Editing Quantum key distribution (section)

=== Photon number splitting attack ===
In the BB84 protocol Alice sends quantum states to Bob using single photons. In practice many implementations use laser pulses attenuated to a very low level to send the quantum states. These laser pulses contain a very small number of photons, for example 0.2 photons per pulse, which are distributed according to a [[Poisson distribution]]. This means most pulses actually contain no photons (no pulse is sent), some pulses contain 1 photon (which is desired) and a few pulses contain 2 or more photons. If the pulse contains more than one photon, then Eve can split off the extra photons and transmit the remaining single photon to Bob. This is the basis of the photon number splitting attack,<ref>{{cite journal | last1=Brassard | first1=Gilles | last2=Lütkenhaus | first2=Norbert | last3=Mor | first3=Tal | last4=Sanders | first4=Barry C. | title=Limitations on Practical Quantum Cryptography | journal=Physical Review Letters | publisher=American Physical Society (APS) | volume=85 | issue=6 | date=2000-08-07 | issn=0031-9007 | doi=10.1103/physrevlett.85.1330 | pmid=10991544 | pages=1330–1333| arxiv=quant-ph/9911054 | bibcode=2000PhRvL..85.1330B | s2cid=18688722 }}</ref> where Eve stores these extra photons in a quantum memory until Bob detects the remaining single photon and Alice reveals the encoding basis. Eve can then measure her photons in the correct basis and obtain information on the key without introducing detectable errors.

Even with the possibility of a PNS attack a secure key can still be generated, as shown in the GLLP security proof;<ref name="GLLP" /> however, a much higher amount of privacy amplification is needed reducing the secure key rate significantly (with PNS the rate scales as <math>t^2</math> as compared to <math>t</math> for a single photon sources, where <math>t</math> is the transmittance of the quantum channel).

There are several solutions to this problem. The most obvious is to use a true single photon 
source instead of an attenuated laser. While such sources are still at a developmental stage QKD has been carried out successfully with them.<ref>{{cite journal | last1=Intallura | first1=P. M. | last2=Ward | first2=M. B. | last3=Karimov | first3=O. Z. | last4=Yuan | first4=Z. L. | last5=See | first5=P. | last6=Shields | first6=A. J. | last7=Atkinson | first7=P. | last8=Ritchie | first8=D. A. |display-authors=5| title=Quantum key distribution using a triggered quantum dot source emitting near 1.3μm | journal=Applied Physics Letters | volume=91 | issue=16 | date=2007-10-15 | issn=0003-6951 | doi=10.1063/1.2799756 | page=161103| arxiv=0710.0565 | bibcode=2007ApPhL..91p1103I | s2cid=118994015 }}</ref> However, as current sources operate at a low efficiency and frequency key rates and transmission distances are limited. Another solution is to modify the BB84 protocol, as is done for example in the [[SARG04]] protocol,<ref>{{cite journal | last1=Scarani | first1=Valerio | last2=Acín | first2=Antonio | last3=Ribordy | first3=Grégoire | last4=Gisin | first4=Nicolas | title=Quantum Cryptography Protocols Robust against Photon Number Splitting Attacks for Weak Laser Pulse Implementations | journal=Physical Review Letters | volume=92 | issue=5 | date=2004-02-06 | issn=0031-9007 | doi=10.1103/physrevlett.92.057901 | pmid=14995344 | page=057901| arxiv=quant-ph/0211131 | bibcode=2004PhRvL..92e7901S | s2cid=4791560 }}</ref> in which the secure key rate scales as <math>t^{3/2}</math>. The most promising solution is the [[decoy states]]<ref name="HwangDecoy"/><ref name="VWDecoy"/><ref name="wangDecoy"/><ref name="LoDecoy"/><ref name="PracticalDecoy"/> in which Alice randomly sends some of her laser pulses with a lower average photon number. These decoy states can be used to detect a PNS attack, as Eve has no way to tell which pulses are signal and which decoy. Using this idea the secure key rate scales as <math>t</math>, the same as for a single photon source. This idea has been implemented successfully first at the University of Toronto,<ref>{{cite journal | last1=Zhao | first1=Yi | last2=Qi | first2=Bing | last3=Ma | first3=Xiongfeng | last4=Lo | first4=Hoi-Kwong | last5=Qian | first5=Li | title=Experimental Quantum Key Distribution with Decoy States | journal=Physical Review Letters | publisher=American Physical Society (APS) | volume=96 | issue=7 | date=2006-02-22 | issn=0031-9007 | doi=10.1103/physrevlett.96.070502 | pmid=16606067 | page=070502| hdl=1807/10013 | bibcode=2006PhRvL..96g0502Z | arxiv=quant-ph/0503192 | s2cid=2564853 }}</ref><ref>Y.Zhao, B. Qi, X. Ma, H.-K. Lo, and L. Qian, in Proc. IEEE ISIT, pp. 2094–2098 (2006).</ref> and in several follow-up QKD experiments,<ref>{{cite journal | last1=Yuan | first1=Z. L. | last2=Sharpe | first2=A. W. | last3=Shields | first3=A. J. | title=Unconditionally secure one-way quantum key distribution using decoy pulses | journal=Applied Physics Letters | publisher=AIP Publishing | volume=90 | issue=1 | year=2007 | issn=0003-6951 | doi=10.1063/1.2430685 | page=011118| arxiv=quant-ph/0610015 | bibcode=2007ApPhL..90a1118Y | s2cid=20424612 }}</ref> allowing for high key rates secure against all known attacks.