(\frac{\theta}{2}\right)|1\rangle$ [1]. Then, each qubit is depicted as a point on the two-dimensional surface of the so-called Bloch sphere, or Poincaré sphere, shown in Figure 1.1.

Figure 1.1: Visual representation of the Bloch sphere with the qubit states $|0\rangle$, $|1\rangle$, $|+\rangle$, $|-\rangle$, $|+i\rangle$ and $|-i\rangle$. [2]

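In particular, if the value $\theta = \pi/2$ is chosen, the vectors lying on the equatorial plane of the above-mentioned sphere are obtained; among those, four are of particular importance for many protocols of quantum cryptography, like the BB84 protocol which will be analysed in the following sections, and are obtained for appropriate choices of the $\varphi$ angle [3]:

$$
|+\rangle = \frac{1}{\sqrt{2}}\begin{bmatrix} 1 \\ 1 \end{bmatrix} = \frac{|0\rangle + |1\rangle}{\sqrt{2}} \quad \text{if } \varphi = 0 \tag{1.6}
$$

$$
|-\rangle = \frac{1}{\sqrt{2}}\begin{bmatrix} 1 \\ -1 \end{bmatrix} = \frac{|0\rangle - |1\rangle}{\sqrt{2}} \quad \text{if } \varphi = \pi \tag{1.7}
$$

$$
|+i\rangle = \frac{1}{\sqrt{2}}\begin{bmatrix} 1 \\ i \end{bmatrix} = \frac{|0\rangle + i\,|1\rangle}{\sqrt{2}} \quad \text{if } \varphi = \frac{\pi}{2} \tag{1.8}
$$

$$
|-i\rangle = \frac{1}{\sqrt{2}}\begin{bmatrix} 1 \\ -i \end{bmatrix} = \frac{|0\rangle - i\,|1\rangle}{\sqrt{2}} \quad \text{if } \varphi = \frac{3\pi}{2} \tag{1.9}
$$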

Using the Pauli formalism, it is necessary to introduce the following matrices:

$$
\sigma_z = \begin{bmatrix} 1 & 0 \\ 0 & -1 \end{bmatrix}, \qquad
\sigma_x = \begin{bmatrix} 0 & 1 \\ 1 & 0 \end{bmatrix}, \qquad
\sigma_y = \begin{bmatrix} 0 & -i \\ i & 0 \end{bmatrix}, \tag{1.10}
$$

and the two-dimensional identity matrix:

$$
I = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix} \tag{1.11}
$$

Thus, we have that $M_1 = \{|0\rangle, |1\rangle\}$ contains the eigenstates of $\sigma_z$ and is called the Z basis, or computational basis; $M_2 = \{|+\rangle, |-\rangle\}$ contains the eigenstates of $\sigma_x$ and is called the X basis, or Hadamard basis; $M_3 = \{|+i\rangle, |-i\rangle\}$ contains the eigenstates of $\sigma_y$ and is called the Y basis.
$M_1$, $M_2$ and $M_3$ are called mutually unbiased bases (MUB), because if a state is prepared in one of the bases $M_i$ and it is later measured in a basis $M_j$ with $i \neq j$, both the possible outcomes are predicted with the same probability [3].
Formally, given two MUB belonging to a $p$-dimensional Hilbert space, $\{\varphi_1, \varphi_2, ..., \varphi_p\}$ and $\{\phi_1, \phi_2, ..., \phi_p\}$, the following result holds [4, 5]:

$$
|\langle \varphi_i | \phi_j \rangle|^2 = \frac{1}{p} \quad \forall i, j \tag{1.12}
$$

Our case of interest treats the easier situation of a two-dimensional Hilbert space with $p = 2$.
In the relevant case treated here, photons constitute the physical support of quantum cryptography, in which information is carried by means of the polarization of light, represented by the qubit $\psi$ of the physical system taken into consideration. In particular, the polarization of photons is described by two independent polarization states. For the linear vertical and horizontal states, the Z basis is used, with $|0\rangle = |H\rangle$ and $|1\rangle = |V\rangle$, where H and V refer to the directions of the electromagnetic field oscillation. Vice versa, the vectors belonging to the X basis describe linear diagonal states, perpendicular to each other, $|+\rangle = |D\rangle$ and $|-\rangle = |A\rangle$. Finally, the vectors of the Y basis $|+i\rangle$ and $|-i\rangle$ describe circular states, clockwise and anti-clockwise respectively: $|+i\rangle = |R\rangle$ and $|-i\rangle = |L\rangle$ [3].
As previously stated, the security yielded by quantum cryptography is not guaranteed by the inability of the current computational power to break an algorithm; instead it is ensured by physical principles which act at a quantum-mechanical level, given its probabilistic and non-deterministic nature. Among those are the Heisenberg Uncertainty Principle and the No-Cloning Theorem, which will be analyzed in the following sections.

1.2 Measurements and Density Matrices


In a quantum cryptography protocol, the act of measurement is essential to exchange information between legitimate parties. It is therefore necessary to formalize the concept of measurement [1, 6].

Definition 1.2.1. Given $M_x : B(\mathcal{H}) \to B(\mathcal{H})$, the measurement is defined as a set $\{M_x\}$ of operators, where the possible results are indexed by the variable $x \in \mathcal{X}$. These operators respect the so-called completeness relation:

$$
\sum_{x \in \mathcal{X}} M_x^\dagger M_x = I \tag{1.13}
$$

Applying the measurement act to a system that lies in the pure state $|\psi\rangle$, the outcome $x \in \mathcal{X}$ is yielded with probability [1]

$$
P^{\psi}(x) = \langle \psi | M_x^\dagger M_x | \psi \rangle . \tag{1.14}
$$

Therefore, resulting from the measurement, the state is [7]:

$$
|\psi_f\rangle = \frac{M_x |\psi\rangle}{\sqrt{\langle \psi | M_x^\dagger M_x | \psi \rangle}} \tag{1.15}
$$

In quantum cryptography protocols, a useful example is given by the measurement operators for the measurement of a qubit in the Z basis, which has two possible results, 0 and 1:

$$
M_0 = |0\rangle\langle 0|, \qquad M_1 = |1\rangle\langle 1| \tag{1.16}
$$

Using the density matrix formalism, the description of measurements is straightforward to generalize.
In general, we may not have full knowledge of the actual physical state, but rather of a collection of states, each of which has a particular likelihood of occurring. Let’s take a quantum system that is defined by a statistical combination of state vectors $|\psi_1\rangle, |\psi_2\rangle, ..., |\psi_p\rangle \in \mathcal{H}$ that occur with probabilities $p_1, p_2, ..., p_p$ respectively, satisfying the condition $\sum_{i=1}^{p} p_i = 1$ with $p_i \geqslant 0 \ \forall i \in \{1, ..., p\}$.
The whole ensemble $\{p_i ; |\psi_i\rangle\}_{1,...,p}$ therefore describes the system’s state, and the expectation value of $|\psi_i\rangle$ with probability $p_i$ is interpreted as the equivalent density matrix of the system, which is:

$$
\rho = \sum_{i=1}^{p} p_i\, |\psi_i\rangle\langle\psi_i| \tag{1.17}
$$

Formally, the density matrix is defined as follows.

Definition 1.2.2. A density matrix $\rho$, also known as a density operator, is an operator on the Hilbert space $\mathcal{H}$ that meets the requirements listed below:

1. $\mathrm{Tr}(\rho) = 1$, that means it is normalized;

2. $\rho^\dagger = \rho$, that means it is Hermitian;

3. $\langle\psi|\rho|\psi\rangle \geqslant 0,\ \forall\, |\psi\rangle \in \mathcal{H}$, that means it is positive semi-definite.

Each system is associated with one and only one density matrix, but each density matrix is not associated with one and only one quantum system.
Using the Pauli representation, it is possible to write the density operator as:

$$
\rho = \frac{1}{2}\left(I + \bar{n} \cdot \bar{\sigma}\right) \tag{1.18}
$$

where $\bar{\sigma} = \{\sigma_x, \sigma_y, \sigma_z\}$ and $\bar{n}$ is a Bloch vector of unit modulus for a pure qubit state.
If the state taken into consideration is a pure state, then it’s possible to claim to know the system exactly. In this case the summation of equation (1.17) collapses to a single term; in the case where $p_1 = 1$ and $p_i = 0\ \forall i \neq 1$, the density matrix is:

$$
\rho = |\psi_1\rangle\langle\psi_1| \tag{1.19}
$$

The ensemble is considered to exist in a mixed state if the summation contains many terms. In addition, the following theorem holds true as a necessary and sufficient condition for $\rho$ to be a pure state.

Theorem 1.2.1. A density matrix represents a pure state if and only if

$$
\rho^2 = \rho \tag{1.20}
$$

which means it is idempotent.

Similarly, it is possible to differentiate between pure and mixed states using the definition of purity.

Definition 1.2.3. Given a density matrix $\rho$, the purity $P(\rho)$ is defined as:

$$
P(\rho) = \mathrm{Tr}\left(\rho^\dagger \rho\right) = \mathrm{Tr}\left(\rho^2\right) \tag{1.21}
$$

In this way, the purity of a pure state is $P(\rho) = 1$, and the purity of a mixed state is $P(\rho) \leqslant 1$.

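Given the set of operators $\{M_x\}$, we want to perform a measurement. Starting with an initial state $|\psi_i\rangle$, the outcome $x \in \mathcal{X}$ is yielded with probability

$$
P^{\psi_i}(x) = \langle\psi_i| M_x^\dagger M_x |\psi_i\rangle = \mathrm{Tr}\left(M_x^\dagger M_x |\psi_i\rangle\langle\psi_i|\right) = \mathrm{Tr}\left(M_x^\dagger M_x \rho_{\psi_i}\right) \tag{1.22}
$$

while examining the complete ensemble, the probability is

$$
P^{\rho}(x) = \sum_i p_i P^{\psi_i}(x) = \sum_i p_i\, \mathrm{Tr}\left(M_x^\dagger M_x |\psi_i\rangle\langle\psi_i|\right) = \mathrm{Tr}\left(M_x^\dagger M_x \rho\right) \tag{1.23}
$$

and the final state after the act of measurement is

$$
\rho_f = \frac{M_x \rho M_x^\dagger}{\mathrm{Tr}\left(M_x^\dagger M_x \rho\right)} \tag{1.24}
$$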

Making a distinction between quantum states through measurements is a significant issue in quantum information theory. Given a collection of orthogonal quantum states, it is always possible to design a projective measurement that permits us to differentiate between the states. Given a collection of orthonormal quantum states $\{|\psi_i\rangle\}$, the measurement operator $M_i$ is defined to be

$$
M_i = |\psi_i\rangle\langle\psi_i| \quad \forall i \tag{1.25}
$$

and one additional measurement operator

$$
M_0 = I - \sum_{i \neq 0} |\psi_i\rangle\langle\psi_i| \tag{1.26}
$$

In addition to the completeness relation, these operators satisfy the following property:

$$
P^{\psi_i}(i) = \langle\psi_i| M_i |\psi_i\rangle = 1 \tag{1.27}
$$

There is no quantum measurement that is capable of accurately determining the states in the case that they are not orthonormal. Therefore, treating a general case, the mathematical formalism of a positive operator-valued measure (POVM) turns out to be useful, including the fact that measurement outcomes are frequently what are of interest rather than the system’s final state after the measurement [1]. A POVM is formally defined as follows [7, 8]:

Definition 1.2.4. Given a finite outcome collection $\mathcal{X}$, a positive operator-valued measure (POVM) is a set $E$ of operators $E_x$, with $x \in \mathcal{X}$, which follow the relations

$$
\forall x \in \mathcal{X} : E_x \geqslant 0, \qquad \sum_{x \in \mathcal{X}} E_x = I \tag{1.28}
$$

Using a density-operator system $\rho$ it is possible to recover the previous relations using the POVM definition:

$$
P^{\rho}(x) = \mathrm{Tr}\left(\rho E_x\right) \tag{1.29}
$$

As an example, let’s consider the case where the sender of the information, called Alice, can select between $|\psi_0\rangle = |0\rangle$ and $|\psi_1\rangle = |+\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}}$.
The POVM components are [1]:

$$
E_0 = \frac{\sqrt{2}}{\sqrt{2}+1}\, |1\rangle\langle 1| \tag{1.30}
$$

$$
E_1 = \frac{\sqrt{2}}{\sqrt{2}+1}\, \frac{(|0\rangle - |1\rangle)(\langle 0| - \langle 1|)}{2} \tag{1.31}
$$

$$
E_2 = I - E_0 - E_1 \tag{1.32}
$$

Thus, with three measures, we can create a POVM that sometimes differentiates the two states without ever incorrectly identifying either one. Indeed, if the measurement outcome is 0, the only possible measured state is $|\psi_1\rangle$, because $\langle\psi_0|E_0|\psi_0\rangle = 0$. Analogously, if the measurement outcome is 1, the only possible measured state is $|\psi_0\rangle$ because $\langle\psi_1|E_1|\psi_1\rangle = 0$. However, if the outcome is 2, it is not possible to gain information about the state since $\langle\psi_0|E_2|\psi_0\rangle = \langle\psi_1|E_2|\psi_1\rangle = \frac{1}{2}$.

1.3 Uncertainty Principle


Quantum cryptography is supported by the generalized Uncertainty Principle, according to which the measurement of a quantum system causes the wave function that describes it to collapse, and disturbs the system, implying the impossibility of gaining total information about the state of the system before the measurement.
In its broadest sense, Heisenberg’s Uncertainty Principle refers to the measurement error (or variance) of so-called non-commuting variables [9].
It asserts that, given two observables represented by Hermitian operators $\hat{A}$ and $\hat{B}$,

$$
\sigma_A^2 \sigma_B^2 \geqslant \left( \frac{1}{2i} \langle [\hat{A}; \hat{B}] \rangle \right)^2 \tag{1.33}
$$

where

$$
\begin{cases}
\langle \hat{A} \rangle = \langle\psi|\hat{A}|\psi\rangle = \mathrm{Tr}\left[\rho_\psi \hat{A}\right] \\
\sigma_A^2 = \langle (\hat{A} - \langle\hat{A}\rangle)\psi \,|\, (\hat{A} - \langle\hat{A}\rangle)\psi \rangle \\
[\hat{A}; \hat{B}] = \hat{A}\hat{B} - \hat{B}\hat{A}
\end{cases} \tag{1.34}
$$

correspond respectively to the expectation value of the observable $\hat{A}$, the standard deviation of observable $\hat{A}$ and to the commutator between operators $\hat{A}$ and $\hat{B}$.
Its importance for quantum cryptography is the following: the measurements of the photon polarization in the $M_i$ basis and in the $M_j$ basis with $i \neq j$ correspond to two non-commuting operators. This implies that measuring in the $M_i$ basis and later in the $M_j$ basis yields a different outcome from executing the measurement in the $M_j$ basis only, since uncertainty on the “$M_i$ basis polarization” is added.
Formally, the operators which correspond to the measurement of polarization in the Z and X bases are respectively:

$$
\hat{P}_Z = |0\rangle\langle 0| - |1\rangle\langle 1| \tag{1.35}
$$

$$
\hat{P}_X = |+\rangle\langle +| - |-\rangle\langle -| \tag{1.36}
$$

In this way, $|0\rangle$ and $|1\rangle$ are eigenstates of the $\hat{P}_Z$ operator, with eigenvalues $\lambda_{|0\rangle} = +1$ and $\lambda_{|1\rangle} = -1$, representing respectively the case of transmission and reflection of the photon. Analogously, $|+\rangle$ and $|-\rangle$ are eigenstates of the $\hat{P}_X$ operator, with $\lambda_{|+\rangle} = +1$ and $\lambda_{|-\rangle} = -1$. If the $|1\rangle$ state were measured in the X basis, one would obtain:

$$
\begin{aligned}
\hat{P}_X |1\rangle &= |+\rangle\langle +|1\rangle - |-\rangle\langle -|1\rangle
= \frac{1}{\sqrt{2}} |+\rangle\langle +|+\rangle - \frac{1}{\sqrt{2}} |+\rangle\langle +|-\rangle \\
&\quad - \frac{1}{\sqrt{2}} |-\rangle\langle -|+\rangle + \frac{1}{\sqrt{2}} |-\rangle\langle -|-\rangle
= \frac{1}{\sqrt{2}} |+\rangle + \frac{1}{\sqrt{2}} |-\rangle
\end{aligned} \tag{1.37}
$$

This shows the importance for the legitimate parties of using the same basis in the communication procedure in order to transmit a qubit deterministically.
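
The effect of an intermediate measurement in the other basis can be worked through with the density-matrix relations (1.21), (1.23) and (1.24). The following is an added example, not code from the thesis; the function names (`measure_unread`, `flip_probability`) and the choice of averaging over the unread intermediate outcome are assumptions made for the illustration.

```python
from math import sqrt, isclose

S = 1 / sqrt(2)
# Kets of the Z and X bases, eqs. (1.1), (1.6), (1.7)
KET = {"0": [1, 0], "1": [0, 1], "+": [S, S], "-": [S, -S]}
BASES = {"Z": ("0", "1"), "X": ("+", "-")}

def outer(ket):
    """Projector |ket><ket| as a 2x2 matrix."""
    return [[complex(a) * complex(b).conjugate() for b in ket] for a in ket]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]

def dagger(m):
    return [[m[j][i].conjugate() for j in range(2)] for i in range(2)]

def trace(m):
    return m[0][0] + m[1][1]

def operators(basis):
    """Measurement operators M_x = |x><x| of a basis, as in eq. (1.16)."""
    return {name: outer(KET[name]) for name in BASES[basis]}

def prob(rho, m):
    """Eq. (1.23): P(x) = Tr(M_x^dagger M_x rho)."""
    return trace(matmul(matmul(dagger(m), m), rho)).real

def post_state(rho, m):
    """Eq. (1.24): state after outcome x has been observed."""
    p = prob(rho, m)
    if isclose(p, 0.0, abs_tol=1e-12):
        raise ValueError("outcome has zero probability")
    num = matmul(matmul(m, rho), dagger(m))
    return [[v / p for v in row] for row in num]

def measure_unread(rho, basis):
    """State left behind by a measurement whose outcome we are not told:
    each post-measurement state (1.24) weighted by its probability (1.23)."""
    out = [[0j, 0j], [0j, 0j]]
    for m in operators(basis).values():
        p = prob(rho, m)
        if p > 1e-12:
            branch = post_state(rho, m)
            out = [[out[i][j] + p * branch[i][j] for j in range(2)]
                   for i in range(2)]
    return out

def purity(rho):
    """Eq. (1.21): Tr(rho^2)."""
    return trace(matmul(rho, rho)).real

def flip_probability(sent, middle_basis):
    """Probability that a receiver measuring in the sender's basis reads the
    wrong state after an intermediate measurement in `middle_basis`."""
    send_basis = next(b for b, names in BASES.items() if sent in names)
    rho = measure_unread(outer(KET[sent]), middle_basis)
    return 1.0 - prob(rho, operators(send_basis)[sent])

if __name__ == "__main__":
    for sent in ("0", "1", "+", "-"):
        for middle in ("Z", "X"):
            print(sent, middle, round(flip_probability(sent, middle), 3))
```

An intermediate measurement in the sender's own basis leaves the state untouched, while one in the other basis turns the pure state into the maximally mixed one (purity 1/2), so the legitimate receiver reads the wrong value half of the time.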
As will be analysed later, coherent states are crucial in the analysis of practical real-life quantum key protocols. They are defined as particular quantum states of the harmonic oscillator that exhibit classical motion [10], and are given by the following expression:

$$
|z\rangle = \sum_{n=0}^{\infty} \frac{z^n}{\sqrt{n!}}\, e^{-\frac{|z|^2}{2}}\, |n\rangle \qquad z \in \mathbb{C} \tag{1.38}
$$

They saturate the levels of the Uncertainty Principle for the particle’s measure of position and momentum, making the inequality in (1.33) an equality: $\Delta p_z \Delta q_z = \frac{\hbar}{2}$.

1.4 No-Cloning Theorem


Because of the “destructive” nature of quantum mechanics, the No-Cloning Theorem is of paramount importance in ensuring security in principle for quantum encryption protocols, as it guarantees the eavesdropper's failure.
It asserts that it is impossible to create an independent and identical copy of an arbitrary unknown quantum state. Indeed, suppose we want a machine that takes as input a state $|\psi\rangle_A$ in the so-called data slot A, and copies it into the target slot B, where the initial pure state $|X\rangle_B$ is prepared. The systems A and B share the same Hilbert space: $\mathcal{H} = \mathcal{H}_A = \mathcal{H}_B$. Hence, the copying machine starts out with the state

$$
|\psi\rangle_A \otimes |X\rangle_B \tag{1.39}
$$

and wants to end up with the state

$$
|\psi\rangle_A \otimes |\psi\rangle_B \tag{1.40}
$$

The quantum operator that acts on the composite system belonging to $\mathcal{H} \otimes \mathcal{H}$ is a unitary operator $U$; it affects the evolution of the system in the following way:

$$
|\psi\rangle_A \otimes |X\rangle_B \xrightarrow{\;U\;} U\left(|\psi\rangle_A \otimes |X\rangle_B\right) = |\psi\rangle_A \otimes |\psi\rangle_B \tag{1.41}
$$

Let’s suppose that the states $\psi_1$ and $\psi_2$ are successfully cloned:

$$
U\left(|\psi_1\rangle_A \otimes |X\rangle_B\right) = |\psi_1\rangle_A \otimes |\psi_1\rangle_B \tag{1.42}
$$

$$
U\left(|\psi_2\rangle_A \otimes |X\rangle_B\right) = |\psi_2\rangle_A \otimes |\psi_2\rangle_B \tag{1.43}
$$

Given that unitary transformations preserve inner products, from the previous relations one gets:

$$
\langle\psi_1|\psi_2\rangle = |\langle\psi_1|\psi_2\rangle|^2 \tag{1.44}
$$

that yields either $|\langle\psi_1|\psi_2\rangle| = 0$ or $|\langle\psi_1|\psi_2\rangle| = 1$, which means that either $|\psi_1\rangle$ and $|\psi_2\rangle$ are equal (just a phase difference) or they are orthonormal. We conclude that the machine is able to copy only orthonormal states and not general ones.
Thus, it is possible to clone eigenstates with respect to a certain basis, such as $|\psi_1\rangle = |0\rangle$ and $|\psi_2\rangle = |1\rangle$ for Z, but it is not possible to do so with nontrivial linear combinations. For example, in the physical case of our interest, it results in the impossibility of cloning $|\psi_1\rangle = |0\rangle$ and $|\psi_2\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}}$ because they are not orthogonal to each other.
Moreover, this is the reason why the sender and receiver of the information must use the same basis to communicate, while an eavesdropper who does not know the bases used fails to clone the information.
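
The argument above can be checked numerically with a concrete copying machine. This is an added example, not code from the thesis: it assumes the CNOT gate as the unitary $U$ and $|X\rangle_B = |0\rangle$ as the blank target, and the function names are hypothetical. The separability test uses the standard fact that a two-qubit pure state $a|00\rangle + b|01\rangle + c|10\rangle + d|11\rangle$ is a product state exactly when $ad - bc = 0$.

```python
from math import sqrt, isclose

S = 1 / sqrt(2)
KET = {"0": [1.0, 0.0], "1": [0.0, 1.0], "+": [S, S], "-": [S, -S]}

# Assumed copying machine: CNOT with A as control and B as target,
# written in the basis order |00>, |01>, |10>, |11>.
CNOT = [[1, 0, 0, 0],
        [0, 1, 0, 0],
        [0, 0, 0, 1],
        [0, 0, 1, 0]]

def kron(a, b):
    """Tensor product |a>_A (x) |b>_B of two single-qubit kets."""
    return [x * y for x in a for y in b]

def inner(a, b):
    """Inner product <a|b>."""
    return sum(complex(x).conjugate() * y for x, y in zip(a, b))

def apply(u, v):
    return [sum(u[i][j] * v[j] for j in range(len(v))) for i in range(len(u))]

def clone_attempt(name):
    """Run U(|psi>_A (x) |0>_B) as in eq. (1.41) and compare with the
    wanted output |psi>_A (x) |psi>_B of eq. (1.40).
    Returns (output state, fidelity with the ideal clone)."""
    psi = KET[name]
    out = apply(CNOT, kron(psi, KET["0"]))
    ideal = kron(psi, psi)
    return out, abs(inner(ideal, out)) ** 2

def is_product_state(v):
    """True if the two-qubit pure state factorizes as |phi>_A (x) |eta>_B."""
    a, b, c, d = v
    return isclose(abs(a * d - b * c), 0.0, abs_tol=1e-12)

def unitarity_allows_cloning(k1, k2):
    """Condition (1.44): the overlap must equal its own squared modulus."""
    s = inner(KET[k1], KET[k2])
    return isclose(abs(s - abs(s) ** 2), 0.0, abs_tol=1e-12)

if __name__ == "__main__":
    for name in ("0", "1", "+", "-"):
        out, fidelity = clone_attempt(name)
        print(name, "fidelity:", round(fidelity, 3),
              "product state:", is_product_state(out))
    print("0/1 clonable together:", unitarity_allows_cloning("0", "1"))
    print("0/+ clonable together:", unitarity_allows_cloning("0", "+"))
```

The machine copies $|0\rangle$ and $|1\rangle$ perfectly, but on $|+\rangle$ it outputs $(|00\rangle + |11\rangle)/\sqrt{2}$, which overlaps the wanted $|+\rangle \otimes |+\rangle$ with fidelity 1/2 and is not a product state at all.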

1.5 Theory of Information Related Quantities


A fundamental concept for information theory, and thus for quantum cryptography, is the Shannon entropy.

Definition 1.5.1. Given a random variable $X$, which can have outcomes $X_1, X_2, ..., X_n$, with probabilities $p_1, p_2, ..., p_n$ respectively, the Shannon entropy for variable $X$ is defined as [7]:

$$
H(X) = H(p_1, p_2, ..., p_n) = -\sum_i p_i \log p_i \tag{1.45}
$$

It can be seen that the Shannon entropy does not depend on the type of outcomes that the variable $X$ can take, but on their output probabilities, and thus ultimately on the probability distribution $p_1, ..., p_n$. To better understand its meaning, the Shannon entropy measures the amount of information we typically learn when we discover the outcome value $X_i$ of the variable $X$. The greater the probability $p_i$ of obtaining the outcome $X_i$, without any other prior information about it, the less information is gained after the outcome occurs. Indeed, given a set of possible outcomes $X_i$, $i \in \{1, ..., n\}$, with probability $p_i$, the definition of the corresponding information is $Q_i = -\log p_i$, measured in bits, and the Shannon entropy corresponds to the expectation value of $Q$ [11]:

$$
S = \langle Q \rangle = \sum_i Q_i p_i = -\sum_i p_i \log p_i \tag{1.46}
$$

The Shannon entropy also quantifies the degree of uncertainty around $X$ before we find its value, thanks to the knowledge of the probability distribution. The greater the probability $p_i$, the less the uncertainty of the outcome $X_i$, and vice versa.
These two ways of viewing entropy, as mean information obtained and as uncertainty associated with an outcome, overlap.
In cryptography, the random variable $X$ to be considered often has only two possible outcomes, i.e. the 0 and 1 classical bits, or the $|0\rangle$ and $|1\rangle$ qubits. In this case it is possible to define the binary Shannon Entropy [1]:

Definition 1.5.2. The binary Shannon Entropy is defined as follows

$$
H^{bin}(p) = -p \log p - (1 - p) \log (1 - p) \tag{1.47}
$$

where $p$ is the probability of the first outcome and $1 - p$ of the second one.

The graph of $H^{bin}(p)$ is shown in Figure 1.2, where it can be seen that it has its maximum value for $p = 1/2$.

Figure 1.2: Representation of the binary Shannon Entropy as a function of p.

Definition 1.5.3. Given two random variables $X$ and $Y$, the conditional entropy $H(X|Y)$ is defined as follows:

$$
H(X|Y) = \sum_{x \in X} \sum_{y \in Y} P(x, y) \log \frac{1}{P(x|y)} = H(X, Y) - H(Y) \tag{1.48}
$$

that is the entropy of a source $X$ given the information of source $Y$.

$P(x, y)$ is the joint probability of $X$ and $Y$, while $P(x|y)$ is the conditional probability of $X$ given $Y$.

Definition 1.5.4. Given two random variables $X$ and $Y$, the mutual information $I(X, Y)$ is defined as follows:

$$
I(X, Y) = \sum_{x \in X} \sum_{y \in Y} P(x, y) \log \frac{P(x, y)}{P_1(x) P_2(y)} = H(X) - H(X|Y) \tag{1.49}
$$

and it is a measure of the correlation between the two variables $X$ and $Y$ that follow the joint probability distribution $P(x, y)$.
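
Definitions 1.5.1 to 1.5.4 can be evaluated on a small joint distribution to see how the two forms of (1.48) and (1.49) agree. This is an added example, not code from the thesis: the sender/receiver bit channel with error rate `e`, the sample values, and the function names are constructed for the illustration, and the logarithm is taken in base 2 so that results are in bits.

```python
from math import log2, isclose

def H(probs):
    """Shannon entropy (1.45) in bits; terms with p = 0 contribute nothing."""
    return -sum(p * log2(p) for p in probs if p > 0)

def h_bin(p):
    """Binary Shannon entropy (1.47)."""
    return H([p, 1 - p])

def channel_joint(p0, e):
    """Constructed joint distribution P(x, y): the sender's bit X is 0 with
    probability p0 and the receiver's bit Y differs from X with probability e."""
    return {(0, 0): p0 * (1 - e), (0, 1): p0 * e,
            (1, 0): (1 - p0) * e, (1, 1): (1 - p0) * (1 - e)}

def marginals(joint):
    """Marginal distributions P1(x) and P2(y) of a joint distribution."""
    px, py = {}, {}
    for (x, y), p in joint.items():
        px[x] = px.get(x, 0.0) + p
        py[y] = py.get(y, 0.0) + p
    return px, py

def conditional_entropy(joint):
    """First form of (1.48): sum of P(x,y) log 1/P(x|y), P(x|y) = P(x,y)/P2(y)."""
    _, py = marginals(joint)
    return sum(p * log2(py[y] / p) for (x, y), p in joint.items() if p > 0)

def mutual_information(joint):
    """First form of (1.49): sum of P(x,y) log P(x,y) / (P1(x) P2(y))."""
    px, py = marginals(joint)
    return sum(p * log2(p / (px[x] * py[y]))
               for (x, y), p in joint.items() if p > 0)

def check_identities(joint):
    """Compare both sides of (1.48) and (1.49) numerically."""
    px, py = marginals(joint)
    lhs_cond = conditional_entropy(joint)
    rhs_cond = H(joint.values()) - H(py.values())
    lhs_mi = mutual_information(joint)
    rhs_mi = H(px.values()) - lhs_cond
    return isclose(lhs_cond, rhs_cond, abs_tol=1e-12) and \
           isclose(lhs_mi, rhs_mi, abs_tol=1e-12)

if __name__ == "__main__":
    for e in (0.0, 0.05, 0.11, 0.25, 0.5):      # constructed error rates
        j = channel_joint(0.5, e)
        print(f"e={e:.2f}  H(X|Y)={conditional_entropy(j):.4f}  "
              f"I(X,Y)={mutual_information(j):.4f}  identities={check_identities(j)}")
```

For uniformly random bits the mutual information reduces to $1 - H^{bin}(e)$: a noiseless channel shares one full bit per symbol, and at $e = 1/2$ the two parties' bits are uncorrelated.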

1.6 Entanglement
At the heart of the differences between classical and quantum physics lies the concept
of quantum entanglement. A concept that exists only in quantum mechanics, it asserts that
an entangled system cannot be expressed as a factorization of its elements:
there are no individual separate components but an inseparable ensemble, causing what
Einstein referred to as “spooky action at a distance.”
Besides product states, the composite Hilbert space contains additional conceivable
states, in particular states with interesting features that do not display such a product
shape. Quantum correlations can be seen when two (or more) parties that are separated
in space share the same quantum state. Entanglement is the term given to this phenomenon.
Formally, the following definition of entanglement is provided:

Definition 1.6.1. If a pure bipartite state $|\psi\rangle_{AB}$ cannot be expressed as a product state
$|\phi\rangle_A \otimes |\eta\rangle_B$ for any combination of states $|\phi\rangle_A$ and $|\eta\rangle_B$, it is said to be entangled.
Otherwise, it is said to be separable.

In addition, we can give the definition of maximally entangled states as follows:

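Definition 1.6.2. Given a bipartite system $\mathcal{H}_A \otimes \mathcal{H}_B$ such that $\dim(\mathcal{H}_A) = \dim(\mathcal{H}_B) = d$
with orthonormal bases $\{|j\rangle_A\}$ and $\{|j\rangle_B\}$ respectively, the maximally entangled state
is
$$|\Psi\rangle = \frac{1}{\sqrt{d}} \sum_{j=1}^{d} |jj\rangle \tag{1.50}$$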

To conclude, a useful theorem is provided in order to examine pure bipartite states.

Theorem 1.6.1 (Schmidt Decomposition). Given $|\psi\rangle \in \mathcal{H}_A \otimes \mathcal{H}_B$, then

$$|\psi\rangle = \sum_{j=1}^{d} \lambda_j |j\rangle_A |j\rangle_B \tag{1.51}$$

with $\{|j\rangle_A\}$ and $\{|j\rangle_B\}$ orthonormal bases for the systems A and B respectively. The
amplitudes $\lambda_j$, which are strictly positive, real, and satisfy $\sum_j \lambda_j^2 = 1$, are called Schmidt
coefficients. The Schmidt rank $d$ corresponds to the number of $\lambda_j$ and the following
relation holds:
$$d \leqslant \min\{\dim(\mathcal{H}_A), \dim(\mathcal{H}_B)\} \tag{1.52}$$

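An example of entangled states is given by the Bell states, four maximally
entangled two-qubit states which form a maximally entangled basis (Bell basis)
of the four-dimensional Hilbert space (two qubits). They are defined as follows:
$$\begin{aligned}
|\Phi^+\rangle &= \frac{1}{\sqrt{2}} \left( |0\rangle_A \otimes |0\rangle_B + |1\rangle_A \otimes |1\rangle_B \right) \\
|\Phi^-\rangle &= \frac{1}{\sqrt{2}} \left( |0\rangle_A \otimes |0\rangle_B - |1\rangle_A \otimes |1\rangle_B \right) \\
|\Psi^+\rangle &= \frac{1}{\sqrt{2}} \left( |0\rangle_A \otimes |1\rangle_B + |1\rangle_A \otimes |0\rangle_B \right) \\
|\Psi^-\rangle &= \frac{1}{\sqrt{2}} \left( |0\rangle_A \otimes |1\rangle_B - |1\rangle_A \otimes |0\rangle_B \right)
\end{aligned} \tag{1.53}$$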
The concept of quantum entanglement plays a crucial role in quantum cryptography,
particularly in the implementation of entanglement-based protocols in quantum key
distribution (QKD), enabling secure key distribution between two distant parties, as will
be examined in further sections.
Chapter 2

Quantum Key Distribution

The quantum key distribution (QKD) process is the best currently known method
for performing quantum cryptography operations, and it is implemented through suitable
protocols. QKD offers the ultimate solution to the cryptography problem, in
contrast to post-quantum cryptography, which would offer systems that are robust against
already known quantum algorithms. Indeed, whereas the latter would expose the information
to undiscovered quantum algorithms, QKD restores security by basing it on
fundamental laws of quantum mechanics and on unbreakable principles of
nature, like the above-mentioned Uncertainty Principle and No-Cloning Theorem [3].
Therefore, unlike classical cryptography, this key generating mechanism is demonstrably
secure from every attack that an eavesdropper might launch.
Each QKD protocol aims to provide a shared secret key, known only to the two authorized
parties, that they can use to encrypt and decrypt the messages they exchange by means
of a public communication channel.
A quantum key distribution technique may generally be split into two distinct stages.
The first is the quantum transmission stage, in which Alice and Bob send
and/or measure quantum states. The second is the classical post-processing stage,
where two sets of safe keys are created from the bit strings produced in the quantum
stage [1, 12].
The transmission of information by qubits according to QKD can take place in two different
types of protocols, which differ in the properties they use. They are prepare-and-measure
protocols, which require a quantum channel to transmit the information, which
is then measured, and entanglement-based protocols, in which the legitimate parties obtain
a pair of entangled qubits and extract the key by measuring their subsystems. It is
possible to demonstrate [7] that each prepare-and-measure procedure corresponds to an
entanglement-based method. Since entanglement-based protocols tend to be simpler to
evaluate because they do not include quantum channels, this equivalence is very beneficial
for security demonstrations.

2.1 Prepare-and-Measure Protocols


The legitimate parties, the sender (Alice) and the receiver (Bob), have two communication
channels available. The first is a quantum channel, in which the sender prepares
qubits (often polarized photons) and sends them to Bob, who then measures them.
This quantum transmission is one-way, and there is no restriction whatsoever on the
possibility that a third party (Eve) is performing eavesdropping of any kind.
The second communication channel is a classical authenticated channel [13, 14, 15], such as
the internet or the telephone, in which classical information is exchanged. Authenticated
means that the legitimate parties are sure that they are communicating with each other
and not sending the information to a third party. In this channel Eve is only able to read
the information, but not to retain or modify it in any way. This is a two-way channel,
and information can flow from Alice to Bob and vice versa.

Figure 2.1: Schematic of the operating principle in the Prepare-and-Measure protocols.


Examples of prepare-and-measure protocols are the BB84 protocol, which will be
analysed in more detail in the next sections, the Six-State protocol, a variant of BB84,
and the SARG04 protocol.

2.2 Entanglement-Based Protocols


In this type of protocol, Alice and Bob receive qubits from an external source, which
distributes a pair of entangled states between them. There are no limitations on where
the source can be located: it can be at Alice’s lab, or at Bob’s lab, it can be a third
party (Charlie), or even Eve. As a result, it is usual to designate the source as untrusted,
taking the worst case in which Eve controls the source. Again, the legitimate parties
share a classical authenticated channel in which to perform post-processing operations
on the raw keys [7].

Figure 2.2: Schematic of the operating principle in the Entanglement-Based protocols.

It is possible to note that in this case Alice and Bob do not communicate via a
quantum channel. This implies significant simplifications in that it makes entanglement-based
protocols easier to analyse from a security perspective; it also makes attacks by
Eve much more difficult to accomplish.
However, they possess significant practical limitations, such as the difficulty of realizing
sources that prepare perfect entangled qubits with a sufficiently high rate, which prevent
implementation in current quantum cryptosystems.
An example of entanglement-based protocols is the Ekert91 protocol.

2.3 Quantum Channel


The dynamics in a quantum cryptosystem take place within the so-called quantum
channel, as introduced earlier. Mathematically we denote the quantum channel as $\mathcal{E}$, and
it is an operator that maps states belonging to a Hilbert space $\mathcal{H}_A$ to states belonging
to a Hilbert space $\mathcal{H}_B$. First, it is necessary to introduce some definitions to describe the
quantum channel [7, 16]:

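Definition 2.3.1 (Convex-Linearity). A map $\mathcal{E} : B(\mathcal{H}_A) \to B(\mathcal{H}_B)$ is convex-linear if
the following condition is satisfied:
$$\mathcal{E}\left( \sum_i p_i \rho_i \right) = \sum_i p_i \mathcal{E}(\rho_i), \tag{2.1}$$

with $\mathcal{H}_A$ and $\mathcal{H}_B$ Hilbert spaces, $\{\rho_i\} \in B(\mathcal{H}_A)$ density operators.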

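Definition 2.3.2 (Complete Positivity). A linear map $\mathcal{E} : B(\mathcal{H}_A) \to B(\mathcal{H}_B)$ is said to
be completely positive if the map

$$\mathcal{E} \otimes \mathrm{id}_n : B(\mathcal{H}_A) \otimes B(\mathbb{C}^n) \to B(\mathcal{H}_B) \otimes B(\mathbb{C}^n) \tag{2.2}$$

is positive $\forall n \in \mathbb{N}$, where $\mathrm{id}_n$ represents the identity map in $\mathbb{C}^n$.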

Definition 2.3.3 (Trace Preserving). During the transmission in the quantum channel,
the trace of the state must not change:

$$\mathrm{Tr}(\rho_A) = \mathrm{Tr}(\mathcal{E}(\rho_A)), \quad \rho_A \in B(\mathcal{H}_A) \tag{2.3}$$

This is a necessary condition in order to ensure that the quantum channel transforms
density operators into density operators.

Given the three above-mentioned definitions, the quantum channel is defined as follows:

Definition 2.3.4 (Quantum Channel). The quantum channel is defined as a map
$\mathcal{E} : B(\mathcal{H}_A) \to B(\mathcal{H}_B)$ that is convex-linear, completely positive and trace-preserving.

It is important that the map is completely positive, and not simply positive. Take
as an example the following map, which applies the transpose operation to a single qubit state,

$$T : \rho \to \rho^T, \qquad \begin{bmatrix} a & b \\ c & d \end{bmatrix} \to \begin{bmatrix} a & c \\ b & d \end{bmatrix} \tag{2.4}$$

and consider the state
$$|\Phi^+\rangle = \frac{|00\rangle + |11\rangle}{\sqrt{2}} \tag{2.5}$$
The density operator is $\rho_{\Phi^+} = |\Phi^+\rangle \langle\Phi^+|$, and it yields:
$$\frac{1}{2} \begin{pmatrix} 1 & 0 & 0 & 1 \\ 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 \\ 1 & 0 & 0 & 1 \end{pmatrix} \xrightarrow{T \otimes \mathrm{id}} \frac{1}{2} \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 \end{pmatrix} \tag{2.6}$$

The eigenvalues of the final matrix include $\lambda = -1/2$, which implies that the matrix is
not positive and therefore is not a good density operator [7].
Below the Choi-Kraus Theorem is stated, which allows the quantum channel to be described
in terms of its Kraus decompositions. For a proof see [17].

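Theorem 2.3.1. The Kraus decomposition of a map $\mathcal{E} : \mathcal{H}_A \to \mathcal{H}_B$ is

$$\mathcal{E}(\rho_A) = \sum_{j=1}^{d} K_j \rho_A K_j^\dagger \tag{2.7}$$

if and only if the map is linear, completely positive and trace preserving, where
$\rho_A \in B(\mathcal{H}_A)$, $K_j : \mathcal{H}_A \to \mathcal{H}_B$ $\forall j \in \{1, ..., d\}$ and
$$\sum_{j=1}^{d} K_j^\dagger K_j = I_A \tag{2.8}$$

with $d < \dim(\mathcal{H}_A) \cdot \dim(\mathcal{H}_B)$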



If the system is closed, the quantum channel is defined by a unitary operator
$U : \mathcal{H} \to \mathcal{H}$ with the property that:

$$\rho_f = U \rho_i U^\dagger = \mathcal{U}(\rho_i) \tag{2.9}$$

where $\rho_f$ and $\rho_i$ are respectively the final and initial state.
In this case, it is also possible to perform the reverse procedure by creating the reversed
channel, via the adjoint map $\mathcal{U}^\dagger$:

$$(\mathcal{U}^\dagger \circ \mathcal{U})(\rho) = U^\dagger U \rho U^\dagger U = \rho \tag{2.10}$$
Chapter 3

BB84 Protocol

In this chapter the workings of the BB84 protocol are analysed, a pioneering method
for secure key distribution in the realm of quantum cryptography. Proposed by Charles
H. Bennett and Gilles Brassard in 1984, the BB84 protocol represents one of the most
widely used protocols in QKD because it is easy to implement and guarantees security
against eavesdropping proven on many occasions [18].
Through a meticulous exploration, a comprehensive understanding of the
key components and operational principles of the protocol is provided. By elucidating the steps
involved in key generation, transmission, and reconciliation, the mechanisms that ensure
secure communication between two parties are explored.
This opens the way to insights into its strengths, limitations, and potential avenues for
future advancements, which will be examined in later chapters of the thesis.

3.1 Description
Like any QKD protocol, the BB84 protocol can be divided into two stages; in the first
“quantum” stage the sender (called Alice) and the receiver (Bob) use a quantum channel
to exchange quantum states and thus create the raw encryption key, while in the second
“classical” stage, through already existing information channels, they perform a classical
post-processing operation on the sifted key and the actual exchange of information.

Figure 3.1: Schematic of the operating principle in Quantum Key Distribution protocols.

Figure 3.2: Correspondence between the polarization of photons and binary meaning in the BB84 protocol.

Figure 3.3: Rectilinear and Diagonal bases used in the BB84 protocol.

The BB84 protocol bases its working principle on the polarization of photons to communicate
information, assuming that the emitted signal is composed of single photons;
this assumption is difficult to implement in practice, and the next sections
analyse how to take into account the practical impossibility of obtaining single photon
sources, arriving at the description of the Decoy State Method.
The quantum states used here are the qubits (1.1)(1.6)(1.7) of the Z and X bases [12],
which in this case are denoted by rectilinear and diagonal bases, respectively. A graphical
representation of the qubits is given in Figures 3.2 and 3.3 [19].
The classical bits 0 and 1 can be represented either in the rectilinear (+) or diagonal
(×) basis, according to the following convention:

         Basis +    Basis ×
Bit 0    0°         45°
Bit 1    90°        −45°

Table 3.1: Convention used in order to communicate the binary message.

3.2 Quantum Stage


The first “quantum” stage can be schematized as follows [12]:

Bit Generation. Alice randomly generates a series of bases (rectilinear or diagonal)
and pairs it with an equally long series of randomly generated classical bits (0 and 1).

Bit Preparation and Communication. Alice then prepares a series of photons, i.e.
a string of qubits based on Table 3.1, and sends them to Bob through the quantum
channel.

Bit Measurement. Similarly, Bob randomly extracts a similar string of × and + bases,
and reads the qubits received in the selected basis. Since × and + are mutually
unbiased bases, if the sender and the receiver used the same basis, and this happens
statistically half the time, the qubit Bob receives is the same as the one Alice sent,
assuming perfect calibration of the experimental apparatus. When the bases differ, instead, Bob has
1/2 chance of reading the same bit sent by Alice and 1/2 chance of reading the
opposite bit.
At this point the legitimate parties both have a string of bits, $k_A^{raw}$ and $k_B^{raw}$, called
raw quantum keys, which do not coincide in general.

The protocol is based on a fundamental principle: Alice and Bob’s choice of bases is
completely autonomous and unknown to any third party, such as a possible eavesdropper
Eve, who tries to obtain the bit without being discovered using the most basic intercept-resend
strategy, in which she receives the information from Alice and sends it to Bob.
Indeed, an eavesdropper cannot perfectly replicate or measure the prepared states thanks
to the non-orthogonality criterion: according to the No-Cloning
Theorem, she is unable to duplicate a particle with an unknown state. She cannot
properly decode the information encoded by Alice since the × and + bases are mutually
unbiased, and her activity disturbs the quantum states in a way that can be seen by
authorized users. Without knowing the basis used, statistically, half the time Eve chooses
a different basis than Alice, and in half of those cases she measures the incorrect
bit [20, 21].

3.3 Classical Stage


At this point the second “classical” stage begins, in which Alice and Bob communicate
through a classical channel, and so Eve can only read the information, but not modify
it or send her own to the sender. It can be schematized in the following way [12]:

Announcement. Alice and Bob communicate to each other the strings of × and +
bases used. It is important to emphasize that there is no exchange regarding the
corresponding bits, sent by Alice or received by Bob. This occurs for the reasons
mentioned above, being that only in the case where the legitimate parties have the
same basis they are able to transmit bits to each other deterministically.

Key Extraction. At this point, from the strings $k_A^{raw}$ and $k_B^{raw}$ the sender and the
receiver retain only those bits for which they have the same basis, eliminating the
remainders. This process, called extraction, leads to the creation of two new bit
strings $k_A^{sifted}$ and $k_B^{sifted}$. They constitute the extracted keys, which should be
identical in principle. However, there are two cases in which they may differ. The
first concerns the presence of noise in the quantum transmission channel, which
must be taken into account; the second is the presence of an eavesdropper, who,
by measuring in a different basis than Alice’s, can lead, for the reasons mentioned
above, to changes in the bits measured by Bob. These are the two main sources
of errors that lead to $k_A^{sifted} \neq k_B^{sifted}$, while we go on to neglect the presence of
absorption in the communication channel.
In a noiseless situation, the presence of an error would unequivocally indicate the
presence of an observer. In this situation, clients have the option to terminate
all ongoing communications, throw away the key, and start new ones. However,
given the flaws in physical implementations, noise is always present in real-world
situations. It is tempting to think that one can describe the problems in the
physical channel and assume that any “extra” errors are caused by Eve. Alice and
Bob would not be able to discern between legitimate errors (i.e. not attributable to
Eve) and errors caused by her interference, assuming that Eve can actually replace
the channel with one free of noise.
If the protocol were to be interrupted every time an error is detected, Alice and
Bob would never be able to create a secure key. Therefore, the challenge is less
about identifying an eavesdropper and more about determining how to derive a
private key in the presence of an eavesdropper.
Using current technology, errors in sifted keys are realistically about a few percent of the key
length, as opposed to an error rate of about $10^{-9}$ in the current classical key
distribution mechanism [15].
As a result, legitimate parties need to perform the processes of error correction and
then privacy amplification on the keys, which will be described below.

Error Rate Estimation and Creation of Secret Keys. Let’s consider P(X, Y, Z) the
joint probability distribution of three discrete random variables X, Y, Z of Alice,
Bob and Eve respectively. The sender and the receiver only have access to P(X, Y)
and with this they want to place constraints on the information Eve possesses by
placing constraints on P(X, Y, Z).
Knowing P(X, Y, Z), there is no necessary and sufficient condition to have a secret-key
rate S(X : Y ||Z) > 0. However, it is possible to provide a lower bound on
S(X : Y ||Z) in the following way, taking into account that if Eve knows about one
random variable of the legitimate parties, then the secret-key rate must be higher
[15, 22]:
$$S(X : Y || Z) \geqslant \max \{ I(X, Y) - I(X, Z);\; I(X, Y) - I(Y, Z) \} \tag{3.1}$$
where I(X, Y) is the mutual information between the variables X and Y. The limit
of equality is reached when it comes to one-way communication, for example, from
Alice to Bob. In two-way communication, a secret-key agreement can be reached
even when the condition (3.1) is not satisfied, which means that Eve possesses more
information than Bob. Verifying this condition is therefore necessary.
In order to establish a secret key, Alice selects a subset of bits from the sifted key
and compares them with Bob using the public channel in order to get the error rate
estimation. Then they discard those bits from the sifted key and verify whether
the condition (3.1) is satisfied or not. In the first case they proceed to the next
step, otherwise they abort the protocol.

Error Correction. To see the presence of errors, they usually take $k_A^{sifted}$ as the reference.
To detect and, consequently, correct errors present in $k_B^{sifted}$ they apply
error correction codes, which end with a procedure called “verification.” Among
the most commonly used error correction codes, worth mentioning are linear error
correction codes, and in particular low-density parity-check codes (LDPC) [12]. At
the end of this procedure legitimate parties obtain $k_A^{ver} = k_B^{ver}$ with a high level of
probability.
A simple error correction protocol can be executed in the following way [15]: Alice
and Bob choose the same pairs of bits from the sifted keys and both announce their
XOR value, i.e., their exclusive disjunction, which is an operator that is false if
and only if its arguments are the same: see Table 3.2.

Bit 1    Bit 2    XOR value Bit 1 ⊕ Bit 2
1        1        0
1        0        1
0        1        1
0        0        0

Table 3.2: Exclusive disjunction operation between two bit values.

If Bob’s XOR value matches Alice’s XOR value, he announces “accepted,” and
they both keep the first bit of the pair and discard the second. If Bob’s value does
not match Alice’s one, he announces “rejected” and both bits are discarded.
Eventually the legitimate parties keep sharing the same keys.

Recognition of the Eavesdropper Presence and Level of Eavesdropping. In error
analysis, if the error rate obtained through the study of the communication
channel exceeds a certain threshold level established a priori, the key extraction
protocol is aborted, as errors are attributed not to the noise or channel loss but to
the presence of an eavesdropper.

Privacy Amplification. Subsequent to error correction, Alice and Bob have obtained an
identical copy of the key. However, Eve may possess fractional information about
it, and to avoid this scenario the privacy amplification technique is applied, so
as to reduce the information gained by Eve to an arbitrary level.
To do this, the legitimate parties use functions that allow the mapping of data
with arbitrary size to values with defined size, the so-called hash functions [12, 23],
and they do this in the following way: Alice chooses a given hash function, and
sends it to Bob via the classical channel. They both apply it to their extracted
keys $k_A^{ver}$ and $k_B^{ver}$, and obtain two keys of smaller but identical length, $k_A^{fin} = k_B^{fin}$,
called final keys. With this procedure the eavesdropper has a lower level of gained
information about the keys than before; in particular, this level can be made as
small as desired. If Eve has a large amount of information about the sifted keys,
the required privacy amplification process should make the final keys very short,
so that Eve’s level of gained information about the keys is greatly diminished, and
vice versa.
Users calculate the required amount of Privacy Amplification based on the percentage
of errors found in their experiment, or “quantum bit error rate” (QBER),
which will be formally described in the later sections. Therefore, the hunt for the
ultimate security proof simply entails finding the optimal plan of action Eve may
use to obtain the maximum information gain, given the level of QBER observed.
Picking up on the use of the XOR value seen earlier, a simple privacy amplification
protocol might be the following: Alice chooses a pair of bits and computes their
XOR value. Unlike before, Alice does not tell Bob the XOR value, but the position
of the bits on which she performed the procedure. Both of them, at this point,
replace the pair of bits with their XOR value. In this way, the length of the key
is decreased without the possibility of introducing errors, and consequently, Eve’s
knowledge about the key is decreased. In fact, if she has partial information about
the bits, the information about their XOR values is even less. For example, if she
knows the first bit but not the second one, she has no information about the XOR
value. Otherwise, if Eve knows the value of both bits with 70% probability, she
knows the XOR value with $0.7^2 + 0.3^2 = 58\%$ probability.

This last point ends the “classical” stage, and thus the BB84 protocol with the production
of the encryption key.
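
The pairwise XOR check of the Error Correction step and the XOR-based Privacy Amplification step can be run on constructed keys, as an added example that is not part of the thesis. It assumes independent bit errors with probability `e` and independent guesses by Eve that are right with probability `p_eve`, and all function names are hypothetical. A pair in which both of Bob's bits are flipped passes the parity check, so one pass lowers the error rate without removing it.

```python
import random


def parity_reconcile(key_a, key_b):
    """One pass of the pairwise XOR check on Alice's and Bob's sifted keys.

    For each pair of positions both sides announce bit1 XOR bit2. On a match
    ("accepted") they keep the first bit and drop the second, because the
    announced parity has leaked one bit of the pair. On a mismatch
    ("rejected") both bits are dropped.
    """
    out_a, out_b = [], []
    for i in range(0, min(len(key_a), len(key_b)) - 1, 2):
        if (key_a[i] ^ key_a[i + 1]) == (key_b[i] ^ key_b[i + 1]):
            out_a.append(key_a[i])
            out_b.append(key_b[i])
    return out_a, out_b


def xor_compress(key):
    """Privacy amplification step: replace each pair of bits by its XOR."""
    return [key[i] ^ key[i + 1] for i in range(0, len(key) - 1, 2)]


def error_rate(key_a, key_b):
    """Fraction of positions where the two keys differ."""
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)


def residual_error(e):
    """Expected error rate after one pass for independent bit errors e.

    A pair is accepted with zero errors, (1-e)^2, or with two errors, e^2.
    Only the double-error pairs leave a wrong bit in the key.
    """
    return e * e / (e * e + (1 - e) ** 2)


def xor_guess_probability(p):
    """Chance Eve's XOR guess is right: both bit guesses right or both wrong."""
    return p * p + (1 - p) ** 2


def simulate(n, e, p_eve, seed):
    """Constructed keys: Bob's bits flip with probability e, Eve guesses with p_eve."""
    rng = random.Random(seed)
    alice = [rng.getrandbits(1) for _ in range(n)]
    bob = [bit ^ (rng.random() < e) for bit in alice]
    eve = [bit ^ (rng.random() >= p_eve) for bit in alice]
    rec_a, rec_b = parity_reconcile(alice, bob)
    hits = sum(a == g for a, g in zip(xor_compress(alice), xor_compress(eve)))
    return {
        "error_before": error_rate(alice, bob),
        "error_after": error_rate(rec_a, rec_b),
        "kept_fraction": len(rec_a) / n,
        "eve_xor_hit_rate": hits / (n // 2),
    }


if __name__ == "__main__":
    # Third pair: both of Bob's bits are wrong, the parities agree, the error survives.
    print(parity_reconcile([1, 0, 1, 1, 0, 0, 0, 1], [1, 0, 1, 0, 1, 1, 0, 1]))
    print(simulate(100000, 0.05, 0.7, seed=7))
```

Repeating `parity_reconcile` on its own output drives the error rate down further at the cost of key length, which is why the procedure ends with a verification step.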

3.4 Intercept-Resend Technique


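Let us see how the eavesdropper is able to obtain information through the intercept-resend
technique by introducing noise, and how the ideal situation in which the maximum
possible information is obtained is Bob’s.
Suppose that in the first quantum stage Alice sends a $|\psi\rangle$ state. Eve intercepts it and
projects it along the state $|\theta\rangle = \cos\left(\frac{\theta}{2}\right) |0\rangle + e^{i\phi} \sin\left(\frac{\theta}{2}\right) |1\rangle$ and onto the state orthogonal
to it, $|\theta^\perp\rangle$. At this point it is her intention to deduce the state $|\psi\rangle$ after the classical
stage announcement, using Bayes’ theorem [1, 24]:
$$P\left(|\psi\rangle \,\big|\, |\theta\rangle\right) = \frac{P\left(|\theta\rangle \,\big|\, |\psi\rangle\right) \cdot P\left(|\psi\rangle\right)}{\sum_j P\left(|\theta\rangle \,\big|\, |\psi_j\rangle\right) \cdot P\left(|\psi_j\rangle\right)} \tag{3.2}$$

However, after the announcement phase the possible values of $|\psi_j\rangle$ can be either $|\psi\rangle$ or
$|\psi^\perp\rangle$, hence:
$$P\left(|\psi\rangle \,\big|\, |\theta\rangle\right) = \frac{P\left(|\theta\rangle \,\big|\, |\psi\rangle\right) \cdot P\left(|\psi\rangle\right)}{P\left(|\theta\rangle \,\big|\, |\psi\rangle\right) \cdot P\left(|\psi\rangle\right) + P\left(|\theta\rangle \,\big|\, |\psi^\perp\rangle\right) \cdot P\left(|\psi^\perp\rangle\right)} \tag{3.3}$$

For the reasons mentioned above, $P\left(|\psi\rangle\right) = P\left(|\psi^\perp\rangle\right) = 1/2$, and the expression becomes
$P\left(|\psi\rangle \,\big|\, |\theta\rangle\right) = P\left(|\theta\rangle \,\big|\, |\psi\rangle\right)$.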

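In the special case where $|\psi\rangle = |1\rangle$, when Alice uses the Z basis,
$$P\left(|1\rangle \,\big|\, |\theta\rangle\right) = |\langle 1|\theta\rangle|^2 = \left| \cos\left(\frac{\theta}{2}\right) \langle 1|0\rangle + e^{i\phi} \sin\left(\frac{\theta}{2}\right) \langle 1|1\rangle \right|^2 = \sin^2\left(\frac{\theta}{2}\right) \tag{3.4}$$

On the other hand, if Alice uses the X basis, in the case where $|\psi\rangle = |+\rangle$, we have:
$$P\left(|+\rangle \,\big|\, |\theta\rangle\right) = |\langle +|\theta\rangle|^2 = \left| \cos\left(\frac{\theta}{2}\right) \frac{1}{\sqrt{2}} \langle 0|0\rangle + e^{i\phi} \sin\left(\frac{\theta}{2}\right) \frac{1}{\sqrt{2}} \langle 1|1\rangle \right|^2 = \frac{1}{2} + \frac{\sin\theta \cos\phi}{2} \tag{3.5}$$
Eve’s uncertainty on Alice’s encoding is measured by Shannon’s entropy, depending on
the basis used; thus, we have [3]:
$$H^Z_{\mathrm{Eve}} = -\cos^2\left(\frac{\theta}{2}\right) \cdot \log_2 \cos^2\left(\frac{\theta}{2}\right) - \sin^2\left(\frac{\theta}{2}\right) \cdot \log_2 \sin^2\left(\frac{\theta}{2}\right) \tag{3.6}$$
$$H^X_{\mathrm{Eve}} = -\frac{1 + \sin\theta \cos\phi}{2} \cdot \log_2 \left( \frac{1 + \sin\theta \cos\phi}{2} \right) - \frac{1 - \sin\theta \cos\phi}{2} \cdot \log_2 \left( \frac{1 - \sin\theta \cos\phi}{2} \right) \tag{3.7}$$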
It is possible to see that if the eavesdropper uses θ = 0 then $H^Z_{\mathrm{Eve}} = 0$, and the uncertainty
in the measurement is minimized in the case where the sender uses Z basis;
however, this induces a maximum value of $H^X_{\mathrm{Eve}}$, i.e. the case where Alice uses X basis.
Decreasing the uncertainty for $H^Z_{\mathrm{Eve}}$ increases the uncertainty for $H^X_{\mathrm{Eve}}$, and vice versa.
This agrees with the fact that X and Z are two mutually unbiased bases, in which,
measuring in one basis, maximizing information gain maximizes the uncertainty for the
complementary basis.
The only way to minimize both uncertainties for $H^Z_{\mathrm{Eve}}$ and $H^X_{\mathrm{Eve}}$ is to use two different
bases for measuring the polarization of photons, which should match Alice’s choices; one
solution might be to randomly choose the bases and discard the events for which they
do not match: this is exactly Bob’s situation.
The legitimate parties exchange maximal information, while Eve has an information gain
of 1/2. If the eavesdropper makes a measurement using Z basis, while Alice and Bob
use X basis, the probability that Eve records the same bit sent by Alice is 50%, and the
probability that Bob receives the same bit as Eve is 50%. Consequently, the legitimate
parties detect a 25% error in their keys. However, Eve can apply her strategy to a small
number of bits sent by Alice, such as 10%. In this way Eve gets information of about
5%, but the error rate will be approximately 2.5% [3].
In addition, it is possible to consider the case where θ = π/4, since we have $H^Z_{\mathrm{Eve}} = H^X_{\mathrm{Eve}}$.
Assuming that the sender and the receiver use Z basis, then Eve projects Alice’s qubit
to $|\theta\rangle$ with probability $\cos^2(\pi/8)$ and to $|\theta^\perp\rangle$ with probability $\sin^2(\pi/8)$. In the former
case Bob measures the erroneous qubit with probability $\sin^2(\pi/8)$, in the latter with
probability $\cos^2(\pi/8)$. To conclude, the error rate is $2 \cos^2(\pi/8) \sin^2(\pi/8) = 0.25$, as in
the previous case.
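
The intercept-resend figures of this section (25% error, 2.5% error for a 10% attack, Eve's information of 1/2 and about 5%) can be recomputed exactly from the joint distribution P(x, y, z) and fed into definitions (1.47) to (1.49) and the bound (3.1). The following is an added example, not code from the thesis: it assumes φ = 0, so that every state is a real vector labelled by its angle θ, it models only this individual attack, and all function names are hypothetical.

```python
import math
from collections import defaultdict
from itertools import product

# Angle theta (phi = 0) of the bit-0 state of each basis: |0> for Z, |+> for X.
BASIS_ANGLE = {"Z": 0.0, "X": math.pi / 2}


def h2(p):
    """Binary Shannon entropy of eq. (1.47), in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def overlap2(a, b):
    """|<b|a>|^2 for the real states cos(t/2)|0> + sin(t/2)|1>, t = a or b."""
    return math.cos((a - b) / 2) ** 2


def joint_distribution(fraction, eve_angles):
    """Exact P(x, y, z) over sifted positions (Bob measures in Alice's basis).

    x is Alice's bit, y is Bob's bit, z is everything Eve holds after the
    basis announcement. Eve intercepts the given fraction of qubits, measures
    along one of eve_angles chosen uniformly, and resends the state she found.
    """
    p = defaultdict(float)
    for x, basis in product((0, 1), "ZX"):
        weight = 0.25  # uniform bit, uniform basis
        sent = BASIS_ANGLE[basis] + x * math.pi
        p[(x, x, ("untouched", basis))] += weight * (1 - fraction)
        for eve, k, y in product(eve_angles, (0, 1), (0, 1)):
            resent = eve + k * math.pi  # post-measurement state for outcome k
            bob = BASIS_ANGLE[basis] + y * math.pi
            p[(x, y, (eve, k, basis))] += (
                weight * fraction / len(eve_angles)
                * overlap2(sent, resent) * overlap2(resent, bob)
            )
    return p


def mutual_information(p, i, j):
    """I between components i and j of the keys of p, sum form of eq. (1.49)."""
    joint, left, right = defaultdict(float), defaultdict(float), defaultdict(float)
    for key, prob in p.items():
        joint[(key[i], key[j])] += prob
        left[key[i]] += prob
        right[key[j]] += prob
    return sum(q * math.log2(q / (left[u] * right[v]))
               for (u, v), q in joint.items() if q > 0.0)


def analyse(fraction, eve_angles):
    """QBER, the three mutual informations and the lower bound of eq. (3.1)."""
    p = joint_distribution(fraction, eve_angles)
    i_xy = mutual_information(p, 0, 1)
    i_xz = mutual_information(p, 0, 2)
    i_yz = mutual_information(p, 1, 2)
    return {
        "qber": sum(prob for (x, y, _), prob in p.items() if x != y),
        "I_xy": i_xy, "I_xz": i_xz, "I_yz": i_yz,
        "bound": max(i_xy - i_xz, i_xy - i_yz),
    }


if __name__ == "__main__":
    scenarios = {
        "random Z/X, every qubit": (1.0, (0.0, math.pi / 2)),
        "random Z/X, 10% of qubits": (0.1, (0.0, math.pi / 2)),
        "theta = pi/4, every qubit": (1.0, (math.pi / 4,)),
    }
    for name, (fraction, angles) in scenarios.items():
        result = analyse(fraction, angles)
        print(name, {k: round(v, 4) for k, v in result.items()})
```

With Eve on every qubit the bound is negative for both the random Z/X strategy and θ = π/4, while at 10% interception it stays positive, at about 0.78 bits per sifted bit under this model.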

In summary, from the physical point of view the BB84 protocol is based on 4 principles
and ideal assumptions:

• The sources create perfect single photons;

• The channel has no loss, but there is noise present that disrupts the signal, and on
which the eavesdropper relies to leak the information without being detected;

• Bob’s (and therefore Eve’s) detector has a detection efficiency of 100%.

• The alignment between the sender and the receiver is perfect. This implies that
the rectilinear and diagonal bases are perfectly rotated at 45◦ to each other.

With these starting assumptions, several security proofs of the BB84 method have been
formulated that ensure safety against eavesdropping. Among these, worth mentioning
are the security proofs of Mayers, Biham et al., Ben-Or and Shor-Preskill.
However, these are unrealistic assumptions, and we will see how to account for a weakening
of some of the starting assumptions by taking into account the state of current
technology, so as to see how to arrive at a secure model of quantum cryptography that
is at the same time also practical for the means at hand.
Chapter 4

Eavesdropping Strategies and Attacks Classification

Regarding certain quantum cryptosystems, the main goal of eavesdropping evaluation
is to discover the most thorough and useful proofs of security. Since the eavesdropper
employs not just the most advanced technology currently available, but also any hypothetical
future technology, “ultimate proofs” ensure safety from all kinds of eavesdropping
attacks.
After seeing the working principle of the intercept-and-resend technique performed by
the eavesdropper to obtain information, we proceed by analyzing the more general case
of an attack launched by Eve on the BB84 protocol. This analysis likewise shows the close
correlation between the level of information obtained from the attack and the disturbance of
the physical system involved in the measurement.
In this section [7] is used as the main reference.

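Formally, let’s denote the qubit states (1.1)(1.6)(1.7) as follows:

$$\begin{aligned}
|\psi_{00}\rangle &= |0\rangle \\
|\psi_{10}\rangle &= |1\rangle \\
|\psi_{01}\rangle &= |+\rangle = \frac{|0\rangle + |1\rangle}{\sqrt{2}} \\
|\psi_{11}\rangle &= |-\rangle = \frac{|0\rangle - |1\rangle}{\sqrt{2}}
\end{aligned} \tag{4.1}$$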
An eavesdropper might consider attaching an ancilla, E, to Alice’s qubit and
causing them to interact in an effort to gather information. E represents a quantum
system that could be bigger than a qubit in size. As this interaction is independent of the
qubit state and abides by the laws of quantum mechanics, it may be characterized by
applying a unitary operator U to the composite system.
Considering as a hypothesis the case in which the eavesdropper performs the measurement
of Alice’s and Bob’s states without introducing disturbance, we want to analyse
the level of information possessed by Eve. To do this, let’s consider the attack on two
states that are not orthogonal, like $|\psi_{10}\rangle$ and $|\psi_{01}\rangle$; it yields [7]:
$$\begin{aligned}
U |\psi_{10}\rangle |E\rangle &= |\psi_{10}\rangle |E_{\psi_{10}}\rangle \\
U |\psi_{01}\rangle |E\rangle &= |\psi_{01}\rangle |E_{\psi_{01}}\rangle
\end{aligned} \tag{4.2}$$
where $|E_{\psi_{10}}\rangle$ and $|E_{\psi_{01}}\rangle$ represent the ancilla’s state after the unitary operation on $|\psi_{10}\rangle$
and $|\psi_{01}\rangle$ respectively.
Since the unitary operator preserves the scalar product, taking the scalar product of the two relationships
in (4.2) gives:
$$\langle\psi_{10}|\psi_{01}\rangle \langle E|E\rangle = \langle\psi_{10}|\psi_{01}\rangle \langle E_{\psi_{10}}|E_{\psi_{01}}\rangle \tag{4.3}$$
and since $\langle E|E\rangle = 1$, then $\langle E_{\psi_{10}}|E_{\psi_{01}}\rangle = 1$. This implies that $|E_{\psi_{10}}\rangle$ and $|E_{\psi_{01}}\rangle$ represent
the same state, and consequently the eavesdropper did not get any information from
Alice’s states. In conclusion, if Eve does not disturb the system, she does not get any
information.
Therefore, let’s consider the case in which a disturbance is introduced into Alice’s states
after the eavesdropper attaches the ancilla:

$$\begin{aligned}
U |\psi_{10}\rangle |E\rangle &= |\psi'_{10}\rangle |E_{\psi_{10}}\rangle \\
U |\psi_{01}\rangle |E\rangle &= |\psi'_{01}\rangle |E_{\psi_{01}}\rangle
\end{aligned} \tag{4.4}$$

Hence:
$$\langle\psi_{10}|\psi_{01}\rangle = \langle\psi'_{10}|\psi'_{01}\rangle \langle E_{\psi_{10}}|E_{\psi_{01}}\rangle \tag{4.5}$$
Given a fixed value of $\langle\psi_{10}|\psi_{01}\rangle$, the smaller $\langle E_{\psi_{10}}|E_{\psi_{01}}\rangle$ is, the bigger $\langle\psi'_{10}|\psi'_{01}\rangle$ is, meaning
that the ancilla states are more distinguishable, and vice versa. It implies that the more information the
eavesdropper gathers, the bigger the disturbance will be, resulting in Eve’s
detection.

4.1 Attacks Classification


The types of attacks that the eavesdropper can perform are divided into three categories,
in order of their power: individual attacks, collective attacks, and coherent attacks
[15]. The first two categories include attacks in which Eve has a limited ability to act
on qubits; conversely, in coherent attacks it is assumed that she has unlimited
computational capacity, resources and technology, and thus is constrained only by the laws of
quantum mechanics. Considering only the first two attacks can often be sufficient to give
a simple security proof of the quantum cryptography protocol; however, coherent attacks
must also be analyzed to outline a complete security proof. The eavesdropper possesses
ideal technology; she is constrained only by the limitations of quantum mechanics and
not in any way by existing technology. Eve is specifically prohibited from cloning qubits,
because doing so would violate the principles of quantum mechanics, but she is allowed
to employ a unitary interaction between the qubits and an ancillary system of her choice.
Additionally, after the interaction, Eve can maintain her auxiliary system in total isolation
from the outside world for an indefinite amount of time without being disturbed. She is
able to make the measurement she chooses on her system after hearing the entire public
exchange involving Alice and Bob, again being constrained solely by the principles of
quantum physics.
In order to gain information, the eavesdropper generally executes the following steps: she
attaches an ancillary system in the initial state |E⟩E ⟨E| to the state that the sender
forwards, which is ρA . After performing the unitary operation on the composite system
via the unitary operator U , the ancillary system is in the state:

$$
\rho_E = \mathrm{Tr}_A\!\left[\,U^{\dagger}\,\rho_A\,|E\rangle_E\langle E|\,U\,\right]
\tag{4.6}
$$

After that, the eavesdropper measures the ancillary system; the measurement is given by a
POVM M = {Mi }, where the outcome Mi of measuring a generic state ρ comes out with
probability Pi = Tr(Mi ρ).
Let’s consider the case of individual attacks, in which Eve attaches individual probes to
each qubit and performs a measurement on her probes one at a time. Alice sends n
states, labelled $\rho_A^1, \rho_A^2, \ldots, \rho_A^n$, and Eve attaches the ancillary system |E⟩E ⟨E| to each
$\rho_A^i$, i ∈ {1, ..., n}. She then performs the unitary operation via the unitary operator U , and
after that, the ancillary state in this case is expressed as:

$$
\rho_E^i = \mathrm{Tr}_A\!\left[\,U^{\dagger}\,\rho_A^i \otimes |E\rangle_E\langle E|\,U\,\right]
\tag{4.7}
$$

for each state the sender forwards.


In collective attacks, the operating principle is similar, except that the eavesdropper
collectively measures the states from Alice; however, she is only able to attach individual
ancillary systems to the states. Even though the same unitary is utilized in each state,
a global POVM provides the measurement, therefore ρiE follows equation (4.7).
Regarding the coherent attacks, Eve attaches a single ancilla to the tensor product of
Alice’s states $\rho_A^1 \otimes \rho_A^2 \otimes \ldots \otimes \rho_A^n$. After that she applies a single unitary operator Utot
to the total system. Therefore, after this step, before the measurement, the ancilla is
described by:

$$
\rho_E = \mathrm{Tr}_A\!\left[\,U_{tot}^{\dagger}\left(\rho_A^1 \otimes \ldots \otimes \rho_A^n \otimes |E\rangle_E\langle E|\right)U_{tot}\,\right]
\tag{4.8}
$$

Joint attacks, which are the most common coherent attacks, are based on the assumption
that Eve attaches a single probe to each qubit, like in individual attacks, yet is capable
of measuring multiple probes coherently, like in coherent attacks.

4.2 Individual Attacks


During individual attacks, or incoherent attacks, the eavesdropper attaches a probe to each
single-qubit state individually, in the same manner. The purpose is to describe analytically
the amount of information obtained in this way, using the concept of mutual information,
introduced earlier, particularly between Alice and Eve.

With this type of strategy, the only degree of freedom is the unitary operation, via the U
operator, that is applied to the composite system. Considering the computational basis
M1 = {|0⟩ ; |1⟩} for Alice, we have:

$$
\begin{aligned}
U\,|0\rangle\,|E\rangle &= \sqrt{F}\,|0\rangle\,|E_{00}\rangle + \sqrt{1-F}\,|1\rangle\,|E_{01}\rangle \\
U\,|1\rangle\,|E\rangle &= \sqrt{F}\,|1\rangle\,|E_{11}\rangle + \sqrt{1-F}\,|0\rangle\,|E_{10}\rangle
\end{aligned}
\tag{4.9}
$$

where |E⟩ represents the initial state of the ancilla, and |E10 ⟩ |E00 ⟩ |E01 ⟩ |E11 ⟩ its possible
final states. F is a coefficient, called fidelity that represents the probability that Bob,
working in the same M1 basis as Alice, will get the correct qubit, that is, the one actually
sent to him; 1 − F thus represents the probability of measuring the wrong qubit. Also,
in this case, F coincides with the definition of fidelity between Alice’s initial state, |ψin ⟩,
and the final state that Bob obtains, ρB :

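Definition 4.2.1. Given two quantum states σ, ρ ∈ B(H) the fidelity is defined as
follows:

$$
F(\sigma, \rho) = \left(\mathrm{Tr}\,\sqrt{\sigma^{\frac{1}{2}}\,\rho\,\sigma^{\frac{1}{2}}}\right)^{2}
\tag{4.10}
$$

In this case, the sender’s state is a pure state, thus σ = |ψin ⟩ ⟨ψin |, and consequently
the definition is simplified to:

$$
\begin{aligned}
F(|\psi_{in}\rangle, \rho) &= \left[\mathrm{Tr}\,\sqrt{|\psi_{in}\rangle\langle\psi_{in}|\,\rho\,|\psi_{in}\rangle\langle\psi_{in}|}\right]^{2} \\
&= \langle\psi_{in}|\rho|\psi_{in}\rangle \left(\mathrm{Tr}\,\sqrt{|\psi_{in}\rangle\langle\psi_{in}|}\right)^{2} \\
&= \langle\psi_{in}|\rho|\psi_{in}\rangle
\end{aligned}
\tag{4.11}
$$

and if ρ is a pure state too, with ρ = |ϕ⟩ ⟨ϕ|, then $F(\sigma, \rho) = |\langle\phi|\psi_{in}\rangle|^{2}$.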
For the BB84 protocol, it was shown [25] that the mutual information between Alice
and Eve and between Alice and Bob is expressed in terms of the so-called disturbance
D = 1 − F , which is a measure of the unwanted changes or alterations that occur to a
quantum system during its transmission in cryptographic protocols. Since the fidelity
quantifies the similarity between the input state and the output state of a cryptographic
operation, hence representing the probability of successfully transmitting or receiving the
information without any undesired alterations, the disturbance represents the probability
of alterations occurring: a disturbance value of 1 implies that the quantum system
has been completely disturbed or altered, while a disturbance value of 0 indicates no
unwanted changes have occurred.
Studying the disturbance caused by an eavesdropper who attempts to gain information,
it has been demonstrated in [25] that the mutual information between Alice and Eve and
between Alice and Bob can be expressed in the following way:

$$
I(A, E) = \frac{1}{2}\bigl(1 + f(D)\bigr)\log\bigl(1 + f(D)\bigr) + \frac{1}{2}\bigl(1 - f(D)\bigr)\log\bigl(1 - f(D)\bigr)
\tag{4.12}
$$

$$
I(A, B) = 1 + D\log D + (1 - D)\log(1 - D)
\tag{4.13}
$$

where $f(D) = 2\sqrt{D(1 - D)}$.
I(A, E) and I(A, B) are depicted in Figure 4.1. The sender and the receiver are able to
extract information if and only if I(A, B) > I(A, E), according to the Csiszár-Körner
analysis [22], which asserts that when the legitimate parties have an edge against Eve with
regard to the shared information, they can derive the secret key. Hence, the quantity
I(A, B) − I(A, E) is expressed as a function of D as shown in Figure 4.2, and when it
becomes negative it is not possible for the legitimate parties to exchange information.
As a result, the mutual information functions from equations (4.12) and (4.13) intersect at a
particular error rate D0 [15]:

I(A, E) = I(A, B) ⇐⇒ D = D0 ≃ 14.6% (4.14)

Therefore, the BB84 protocol’s safety requirement against individual attacks becomes:

BB84 secure ⇐⇒ D < D0 ≃ 14.6% (4.15)

4.3 Collective and Coherent Attacks


In the case of collective and coherent attacks, the proof on the conditions for the
security of quantum cryptography protocols is much more complicated. This is especially
true for coherent attacks in which the Hilbert space to be considered has a much larger
dimension, since the eavesdropper interacts with the tensor product of the states sent
by Alice: $\rho_A^1 \otimes \rho_A^2 \otimes \ldots \otimes \rho_A^n$.

Figure 4.1: Representation of the mutual information between Alice and Bob, and
Alice and Eve. The threshold value is D = 14.6%.

Figure 4.2: Representation of the difference in mutual information I(A, B) − I(A, E).
It becomes negative when D = 14.6%.

Theorems delineating upper bounds on safe conditions, such as the quantum De Finetti
theorem [26], are often used. For the BB84 protocol, the analysis against this kind of
attack is provided in [27].
It was seen earlier that, considering individual attacks, the limit value for the disturbance
corresponds to D = D0 ≃ 14.6%. However, reporting the analysis in [15] Eve might
potentially handle numerous qubits coherently, thus we now consider coherent attacks.
Dominic Mayers (1996b) provided the key concepts for demonstrating security in 1996.
Afterwards, two significant publications were made available (Mayers, 1998; Lo and
Chau, 1999). Due to the studies of Shor and Preskill (2000), Inamori et al. (2001), and
Biham et al. (1999), these proofs are now widely recognized as correct.
The necessary requirement for the disturbance D is obtained as follows [15]:

$$
D\log D + (1 - D)\log(1 - D) \leqslant \frac{1}{2}
\tag{4.16}
$$

that is satisfied for D = D0 ⩽ 11%.
After Shor and Preskill improved the demonstration for coherent attacks in 2000, the
found threshold of D0 ⩽ 11% is exactly the one that Mayers’ demonstration yielded in
1996, thus reinforcing the result obtained.

The aforementioned demonstration is only legitimate and appropriate if the key is signifi-
cantly longer than the total amount of coherently attacked qubits, therefore the Shannon
information employed constitutes averages over a large number of independent realiza-
tions of classical random variables [15]. This means that the legitimate parties are able
to use the aforementioned demonstration to protect keys considerably longer than n0
bits, providing Eve can coherently attack a huge yet finite number n0 of qubits.
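
The two thresholds quoted in this chapter can be recomputed numerically. The following Python sketch is an added example, not code from the thesis: it evaluates equations (4.12) and (4.13), finds their crossing D0 by bisection, and classifies a measured disturbance. It assumes base-2 logarithms, and it reads condition (4.16) as the binary entropy of D being at most 1/2 (equivalently I(A, B) ⩾ 1/2); the function names and the three verdict labels are hypothetical.

```python
import math


def xlog2x(x):
    """x * log2(x), using the limit value 0 at x = 0."""
    return 0.0 if x <= 0.0 else x * math.log2(x)


def info_alice_bob(d):
    """Eq. (4.13): I(A,B) = 1 + D log D + (1 - D) log(1 - D)."""
    return 1.0 + xlog2x(d) + xlog2x(1.0 - d)


def info_alice_eve(d):
    """Eq. (4.12) with f(D) = 2 sqrt(D (1 - D))."""
    f = 2.0 * math.sqrt(d * (1.0 - d))
    return 0.5 * xlog2x(1.0 + f) + 0.5 * xlog2x(1.0 - f)


def bisect(fn, lo, hi, tol=1e-12):
    """Root of fn on [lo, hi]; fn(lo) and fn(hi) must have opposite signs."""
    f_lo = fn(lo)
    if f_lo * fn(hi) > 0.0:
        raise ValueError("root is not bracketed")
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        f_mid = fn(mid)
        if f_lo * f_mid <= 0.0:
            hi = mid
        else:
            lo, f_lo = mid, f_mid
    return 0.5 * (lo + hi)


def individual_attack_threshold():
    """D0 of eq. (4.14): the point where I(A,B) = I(A,E)."""
    return bisect(lambda d: info_alice_bob(d) - info_alice_eve(d), 1e-9, 0.5)


def coherent_attack_threshold():
    """Largest D with binary entropy h(D) <= 1/2, i.e. I(A,B) >= 1/2.

    Assumption: this is how condition (4.16) is read here.
    """
    return bisect(lambda d: info_alice_bob(d) - 0.5, 1e-9, 0.5)


def assess_disturbance(d):
    """Classify a measured disturbance D against both thresholds."""
    if d < coherent_attack_threshold():
        return "secure against coherent attacks"
    if d < individual_attack_threshold():
        return "secure against individual attacks only"
    return "abort"


if __name__ == "__main__":
    print(f"individual-attack threshold D0 = {individual_attack_threshold():.4%}")
    print(f"coherent-attack threshold   D0 = {coherent_attack_threshold():.4%}")
    for d in (0.05, 0.12, 0.20):  # constructed sample disturbances
        print(f"D = {d:.2f}: {assess_disturbance(d)}")
```

The crossing found by bisection agrees with the closed form D0 = (1 − 1/√2)/2 that follows from setting (4.12) equal to (4.13).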
Chapter 5

Practical Implementations and Limitations

In this section, practical implementations of the BB84 model are analyzed. As previ-
ously seen, the analysis so far has been based on ideal assumptions, such as transmission
of perfect single photons, no loss in the communication channel, 100% efficiency in the
detectors, and perfect alignment of the experimental apparatus.
In the practice of the experiment, however, with a view to extending quantum com-
munication to the commercial level, it is necessary to analyze the security of protocols
with these limitations. It will be seen in the following paragraphs that in order to avoid
security problems, the BB84 protocol can be implemented in the Decoy State Method,
which provides in-principle security of communication.

5.1 Source: Coherent States


Although the BB84 protocol as described in the previous sections might be used with single
photons, this has several practical drawbacks and limitations. Because single photons are
difficult to obtain experimentally, current systems rely on weak pulses of coherent states,
with an average of much less than one photon per pulse. This means that the light generator
uses a mixture of the so-called Fock states to emit photons exactly in the polarization
required by the legitimate parties. Coherent states are defined as follows:

Definition 5.1.1. A coherent state, emitted by a practical source of light in a given
polarization, is defined as

$$
|\alpha\rangle = e^{-\frac{|\alpha|^{2}}{2}} \sum_{j=0}^{\infty} \frac{\alpha^{j}}{\sqrt{j!}}\,|j\rangle
\tag{5.1}
$$

where |j⟩, with j ∈ N, is the so-called Fock state or number state, representing the state
with a number of j photons, and $\alpha = |\alpha| e^{i\varphi}$, with |α| and φ called respectively amplitude
and phase of the coherent pulse.

The parameter of the coherent state is α ∈ C, while the pulse intensity is defined to
be $\mu = |\alpha|^{2}$, thus $\alpha = \sqrt{\mu}\,e^{i\varphi}$.
The method asks for a random phase shift of the coherent state for every pulse. This is
done by either attaching an additional component to the sender’s optical device that is
connected to a generator of random numbers and modifies the phase (active randomiza-
tion) or by using a laser mode of operation (passive randomization)[12]. Since the phase
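gets uniformly distributed, a pulse state is therefore described by the density matrix:

$$
\begin{aligned}
\rho_{Source} &= \frac{1}{2\pi}\int_{0}^{2\pi} \bigl|\,|\alpha| e^{i\varphi}\bigr\rangle \bigl\langle |\alpha| e^{i\varphi}\bigr|\; d\varphi \\
&= \frac{1}{2\pi}\int_{0}^{2\pi} e^{-|\alpha|^{2}} \sum_{j,j'=0}^{\infty} \frac{|\alpha|^{j+j'}}{\sqrt{j!\,j'!}}\; e^{i\varphi(j-j')}\,|j\rangle\langle j'|\; d\varphi \\
&= e^{-|\alpha|^{2}} \sum_{j=0}^{\infty} \frac{|\alpha|^{2j}}{j!}\,|j\rangle\langle j| \;=\; e^{-\mu} \sum_{j=0}^{\infty} \frac{\mu^{j}}{j!}\,|j\rangle\langle j|
\end{aligned}
\tag{5.2}
$$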

As a result, the eavesdropper and the receiver measure a superposition of coherent states
defined in equation (5.1).
Therefore, the state containing j photons is transmitted with a probability of [3]:

$$
p_j = e^{-\mu}\,\frac{\mu^{j}}{j!}
\tag{5.3}
$$

Because of this, the photon number of the pulse follows the Poisson distribution, with µ as
its average. These pulses are known as weak coherent pulses since µ ≪ 1
is usually selected.
Considering that the laser closely follows the Poisson photon statistic, a weak laser pulse
with µ ≪ 1 nevertheless possesses a probability of producing more than one photon in a
single pulse [28].


Usually, the average photon number of the Poisson distribution in a weak laser pulse
is µ = 0.1 [15]. The vast majority of the pulses in this scenario are vacuum signals:
$P(0) = e^{-\mu} \simeq 90.5\%$ indicates the probability that zero photons will be transmitted.
In addition, the probability that a single photon will be delivered is
$P(1) = \mu e^{-\mu} \simeq 9\%$, and the scenario in which multiple photons will be transmitted has
a probability of $P(n > 1) = 1 - (1 + \mu)e^{-\mu} \simeq 0.5\%$ [7].
Thus, using a low value of µ to lower the probability of two or more photons being sent
implies the drawback of having a high probability that the signal contains no photons.

5.2 Channel
Earlier it has been stated that the channel does not possess loss and that noise
remains the only factor that can disturb the signal, allowing Eve to quietly leak data. It
is important to remember that this is an ideal assumption and channel loss needs to be
considered while using any QKD protocol.
The variable α, expressed in dB/km, and the fiber characteristic length l, can be
employed to determine the loss rate of the quantum channel in QKD protocols based on
optical fiber. The channel’s transmittance, tAB , is defined as follows [29]:

$$
t_{AB} = 10^{-\frac{\alpha l}{10}}
\tag{5.4}
$$

In signal transmission, the choice of wavelength is crucial, and in general there are
two possibilities. The first choice is a wavelength of about 800nm, which is the wave-
length for which commercially available photon detectors are efficient; in this case the
medium for communication must be either free-space or a special type of optical fiber,
which, however, is not the one used in today’s telecommunications optical fibers.
The second choice is a wavelength between 1300nm and 1550nm, as it is compatible with
existing and already used optical fibers. However, in this case there would be a need to
develop new detectors sensitive to this type of wavelength, as silicon semiconductors are
transparent to signals above 1000nm.

Taking the above into account, let’s analyze the absorption of the fibers in the two
cases. With wavelengths of 1300nm and 1550nm, the attenuation is 0.35dB/km and
0.20dB/km, respectively, so there is a 50% loss of signal after 9km and 15km; on the
other hand, with wavelengths of 800nm, the channel loss is 2 dB/km, so 50% attenuation
after just 1.5 km.
In optical fibers, channel loss as a function of signal wavelength is depicted in Figure 5.1,
[15].

Figure 5.1: Representation of the channel loss expressed in dB/km as a function of the
signal wavelength, for optical fibers (Gisin et al., 2002, pp. 158).

Choosing free-space as a communication channel implies the use of 800nm wavelength,
which coincides with the region of the spectrum where absorption is low; however, it must
be taken into account that in free-space it is necessary to always have air-line connections.

5.3 Detector
The detector, which is the final element in the transmission process, is flawed as well:
the detection efficiency of Bob’s (and consequently Eve’s) detector is below 100%.
Let the variable ηB denote the transmittance on Bob’s side, which takes into account the
transmittance of the optical components tB and the efficiency of the detector ηD [29]:

ηB = tB ηD (5.5)

Therefore, the overall transmission and detection efficiency η between Alice and Bob is
determined by

η = tAB ηB (5.6)

The idea of a threshold detector in the receiver’s component is quite common. Bob’s
sensor is consequently assumed to be able to tell the difference between a vacuum and
a non-vacuum scenario. It is hard to figure out the specific number of photons in the
pulse in the case it contains more than one photon.
It is plausible to suppose that the actions of the i photons in i-photon states are
independent of one another. In regard to a threshold detector, the transmittance associated
with the i-photon state, ηi , is thus given by [30]

$$
\eta_i = 1 - (1 - \eta)^{i}, \quad \text{for } i = 0, 1, 2, \ldots
\tag{5.7}
$$

In addition, detector efficiency induces the possibility of so-called dark counts: Bob
detects photons in the signal even though it does not contain them. It has been seen
above how with µ = 0.1 the probability that the signal does not contain photons is
P (0) ≃ 90.5%; therefore, the effect of an efficiency η ≠ 1 has a great impact on the key
production and signal transmission, and must be taken into account in the discussion.

5.4 Photon-Number-Splitting Attack (PNS)


Let’s consider the BB84 protocol with a weak coherent pulse source instead of perfect
single-photon signals. The case in which single photons are transmitted in the
communication channel is brought back to the case of the ideal BB84 protocol, and thus does
not lead to any problems; on the other hand, the case of no photons being sent only
results in a decrease in the signal rate, since Eve obviously cannot obtain useful
information if no photons are sent. The problematic situation arises in the case where multiple
photons are transmitted: if there is loss in the transmission channel, as in practical
implementations, Eve is capable of performing the so-called Photon-Number-Splitting
(PNS) attack against the BB84 protocol under those realistic conditions.
If the sender sends weak coherent states with Poisson distribution parameter µ and the
communication channel possesses a transmittance η, then the receiver will observe
signals with photons distributed according to the Poisson statistic with parameter µ · η,
under the assumption that both µ and η are known. Thus, the probability of observing
a non-vacuum signal with at least one photon inside is equal to $P_{non-vac} = 1 - e^{-\mu \cdot \eta}$.
The eavesdropper must extract information from the signal sent by Alice, but at the
same time she must ensure that Bob receives coherent states with the same expectation
value of getting non-vacuum signals: if Bob receives non-vacuum signals with a fraction
different from the expected one, Eve will be detected.
In order to provide an ultimate security proof for cryptographic protocols, highlighting
all possible future critical issues arising from technological advancement, let’s consider
the case where the eavesdropper has unlimited technological capabilities (such as the
ability to perform quantum non-demolition measurements or store photons in a quan-
tum memory) and is limited only by the laws of quantum mechanics.
After establishing Eve’s inability to copy photons received from Alice due to the No-
Cloning Theorem, Eve can only retain photons, with the consequence that Bob will
observe signals with decreased parameter µ. If µ · η needs to remain constant, Eve re-
places the communication channel with an ideal one with zero loss, or at least with a
more efficient one.
Afterwards she performs the so-called quantum non-demolition measurements on the
signals coming from Alice, so she is able to count the number of photons within a signal
without disturbing their polarization. At this point, Eve acts differently depending on
the number of photons present within each signal [7]:

• The vacuum states are transmitted to Bob without being retained, since Eve is
unable to extract information from them.

• If she receives multi-photon signals, she retains one photon and transmits the
remaining ones to Bob through the channel without altering their polarization.
However, Eve does not immediately measure the polarization of the photon she
kept, but waits for the moment in the protocol in which Alice reveals to Bob the
bases used through the public channel. In this way she is able to perform the
correct measurement and extract information. In this step, it is assumed that
the eavesdropper has the technology to store photons in a quantum
memory.

• From the signals that contain a single photon, Eve blocks a portion of them so as to
ensure that Bob gets detection events with the probability he expects:
$P_{non-vac} = 1 - e^{-\mu \cdot \eta}$. Instead, the remaining ones are retained by Eve, on which she performs
any kind of attack to extract information.
The quantity of losses rises as a consequence of the eavesdropper stopping certain
pulses, which may be seen by the rightful parties. In order to replicate the amount
of loss that occurs naturally, it is thus assumed that the eavesdropper is able to
substitute the communication channel and the sensors with ideal ones in order to
stop the maximum number of single-photon signals as feasible. The greater number
of single-photon pulses Eve can block, the greater the degree of intrinsic losses
will be. The eavesdropper would acquire complete knowledge of the information
without adding noise in the event the channel’s intrinsic losses were so great that
she could stop all single-photon states from occurring [12]. This is because all the
pulses that arrive to Bob would be multi-photon pulses.

A schematic representation of this attack is depicted in Figure 5.2.


Thus, under the assumptions of realistic implementation of the BB84 protocol, the
eavesdropper is able to obtain information without introducing perturbation and satisfy-
ing the expectation values of the sender, which instead attributes the channel loss effect
to the transmittance.
Recent years have seen an increase in interest in quantum nondemolition attacks. The
issue is still open to debate. It is a common idea to believe that assuming an eavesdrop-
per capacity of performing optimal quantum nondemolition attacks may be unreasonable
or perhaps unphysical. She actually has to be able to measure the photon numbers in
quantum nondemolition first. This is a valid hypothesis even if it is unattainable with
current techniques [31]. Afterward, she has to hold the photon until the legitimate
parties declare the basis used in the communication. In theory, a loop with an ideal
and lossless channel might accomplish this [15]. The eavesdropper might also be able to
associate the photon with a quantum memory.

Figure 5.2: Schematic of Eve’s behaviour according to the number of photons present
within each signal coming from Alice.

Although a quantum memory doesn’t exist at the moment, it may well be available at a
later time. Knowing that the legitimate parties might potentially wait for minutes before
revealing the bases, it should be noted that the quantum memory requires basically infi-
nite decoherence time. Furthermore, the eavesdropper has to connect to a channel that
is lossless, or with smaller losses than the channel employed by the legitimate parties.
The most difficult part could be that.
The technical capabilities of communications fibers have already been reached. Rayleigh
scattering, that is inevitable when the Schrödinger equation is solved in an inhomoge-
neous material, is the primary cause of the loss [15].
Ideal lossless fibers are challenging to envision if the discrepancies are brought on by the
medium’s molecular structure. The minimum value of 0.18 dB/km in silica fibers at a
wavelength of 1550 nm is determined more by physics than by technology. The
attenuation at telecommunications wavelengths is fairly significant, therefore using air is not a
practical approach. Because of diffraction, another necessary physical phenomenon,
vacuum, the only environment in which Rayleigh scattering cannot occur, has constraints
as well. The eavesdropper appears to have just two options remaining at this point. She
can either employ teleportation or change the photons’ wavelength without disturbing the
qubit. These two approaches seem unlikely to be implemented in the near future.
However, in an ultimate security proof the realistic implementation of the BB84 method
is not secure, since it is vulnerable to PNS attacks; a possible solution to that problem could
be found in the Decoy State Method, described in the following section.
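
The loss budget behind this conclusion can be made concrete. The Python sketch below is an added example, not part of the thesis: it combines the photon statistics of equation (5.3) with the efficiencies of equations (5.4) to (5.6) and computes the fiber length beyond which the multi-photon pulses alone account for every detection Bob expects, which is the situation described above in which all single-photon pulses can be blocked. It assumes, as the text does, that pulses forwarded over an ideal channel to ideal detectors always click, and it ignores dark counts; the values of tB and ηD and all function names are constructed for illustration.

```python
import math


def photon_number_prob(j, mu):
    """Eq. (5.3): probability that a pulse of intensity mu holds j photons."""
    return math.exp(-mu) * mu ** j / math.factorial(j)


def multi_photon_prob(mu):
    """P(n > 1) = 1 - (1 + mu) e^{-mu}: pulses carrying two or more photons."""
    return 1.0 - (1.0 + mu) * math.exp(-mu)


def overall_efficiency(alpha_db_km, length_km, t_bob, eta_det):
    """Eqs. (5.4)-(5.6): eta = t_AB * t_B * eta_D."""
    t_ab = 10.0 ** (-alpha_db_km * length_km / 10.0)
    return t_ab * t_bob * eta_det


def detection_prob(mu, eta):
    """P_non-vac = 1 - e^{-mu * eta}: the click rate Bob expects."""
    return 1.0 - math.exp(-mu * eta)


def all_clicks_from_multiphoton(mu, eta):
    """True when multi-photon pulses alone can supply every expected click.

    In that regime every single-photon pulse can be blocked without changing
    Bob's detection statistics, so the key is fully exposed.
    """
    return detection_prob(mu, eta) <= multi_photon_prob(mu)


def critical_length_km(mu, alpha_db_km, t_bob, eta_det):
    """Fiber length at which detection_prob equals multi_photon_prob.

    Returns 0.0 when the receiver losses alone already exceed the budget.
    """
    eta_crit = -math.log(1.0 - multi_photon_prob(mu)) / mu
    eta_bob = t_bob * eta_det
    if eta_bob <= eta_crit:
        return 0.0
    return -10.0 / alpha_db_km * math.log10(eta_crit / eta_bob)


if __name__ == "__main__":
    ALPHA = 0.20              # dB/km at 1550 nm, value quoted in the text
    T_BOB, ETA_DET = 0.5, 0.2  # constructed receiver parameters
    for mu in (0.5, 0.1, 0.01):
        length = critical_length_km(mu, ALPHA, T_BOB, ETA_DET)
        print(f"mu = {mu:<5} P(n>1) = {multi_photon_prob(mu):.5f}  "
              f"critical length = {length:6.1f} km")
```

Lowering µ pushes the critical length out, at the price of the higher vacuum fraction noted in Section 5.1.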
Chapter 6

Decoy State Method

Since it is necessary to take into account the vulnerabilities that arise from practical
implementations of Quantum Key Distribution protocols such as BB84, arising from the
use of coherent source of light and loss in the communication channels, it is required
to ask whether they can be remedied by effective countermeasures to counter possible
actions of eavesdroppers.
The solution to the weaknesses brought by Photon-Number-Splitting attacks performed
by Eve, for the BB84 protocol, is provided by the Decoy State Method, which is analyzed
in this section.
As will be pointed out later, implementing the Decoy State Method on a protocol such as
the BB84 with coherent source of light is easy in terms of technology [7, 30]; moreover,
the Decoy State Method guarantees excellent performances from the point of view of
the communication transmission, obtaining estimates on the maximal secure distance
for communication that exceeds the best values reported in the literature for protocols,
such as BB84, without the Decoy State.
Consequently, since the Decoy State BB84 QKD protocol has been examined in detail
both from a theoretical [32, 33, 34] and a practical [35, 36] point of view, including
Russian internal systems [37], considering its high level of security and the possibility of
having a very high key generation rate at large distances, it is an excellent candidate to
become the protocol implemented in commercial applications as an international stan-
dard.


The references [30] and [29] are used in this section.

6.1 Model Description and Security


The main idea behind the Decoy State Method is that Alice does not send coherent
states of light with the same parameter µ of the Poissonian distribution, but instead
sends pulses in two different coherent states: the signal states, which are the conven-
tional BB84 protocol states, and the decoy states.
These two types of states must necessarily have the same spatial and temporal charac-
teristics, such as wavelength and time information, so that they are indistinguishable to
a hypothetical eavesdropper. Their difference lies in the corresponding parameters of the
Poisson statistic: denoted by µS and µD the average number of photons per pulse of the
signal state and decoy state respectively, they are chosen so that µS ≪ µD .
The signal states are used for the unique purpose of creating the encryption key in the
QKD, while the decoy states are used for the unique purpose of detecting eavesdropping
attacks.
Alice randomly sends decoy states to Bob among signal states with a probability α. The
eavesdropper is only able to distinguish pulses based on the number of photons they
contain; therefore, since it is unable to differentiate decoys from signal states, it per-
forms the attack strategy described in the previous paragraph (PNS attack) by treating
the signals it receives equally, and in particular by treating signal and decoy states that
possess the same number of photons equally.
However, only after Bob has received the signals does Alice declare the position of the decoy
and signal states, in the announcement phase of the classical stage of the BB84 protocol.
At this point, legitimate parties are able to evaluate the variables that characterize the
communication channel, such as the signal gain and quantum bit error rate (QBER),
which will be better defined in the next section. In the case of an attack from an
eavesdropper, the values of these quantities deviate from their expectation value; in particular,
since µS ≪ µD , in the case of a PNS attack Bob would discover a significantly bigger loss
than expected in the signal states, as a result of Eve’s attempt to preserve the incorrect
percentage of detection and no detection events.


With the intent of providing a better mathematical description of the Decoy State
Method, it is necessary to introduce some variables to describe the signals and the
communication channel in the absence of an eavesdropper [30, 29].

Yield. The yield Yn of the n-photon state is defined as the conditional probability that
Bob’s detector has a detection event if Alice sends an n-photon state.
Consider the yield Yn for a realistic setup, differentiating the cases according to
the value of n.

n = 0. In this case, the probability that Bob has a detection event with 0 photons
sent by Alice is denoted by Y0 , and is given by the probability $p_{dark}$, i.e.
the background rate due to background contribution and background noise:
$Y_0 = p_{dark}$, and therefore it is such that Y0 ⩾ 0.
n ⩾ 1. The probability of having a detection event for an n-photon state can be
caused either by a background event $p_{dark}$ or by an actual reception of the
n-photon state signal, the rate of which is provided by ηn , defined in equation
(5.7).
Thus, we have:

$$
Y_n = \eta_n + p_{dark} - \eta_n \cdot p_{dark} \simeq \eta_n + p_{dark}
\tag{6.1}
$$

where the last approximation is justified by the fact that $\eta_n \cdot p_{dark}$ is an
infinitesimal of lower order, being ηn on the order of $10^{-3}$, and $p_{dark}$ on the
order of $10^{-5}$ [29].
Moreover, it allows us to perform another approximation: taking the definition
of the overall transmission efficiency from equation (5.7), we have that ηn ≃
n · η, and consequently, since $\eta_n \gg p_{dark}$ we have

$$
Y_n \simeq \eta_n \simeq n \cdot \eta
\tag{6.2}
$$

Gain. The gain is a variable that quantifies the transmission efficiency of coherent states
used in quantum key distribution protocols, and it plays a key role in determining
the quality of the encryption key that is generated: high values of the gain
correspond to high communication efficiency, thus high key quality that allows
information to be transmitted over large distances.
The gain of an n-photon coherent state is defined as the product of Alice’s
probability of sending an n-photon coherent state and the conditional probability that
Bob will have a detection event if Alice sends an n-photon state:

$$
Q_n = Y_n\,p_n = Y_n\,e^{-\mu}\,\frac{\mu^{n}}{n!}
\tag{6.3}
$$

The total gain is the sum over n, number of possible photons in the coherent states,
of the Qn ’s:

$$
Q_\mu = \sum_{n=0}^{\infty} Q_n = \sum_{n=0}^{\infty} Y_n\,e^{-\mu}\,\frac{\mu^{n}}{n!} = Y_0 + 1 - e^{-\eta\mu}
\tag{6.4}
$$

where $1 - e^{-\eta\mu}$ corresponds to the probability $P_{non-vac}$ of receiving a detection event.

Quantum Bit Error Rate (QBER). The Quantum Bit Error Rate is a variable that
quantifies the errors that happen in the transfer of qubits in a QKD protocol, and
it represents an important factor that establishes the level of quality of the
encryption key that is created.
Some of those qubits might get damaged or lost in the communication as a
consequence of the noisy channel, leading to mistakes. As a result, the QBER is
expressed as the percentage of mistakes to all qubits sent during transmission.
Therefore, the QBER must be maintained as low as feasible to guarantee the
integrity of the key.
Let the QBER relative to an n-photon state be defined as follows [29]:

$$
e_n = \frac{e_0 Y_0 + e_{detector}\,\eta_n}{Y_n}
\tag{6.5}
$$

where e0 and Y0 are, respectively, the QBER and the yield of the 0-photon state,
Yn the yield of the n-photon state, and $e_{detector}$ is a constant value, independent of
n, that indicates the probability of the signal hitting an erroneous detector. With
this definition, contributions to en of both erroneous detections and background
contributions are taken into account.
Supposing that the background event rates of the two detectors are equal, the result
is completely random and the error rate is 50% [30]. In other words, e0 = 1/2 is
the QBER value for the vacuum state.
The total QBER for a coherent state is Eµ and the following relationship holds:

$$
Q_\mu E_\mu = \sum_{n=0}^{\infty} e_n Y_n\,\frac{\mu^{n}}{n!}\,e^{-\mu} = e_0 Y_0 + e_{detector}\,(1 - e^{-\eta\mu})
\tag{6.6}
$$

As mentioned above, the eavesdropper cannot distinguish decoy states from signal
states, since they possess the same characteristics (such as wavelength and timing in-
formation) and is only capable of counting the number of photons per pulse. From the
definitions above, it can be seen that the yield Yn and the QBER en do not depend on
the signal intensity µ, and thus on the distribution of the number of photons, but only
on the number of photons in the signal state. We thus arrive at the essence of the Decoy
State Method, which can be set forth in the following two equations [30]:

$$\begin{aligned}
Y_n(\text{decoy}) &= Y_n(\text{signal}) = Y_n \\
e_n(\text{decoy}) &= e_n(\text{signal}) = e_n
\end{aligned} \tag{6.7}$$

In a general and ideal situation Alice can vary the intensity µ of the pulses, creating,
as a result, an infinite number of decoy states with Poissonian parameters different
from that of the signal state. In the next sections it will be shown how few decoy states are
actually sufficient. When these signals arrive at Bob, the legitimate parties are able
to experimentally determine the specifications of the communication channel, and then to
determine the overall QBER Eµ and gain Qµ.
From the equations (6.4) and (6.6) it is possible to see how the relationships between
Qµ ’s and Yn ’s and between Eµ ’s and en ’s, respectively, are linear.
Consequently, given the set of variables Qµ ’s and Eµ ’s that the legitimate parties obtain
experimentally, Alice and Bob are able to determine with a high level of confidence the
range within which the solution sets {Y0 , Y1 , ..., Yn } and {e0 , e1 , ..., en } lie, then to find a
range of acceptance of Yn ’s and en ’s, simultaneously and for each n.
As mentioned earlier, if Alice and Bob use the Decoy State BB84 Method, any attempt
by Eve to perform a PNS attack would involve a change in the values of Yn’s and en’s
that would necessarily be detected by Alice and Bob, leading to Eve being detected and
the protocol being aborted. For Yn’s and en’s to fall within the expectation range of the
legitimate parties following a PNS attack, Eve has very little power to act, which is useless
for the purpose of decrypting the information.
This shows how the Decoy State Method may represent a solution to the problem of
PNS attacks in the case of real implementations of the BB84 protocol.

6.2 Advantages in Key Rate Generation


The Decoy State is a method that can also provide excellent performance in terms of the
amount of information transmitted per unit time, thus making it an excellent candidate
for future implementations.
In this regard, a fundamental quantity in analyzing the security proof is the key rate. In
quantum cryptography, the key rate refers to the rate at which secret key bits can be
generated and securely shared between two parties over a quantum communication
channel. It represents the speed at which the parties can establish a secure cryptographic
key that can be used for encrypting and decrypting their communication.
The key rate is influenced by various factors, including the properties of the quantum
channel, the efficiency of the quantum cryptographic protocol being used, and the pres-
ence of any potential eavesdroppers. The goal is to achieve a high key rate while ensuring
the security of the key against any potential attacks.
In practical terms, the key rate is typically measured in bits per second (bps) and repre-
sents the number of secure key bits that can be generated and exchanged in a given time
period. Higher key rates are desirable as they allow for faster establishment of secure
communication channels, enabling real-time secure communication between parties.
Regarding the Decoy State Method, a detailed analysis of the key generation rate has
been provided by Gottesman, Lo, Lutkenhaus and Preskill, commonly known as GLLP
result [38], that gives the following formula for the key generation rate R:
$$R \geqslant q\left\{ -Q_\mu f(E_\mu) H(E_\mu) + Q_1\left[ 1 - H(e_1) \right] \right\} \tag{6.8}$$

where q is a constant that depends on the protocol used (for the BB84 protocol it is 1/2
since in half of the cases Alice and Bob generate discordant bases in the first phase);
Eµ and Qµ are respectively the overall QBER and gain of the signal state that has µ as
its relative intensity; Q1 and e1 are respectively the gain and QBER for single photon
states; H(p) is the binary Shannon Entropy defined in equation (1.47) and, finally, f(x)
is the efficiency of bidirectional error correction (for an example, see [39]) as a function
of Eµ: normally f(x) ⩾ 1 with Shannon limit f(x) = 1 [29].

6.2.1 Optimal Intensity Value


In this section we are interested in finding the optimal value µ of the signal intensity,
in order to maximize the value of the key generation rate R of the Decoy State Method.
Therefore, on one hand it is necessary to maximize the value Q1, that is the gain of
single photon states, which is associated with the probability of Alice emitting single
photons; in particular, since the probability follows the Poissonian statistic, we obtain a
maximum value for Q1 when µ = 1.
However, the overall gain Qµ is also a function of µ: as µ increases, Qµ increases as well. Since
Qµ is associated with multi-photon states, it must be kept low.
Consequently, the ratio Q1/Qµ must be high. Thus it is reasonable to assume that
 
µ ∈ 0; 1 (6.9)

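Let’s consider a realistic situation in which $Y_0 \ll \eta$ and $\eta \ll 1$, the realistic values
being $Y_0 \simeq 10^{-5}$ and $\eta \simeq 10^{-3}$.
In this situation we have
$$\begin{cases}
\eta_1 = \eta \\
Y_1 = \eta \\
Q_\mu = \eta\mu \\
E_\mu = e_1 = e_{detector} \\
Q_1 = \eta\mu e^{-\mu}
\end{cases} \tag{6.10}$$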

Then the key generation rate, with q ≃ 1 for a generic QKD protocol, becomes:
$$R \simeq q\left\{ -\eta\mu f(e_{detector}) H(e_{detector}) + \eta\mu e^{-\mu}\left[ 1 - H(e_{detector}) \right] \right\} \tag{6.11}$$
Therefore:

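$$\left.\frac{\partial R}{\partial \mu}\right|_{\mu = \mu_{opt}} = 0 \quad \Rightarrow \quad e^{-\mu_{opt}}\left(1 - \mu_{opt}\right) = \frac{f(e_{detector}) H(e_{detector})}{1 - H(e_{detector})} \tag{6.12}$$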

Afterwards, considering the parameters taken from some recent experiments [40, 41]
provided in Table 6.1, we may solve this equation and determine that
$\mu_{opt}^{GYS} \simeq 0.54$ for $f(e) = 1$ and $\mu_{opt}^{GYS} \simeq 0.48$ for $f(e) = 1.22$ [29].

Experiment   λ [nm]   α [dB/km]   edetector [%]   Y0            ηBob    f
GYS [40]     1550     0.21        3.3             1.7 · 10^-6   0.045   2 MHz
KTH [41]     1550     0.2         1               4 · 10^-4     0.143   0.1 MHz

Table 6.1: Parameters of decoy state experiments.

6.2.2 Two Decoy States and One Signal State

After finding the optimal values for the intensity µ of the signal state, we proceed to
maximize the value of the key rate R with the decoy states. Looking at the equation
(6.8), one realizes that the only term that depends on {Yi} and {ei} is $Q_1\left[1 - H(e_1)\right]$,
the term one must work on in order to maximize R.
Accordingly, we must proceed to find the lower bound for Y1, and the upper bound for
e1.
As is shown in [30, 42] a few decoy states are sufficient to obtain good results for R, and
here the case with two decoy states is analyzed.
Let us consider two decoy states with intensities ν1 and ν2 such that

0 ⩽ ν2 < ν1 and ν1 + ν2 < µ (6.13)

with µ intensity of the signal state.


Lower Bound for Y1

The overall gains for the decoy states are defined as
$$Q_{\nu_1} = \sum_{i=0}^{\infty} Y_i \frac{\nu_1^i}{i!} e^{-\nu_1} \quad \text{and} \quad Q_{\nu_2} = \sum_{i=0}^{\infty} Y_i \frac{\nu_2^i}{i!} e^{-\nu_2} \tag{6.14}$$

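Consequently, by taking $\nu_1 Q_{\nu_2} - \nu_2 Q_{\nu_1}$ we are able to obtain the lower bound for the
background rate Y0:
$$\begin{aligned}
\nu_1 Q_{\nu_2} e^{\nu_2} - \nu_2 Q_{\nu_1} e^{\nu_1} &= (\nu_1 - \nu_2) Y_0 - \nu_1 \nu_2 \left[ \frac{Y_2}{2!}(\nu_1 - \nu_2) + \frac{Y_3}{3!}\left(\nu_1^2 - \nu_2^2\right) + \dots \right] \\
&\leqslant (\nu_1 - \nu_2) Y_0
\end{aligned} \tag{6.15}$$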

Therefore
$$Y_0 \geqslant \frac{\nu_1 Q_{\nu_2} e^{\nu_2} - \nu_2 Q_{\nu_1} e^{\nu_1}}{\nu_1 - \nu_2} = \max\left\{ Y_0^L ; 0 \right\} \tag{6.16}$$
where the equality holds when ν2 = 0, that is when one decoy state is a vacuum state.
We now proceed to calculate the lower bound for Y1. For contributions from multi-photon
states of signal states, the following relation holds:
$$\sum_{i=2}^{\infty} Y_i \frac{\mu^i}{i!} = Q_\mu e^{\mu} - Y_0 - Y_1 \mu \tag{6.17}$$

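As a result we get:
$$\begin{aligned}
Q_{\nu_1} e^{\nu_1} - Q_{\nu_2} e^{\nu_2} &= \sum_{i=0}^{\infty} \frac{Y_i}{i!}\left(\nu_1^i - \nu_2^i\right) = Y_1(\nu_1 - \nu_2) + \sum_{i=2}^{\infty} \frac{Y_i}{i!}\left(\nu_1^i - \nu_2^i\right) \\
&= Y_1(\nu_1 - \nu_2) + \sum_{i=2}^{\infty} \frac{Y_i}{i!}\left( \frac{\nu_1^i}{\mu^i} - \frac{\nu_2^i}{\mu^i} \right)\mu^i
\end{aligned} \tag{6.18}$$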

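At this point we use the property for which $a^i - b^i \leqslant a^2 - b^2$ if $0 < a + b < 1$ and $i \geqslant 2$,
where in this case $a = \frac{\nu_1}{\mu}$, $b = \frac{\nu_2}{\mu}$, and $a^i = \frac{\nu_1^i}{\mu^i}$, $b^i = \frac{\nu_2^i}{\mu^i}$. Thus
$$\begin{aligned}
Q_{\nu_1} e^{\nu_1} - Q_{\nu_2} e^{\nu_2} &\leqslant Y_1(\nu_1 - \nu_2) + \frac{\nu_1^2 - \nu_2^2}{\mu^2} \sum_{i=2}^{\infty} Y_i \frac{\mu^i}{i!} \\
&= Y_1(\nu_1 - \nu_2) + \frac{\nu_1^2 - \nu_2^2}{\mu^2}\left[ Q_\mu e^{\mu} - Y_0 - Y_1 \mu \right] \\
&\leqslant Y_1(\nu_1 - \nu_2) + \frac{\nu_1^2 - \nu_2^2}{\mu^2}\left[ Q_\mu e^{\mu} - Y_0^L - Y_1 \mu \right]
\end{aligned} \tag{6.19}$$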
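Therefore the lower bound for Y1 is given by
$$Y_1 \geqslant Y_1^{L,\nu_1,\nu_2} = \frac{\mu}{\mu(\nu_1 - \nu_2) - \nu_1^2 + \nu_2^2}\left[ Q_{\nu_1} e^{\nu_1} - Q_{\nu_2} e^{\nu_2} - \frac{\nu_1^2 - \nu_2^2}{\mu^2}\left( Q_\mu e^{\mu} - Y_0^L \right) \right] \tag{6.20}$$
and the lower bound for the gain of the single-photon $Q_1 = Y_1 \mu e^{-\mu}$ is given by
$$Q_1 \geqslant Q_1^{L,\nu_1,\nu_2} = \frac{\mu^2 e^{-\mu}}{\mu(\nu_1 - \nu_2) - \nu_1^2 + \nu_2^2}\left[ Q_{\nu_1} e^{\nu_1} - Q_{\nu_2} e^{\nu_2} - \frac{\nu_1^2 - \nu_2^2}{\mu^2}\left( Q_\mu e^{\mu} - Y_0^L \right) \right] \tag{6.21}$$
where $Y_0^L$ is given by the equation (6.16).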

Upper Bound for e1

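The following relationships hold for QBERs
$$E_{\nu_1} Q_{\nu_1} e^{\nu_1} = e_0 Y_0 + e_1 \nu_1 Y_1 + \sum_{i=2}^{\infty} e_i Y_i \frac{\nu_1^i}{i!} \tag{6.22}$$
$$E_{\nu_2} Q_{\nu_2} e^{\nu_2} = e_0 Y_0 + e_1 \nu_2 Y_1 + \sum_{i=2}^{\infty} e_i Y_i \frac{\nu_2^i}{i!} \tag{6.23}$$
Consequently, with calculations similar to those mentioned above, we obtain the upper
bound for e1:
$$e_1 \leqslant e_1^{U,\nu_1,\nu_2} = \frac{E_{\nu_1} Q_{\nu_1} e^{\nu_1} - E_{\nu_2} Q_{\nu_2} e^{\nu_2}}{(\nu_1 - \nu_2)\, Y_1^{L,\nu_1,\nu_2}} \tag{6.24}$$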

In this way the legitimate parties are able to obtain a lower bound for Y1 and an
upper bound for e1 and consequently they are able to compute the key generation rate by
substituting their values:
$$R \geqslant q\left\{ -Q_\mu f(E_\mu) H(E_\mu) + Q_1^{L,\nu_1,\nu_2}\left[ 1 - H\left(e_1^{U,\nu_1,\nu_2}\right) \right] \right\} \tag{6.25}$$

Once this result is obtained, it is possible to proceed analyzing the quality of the bounds
found, and consequently the performance of the model with two decoy states.
It is possible to examine the special case, called the Asymptotic Case, in which ν1 → 0
and ν2 → 0, with ν2 < ν1 ≪ µ = O(1). Taking the above limits yields the following
results [29]:
$$Y_1^{L,\nu_1,\nu_2}\Big|_{\nu_1,\nu_2 \to 0} = Y_0 + \eta \quad \text{and} \quad e_1^{U,\nu_1,\nu_2}\Big|_{\nu_1,\nu_2 \to 0} = \frac{e_0 Y_0 + e_{detector}\,\eta}{Y_1} \tag{6.26}$$
Since in this limit the formulas (6.1) and (6.5) are obtained again, the Asymptotic Case of the
model with two decoy states is as good as the most general possible protocol, analyzed
above, with an infinite number of decoy states. However, the Asymptotic Case has
the disadvantage that in practice it is necessary to have at least one of ν1 and
ν2 with a finite value. Moreover, [29] shows how, fixing a finite value of ν1, the key
generation rate is maximized when ν2 = 0, that is, when the second decoy state is
a vacuum state. Consequently, we come to establish the fundamental importance in
practical developments held by the Weak and Vacuum Decoy State model, proposed in
[30].

Weak and Vacuum Decoy State

The Weak and Vacuum Decoy State is a special case of the Two Decoy State with
ν2 → 0. Presented in [30] and analyzed in [43], it provides excellent values for the
performances in communication, achieving high values of key generation rate for long-
distance communication.
Alice is able to generate the vacuum state by simply turning off her photon source. For
the vacuum state the legitimate parties are able to estimate:
$$Q_{vac} = Y_0 \quad \text{and} \quad E_{vac} = e_0 = \frac{1}{2} \tag{6.27}$$
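The second decoy state that Alice realizes has a small but finite intensity value ν. For
the weak decoy state the legitimate parties are able to compute the lower bound for Y1
and gain Q1, and the upper bound for e1 by taking the limit with ν2 → 0 respectively of
the formulas (6.20), (6.21) and (6.24):
$$Y_1 \geqslant Y_1^{L,\nu,0} = Y_1^{L,\nu,\nu_2}\Big|_{\nu_2 \to 0} = \frac{\mu}{\mu\nu - \nu^2}\left[ Q_\nu e^{\nu} - \frac{\nu^2}{\mu^2}\left( Q_\mu e^{\mu} - Y_0^L \right) \right] \tag{6.28}$$
$$Q_1 \geqslant Q_1^{L,\nu,0} = Q_1^{L,\nu,\nu_2}\Big|_{\nu_2 \to 0} = \frac{\mu^2 e^{-\mu}}{\mu\nu - \nu^2}\left[ Q_\nu e^{\nu} - \frac{\nu^2}{\mu^2}\left( Q_\mu e^{\mu} - Y_0^L \right) \right] \tag{6.29}$$
$$e_1 \leqslant e_1^{U,\nu,0} = e_1^{U,\nu,\nu_2}\Big|_{\nu_2 \to 0} = \frac{E_\nu Q_\nu e^{\nu} - e_0 Y_0}{\nu\, Y_1^{L,\nu,0}} \tag{6.30}$$
This gives the lower bound for the key generation rate R:
$$R^L = q\left\{ -Q_\mu f(E_\mu) H(E_\mu) + Q_1^{L,\nu,0}\left[ 1 - H\left(e_1^{U,\nu,0}\right) \right] \right\} \tag{6.31}$$
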
Taking into consideration the data from the GYS experiment given in Table 6.1, the
optimal value of the signal state intensity µ = 0.48 for f (e) = 1.22, ν = 0.05, and
looking at the BB84 model for which q = 1/2, we obtain the lower bound of the key
generation rate as a function of distance, the graph of which is depicted in Figure 6.1.

Figure 6.1: The red dashed line represents the lower bound of R in the Asymptotic Case
situation, following equation (6.8) for which the maximum safety distance is 142.05 km.
The black continuous line represents the Weak and Vacuum Decoy State situation,
following equation (6.31) with µ = 0.48, f(e) = 1.22, ν1 = 0.05 and ν2 = 0. The other
variables are taken from the GYS experiment reported in Table 6.1. ([29])

As can be seen, this yields a maximum distance for which communication is secure of
140.55 km [29], a value slightly lower than the Asymptotic Case, which concerns the most
generic case with an infinite number of decoy states (hence with the best performances),
for which a maximum distance of 142.05 km is obtained.
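
The following Python example is added here and is not code from the thesis or from [29]. It solves (6.12) for the optimal signal intensity and evaluates the key-rate bounds (6.8) and (6.25) with the GYS parameters of Table 6.1, handling the vacuum decoy by setting ν2 = 0 so that Q_vac = Y0 and E_vac = 1/2 as in (6.27). The fibre transmittance model η = η_Bob · 10^(−αl/10) and all function names are assumptions of this example.

```python
import math

# GYS parameters from Table 6.1; E0 = 1/2 is the vacuum QBER given in the text.
ALPHA_DB_KM, E_DET, Y0, ETA_BOB, E0 = 0.21, 0.033, 1.7e-6, 0.045, 0.5


def h2(p):
    """Binary Shannon entropy H(p) in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)


def optimal_mu(f, e_det=E_DET):
    """Solve (6.12), exp(-mu)(1 - mu) = f H(e)/(1 - H(e)), by bisection."""
    target = f * h2(e_det) / (1.0 - h2(e_det))
    lo, hi = 0.0, 1.0  # the left-hand side falls from 1 to 0 on [0, 1]
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if math.exp(-mid) * (1.0 - mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def transmittance(km):
    """Assumed fibre model (not stated in this section): eta_Bob * 10^(-alpha*l/10)."""
    return ETA_BOB * 10.0 ** (-ALPHA_DB_KM * km / 10.0)


def observe(intensity, eta):
    """Gain and QBER Alice and Bob measure at one intensity, (6.4) and (6.6)."""
    p_click = -math.expm1(-eta * intensity)  # 1 - exp(-eta * intensity)
    gain = Y0 + p_click
    return gain, (E0 * Y0 + E_DET * p_click) / gain


def gllp(q_mu, e_mu, q1, e1, f, q=0.5):
    """Key generation rate of (6.8) / (6.25); q = 1/2 for BB84."""
    return q * (-q_mu * f * h2(e_mu) + q1 * (1.0 - h2(e1)))


def rate_asymptotic(km, mu, f):
    """Rate with the exact single-photon values Y1 and e1 of (6.26)."""
    eta = transmittance(km)
    q_mu, e_mu = observe(mu, eta)
    y1 = Y0 + eta
    e1 = (E0 * Y0 + E_DET * eta) / y1
    return gllp(q_mu, e_mu, y1 * mu * math.exp(-mu), e1, f)


def rate_two_decoy(km, mu, nu1, nu2, f):
    """Rate from measured gains and QBERs only: (6.16), (6.20), (6.21), (6.24)."""
    eta = transmittance(km)
    q_mu, e_mu = observe(mu, eta)
    (q_a, e_a), (q_b, e_b) = observe(nu1, eta), observe(nu2, eta)
    g_a, g_b = q_a * math.exp(nu1), q_b * math.exp(nu2)
    y0_low = max((nu1 * g_b - nu2 * g_a) / (nu1 - nu2), 0.0)
    ratio = (nu1**2 - nu2**2) / mu**2
    y1_low = (mu / (mu * (nu1 - nu2) - nu1**2 + nu2**2)
              * (g_a - g_b - ratio * (q_mu * math.exp(mu) - y0_low)))
    if y1_low <= 0.0:
        return 0.0  # no usable single-photon bound, so no key
    e1_up = (e_a * g_a - e_b * g_b) / ((nu1 - nu2) * y1_low)
    # Guard: H is symmetric about 1/2, so cap the bound where 1 - H vanishes.
    return gllp(q_mu, e_mu, y1_low * mu * math.exp(-mu), min(e1_up, 0.5), f)


def max_distance(rate, hi=300.0):
    """Largest distance in km with a positive rate (bisection on the sign)."""
    lo = 0.0
    for _ in range(50):
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if rate(mid) > 0.0 else (lo, mid)
    return lo


if __name__ == "__main__":
    print("mu_opt, f = 1:    %.3f" % optimal_mu(1.0))
    print("mu_opt, f = 1.22: %.3f" % optimal_mu(1.22))
    d_inf = max_distance(lambda km: rate_asymptotic(km, 0.48, 1.22))
    d_wv = max_distance(lambda km: rate_two_decoy(km, 0.48, 0.05, 0.0, 1.22))
    print("asymptotic case:        %.2f km" % d_inf)
    print("weak + vacuum (0.05):   %.2f km" % d_wv)
```

Run as a script, it prints the two optimal intensities and the two maximum secure distances, for comparison with the values quoted above from [29].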
Conclusions

The present study set itself the goal of presenting an analysis in the field of quantum
cryptography, and in particular an analytical description of the implications to consider
when technological limitations arise in the application of quantum key distribution
(QKD) protocols.
The QKD process is the best currently known method for performing quantum cryptography
operations, and it is implemented through suitable protocols. Indeed, it offers the
ultimate solution to the cryptography problem, in contrast to post-quantum cryptography,
which would offer systems that are robust against already known quantum algorithms,
thus creating only temporary solutions. While the latter would expose the information to
undiscovered quantum algorithms, QKD restores security by basing it on fundamental
laws of quantum mechanics that result from unbreakable principles of nature, like the
Uncertainty Principle and the No-Cloning Theorem.
The BB84 model is the protocol taken as a reference, which, as simple as it is effective, is
demonstrably secure from every attack that an eavesdropper might launch. Proposed
in 1984 by Charles Bennett of IBM and Gilles Brassard of The University of Montréal,
it bases the security of the exchange of communication between the legitimate parties
on the laws of quantum mechanics mentioned above; however, the procedures for the
creation of the encryption key require ideal assumptions that are difficult to implement
in practice: the creation of a perfect single-photon source, a channel without loss, 100%
detector efficiency. These assumptions all translate into obstacles in the experimental
implementation of the BB84 protocol with current technologies, especially if the goal is
to realize secure communication networks, commercial and financial applications and the
protection of sensitive infrastructures, where both security and communication
performances are essential.


The Photon-Number-Splitting attack was examined as a possible vulnerability of the
BB84 protocol that arises from the coexistence of weak coherent states and noise in
the quantum channel. Although the eavesdropper must possess advanced and currently
inaccessible technologies to implement it, such as quantum memories or the ability to
perform non-demolition measurements, they may be available in the future.
To mitigate the consequences resulting from realistic experimental apparatus, the Decoy
State Method can provide a solution to possible future critical issues arising from
technological advancement, such as PNS attacks. It is a method implementable on any type
of quantum key distribution protocol: in this review it has been applied to the BB84
model.
As a result of this analysis, the Decoy State guarantees excellent performances from both
a qualitative point of view, concerning its security, and a quantitative one, concerning the
amount of information and distance that can be achieved in communication; at
the same time it is a straightforward model for experimental implementation, since the
sender of the information only needs to modulate the intensity µ of the Poisson statistic
between the signal and decoy state values.
Consequently, it has been seen that using even only two decoy states is sufficient to
ensure a high level of security, and in particular the key generation rate is maximized
when one of the two decoy states is a vacuum state: to produce a vacuum state, it is
sufficient to turn off the photon source.
Examining the lower bound of the key generation rate in detail, it has been found
that, in the Weak and Vacuum Decoy State case, the maximum distance for a secure
communication is 140.55 km, a value slightly lower than the Asymptotic Case, which
concerns the most generic case with an infinite number of decoy states, for which a
maximum distance of 142.05 km is obtained. Thus, if an eavesdropper attempted to hack the
communication channel, the legitimate parties would notice both different values of the
quantities characterizing the quantum channel and a value of the key generation rate
lower than the lower bound.
Because of these considerations, the Decoy State Method, applied to a model such as the
BB84 protocol, is an excellent candidate for being used in commercial implementations
of quantum cryptography protocols. In fact, in recent years it has been examined in
detail from both a theoretical and practical point of view, and has been given attention
as a possible international standard.
In addition to the reasons mentioned above, the Decoy State is of particular utility in
today’s situation in which technologies such as quantum networks based on quantum
repeaters or perfectly entangled particles, which would enable long-distance
communication, or quantum digital signatures, which would ensure the authenticity and
integrity of the message, are inaccessible.
Although the Decoy State approach and QKD protocols seem to be the most advanced
quantum technologies now accessible, both theoretical and practical research face a
number of challenges and open questions. There is still a big need for more dependable
QKD techniques that can go farther and faster.
Theoretically, one of the main challenges concerns providing more rigorous security proofs
in the Decoy State Method. While it has been shown to be secure in specific scenarios,
developing a comprehensive security analysis that accounts for various potential attacks
and imperfections in practical implementations remains an ongoing challenge. In addi-
tion, the choice of the optimal decoy state configurations for a given scenario, such as the
intensities and types of states, significantly affects the security and performance of the
protocol and it is a complex problem that requires theoretical analysis and optimization
techniques, as well as the analysis of the statistical fluctuations and finite-size effects.
In order to implement quantum cryptography and quantum key distribution techno-
logically, it is necessary to take into account how they will integrate with the existing
classical infrastructure and create layers of security while solving issues concerning sys-
tem integration, stability, and scalability.
Before QKD can be regarded as a completely safe quantum technology, many types of
vulnerabilities must be carefully considered. These weaknesses will become more evi-
dent as quantum cryptography develops as a field of science. However, the Decoy State
Method could provide the solution to the raised problems, and research is already setting
the path to implement systems that are capable of solving the threats brought by the
power of quantum computers before they are even developed, in order to smooth the
transition to a quantum reality.
Bibliography

[1] M. Nielsen, I. Chuang, “Quantum Computation and Quantum Information: 10th Anniversary Edition”. Cambridge: Cambridge University Press (2010). DOI: https://doi.org/10.1017/CBO9780511976667

[2] W. Smythe, March 15, 2021. “The Bloch sphere and eigenstates with their superpositions” [Online]. Available from: https://logosconcarne.com/2021/03/15/qm-101-bloch-sphere/ [Accessed 23 June 2023].

[3] S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. Shamsul Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, “Advances in quantum cryptography,” Advances in Optics and Photonics 12, 1012 (2020). DOI: https://doi.org/10.48550/arXiv.1906.01645

[4] I. Bengtsson, “Three Ways to Look at Mutually Unbiased Bases”, AIP Conference Proceedings 889, 40-51 (2007). DOI: https://doi.org/10.1063/1.2713445

[5] M. Planat, H.C. Rosu, S. Perrine, “A Survey of Finite Algebraic Geometrical Structures Underlying Mutually Unbiased Quantum Measurements”. Foundations of Physics 36, 1662-1680 (2006). DOI: https://doi.org/10.1007/s10701-006-9079-3

[6] K. Jacobs, “Quantum Measurement Theory and its Applications”. Cambridge University Press (2014). DOI: https://doi.org/10.1017/CBO9781139179027

[7] R. Wolf, “Quantum Key Distribution”, Springer (2021). DOI: https://doi.org/10.1007/978-3-030-73991-1


[8] R. Griffiths “Quantum Channels, Kraus Operators, POVMs” (2012). Available from: https://quantum.phys.cmu.edu/QCQI/qitd412.pdf

[9] D. Griffiths, D. Schroeter, “Introduction to Quantum Mechanics (3rd ed.)”, Cambridge: Cambridge University Press (2018). DOI: 10.1017/9781316995433

[10] M. G. A. Crawford, “Generalized coherent states and classical limits in quantum mechanics” (2000). URI: http://hdl.handle.net/10012/550

[11] S.J. Blundell, and K.M. Blundell, “Concepts in Thermal Physics”, Oxford University Press (2009). DOI: 10.1093/acprof:oso/9780199562091.001.0001

[12] A.S. Trushechkin, E.O. Kiktenko, D.A. Kronberg, A.K. Fedorov. “Security of the decoy state method for quantum key distribution”, Uspekhi Fizicheskikh Nauk Journal. Phys. Usp. 64, 88 (2021). DOI: https://doi.org/10.48550/arXiv.2101.10128

[13] C.-H. F. Fung, X. Ma, H. F. Chau. “Practical issues in quantum-key-distribution post-processing”, American Physical Society. Phys. Rev. A 81, 012318 (2009). DOI: https://doi.org/10.48550/arXiv.0910.0312

[14] E. Kiktenko, A. Trushechkin, Y. Kurochkin and A. Fedorov. “Post-processing procedure for industrial quantum key distribution systems”. Journal of Physics: Conference Series 741, 012081 (2016). DOI: https://doi.org/10.1088/1742-6596/741/1/012081

[15] N. Gisin, G. Ribordy, W. Tittel, H. Zbinden, “Quantum cryptography”, American Physical Society. Rev. Mod. Phys. 74, 145-195 (2002). DOI: 10.1103/RevModPhys.74.145

[16] S. Attal “Lecture 6 Quantum Channels”. Available from http://math.univ-lyon1.fr/~attal/Quantum_Channels.pdf

[17] M. M. Wilde “From Classical to Quantum Shannon Theory”, Cambridge University Press (2019). DOI: https://doi.org/10.1017/9781316809976.001

[18] IEEE Computer Society, Indian institute of science (Bangalore), IEEE Circuits and Systems Society “International Conference on Computers, Systems Signal Processing”, Steering Committee (1984). DOI: https://books.google.com/books?id=JZetpwAACAAJ

[19] H. S. Singh, D. S. Gupta, A. K. Singh, “Quantum Key Distribution Protocols: A Review”, IOSR Journal of Computer Engineering 16, 01-09 (2014). DOI: 10.9790/0661-162110109

[20] W. Wootters, W. Zurek, “A single quantum cannot be cloned”, Nature 299, 802-803 (1982). DOI: https://doi.org/10.1038/299802a0

[21] J. Ortigoso “Twelve years before the quantum no-cloning theorem”, American Journal of Physics 86, 201-205 (2018). DOI: https://doi.org/10.1119/1.5021356

[22] I. Csiszar and J. Korner. “Broadcast channels with confidential messages”, IEEE Transactions on Information Theory 24, 339-348 (1978). DOI: 10.1109/TIT.1978.1055892

[23] Y.-G. Yang, P. Xu, R. Yang, Y.-H. Zhou, W.-M. Shi, “Quantum Hash function and its application to privacy amplification in quantum key distribution, pseudo-random number generation and image encryption”, Scientific Reports 6, 19788 (2016). DOI: 10.1038/srep19788

[24] D. Pegg, S. Barnett, J. Jeffers. “Quantum theory of preparation and measurement”, Journal of Modern Optics 49, 913-924 (2002). DOI: 10.1080/09500340110109412

[25] C.A. Fuchs, N. Gisin, R. B. Griffiths, C-S Niu, A. Peres, “Optimal eavesdropping in quantum cryptography. I. Information bound and optimal strategy”, American Physical Society, Phys. Rev. A 56, 1163 (1997). DOI: 10.1103/PhysRevA.56.1163

[26] C.M. Caves, C.A. Fuchs, R. Schack, “Unknown quantum states: The quantum de Finetti representation”, Journal of Mathematical Physics 43, 4537 (2002). DOI: https://doi.org/10.1063/1.1494475

[27] J.I Cirac, N Gisin, “Coherent eavesdropping strategies for the four state quantum cryptography protocol”, Physics Letters A 229, 1-7 (1997). DOI: https://doi.org/10.1016/S0375-9601(97)00176-X

[28] A. A. Gaidash, V. I. Egorov, A. V. Gleim “Revealing of photon-number splitting attack on quantum key distribution system by photon-number resolving devices”. Journal of Physics: Conference Series 735, 012072 (2016). DOI: 10.1088/1742-6596/735/1/012072

[29] X. Ma, B. Qi, Y. Zhao, H.-K. Lo, “Practical decoy state for quantum key distribution”, American Physical Society. Phys. Rev. A 72, 012326 (2005). DOI: 10.1103/PhysRevA.72.012326

[30] H.-K. Lo, X. Ma, K. Chen, Kai. “Decoy State Quantum Key Distribution”, American Physical Society. Phys. Rev. Lett. 94, 230504 (2005). DOI: 10.1103/PhysRevLett.94.230504

[31] G. Nogues, A. Rauschenbeutel, S. Osnaghi, et al. “Seeing a single photon without destroying it”, Nature 400, 239-242 (1999). DOI: https://doi.org/10.1038/22275

[32] M. K. Bochkov and A. S. Trushechkin, “Security of quantum key distribution with detection-efficiency mismatch in the single-photon case: Tight bounds”, American Physical Society, Phys. Rev. A 99, 032308 (2019). DOI: 10.1103/physreva.99.032308

[33] Z. Zhang, Q. Zhao, M. Razavi, X. Ma, “Improved key-rate bounds for practical decoy-state quantum-key-distribution systems”, American Physical Society, Phys. Rev. A 95, 012333 (2017). DOI: 10.1103/physreva.95.012333

[34] A. S. Trushechkin, E. O. Kiktenko, A. K. Fedorov, “Practical issues in decoy-state quantum key distribution based on the central limit theorem”, American Physical Society, Phys. Rev. A 96, 022316 (2017). DOI: 10.1103/PhysRevA.96.022316

[35] E. Diamanti, H.-K. Lo, B. Qi, Z. Yuan, “Practical challenges in quantum key distribution”, Springer Science and Business Media, npj Quantum Information 2, 16025 (2016). DOI: 10.1038/npjqi.2016.25

[36] H.-K. Lo, M. Curty, K. Tamaki, “Secure quantum key distribution”, Springer Science and Business Media, Nature Photonics 8, 595-604 (2014). DOI: 10.1038/nphoton.2014.149

[37] A. V. Duplinskiy, E. O. Kiktenko, N. O. Pozhar, M. N. Anufriev, R. P. Ermakov, A. I. Kotov, A. V. Brodskiy, R. R. Yunusov, V. L. Kurochkin, A. K. Fedorov, Y. V. Kurochkin, “Quantum-Secured Data Transmission in Urban Fiber-Optics Communication Lines”, Springer Science and Business Media, Journal of Russian Laser Research 39, 113-119 (2018). DOI: 10.1007/s10946-018-9697-1

[38] D. Gottesman, H.-K. Lo, N. Lutkenhaus, J. Preskill, “Security of quantum key distribution with imperfect devices”, International Symposium on Information Theory, Quant.Inf.Comput. 5, 325-360 (2004). DOI: 10.1109/ISIT.2004.1365172

[39] G. Brassard, L. Salvail, “Secret-Key Reconciliation by Public Discussion”, Springer Berlin Heidelberg, Advances in Cryptology - EUROCRYPT ’93 765, 410-423 (1994). DOI: 10.1007/3-540-48285-7_35

[40] C. Gobby, Z. L. Yuan, A. J. Shields, “Quantum key distribution over 122 km of standard telecom fiber”, Applied Physics Letters 84, 3762-3764 (2004). DOI: 10.1063/1.1738173

[41] M. Bourennane, F. Gibson, A. Hening, A. Karlsson, P. Jonsson, T. Tsegaye, D. Ljunggren, E. Sundberg, “Experiments on long wavelength (1550 nm) “plug and play” quantum cryptography systems”, Technical Digest. Summaries of Papers Presented at the Quantum Electronics and Laser Science Conference, 112-113 (1999). DOI: 10.1109/QELS.1999.807380

[42] J. W. Harrington, J. M. Ettinger, R. J. Hughes, J. E. Nordholt, “Enhancing practical security of quantum key distribution with a few decoy states”, arXiv: Quantum Physics (2005). DOI: https://doi.org/10.48550/arXiv.quant-ph/0503002

[43] X.-B. Wang, “Decoy-state protocol for quantum cryptography with four different
intensities of coherent light”, American Physical Society, Physical Review A 72,
012322 (2005). DOI: 10.1103/physreva.72.012322
