2. Quantum hacking in QKD systems

In ideal conditions, QKD protocols' security is based on the attributes of quantum mechanics, as it makes eavesdropping activities detectable in the middle of the quantum channel [1, 7]. But the technological implementation brings serious concerns as most of the QKD systems have vulnerabilities to quantum hacking due to loopholes in the optical detection system [8–18]. Given this condition, it is necessary to develop new QKD protocols that are able to resist different attacks due to such vulnerabilities as the photon number splitting (PNS) and the intercept and resend with faked states (IRFS) attacks [19, 20].

A variety of attacks have been conceived of as exploiting the security of BB84-based systems, either theoretically or technologically. The photon number splitting (PNS) attack belongs to the first category. In the second class, commonly referred to as quantum hacking, the intercept resend with faked states (IRFS) attack can be included, which exploits loopholes in the avalanche photo diodes (APDs) of the electronic detection system. We will briefly describe each of them.

1. In the PNS attack the eavesdropper blocks the 1-photon states but she stores the multiphoton states allowing at least one photon to reach Bob's detection system. Ideally, in the BB84 protocol [1], the quantum states sent by Alice to Bob contain single photons. Nevertheless, perfect single photon sources are not technologically available nowadays [21], so, to get the implementation of QKD, laser pulses attenuated to very low levels have been used. Such laser pulses contain very short numbers of photons, in average typically around 0.2 photons per pulse in a Poissonian distribution; that means that most pulses contain no photons, a few pulses contain just one photon, and a really short amount of pulse contains two or more photons. If a pulse contains more than one photon, Eve can get from it the extra photons and transmit a single photon to Bob. Eve can store the photons she obtained from the multi-photonic pulses and wait until Bob reveals the measurement basis he has applied. Then Eve can measure the photons she stored by using the same measurement basis as Bob did. In this way she obtains information about the key without being noticed by Alice and Bob. This is called the photon number splitting (PNS) attack, and some related references with security proofs of the PNS attack can be found in [1, 7, 22–24].

whole process will be discarded before a key can be established [2]. On the other hand, if no eavesdropping activity is detected, the quantum measurements are used to derive the secret key. When the transmission is finished, Alice and Bob compare a fraction of the exchanged key in order to detect any transmission errors caused by eavesdropping. Experimentally, QKD systems have been proved using dedicated optical fibers, across free space, weak laser pulses

Figure 1. The BB84 qubits are the non-orthogonal states: the measurement bases, Z and X, are shown as vertical and horizontal lines, correspondingly. When basis X (Z) is used by Bob, to measure Alice's state ∣iXi jð iÞ iZ , the result gotten by Bob is bit i ið Þ <sup>¼</sup> <sup>0</sup>; <sup>1</sup> ; otherwise, if basis X Zð Þ is applied to measure <sup>∣</sup>iZ<sup>i</sup> (∣iXi) the probability to get <sup>i</sup> reduces to <sup>1</sup>

2. So, if Bob

We propose a new approach for QKD protocols called quantum flows where the transmitter interleaves pairs of quantum states, referred to here as parallel and orthogonal (non-orthogonal) states, while the receiver applies active basis selection to perform state measurement. In a study by Lizama et al. [4], a brand new QKD protocol, called ack-state and referred to also as ack-QKD, is introduced. This protocol uses weak coherent states and active basis measurement and has the capability to detect photon number splitting (PNS) eavesdropping activity, and its strengths against the PNS attack are discussed by Lizama-Pérez et al. [5]. The ack-state protocol was extended by Lizama-Pérez et al. [6] to the dual protocol known as nack state protocol in order to have an analysis of its security when facing an intercept and resend with faked states

One of the main advantages of these protocols is that they protect against the PNS and the IRFS attacks without requiring any changes in the hardware; only software changes are

In ideal conditions, QKD protocols' security is based on the attributes of quantum mechanics, as it makes eavesdropping activities detectable in the middle of the quantum channel [1, 7]. But the technological implementation brings serious concerns as most of the QKD systems have vulnerabilities to quantum hacking due to loopholes in the optical detection system [8–18]. Given this condition, it is necessary to develop new QKD protocols that are able to resist different attacks due to such vulnerabilities as the photon number splitting (PNS) and the intercept and

or single photons, entangled photon pairs, or continuous variables [3].

measures the ∣0Xi state with Z basis, he has the same probability to obtain ∣0Zi or ∣1Zi.

38 Advanced Technologies of Quantum Key Distribution

(IRFS) attack.

required.

2. Quantum hacking in QKD systems

resend with faked states (IRFS) attacks [19, 20].

To overcome the PNS attack a few protocols have been developed: Decoy QKD [18], SARG04 [25], the differential phase shift (DPSK) [26], and coherent one way (COW) [27]. One of the most promissory alternatives is the decoy QKD. In this protocol Alice prepares a set of quantum states in addition to the typical states of the BB84 protocol. These extra states are called decoy states. Decoy states are used only with the purpose to detect the eavesdropping activity, rather than establishing the key. In order to produce the decoy states, Alice randomly uses different mean photon numbers on the photonic source. For example, she could send the first pulse with a mean photonic pulse of μ ¼ 0:1, the second pulse with μ ¼ 0:4, the third pulse with μ ¼ 0:05, and so on. To each mean photon number a different probability of producing more than one photon in the correlated pulse corresponds. The difference between the standards BB84 states and the decoy states is the mean photon numbers. Given this, Eve is not able to distinguish a decoy state from a quantum key related state and the only information she gets is the number of photons in a pulse. Thus, decoy states can be introduced to secure the BB84 protocol from PNS attacks, allowing at the same time high key rates. In both, BB84 and decoy QKD protocols, a single photonic gain in the quantum channel is established. Lamentably, Eve can set successful attacks to the decoy QKD if it is able to set the QBER to zero by adjusting the gain of the quantum channel.

2. Intercept Resend (IR) attack: In this attack, Eve measures each photon pulse sent by Alice and replaces it with a different pulse prepared in the quantum state that she has previously measured. In 50% of the measurements, Eve successfully chooses the correct measurement basis, while Bob chooses the same basis as her half of the time. Given that, she generates a quantum bit error rate (QBER) of 50% � 50% ¼ 25% (see Figure 2 and a study by Bennett et al. [7]).

3. Intercept resend with faked states (IRFS) attack.

In the intercept resend with faked states (IRFS) attack, the eavesdropper does not want to reconstruct the original states. Instead, it produces pulses of light controlled by her that are detectable by Bob as she stays unnoticed in the quantum channel. Due to imperfections in their optical system, Alice and Bob assume that the quantum states they are detecting are the original ones while they are actually detecting light pulses generated by the eavesdropper. Those light pulses are known as faked states [10]. There are several weaknesses in Bob's detector than can be exploited to perform this attack such as time shift [11–13] or quantum blinding [10–12]. When using quantum blinding (quantum blinding attack), the QKD system is controlled by an eavesdropper who uses bright photon pulses during the linear mode operation of the APDs. Using this attack, Eve can eavesdrop on the full secret key but it will not increase the QBER of the protocol. To do this, Eve sends bright pulses to Bob and those are detected by the APD. It will then operate like a classical photo diode instead of operating in Geiger mode and allowing Eve to obtain the key [14, 15].

Resulting from this, as shown in Figure 3a, when Bob selects the same measurement basis Eve has chosen, a detection event occurs in the corresponding APD detector. On the other hand, if Bob measures using the opposite basis, as in Figure 3b, the two detectors get a part of the optical power and no event is detected. In this way, the eavesdropper blinds Bob's APD detectors and makes them work as classical photo diodes. In the final stage of the protocol, Eve uses the announcements made by Bob on the public channel to execute the classical post-processing, getting the same secret bit as Alice and Bob.

It is important to note that the IRFS attack works dangerously well on widely used QKD protocols, namely SARG04, BB84, coherent one way (COW), differential phase shift (DPSK), Ekert [12], and the decoy state method, as described by Wiechers et al. [16] and Sun et al. [28]. The attack shows an extra 3 dB loss due to the basis of mismatch between Eve and Bob. In the practice, Eve compensates it easily as she can use better detector efficiencies and surpass the loss in the channel. Demonstrations of blinding attacks on detectors have been implemented in two commercially available QKD systems [14]. Reports show that Eve obtains the entire secret key for the time she remains unnoticed by the legitimate parties [15]. We should finally remark that due to control detector attacks with active basis selection, the gain from Eve to Bob is

Figure 3. In the intercept resend with faked states (IRFS) and quantum blinding attack, Eve and Bob use the same optical receiver unit so that she can detect Alice's states in a random basis. Then, Eve prepares the quantum states but sends them to Bob as bright light pulses instead of quantum pulses. (a) Bob and Eve are using the same basis; (b) the basis Bob is using

Quantum Flows for Secret Key Distribution http://dx.doi.org/10.5772/intechopen.75964 41

Consider a BB84-based protocol encoding a classical bit that uses one of the four non-orthogonal quantum states ∣þXi, ∣�Xi, ∣þZi, and ∣�Zi (see Figure 1). When using the SARG04 protocol [25], Alice produces one of the four BB84 quantum states she will send to Bob, it means, she produces a state associated with two conjugate basis (X and Z). Classical bits on SARG04

reduced by a half compared to the gain from Alice to Bob.

3. The ack-state protocol

is the opposite to ve.

i. For Bob's basis choice matching Eve's, the detector clicks deterministically and.

ii. For Bob's basis choice not matching Eve's, the faked state is not detected.

A watchdog detector that can detect bright faked states can be used as a very simple countermeasure and it can be applied in the electronic detection system [16]. In the University of Singapore an intercept resend attack with faked states and quantum blinding over a commercial QKD system was for the first time implemented [15].

Figure 2. An intercept resend (IR) attack toward the BB84 protocol causes a quantum bit error rate (QBER) of 25% that can be detected. The figure shows Alice sending a ∣0Zi state to Bob. In the middle of the quantum channel is Eve applying an X basis measurement and she gets ∣1Xi. Consequently, she makes a copy of that state and sends it to Bob who gets ∣1Zi as he used the Z basis measurement. The process introduces an error in the secret bit given that Alice expects Bob to get ∣0Zi.

Figure 3. In the intercept resend with faked states (IRFS) and quantum blinding attack, Eve and Bob use the same optical receiver unit so that she can detect Alice's states in a random basis. Then, Eve prepares the quantum states but sends them to Bob as bright light pulses instead of quantum pulses. (a) Bob and Eve are using the same basis; (b) the basis Bob is using is the opposite to ve.

It is important to note that the IRFS attack works dangerously well on widely used QKD protocols, namely SARG04, BB84, coherent one way (COW), differential phase shift (DPSK), Ekert [12], and the decoy state method, as described by Wiechers et al. [16] and Sun et al. [28]. The attack shows an extra 3 dB loss due to the basis of mismatch between Eve and Bob. In the practice, Eve compensates it easily as she can use better detector efficiencies and surpass the loss in the channel. Demonstrations of blinding attacks on detectors have been implemented in two commercially available QKD systems [14]. Reports show that Eve obtains the entire secret key for the time she remains unnoticed by the legitimate parties [15]. We should finally remark that due to control detector attacks with active basis selection, the gain from Eve to Bob is reduced by a half compared to the gain from Alice to Bob.

