Decoy State Quantum Key Distribution (QKD)

Hoi-Kwong Lo
Center for Quantum Information and Quantum Control
Dept. of Electrical & Comp. Engineering (ECE); &
Dept. of Physics
University of Toronto

Joint work with:

Xiongfeng Ma
Kai Chen
[Paper in preparation]

Supported by CFI, CIPI, CRC program, NSERC, OIT, and PREA.

1
Center for Quantum Information & Quantum Control
(CQIQC) University of Toronto

Faculty: Paul Brumer, Daniel Lidar, Hoi-Kwong Lo,

Aephraim Steinberg.
Postdocs: ~10
Graduate Students: ~20
Visitors are most welcome! 2
 Members of my group
• Faculty:
Hoi-Kwong Lo

• Postdocs:
Kai Chen°
Kiyoshi Tamaki *
Bing Qi

• Grad Students:
Benjamin Fortescu, Fred Fung*, Leilei Huang*,
Xiongfeng Ma, Jamin Sheriff*, Yi Zhao*

• Research Assistant:
Ryan Bolen° * Joining this Fall 3
° Leaving this Fall
 QUESTION:
Is there a tradeoff between security
and performance in a real-life
quantum key distribution system?

General Consensus: YES.

This Work: NOT NECESSARILY.

4
 Killing two birds with one stone

We present new QKD protocols that can, rather

surprisingly, with only current technology:

• Achieve unconditional security---Holy Grail of

Quantum Crypto.

• Surpass performance of all fiber-based experiments

done in QKD so far.

Conclusion: Security and Performance go hand in hand!

5
 Outline
1. Motivation and Introduction
2. Problem
3. Our Solution and its significance

Decoy state idea was first proposed in:

W.-Y. Hwang, Phys. Rev. Lett., 91, 057901 (2003)

6
1. Motivation and Introduction

7
Commercial Quantum Crypto products
available on the market Today!

MAGIQ TECH.

• Distance over 100 km of

commercial Telecom fibers.

ID QUANTIQUE

8
 Bad News (for theorists)
Up till now, theory of quantum key distribution
(QKD) has lagged behind experiments.

Opportunity:
By developing theory, one can bridge gap between
theory and practice.

9
Theory and Experiment go hand in hand.
10
 Key Distribution Problem

Eve

Alice Bob

Alice and Bob would like to communicate in absolute

security in the presence of an eavesdropper, Eve.

To do so, they need to share a common random string

of number----key

11
 Bennett and Brassard’s scheme (BB84)

Alice Bob
ASSSUMPTIONS:
1. Source: Emits perfect single photons. (No multi-photons)
2. Channel: noisy but lossless. (No absorption in channel)
3. Detectors: a) Perfect detection efficiency. (100 %)
4. Basis Alignment: Perfect. (Angle between X and Z basis
is exactly 45 degrees.)
Assumptions lead to security proofs:
Mayers (BB84), Lo and Chau (quantum-computing protocol),
Biham et al. (BB84), Ben-Or (BB84), Shor-Preskill (BB84), …

Conclusion: QKD is secure in theory. 12

 Reminder: Quantum No-cloning Theorem

• An unknown quantum state CANNOT be cloned.

Therefore, eavesdropper, Eve, cannot have the same
information as Bob.
• Single-photon signals are secure.

a a a

IMPOSSIBLE
13
Photon-number splitting attack against multi-photons
A multi-photon signal CAN be split. (Therefore, insecure.)

a a
a

Bob

Splitting attack

a
Alice
Eve
Summary: Single-photon good.
Multi-photon bad.

14
 QKD : Practice
Reality:
1. Source: (Poisson photon number distribution)
Mixture. Photon number = n with probability:  n
e
Some signals are, in fact, double photons! n!
2. Channel: Absorption inevitable. (e.g. 0.2 dB/km)
3. Detectors:
(a) Efficiency ~15% for Telecom wavelengths
(b) “Dark counts”: Detectors will claim to have
detected signals with some probability even
when the input is a vacuum.
4. Basis Alignment: Minor misalignment inevitable.

Question: Is QKD secure in practice?

15
 What type of security do we want?

• We consider unconditional security (paranoid

security) and allow Eve to do anything allowed by
quantum mechanics within a well-defined
mathematical model.

• In particular, Eve has quantum computers, can

change Bob’s channel property, detection
efficiency and dark counts rate, etc, etc.

• Unconditional security is the Holy Grail of quantum

crypto.

• We are as conservative as we possibly can. 16

 Prior art on BB84 with imperfect devices

1. Inamori, Lutkenhaus, Mayers (ILM)

2. Gottesman, Lo, Lutkenhaus, Preskill (GLLP)

GLLP: Under (semi-) realistic assumptions,

if imperfections are sufficiently small,
then BB84 is unconditionally secure.

Question: Can we go beyond these results

17
2. Problem

18
 Big Problem: Nice guys come last
Alice:

Problems: 1) Multi-photon signals (bad guys) can be split.

2) Eve may suppress single-photon signals (Good guys).

Bob:

Eve:

Eve may disguise herself as absorption in channel.

QKD becomes INSECURE as Eve has whatever Bob has.
Signature of this attack: Multi-photons are much
more likely to reach Bob than single-photons.
(Nice guys come last). 19
 Yield as a function of photon number
Let us define Yn = yield
= conditional probability that a signal
will be detected by Bob, given that it is
emitted by Alice as an n-photon state.

Bob:

Eve:

For example, with photon number splitting attack:

Y2 = 1 : all two-photon states are detected by Bob.

Y1 = 0 : all single-photon states are lost.
20
 Figures of merits in QKD

• Number of Secure bits per signal (emitted

by Alice).
How long is the final key that Alice and
Bob can generate?

• (Maximal) distance of secure QKD.

How far apart can Alice and Bob be
from each other?

21
 Prior Art Result
Worst case scenario: all multi-photons sent by
Alice reach Bob.
Need to prove that some single photons, , still
reach Bob.

Consider channel transmittance η.

Use weak Poisson photon number distribution:
with average photon number μ = O (η).

Secure bits per signal S = O (η2).

22
 Big Gap between theory and practice of BB84
Theory Experiment
Key generation rate: S = O (η2). S= O (η).
Maximal distance: d ~ 40km. d >130km.
Prior art solutions (All bad):
1) Use Ad hoc security: Defeat main advantage of Q. Crypto. :
unconditional security. (Conservative Theorists unhappy .)
2) Limit experimental parameters: Substantially reduce performance.
(Experimentalists unhappy .)
3) Better experimental equipment (e.g. Single-photon source. Low-
loss fibers. Photon-number-resolving detectors): Daunting
experimental challenges. Impractical in near-future. (Engineers
unhappy .)

Question: How to make everyone except eavesdroppers happy ?

23
 (Recall) Problem: Photon number splitting attack
Let us define Yn = yield
= conditional probability that a signal
will be detected by Bob, given that it is
emitted by Alice as an n-photon state.

Bob:

Eve:

For example, with photon number splitting attack:

Y2 = 1 : all two-photon states are detected by Bob.
Y1 = 0 : all single-photon states are lost.

Yield for multi-photons may be much higher than single-photons.

Is there any way to detect this? 24

 A solution: Decoy State (Toy Model)
Goal: Design a method to test experimentally the yield
(i.e. transmittance) of multi-photons.

Method: Use two-photon states as decoys and test their yield.

Alice: N signals

Bob: x signals

Alice sends N two-photon signals to Bob.

Alice and Bob estimate the yield Y2 = x/N.
If Eve selectively sends multi-photons, Y2 will be abnormally large.
Eve will be caught!

25
 Procedure of Decoy State QKD (Toy Model).
A) Signal state: Poisson photon number distribution μ (at Alice).
B) Decoy state: = two-photon signals

1) Alice randomly sends either a signal state or decoy state

to Bob.
2) Bob acknowledges receipt of signals.
3) Alice publicly announces which are signal states and
which are decoy states.
4) Alice and Bob compute the transmission probability for
the signal states and for the decoy states respectively.

If Eve selectively transmits two-photons, an abnormally high

fraction of the decoy state B) will be received by Bob. Eve will
be caught.
26
 Practical problem with toy model

• Problem: Making perfect two-photon states is

hard, in practice

• Solution (Hwang): Make another mixture of

good and bad guys with a different weight.

27
 Hwang’s original decoy state idea

1) Signal state: Poisson photon number distribution: α

(at Alice). Mixture 1.
2) Decoy state: Poisson photon number distribution: μ~ 2
(at Alice). Mixture 2

W.-Y. Hwang, Phys. Rev. Lett., 91, 057901 (2003)

• If Eve lets an abnormally high fraction of multi-photons go to

Bob, then decoy states (which has high weight of multi-
photons) will have an abnormally high transmission
probability.
• Therefore, Alice and Bob can catch Eve!

28
 Drawback of Hwang’s original idea

1. Hwang’s security analysis was heuristic, rather than

rigorous.

2. ``Dark counts’’---an important effect---are not

considered.

3. Final Results (distance and key generation rate) are

unclear.

29
 Can we make
things rigorous?

YES!

30
3. Our solution:

31
 Experimental observation
2 n
Yield: Q( )  Y0e 
 Y1e   Y2e (
 
)  ...  Yne (

)  ....
2 n!
2 n
Error Rate: Q( ) E( )  Y0e e0  Y1e e1  Y2e ( )e2  ...  Yne (

)en  ....
2 n!

If Eve cannot treat the decoy state any differently from a signal state

Yn(signal)=Yn(decoy), en(signal)=en(decoy)

Yn: yield of an n-photon signal

en : quantum bit error rate (QBER) of an n-photon signal.

N.B. Yield and QBER can depend on photon number only. 32

 IDEA

Try every Poisson distribution μ!

We propose that Alice switches power of her laser
up and down, thus producing as decoy states
Poisson photon number distributions, μ’s for all
possible values of μ’s.
Each μ gives Poisson photon number distribution:

Q( ), E (  )  Yn , enn

33
 Our Contributions
1. Making things rigorous (Combine with entanglement distillation
approach in Shor-Preskill’s proof.)

2. Constraining dark counts (Using vacuum as a decoy state to

constrain the “dark count” rate---probability of false alarm.)

3. Constructing a general theory (Infering all Yn, en.)

Q( ), E (  )  Yn , enn

Conclusion: We severely limit Eve’s eavesdropping strategies.

Any attempt by Eve to change any of Yn, en ‘s will, in principle
be caught.

34
 Old Picture
Theory Experiment
Secure bits per signal: S = O (η2). S= O (η).
Maximal distance: d ~ 40km. d >130km.

There is a big gap between theory and practice of BB84.

35
 NEW Picture
Theory Experiment
Secure bits per signal: S = O (η). S= O (η).
Maximal distance: d >130 km. d >130km.

Security and performance go hand in hand.

36
 Bonus
• The optimal average photon number μ of signal state
can be rather high (e.g. μ = 0.5).

• Experimentalists usually take μ = 0.1 in an ad hoc

manner.

• Using decoy state method, we can surpass current

experimental performance.

Conclusion: Better Theory Better Experiments

37
 Compare results with and without decoy states
The key generation rate as a function of distance
-2
10

-3
10 Key parameters:
-4
GYS Wavelength: 1550nm
10
Channel loss: 0.21dB/km
Signal error rate: 3.3%
Key generate rate

-5
10
Dark count: 8.5*10-7 per pulse
-6
10 Receiver loss and detection
-7
10
efficiency: 4.5%
Error correction ineffiency:
Without Decoy Decoy
-8
10 f(e)=1.22
-9
10
0 20 40 60 80 100 120 140 160 180 200
Transmission distance [km]

The experiment data for the simulation come from the recent paper:
C. Gobby, Z. L. Yuan, and A. J. Shields, Applied Physics Letters, (2004)
38
 Robustness of our results
We found that our results are stable to small
changes in:

1. Dark count probability (20% fluctuation OK)

2. Average photon number of signal states (e.g.,

0.4-0.6 OK)

3. Efficiency of Practical Error Correction

Protocols. (A few percent OK)

39
 Generality of our idea

Our idea appears to be rather general and applies also

to:
1) Open-air and ground to satellite QKD.

2) Other QKD protocols (e.g., Parametric down

conversion based protocols).

3) Perhaps also testing in general quantum

communication and quantum computing protocols.

40
 Related Work

• Using another approach (strong reference

pulse), another protocol (essentially B92)
has recently been proven to be secure with
R=O(η). [Koashi, quant-ph/0403131 ]

• In future, it will be interesting to compare this

approach with ours.

41
 Summary
1. Decoy state BB84 allows:
• Secure bits per signal: O (η)
where η : channel transmittance.
• Distance > 130km

2. Feasible with current technology: Alice just switches

power of laser up and down (and measure
transmittance and error rate).

3. Best of Both Worlds: Can surpass best existing

experimental performance and yet achieve
unconditional security.

42
Theory and Experiment go hand in hand.
43
THE END

44