1. Introduction

Recent trends in quantum technologies suggest a future of quantum computers (QC) having superior computational power [1,2]. Such computational power can efficiently solve hard mathematical problems that are the foundations of security for certain public-key cryptosystems. QCs thus pose a serious threat to our current cryptographic infrastructure. One possible solution can be post-quantum cryptography [3–5] – classical algorithms thought to be secure against quantum attacks – but there is no mathematical proof that these algorithms provide information theoretic security. Thus, in an effort to fight quantum with quantum the trend is towards quantum cryptography [6–8] – more popularly known as quantum key distribution (QKD).

QKD [7,8] uses the laws of quantum mechanics to generate a secret key between two distant parties Alice and Bob. This key then can be used for encryption using one-time-pad and guarantee secure communication. In theory, QKD provides mathematical proof of security by modeling the device behaviors and using the laws of quantum mechanics. However, in practice, devices often behave differently than the assumed model, leaving a gap between theory and practice that can be exploited by an eavesdropper. This gap can be anywhere in the system implementation such as measurement devices [9,10], monitoring systems [11], assumption in the security proofs [12], leakage of information [13–15], change of characteristics [16,17], imperfect sources [18,19], imperfect detector characteristics [20–23] etc. It is essential for QKD security to explore and identify these gaps and characterize them in order to assess the threat. In this work we analyze one such gap – detector-efficiency mismatch [20,21,23,24]– and analyze its effects.

A fundamental assumption in QKD security proofs is that the measurement outcomes should be independent of the measurement bases and Eve should not have any control over them. In ideal QKD, it is impossible for Eve to control the measurement outcomes without introducing errors called quantum bit error rate (QBER). However, in practice, there might be implementation vulnerabilities that allow Eve to have this control. For example, if there is a sensitivity mismatch among the detectors for a certain degree of freedom of the incoming photons, Eve can modify that degree of freedom so that one detector becomes more sensitive compared to another [20–22,24,25]. This can happen in the time degree of freedom: implementation vulnerability may make one detector more sensitive in a particular time window than the others. In this case, Eve can shift the arrival time of certain pulses to coincide with that window. Thus, detection events occurring in that particular time-window have a higher chance of occurring in the sensitive detector and a bias is achieved. Similarly, if the detector sensitivity varies with spatial-mode of the incoming light [20], Eve can send light at certain angle ($\phi$, $\theta$) to create a bias among the detector sensitivity and achieves a control. The demonstration of exploiting such spatial-mode-sensitivity-mismatch was shown in [21,22] while the security proofs against such attacks are reported in Refs. [26–29].

A countermeasure to the detector-efficiency-mismatch type attacks presented in [20,24,25], was proposed in Refs. [30] that involves randomly changing the roles of the detectors to hash out any mismatch in the detection system and reduce efficiency mismatch. However, it is not clear how effective the countermeasure is when one considers that detectors operate on optical modes rather than on single-photon signals as mentioned in [21]. In this paper, we scrutinize the effectiveness of this countermeasure. In Section 2, we introduce and review some necessary details of the spatial-mode-efficiency-mismatch attack reported in [21]. In Section 3, we simulate a detector scrambling countermeasure and show the countermeasure blocks the side-channel. Then in Section 4, we show how the scrambling countermeasure can be bypassed by resorting to a more general attack strategy. We conclude in Section 5.

2. Review of detection efficiency mismatch

We shall assume a polarization-encoded Bennett-Brassard (BB84) QKD scheme with passive basis-choice implementation as shown in Fig. 1(a). The beam splitter (BS) is used for selecting the HV or DA bases and the polarization beam splitters (PBSs) followed by two detectors are used to measure the polarization in a basis. Detectors h and v are used for measuring the incoming H and V polarized light while detectors d and a are used for measuring D and A polarized light respectively.

 

Fig. 1. a) Schematic of a typical BB84 receiver setup with four photodetectors. The labels indicate the case when there is incoming $H$-polarized light.b) Spatial efficiency mismatch in detectors h and v when looked from the channel. Blue and Red regions indicate the efficiencies – as a function of illumination angle ($\phi$, $\theta$) – of the h and v detectors respectively where one detector is on while the other is off . The green region indicates ranges of ($\phi$, $\theta$), where both detectors are equally sensitive. None of the detectors are sensitive in the white region. For a mismatch of this kind, an adversary can utilize this to get some information about the key.

Download Full Size | PDF

The efficiency-mismatch side-channel is explained with the help of Fig. 1(b). Here we show how the sensitivity of the $h$ and $v$ detectors varies in response to the angle of the incoming light. The circle on the left (right) shows the sensitive area of detector $h (v)$. Outside the circle the sensitivity is zero (in practical detectors, sensitivity does not go to zero so abruptly, but this simple assumption serves the purpose to explain the concept). In the overlapping (green) region, both the detectors are equally sensitive. However, if the light is sent towards the red (blue) region, detector $v (h)$ has a higher sensitivity than the $h (v)$ detector. Eve can stage a faked-stage attack to exploit this bias.

The faked-state attack considered in Ref. [21] is based on the following assumptions. Eve is present outside Alice’s lab. She intercepts and measures the signal going towards Bob. Then she reproduces another pulse with the same polarization as her measurement outcome but with different mean photon number, and sends it towards Bob at an angle where the target detector has a higher sensitivity compared to others. More specifically, if Eve’s measurement outcome is $j$, she reproduces $j$ polarized light with mean photon number $\mu _j$ and sends it at an angle where detector $j$ has a higher sensitivity than the other three detectors. This angle is referred to as the attack angle for detector $j$. She uses a lossless channel to overcome the channel loss and maximize her target detection probabilities. The sifted key rate and QBER in Eve’s presence become (derived in Section 5)

 

Fig. 2. Simulated QBER vs line loss. The dotted green curve shows QBER without EVE. The lower two solid curve (red and blue) indicates the results obtained in [21]. The blue curve shows the optimized $QBER_e$ when Eve matches the Bob compares the total sifted key rate with the expected Alice-Bob sifted key rate $R_{ab}$. The red curve shows the optimized $QBER_e$ when Eve matches the rate for individual channels like $R_{ab} = R_{e}(j)$ where $j \in \{\mathrm {h,v,d,a}\}$. The upper solid curve shows the optimized QBER in presence of detector scrambling countermeasure. It can be seen that the QBER is raised significantly and Bob can smoke out Eve’s presence with this countermeasure.

Download Full Size | PDF

3. Detector scrambling countermeasure

In this section we discuss the general detector scrambling countermeasure outlined in [30] and investigate its effectiveness in preventing the attack. Let us assume that a half-wave plate (HWP) is placed in front of the BS in Fig. 1. By rotating the axis of the HWP Bob can rotate the incoming polarization by $\theta _{B} = 0~^{\circ} , 45~^{\circ} , 90~^{\circ}$ and $135~^{\circ}$. When $\theta _{B} = 0~^{\circ}$, the detectors marked by h,v,d and a are used to detect incoming horizontal (H), vertical (V), diagonal (D) and anti-diagonal (A) polarized lights respectively. When $\theta _{B} = 90~^{\circ}$ , the bases are unchanged but the roles of each detector is inverted, i.e, detector marked h measures V and vice versa. In case of $\theta _{B} = 45~^{\circ}$, the roles of each basis is flipped and finally for $\theta _{B} = 135~^{\circ}$ both the roles of each basis and each detector is flipped, i.e, a detector marked h measures D and A when $\theta _{B} = 45~^{\circ}$ and $\theta _{B} = 135~^{\circ}$ respectively. Thus, by randomly changing the incoming polarization by a HWP, it is possible for Bob to scramble the roles of both his bases and detectors.

In the following, we assume Bob scrambles his detectors with equal a-priori probability. The sifted key rate $R_e(j|\theta _B)$ and error rate $E_{j|\theta _B }$ in the presence of Eve given she sends $j$ polarized light – towards attack angle $j$ with mean photon number $\mu _j$ – and Bob applies $\theta _B$ rotation, can be derived similar to Eqs. (7) to (9) as presented in Section 5. Thus, the total sifted key rate $R_e^s$ and $QBER_e^s$ with Eve’s attack and Bob applying scrambling countermeasure become:

4. Detector-scrambling-bypass strategy

So far, we have assumed that when Eve sends a $j$ polarized light, it is always sent towards attack angle $j$ with mean photon number $\mu _j$. In this section, we discard this assumption to generalize the attack. In particular, we assume, when Eve sends a $j$ polarized light, it can be directed towards any of the four attack angles $k \in \{ h,v,d,a\}$ with mean photon number $\mu _j^k$ and probability $f_j^k$ with $\sum _k f_j^k = 1$. Let $p_i^k(j|\theta _{B})$ be the raw click probability at Bob’s detector $i$, given Eve sent a $j$-polarized light towards attack angle $k$ with mean photon number $\mu _j^k$ that has been rotated by an angle $\theta _{B}$ during scrambling.

Let $R_e^k(j|\theta _{B})$ be the sifted key rate when Eve sends j polarized light at k attack angle with Bob rotating the polarization by angle $\theta _{B}$. By deriving $R_e^k(j|\theta _{B})$ using similar analysis as Eq. (17)–(20) we get,

 

Fig. 3. QBER versus line loss with Eve’s improved attack. The dotted green curve shows QBER without EVE. The blue and red curves indicate $QBER_e$ when Bob matches $R_{ab}$ with total sifted key rate and individual channel rates respectively. For our attack model, we have considered that if Alice and Bob are willing to accept a slight increase of QBER by less than $1\%$, $2\%$ and $5\%$, Eve can manipulate the mean photon numbers to attack the system for a line loss upto 16 dB,17 dB and 20 dB respectively.

Download Full Size | PDF

Figure 4(a) and Fig. 4(b) show the optimized probabilities $f_j^k$ and mean photon number per pulse chosen by Eve for a channel loss of 6 dB respectively. For a certain channel loss, Eve has to follow a specific blueprint to attack the system. For example, the probability plot in Fig. 4(a) shows that Eve sends V polarized light at V attack angle with higher probability than others. On the other hand, Eve has to send V polarized light with higher mean photon number than other polarizations as shown in Fig. 4(b). For different channel loss the value of the optimized free parameters will be different. Moreover, These scenarios are entirely dependent on the specific mismatch present in the system. In Section 2, we have reviewed a specific detector-efficiency-mismatch strategy: whenever Eve sent a $j$ polarized light, it was always sent towards attack angle $j$ with mean photon number $\mu _j$. The power of this strategy was limited as explained in Section 3: by simply changing the roles of the detectors and bases, Eve’s presence could be identified. In this section we attempt to generalize our attack strategy. In particular, we assume that Eve can send the $j$ polarized light towards any of the four attack angles $k \in \{ h,v,d,a\}$ with mean photon number $\mu _j^k$ and probability $f_j^k$ where $\sum _k f_j^k = 1$. The intuition behind this strategy is that it brings new free parameters into the optimization which Eve could adjust to her advantage as described next.

 

Fig. 4. a) Scatter plot of probability $f_j^k$ at channel loss of 6 dB. In the detection-scrambling-bypass strategy Eve would send a specific polarized light at all attack angles with a specific probability distribution. Each column indicates the attack angles and each row represents the polarization of light sent by Eve. We see that in most of the cases Eve sends $H$-polarized light at $h$ attack angle and so on. b) Scatter plot of mean Photon number at a channel loss of 6 dB with same column and row representation. In this case, if Eve wants to manage a successful attack, she needs to send $V$-polarized light more at $H$-attack angle than that at $V$-polarized light. Thus, depending on the window where there is total efficiency mismatch Eve needs to deploy her faked states following a specific blueprint.

Download Full Size | PDF

5. Conclusion

In this work, we have shown that randomizing the roles of the detectors cannot function as an efficient countermeasure against detector-efficiency-mismatch type attacks. Although it can prevent the original attack proposed in Ref. [21], it fails to do so when a more general strategy is followed. The general strategy works even when Bob uses any non-uniform a priori scrambling probabilities.

We note that no two practical setups will have an exact mismatch, and hence it would not be possible for Eve to acquire one prototype to learn the mismatch of the target system. However, according to Kerckhoff’s principle [31] quantum cryptography assumes that except for the key, Eve knows all the system’s imperfections. So, to guarantee unconditional security in theory, we need to assume that Eve knows the exact details of the mismatch and Bob’s scrambling countermeasure to optimize her attack. From a practical point of view, Eve can listen to Bob’s classical communication channel while sending a small fraction of faked states at different spatial angles to get an estimate of the efficiency mismatch [32]. Eve can pursue a similar strategy to estimate Bob’s detector scrambling statistics. Thus, unless new techniques are proposed to strengthen the existing detector-scrambling countermeasure strategies, it cannot guarantee security against detector efficiency mismatch based attacks. The result and methodology in this paper could be used to scrutinize a free-space quantum communication receiver against detector-efficiency-mismatch type attacks.

Appendix A: Sifted key rate and QBER during attack

To derive the key rate and QBER formula in Eve’s presence, Ref [21] started with a system with only Eve and Bob. Let us consider Eve is sending a $j$-polarized pulse to Bob with mean photon number $\mu _j$ towards the attack angles $j$. Let $p_i(j)$ be the raw click probability at detector $i$ while incoming light is $j$ polarized. For Eve sending $H$ polarized light, these probabilities are:

(5)$$\begin{aligned}& p_h(H) \approx ~c_h + 1 - \exp(-\frac{\mu_H F \eta_h(H)}{2}) \\ & p_v(H) \approx ~c_v + 1 - \exp(-\frac{\mu_H (1-F) \eta_v(H)}{2}) \\ & p_{d(a)}(H) \approx ~c_{d(a)} + 1 - \exp(-\frac{\mu_H \eta_{d(a)}(H)}{4}) \end{aligned}$$

Here, $c_i$ is the dark count probability per bit slot at the $i$-th detector, F is the fidelity and $\eta _i(j)$ is the probability of detection at Bob’s $i$-th detector given Eve sent $j$-polarized light. We assume that when Bob registers a multiple click, he performs a squashing operation [33–35]. 1 shows the cases where Bob makes his decisions based on the clicks on his detectors. All other cases are discarded in the squashing model. Let $\mathrm {P_{k}(l)}$ (where $k \in \{hv,da\}$, $l \in \{H,V,D,A\}$) be the probability that Bob measures in the $k$ basis given the incoming light is $l$ polarized. Then $P_{hv}(H)$ can be computed from cases $1$, $2$ and $5$ in 1 as:

(6)$$\begin{aligned}P_{hv}(H) &= p_h(H)[1 - p_d(H)][1 - p_a(H)][1 - p_v(H)] \\ & \quad + p_v(H)[1 - p_d(H)][1 - p_a(H)][1 - p_h(H)] \\ & \quad + p_v(H)p_h(H)[1 - p_d(H)][1 - p_a(H)] \\ & = [1 - p_d(H)][1 - p_a(H)] \\ & \quad \times [p_h(H) + p_v(H) - p_h(H)p_v(H)]. \end{aligned}$$

Table 1. Possible outcome of events after squashing.

View Table | View all tables in this article

The probabilities $P_{hv}(V),P_{da}(D),P_{da}(A)$ can be calculated similarly. Now we include Alice into the picture. We first assume the case where Alice sends a $H$-polarized light. The possible scenarios are shown in Fig. 5. It is sufficient to consider only the cases when Bob measures in same basis as Alice (HV in this case) as the other cases will be discarded during sifting. Here we assume, Eve measures Alice’s outgoing signal in $HV$ or $DA$ basis with equal a-priory probability using a measurement setup having perfect detection efficiency and no dark count. Thus, with $50\%$ probability she measures in the correct (incorrect) basis and sends the correct (incorrect) state to Bob. Let $R_e(j)$ be the sifted key rate with Eve’s presence given Alice sent a $j$ polarized light. Following Fig. 5, $R_e(j)$ can be given by,

(7)$$R_e(H) \approx \frac{1}{2} P_{hv}(H) + \frac{1}{4} P_{hv}(D) + \frac{1}{4} P_{hv}(A)$$

The error rate with Eve given Alice sends a $H$ polarized light can also be calculated with the help of Fig. 5. When Eve measures in the same basis as Alice, she introduces no error (assuming perfect fidelity at Bob). However, when she measures in the wrong basis (in this case, $DA$) there is some probability of error. Let $\mathrm {P_i(j)}$ be the probability that, after squashing, Bob decides on outcome $i$ given incoming light was $j$-polarized light. Thus, $\mathrm {P_v(H)}$ would be,

(8)$$\mathrm{P_v(H)} = [p_v(H) - \frac{p_h(H) p_v(H)}{2}][1 - p_d(H)][1-p_a(H)]$$

 

Fig. 5. A Bayesian network showing the possible scenarios if Alice sends $H$-polarized light and Bob measure in $HV$-basis. This only portrays a scenario where fidelity is 1.0 with no dark counts.

Download Full Size | PDF

According to Fig. 5, Bob can measure a $v$ only when Eve sends a D or A polarized light (we disregard the case that Bob gets a $v$ when Eve sends a $H$). The probability of each of these cases is shown in Fig. 5 to be $1/8$. Thus the error rate $E_H$ conditioned on Alice sending $H$-polarized light can be expressed as:

(9)$$E_H = \frac{1}{8} \mathrm{P_v(D)} + \frac{1}{8} \mathrm{P_v(A)}$$

In deriving Eqs. (7) to (9), we have assumed simplified cases. In a more general scenario, we also need to consider $P_{hv}(V)$ since the setup may have imperfect fidelity and dark counts in the photodetectors. Let $P_c^e$ and $P_w^e$ be the probability that Eve measures Alice’s signal in the correct basis and gets a click in the correct and wrong photodetector respectively. Let, $P_{nc}^e$ be the probability that Eve measures in the non-compatible or wrong basis. We can then modify Eq. (7) for the case of sifted key rate when there is incoming $H$-polarized light. Thus, the sifted key rate can be written from [21] in the following form

(10)$$\begin{aligned}R_e(H) \approx &P_c^e P_{hv}(H) + P_w^e P_{hv}(V) + P_{nc}^e [ P_{hv}(D) + P_{hv}(A)] \\ & + (1 - P_c^e - P_w^e - 2P_{nc}^e) (c_h + c_v - c_h c_v) \end{aligned}$$

Similarly, we can modify Eq. (9) to calculate the error rate with Eve in between, when Alice sends $H$-polarized light. If Bob has a click in the $v$ photodetector with incoming $H$-polarized light then that would be an error case with Eve measuring Alice’s signal in the correct basis. Similarly, for other cases where Eve measures in the correct basis but gets a click in the wrong photodetector and Eve measuring in the wrong basis, if Bob gets a click in the $v$ photodetector that would count as an error and can be expressed in the following form:

(11)$$\begin{aligned}E_H \approx &P_c^e \mathrm{P_v(H)} + P_w^e \mathrm{P_v(V)} + P_{nc}^e [\mathrm{P_v(D)} + \mathrm{P_v(A)}] \\ & + (1 - P_c^e - P_w^e - 2 P_{nc}^e) (c_v - \frac{c_v c_h}{2}) \end{aligned}$$

Sifted key rates and QBERs during attack given Alice sends $V$, $D$ and $A$ polarized light can be calculated similarly. The total sifted key rate and QBER in Eve’s presence become

(12)$$\begin{aligned} & R_e = \frac{1}{4} \sum_{j = H,V,D,A} R_e(j),\\ & \textrm{QBER}_e =\frac{1}{4 R_e} \sum_{j = H,V,D,A} E_j. \end{aligned}$$

Appendix B: Sifted key rate and QBER with scrambling countermeasure

For detector scrambling countermeasure, we assume Bob's measurement setup with a half-wave plate (HWP) as shown in Fig. 6. Let $p_i(j | \theta _B)$ be the raw click probability at Bob’s $i$-th detector given Eve sends $j$ polarized light with mean photon number $\mu _j$ directed towards attack angle $j$ which is rotated by Bob by an angle $\theta _{B}$. The probabilities for $\theta _B = 0^{\circ} , 45~^{\circ} , 90~^{\circ}$ and $135~^{\circ}$ can be derived similar to Eq. (5). When $\theta _B = 0~^{\circ}$:

(13)$$\begin{aligned} & p_h(H | 0^{{\circ}}) \approx ~c_h + 1 - \exp(-\frac{\mu_H F \eta_h(H)}{2})\\ & p_v(H | 0^{{\circ}}) \approx ~c_v + 1 - \exp(-\frac{\mu_H (1-F) \eta_v(H)}{2})\\ & p_{d(a)}(H | 0^{{\circ}}) \approx ~c_{d(a)} + 1 - \exp(-\frac{\mu_H \eta_{d(a)}(H)}{4}) \end{aligned}$$

When $\theta _B = 45~^{\circ}$ the $H$-polarized light is rotated to a $D$-polarized light and corresponding raw click probabilities become:

(14)$$\begin{aligned} & p_d(H | 45^{{\circ}}) \approx c_d + 1 - exp(-\frac{\mu_H F \eta_d(H)}{2}) \\ & p_a(H | 45^{{\circ}}) \approx c_a + 1 - exp(-\frac{\mu_H (1-F) \eta_a(H)}{2}) \\ & p_{h(v)}(H | 45^{{\circ}}) \approx c_{h(v)} + 1 - exp(-\frac{\mu_H \eta_{h(v)}(H)}{4}) \end{aligned}$$

For $\theta _{B} = 90~^{\circ}$:

(15)$$\begin{aligned} & p_v(H | 90^{{\circ}}) \approx c_v + 1 - exp(-\frac{\mu_H F \eta_v(H)}{2})\\ & p_h(H | 90^{{\circ}}) \approx c_h + 1 - exp(-\frac{\mu_H (1-F) \eta_h(H)}{2})\\ & p_{d(a)}(H | 90^{{\circ}}) \approx c_{d(a)} + 1 - exp(-\frac{\mu_H \eta_{d(a)}(H)}{4}) \end{aligned}$$

and finally for $\theta _B = 135~^{\circ}$:

(16)$$\begin{aligned} & p_a(H | 135^{{\circ}}) \approx c_a + 1 - exp(-\frac{\mu_H F \eta_a(H)}{2}) \\ & p_d(H | 135^{{\circ}}) \approx c_d + 1 - exp(-\frac{\mu_H (1-F) \eta_d(H)}{2})\\ & p_{h(v)}(H | 135^{{\circ}}) \approx c_{h(v)} + 1 - exp(-\frac{\mu_H \eta_{h(v)}(H)}{4}) \end{aligned}$$

Let $R_e(j|\theta _B)$ be the sifted key rate in the presence of Eve given she sends $j$ polarized light – towards attack angle $j$ with mean photon number $\mu _j$ – and Bob applies $\theta _B$ rotation on it. Using similar analysis used for deriving Eq. (10), we can find the rates for different $\theta _B$. For example,

(17)$$\begin{aligned}R_e(H|&0^{{\circ}}) \approx P_{c}^{e}P_{hv}(H|0^{{\circ}}) + P_{w}^{e}P_{hv}(V |0^{{\circ}}) \\ & + P_{nc}^{e}[P_{hv}(D|0^{{\circ}}) + P_{hv}(A | 0^{{\circ}})] \\ & + (1 - P_{c}^{e} - P_{w}^{e} - 2P_{nc}^{e}) (c_{h} + c_{v} - c_{h} c_{v}) \end{aligned}$$

(18)$$\begin{aligned}R_e(H|&90^{{\circ}}) \approx P_{c}^{e}P_{hv}(H|90^{{\circ}}) + P_{w}^{e}P_{hv}(V |90^{{\circ}}) \\ & + P_{nc}^{e}[P_{hv}(D|90^{{\circ}}) + P_{hv}(A | 90^{{\circ}})] \\ & + (1 - P_{c}^{e} - P_{w}^{e} - 2P_{nc}^{e}) (c_{h} + c_{v} - c_{h} c_{v}) \end{aligned}$$

(19)$$\begin{aligned}R_e(H|&45^{{\circ}}) \approx P_{c}^{e}P_{da}(H|45^{{\circ}}) + P_{w}^{e}P_{da}(V |45^{{\circ}}) \\ & + P_{nc}^{e}[P_{da}(D|45^{{\circ}}) + P_{da}(A | 45^{{\circ}})] \\ & + (1 - P_{c}^{e} - P_{w}^{e} - 2P_{nc}^{e}) (c_{d} + c_{a} - c_{d} c_{a}) \end{aligned}$$

(20)$$\begin{aligned}R_e(H|&135^{{\circ}}) \approx P_{c}^{e}P_{da}(H |135^{{\circ}}) + P_{w}^{e}P_{da}(V |135^{{\circ}}) \\ & + P_{nc}^{e}[P_{da}(D|135^{{\circ}}) + P_{da}(A | 135^{{\circ}})] \\ & + (1 - P_{c}^{e} - P_{w}^{e} - 2P_{nc}^{e}) (c_{d} + c_{a} - c_{d} c_{a}) \end{aligned}$$

We assume in our model that Bob is scrambling the role of the photodetectors with equal a-priori probabilities. Thus, modifying Eq. (1) and averaging Bob’s rate for each $\theta _B$ (that accounts for the extra $\frac {1}{4}$ factor), we obtain Bob’s total sifted key rate:

(21)$$R_e^s = \frac{1}{4} \sum_{j = H,V,D,A} \frac{1}{4}\sum_{\theta= 0^{{\circ}},45^{{\circ}},90^{{\circ}},135^{{\circ}}} R_e(j | \theta)$$

The error rates conditioned on Alice sending $H$-polarized light and Bob applying $\theta _B \in \{0~^{\circ} ,45~^{\circ} ,90~^{\circ} ,135~^{\circ} \}$ rotation can be calculated similar to Eq. (11) in previous section. They are:

(22)$$\begin{aligned}E_{H| 0^{{\circ}}} & \approx P_{c}^{e} \mathrm{P_{v}(H|0^{{\circ}})} + P_{w}^{e}\mathrm{P_{v}(V|0^{{\circ}})} \\ & + P_{nc}^{e}[\mathrm{P_v(D|0^{{\circ}})} + \mathrm{P_v(A|0^{{\circ}})}] \\ & + (1 - P_{c}^{e} - P_{w}^{e} - P_{nc}^{e})(c_v - \frac{c_v c_h}{2}) \end{aligned}$$

(23)$$\begin{aligned}E_{H| 90^{{\circ}}} & \approx P_{c}^{e} \mathrm{P_{h}(H|90^{{\circ}})} + P_{w}^{e}\mathrm{P_{h}(V|90^{{\circ}})} \\ &+ P_{nc}^{e}[\mathrm{P_h(D|90^{{\circ}})}+ \mathrm{P_h(A|90^{{\circ}})}] \\ & + (1 - P_{c}^{e} - P_{w}^{e} - P_{nc}^{e})(c_v - \frac{c_v c_h}{2}) \end{aligned}$$

(24)$$\begin{aligned} E_{H| 45^{{\circ}}} & \approx P_{c}^{e} \mathrm{P_{a}(H|45^{{\circ}})} + P_{w}^{e}\mathrm{P_{a}(V|45^{{\circ}})} \\ &+ P_{nc}^{e}[\mathrm{P_a(D|45^{{\circ}})}+\mathrm{P_a(A|45^{{\circ}})}] \\ & + (1 - P_{c}^{e} - P_{w}^{e} - P_{nc}^{e})(c_v - \frac{c_v c_h}{2}) \end{aligned}$$

(25)$$\begin{aligned} E_{H| 135^{{\circ}}} & \approx P_{c}^{e} \mathrm{P_{d}(H|135^{{\circ}})} + P_{w}^{e}\mathrm{P_{d}(V|135^{{\circ}})} \\ &+ P_{nc}^{e}[\mathrm{P_d(D|135^{{\circ}})}+ \mathrm{P_d(A|135^{{\circ}})}] \\ & + (1 - P_{c}^{e} - P_{w}^{e} - P_{nc}^{e})(c_v - \frac{c_v c_h}{2}) \end{aligned}$$

Here, $\mathrm {P_{i}(j|\theta _B)}$ is the probability that outcome $i$ is selected by Bob after squashing given that Eve has sent $j$-polarized light which was rotated by Bob by an angle $\theta _B$. So, modifying Eq. (8) we get,

(26)$$\begin{aligned}\mathrm{P_v(H|\theta)} & = [p_v(H|\theta) - \frac{p_h(H|\theta)p_v(H|\theta)}{2}] \\ & \times[1-p_d(H|\theta)][1-p_a(H|\theta)] \end{aligned}$$

The total QBER in Eve’s presence becomes:

(27)$$ QBER_e^s = \frac{1}{4R_e} \sum_{j=H,V,D,A} \frac{1}{4}\sum_{\theta= 0^{{\circ}},45^{{\circ}},90^{{\circ}},135^{{\circ}}} E_{j | \theta} $$

In a plausible scenario, if Bob applies $\theta _B = 45~^{\circ}$ and expects an incoming H polarized light from Alice, he will be expecting a click in his d detector. But if the light is coming from Eve, it will be directed towards, the H attack angle where the h detector has the highest efficiency. This increases the error rate. Simulations also verify that, scrambling the role of detectors can smoke out Eve’s presence.

 

Fig. 6. Bob’s measurement setup during scrambling

Download Full Size | PDF

Appendix C: Details on optimization

The objective of our optimization is to minimize the QBER during attack– for a given loss- while maintaining the rates expected by Alice-Bob so that Eve’s presence is not detected. The free parameters – that Eve can optimize – are the mean photon numbers $\mu _j^k$ and probabilities $f_j^k$. The optimization is performed using an ‘interior-point’ algorithm in MATLAB. The optimization can be expressed as:

(28)$$\begin{cases} minimize ~~ QBER_e^s = & f[\eta_0, \mu_j^k, \eta_i(j), F, c_i, f_j^k]\\ constraint: & R_{ab} = R_e(j)\\ Tolerance: & 1e-6 \end{cases}$$

Here, $\mu _j, \eta _i(j), F, c_i$ have been introduced in previous sections and $\eta _0$ is the inherent detector efficiency in Bob receiver. The optimization terminates if the constraints are satisfied within the tolerable range of $1e-6$. For a line loss of $x_{loss}$ the overall efficiency is defined as:

(29)$$ \eta_0 = 0.2 \times 10^{(- \frac{x_{loss}}{10})} $$

‘Interior-point’ algorithm can be greatly affected by the initial values of the variables. For our optimization, we started with random initial conditions for $x_{loss} = 3~ dB$. We found the minimum QBER value for this case as well as the corresponding $\mu _j^k$ and $f_j^k$ values. For the optimizations of higher $x_{loss}$ values we took the results of previous optimization step to be the initial values of current optimization. 2 presents the data for $\eta _i(j)$ taken from [21].

Table 2. Detection probabilities of Bob’s detector

View Table | View all tables in this article

Disclosures

The authors declare no conflicts of interest.

References

1. W. Knight, “Ibm raises the bar with a 50-qubit quantum computer,” Tech. rep., MIT Technology Review (2017).

2. D. Castelvecchi, “Quantum computers ready to leap out of the lab in 2017,” Tech. rep., Nature News (2017).

3. R. C. Merkle, “Secrecy, authentication, and public key systems,” Ph.D. thesis, Stanford University (1979).

4. R. J. Mceliece, “A public-key cryptosystem based on algebraic,” Coding Thv 4244, 114–116 (1978).

5. J. Hoffstein, J. Pipher, and J. H. Silverman, “Ntru: A ring-based public key cryptosystem,” in International Algorithmic Number Theory Symposium, (Springer, 1998267–288

6. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, (IEEE Press, New York, Bangalore, India, 1984175–179

7. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74(1), 145–195 (2002). [CrossRef]  

8. V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301–1350 (2009). [CrossRef]  

9. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4(10), 686–689 (2010). [CrossRef]  

10. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” Nat. Commun. 2(1), 349 (2011). [CrossRef]  

11. S. Sajeed, I. Radchenko, S. Kaiser, J.-P. Bourgoin, A. Pappa, L. Monat, M. Legré, and V. Makarov, “Attacks exploiting deviation of mean photon number in quantum key distribution and coin tossing,” Phys. Rev. A 91(3), 032326 (2015). [CrossRef]  

12. S. Sajeed, A. Huang, S. Sun, F. Xu, V. Makarov, and M. Curty, “Insecurity of detector-device-independent quantum key distribution,” Phys. Rev. Lett. 117(25), 250505 (2016). [CrossRef]  

13. N. Jain, E. Anisimova, I. Khan, V. Makarov, C. Marquardt, and G. Leuchs, “Trojan-horse attacks threaten the security of practical quantum cryptography,” New J. Phys. 16(12), 123030 (2014). [CrossRef]  

14. S. Sajeed, C. Minshull, N. Jain, and V. Makarov, “Invisible trojan-horse attack,” Sci. Rep. 7(1), 8403 (2017). [CrossRef]  

15. P. V. P. Pinheiro, P. Chaiwongkhot, S. Sajeed, R. T. Horn, J.-P. Bourgoin, T. Jennewein, N. Lütkenhaus, and V. Makarov, “Eavesdropping and countermeasures for backflash side channel in quantum cryptography,” Opt. Express 26(16), 21020–21032 (2018). [CrossRef]  

16. V. Makarov, J.-P. Bourgoin, P. Chaiwongkhot, M. Gagné, T. Jennewein, S. Kaiser, R. Kashyap, M. Legré, C. Minshull, and S. Sajeed, “Creation of backdoors in quantum communications via laser damage,” Phys. Rev. A 94(3), 030302 (2016). [CrossRef]  

17. A. N. Bugge, S. Sauge, A. M. M. Ghazali, J. Skaar, L. Lydersen, and V. Makarov, “Laser damage helps the eavesdropper in quantum cryptography,” Phys. Rev. Lett. 112(7), 070503 (2014). [CrossRef]  

18. C. H. Bennett, F. Bessette, L. Salvail, G. Brassard, and J. Smolin, “Experimental quantum cryptography,” J. Cryptology 5(1), 3–28 (1992). [CrossRef]  

19. F. Xu, K. Wei, S. Sajeed, S. Kaiser, S. Sun, Z. Tang, L. Qian, V. Makarov, and H.-K. Lo, “Experimental quantum key distribution with source flaws,” Phys. Rev. A 92(3), 032305 (2015). [CrossRef]  

20. V. Makarov, A. Anisimov, and J. Skaar, “Effects of detector efficiency mismatch on security of quantum cryptosystems,” Phys. Rev. A 74(2), 022313 (2006). [CrossRef]  

21. S. Sajeed, P. Chaiwongkhot, J.-P. Bourgoin, T. Jennewein, N. Lütkenhaus, and V. Makarov, “Security loophole in free-space quantum key distribution due to spatial-mode detector-efficiency mismatch,” Phys. Rev. A 91(6), 062301 (2015). [CrossRef]  

22. M. Rau, T. Vogl, G. Corrielli, G. Vest, L. Fuchs, S. Nauerth, and H. Weinfurter, “Spatial mode side channels in free-space qkd implementations,” IEEE J. Sel. Top. Quantum Electron. 21(3), 187–191 (2015). [CrossRef]  

23. P. Chaiwongkhot, K. B. Kuntz, Y. Zhang, A. Huang, J.-P. Bourgoin, S. Sajeed, N. Lütkenhaus, T. Jennewein, and V. Makarov, “Eavesdropper’s ability to attack a free-space quantum-key-distribution receiver in atmospheric turbulence,” Phys. Rev. A 99(6), 062315 (2019). [CrossRef]  

24. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum cryptosystems,” Quant. Inf. Comp. 7, 73–82 (2007).

25. V. Makarov and J. Skaar, “Faked states attack using detector efficiency mismatch on SARG04, phase-time, DPSK, and Ekert protocols,” Quant. Inf. Comp. 8, 622–635 (2008).

26. C. F. Fung, K. Tamaki, B. Qi, H. Lo, and X. Ma, “Security proof of quantum key distribution with detection efficiency mismatch,” Quantum Inf. Comput. 9, 131–165 (2009).

27. Y. Zhang, P. J. Coles, A. Winick, J. Lin, and N. Lütkenhaus, “Security proof of practical quantum key distribution with detection-efficiency mismatch,” Phys. Rev. Res. 3(1), 013076 (2021). [CrossRef]  

28. A. Trushechkin, “Security of quantum key distribution with detection-efficiency mismatch in the multiphoton case,” arXiv preprint arXiv:2004.07809 (2020).

29. M. Bochkov and A. Trushechkin, “Security of quantum key distribution with detection-efficiency mismatch in the single-photon case: Tight bounds,” Phys. Rev. A 99(3), 032308 (2019). [CrossRef]  

30. T. F. da Silva, G. C. do Amaral, G. B. Xavier, G. P. Temporão, and J. P. von der Weid, “Safeguarding quantum key distribution through detection randomization,” IEEE J. Sel. Top. Quantum Electron. 21(3), 159–167 (2015). [CrossRef]  

31. A. Kerckhoffs, “La cryptographie militaire,” J. des sciences militaires IX, 5–83 (1883).

32. V. Makarov and D. R. Hjelme, “Faked states attack on quantum cryptosystems,” J. Mod. Opt. 52(5), 691–705 (2005). [CrossRef]  

33. N. J. Beaudry, T. Moroder, and N. Lütkenhaus, “Squashing models for optical measurements in quantum communication,” Phys. Rev. Lett. 101(9), 093601 (2008). [CrossRef]  

34. T. Tsurumaru and K. Tamaki, “Security proof for quantum-key-distribution systems with threshold detectors,” Phys. Rev. A 78(3), 032302 (2008). [CrossRef]  

35. O. Gittsovich, N. J. Beaudry, V. Narasimhachar, R. R. Alvarez, T. Moroder, and N. Lütkenhaus, “Squashing model for detectors and applications to quantum-key-distribution protocols,” Phys. Rev. A 89(1), 012325 (2014). [CrossRef]