QQuantum-Space Attacks
Ran Gelles Tal MorTechnion - Israel Institute of TechnologyComputer Science Department { gelles, talmo } @cs.technion.ac.il November 11, 2018
Abstract
Theoretical quantum key distribution (QKD) protocols commonly rely on the use of qubits (quantumbits). In reality, however, due to practical limitations, the legitimate users are forced to employ a largerquantum (Hilbert) space, say a quhexit (quantum six-dimensional) space, or even a much larger quantumHilbert space. Various specific attacks exploit of these limitations. Although security can still be provedin some very special cases, a general framework that considers such realistic QKD protocols, as well as attacks on such protocols, is still missing.We describe a general method of attacking realistic QKD protocols, which we call the ‘quantum-space attack’. The description is based on assessing the enlarged quantum space actually used by aprotocol, the ‘quantum space of the protocol’. We demonstrate these new methods by classifying various(known) recent attacks against several QKD schemes, and by analyzing a novel attack on interferometry-based QKD.
Quantum cryptography has brought us new ways of exchanging a secret key between two users (knownas Alice and Bob). The security of such Quantum Key Distribution (QKD) methods is based on a verybasic rule of nature and quantum mechanics—the “no-cloning” principle. The first QKD protocol wassuggested in a seminal paper by Bennett and Brassard [5] in 1984, and is now known as BB84. Duringrecent years many security analyses were published [46, 35, 6, 42, 7, 22] which proved the information-theoretical security of the BB84 scheme against the most general attack by an unlimited adversary (knownas Eve), who has full control over the quantum channel . Those security proofs are limited as they alwaysconsider a theoretical QKD that uses perfect qubits. Although these security proofs do take errors intoaccount, and the protocols use error correction and privacy amplification (to compensate for these errors andfor reducing any partial knowledge that Eve might have), in general, they avoid security issues that arisefrom the implementation of qubits in the real world .A pivotal paper by Brassard, L¨utkenhaus, Mor, and Sanders [12, 13] presented the “Photon NumberSplitting (PNS) attack” and exposed a security flaw in experimental and practical QKD: One must take intoaccount the fact that Alice does not generate perfect qubits (2 basis-states of a single photon), but, instead,generates states that reside in an enlarged Hilbert space (we call it “quantum space” here), of six dimensions.The reason for that discrepancy in the size of the used quantum space is that each electromagnetic pulse thatAlice generates contains (in addition to the two dimensions spanned by the single-photon states) also a All QKD protocols assume that Alice and Bob also use an insecure, yet unjammable, classical channel. a r X i v : . [ qu a n t - ph ] N ov acuum state and three 2-photon states, and these are extremely useful to the eavesdropper. That paperproved that, in contrast to what was assumed in previous papers, Eve can make use of the enlarged space,and get a lot of information on the secret key, sometimes even full information, without inducing any noise.Many attacks on the practical protocols then followed (e.g., [25, 26, 24, 36, 34, 21]), based on extensions ofthe quantum spaces, exploring various additional security flaws; other papers [25, 40, 45] suggested possibleways to overcome such attacks. On the one hand, several security proofs, considering specific imperfections,were given for the BB84 protocol [24, 27]. Yet on the other hand, it is generally impossible now to provethe security of a practical protocol, since a general framework that considers such realistic QKD protocols, and the possible attacks on such protocols, is still missing.We show that the PNS attack, and actually all attacks directed at the channel, are various special casesof a general attack that we define here, the Quantum-Space Attack (QSA). The QSA generalizes existingattacks and also offers novel attacks. The QSA is based on the fact that the “qubits” manipulated in theQKD protocol actually reside in a larger Hilbert space, and this enlarged space can be assessed . Althoughthis enlarged space is not fully accessible to the legitimate users, they can still analyze it, and learn whata fully powerful eavesdropper can do. We believe that this assessment of the enlarged “quantum spaceof the protocol” is a vital step on the way to proving or disproving the unconditional security of practicalQKD schemes. We focus on schemes in which the quantum communication is uni-directional, namely, fromAlice’s laboratory (lab) to Bob’s lab. We consider an adversary that can attack all the quantum states thatcome out of Alice’s lab, and all the quantum states that go into Bob’s lab.The paper is organized as follows: Definitions of the quantum spaces involved in the realization ofa protocol, and of the “quantum space of the protocol”, are presented and discussed in Section 2. The“quantum-space attack” is defined and discussed in Section 3. Using the general framework when theinformation carriers are photons is discussed in Section 4. Next, in Section 5 we show that the best knownattacks on practical QKD are special cases of the QSA. Section 6 demonstrates and analyzes a novel QSAon an interferometric implementation of the BB84 and the six-state QKD protocols. Last, we discuss a fewsubtleties and open problems for future research in Section 7.We would like to emphasize that our (crypt)analysis presents the difficulty of proving unconditionalsecurity for practical QKD setups, yet also provides an important (probably even vital) step in that direction.
The Quantum Space Attack (QSA) is the most general attack on the quantum channel that connects Aliceto Bob. It can be applied to any realistic QKD protocol, yet here we focus on uni-directional schemes andon implementations of the BB84 protocol and the six-state protocol. We need to have a proper model ofthe protocol in order to understand the Hilbert space that an unlimited Eve can attack. This space has neverbeen analyzed before except for specific cases. Our main finding is a proper description of this space, whichallows, for the first time, defining the most general eavesdropping attack on the channel. We start with amodel of a practical “qubit”, continue with understanding the spaces used by Alice and Bob, and end bydefining the relevant space, the
Quantum Space of the Protocol (QSoP), used by Eve to attack the protocol.The attacks on the QSoP are what we call
Quantum-Space Attacks . In most QKD protocols, Alice sends Bob qubits, namely, states of 2 dimensional quantum spaces ( H ).A realistic view should take into account any deviation from theory, caused by Alice’s equipment. Forexample, Alice might encode the qubit via a polarized photon: | z (cid:105) via a photon polarized horizontally, and2 z (cid:105) polarized vertically. This can be written using Fock notation as | n h , n v (cid:105) F where n h ( n v ) represents thenumber of horizontal (vertical) photons; then | z (cid:105) ≡ | , (cid:105) F and | z (cid:105) ≡ | , (cid:105) F . When Alice’s photon is lostwithin her equipment (or during the transmission), Bob gets the state | , (cid:105) F , so that Alice’s realistic spacebecomes H . Alice might send multiple photons and then H A is of higher dimension, see Section 4.2. Definition 1. Alice’s realistic space, H A , is the minimal space containing the actual quantum states sentby Alice to Bob during the QKD protocol. In the BB84 protocol, Alice sends qubits in two fixed conjugate bases. Theoretically, Alice randomlychooses a basis and a bit value and sends the chosen bit encoded in the appropriate chosen basis as a state in H (e.g. | z (cid:105) , | z (cid:105) , | x (cid:105) = ( | z (cid:105) + | z (cid:105) ) / √ , and | x (cid:105) = ( | z (cid:105) − | z (cid:105) ) / √ ). To a better approximation, thestates sent by Alice are four different states | ψ i (cid:105) A ( i = 1 , , , ) in her realistic space H A , spanned by thesefour states. This space H A is of dimension | H A | , commonly between 2 and 4, depending on the specificimplementation. As practical instruments often diverse from theory, Alice might send quite different states.As an extreme example, see the tagging attack (Section 5.2), which is based on the fact that Alice’s spacecould contain more than just these four theoretical states, so that | H A | > is possible. Bob commonly receives one of several possible states | ψ i (cid:105) A sent by Alice, and measures it. The most generalmeasurement Bob can perform is to add an ancilla, perform a unitary transformation on the joint system,perform a complete measurement, and potentially “forget” some of the outcomes . However, once Alice’sspace is larger than H , the extra dimensions provided by Alice could be used by Bob for his measurement, instead of adding an ancilla. Interestingly, by his measurement Bob might be extending the space vulnerableto Eve’s attack well beyond H A . This is possible since in many cases the realistic space, H A , is embeddedinside a larger space M . Definition 2.
The space M is the space in which H A is embedded, H A ⊆ M . The space M is the actualspace available for Alice and an Eavesdropper. Due to the presence of an eavesdropper, Bob’s choice whether to add an ancilla or to use the extendedspace M is vital for security analysis. In the first case the ancilla is added by Bob, inside his lab, while in thesecond it is controlled by Alice, transferred through the quantum channel and exposed to Eve’s deeds. Evemight attack the extended space M , and thus have a different effect on Bob, considering his measurementmethod.For example, suppose Alice sends two non-orthogonal states of a qubit, θ = (cid:0) cos θ sin θ (cid:1) and θ = (cid:0) cos θ − sin θ (cid:1) ,with a fixed and known angle ≥ θ ≥ ◦ . Bob would like to distinguish between them, while allowinginconclusive results sometimes, but no errors [38]. Bob can add the ancilla | (cid:105) Anc ≡ (cid:0) (cid:1) Anc and performthe following transformation U : | (cid:105) Anc ⊗ (cid:18) cos θ ± sin θ (cid:19) = cos θ ± sin θ U −→ sin θ ± sin θ √ cos 2 θ = √ θ | (cid:105) Anc ⊗ (cid:18) / √ ± / √ (cid:19) + √ cos 2 θ | (cid:105) Anc ⊗ (cid:18) (cid:19) (1) States written using the Fock notation |·(cid:105) F are called Fock states, see Section 4. The six-state scheme uses the three conjugate bases of the qubit space; namely, also | y (cid:105) = ( | z (cid:105) + i | z (cid:105) ) / √ , etc. By the term “forget” we mean that Bob’s detection is unable to distinguish between several measured states. This entire process can be described in a compact way by using a POVM [39]. | (cid:105) Anc ≡ (cid:0) (cid:1) Anc . This operation leads to a conclusive result with probability θ (when themeasured ancilla is | (cid:105) Anc ), and inconclusive result otherwise. It is simple to see that the same measurementcan be done, without the use of an ancilla , if the states θ and θ are embedded at Alice’s lab in a largerspace M , e.g. M = H , using Bob’s transformation cos θ ± sin θ U −→ sin θ ± sin θ √ cos 2 θ . (2)In the general case, the space M might be very large, even infinite. Bob might use only parts of it, for hismeasurements.A complication in performing security analysis is due to Bob’s option to both use an ancilla and extendthe space used by Alice. Our analysis in the following sections starts with the space extension only (Sections2.3–2.4), and later on deals with the general case (Sections 2.5–2.6). Let us formulate the spaces involved in the protocol, as described above. Assume Alice uses the space H A according to Definition 1, which is embedded in a (potentially larger) space M . Ideally, in the BB84protocol, Bob would like to measure just the states in H A , but in practice he usually can not do so. Eachone of Alice’s states | ψ i (cid:105) A is transformed by Bob’s equipment into some pure state | ψ i (cid:105) M ∈ M . The spacewhich is spanned by those states contains all the information about Alice’s states {| ψ i (cid:105) A } .More important, Bob might be measuring un-needed subspaces of M which Alice’s states do not span.For instance, examine the case where Bob uses detectors to measure the Fock states | , (cid:105) F and | , (cid:105) F . Bob isusually able to distinguish a loss (the state | , (cid:105) F ) or an error (e.g. | , (cid:105) F , one horizontal photon and one ver-tical photon), from the two desired states, but he cannot distinguish between other states containing multiplephotons. This means that Bob measures a much larger subspace of the entire space M , but (inevitably) inter-prets outcomes outside H A as legitimate states; e.g. the states | , (cid:105) F , | , (cid:105) F , etc. are (mistakenly) interpretedas | , (cid:105) F . See further discussion in Section 4.3.We denote Bob’s setup (beam splitters, phase shifters, etc.) by the unitary operation U B , followed bya measurement; all these operations are operating on the space M (or parts of it). Bob might have severaldifferent setups (e.g. a different setup for the z -basis and for the x -basis). Let U be the set of unitarytransformations in all Bob’s setups. Definition 3. [This definition is Temporary.]
Given a specific setup-transformation U j ∈ U , let H B j ⊆ M be the subsystem actually measured by Bob, having K basis states {| φ k (cid:105) B j } k =0 ...K − . The set of Bob’sMeasured Spaces is the set { H B j } j =0 ...J − of J = | U | spaces. We have already seen that Bob might be measuring un-needed dimensions. On the other hand he mightnot measure certain subspaces of M , even when Alice’s state might reach there. In either case, the deviationis commonly due to limitations of Bob’s equipment. The “quantum space of the protocol” (QSoP) is in fact Alice’s extended space, taking into considerationits extensions due to Bob’s measurements. The security analysis of a protocol depends on the space H B − defined below. The case in which Bob transposes the state into a mixed state is a special case of the analysis done in Section 2.5. For thenotion of mixed states or quantum mixture see [37, 39]. efinition 4. [This definition is Temporary.] The reversed space H B − is the Hilbert space spanned bythe states U − j ( | φ k (cid:105) B j ) , for each possible setup U j ∈ U , and for each basis state | φ k (cid:105) B j of the appropriate H B j ⊆ M . The Space H B − usually resides in a larger space than H A . For instance, using photons, the ideal space H A consists of two modes with 2 basis states, see Section 4. Now H B − could have an infinite space ineach mode, but also could have more modes.In order to derive the quantum space of the protocol we need to define the way Alice’s space is extendedaccording to H B − , for this simple case where Bob does not add an ancilla. In this case, the space H B − simply extends Alice’s space to yield the QSoP via H P = H A + H B − . Formally speaking Definition 5. [This definition is Temporary.] The Quantum Space of the Protocol , H P , is the spacespanned by the basis states of the space H A and the basis states of the space H B − . If Alice’s realistic space is fully measured by Bob’s detection process, then H A is a subspace of H B − ,hence H P = H B − . In the general case, one must consider Bob’s option to add an ancilla during his measurement process. Thisaddition causes a considerable difficulty in analyzing a protocol, however it is often an inherent part of theprotocol, and can not be avoided. We denote the added ancilla as the state | (cid:105) B (cid:48) that resides in the space H B (cid:48) . Definition 6. M (cid:48) is the space that includes the physical space used by Alice as defined in Definition 2, inaddition to Bob’s ancilla, M (cid:48) = M ⊗ H B (cid:48) . Bob measures a subspace of the space M (cid:48) , so the (permanent) definitions of his measured spaces H B j and the reversed space H B − should be modified accordingly. Definition 7.
Given a specific setup-transformation U j ∈ U let H B j ⊆ M (cid:48) be the subsystem actuallymeasured by Bob, having K basis states {| φ k (cid:105) B j } k =0 ...K − . The set of Bob’s Measured Spaces , is the set { H B j } j =0 ...J − of J = | U | spaces. The quantum space of the protocol is still Alice’s extended space, while considering its extensions due toBob’s measurements. Yet, the added ancilla makes things much more complex. The security analysis ofa protocol depends now not on the space H B − defined below, but on a (potentially much larger ) spaceobtained from it by tracing-out Bob’s ancilla. As before, we first define the reversed space. Definition 8. The reversed space H B − is the Hilbert space spanned by the states U − j ( | φ k (cid:105) B j ) , for eachpossible setup U j ∈ U , and for each basis state | φ k (cid:105) B j of the appropriate H B j ⊆ M (cid:48) . Once a basis state of one of Bob’s measured spaces | φ k (cid:105) B j is reversed by U − j we result with a statethat might, partially, reside in Bob’s ancillary space H B (cid:48) . Since Eve has no access to this space it must betraced-out (separated out), for deriving the QSoP. Let us redefine the QSoP given the addition of the ancilla: Giving this space to Eve (for getting an upper bound on her information), might be easier to analyze, but is usually not possiblesince it would give her too much power, making the protocol insecure. efinition 9. The Quantum Space of the Protocol, H P , is the space spanned by (a) the basis states of thespace H A ; and (b) the states Tr Bob [ U − j ( | φ k (cid:105) B j )] , (namely, after tracing out Bob), for each possible setup U j ∈ U , and for each basis state | φ k (cid:105) B j of the appropriate space H B j . Whenever U B entangles Bob’s ancilla with the system sent from Alice, tracing out Bob’s ancilla afterperforming U − B might cause an increase of the QSoP to the dimension of Bob’s ancillary space. For in-stance, assume Alice’s state is embedded in an n -qubit space to which Bob adds an ancilla of n -qubits andperforms a unitary transformation U , such that for one state measured by Bob, | Ψ (cid:105) B U − −→ n/ (cid:80) n − k =0 | k (cid:105) P | k (cid:105) B (cid:48) .Tracing out Bob from this state yields the maximally mixed state ρ P = n (cid:80) n − k =0 | k (cid:105)(cid:104) k | , so that in this ex-ample the whole n -qubits space is spanned. When Alice and Bob use qubits, in theoretical QKD, Eve can attack the protocol in many ways. In hersimplest attack, the so-called “measure-resend attack”, Eve performs any measurement (of her choice) onthe qubit, and accordingly decides what to send to Bob.A generalization of that attack is the “translucent attack”, in which Eve attaches an ancilla, in an initialstate | (cid:105) E (and in any dimension she likes), and entangles the ancilla and Alice’s qubit, using | (cid:105) E | i (cid:105) A → (cid:80) j =0 | E ij (cid:105) E | j (cid:105) A where | i (cid:105) A is a basis for Alice’s qubit, and Eve’s states after the unitary transformation are | E ij (cid:105) E . Using this transformation one can define the most general “individual-particle attack” [19, 20], andalso the most general “collective attack” [9, 8]. In the individual-particle attack Eve delays the measurementof her ancilla till after learning anything she can about the qubit (e.g., its basis), while in the collective attackEve delays her measurements further till she learns anything she can about all the qubits (e.g., how the finalkey is generated from the obtained string of shared bits), so she attacks directly the final key .The most general attack that Eve could perform on the channel is to attack all those qubits transmittedfrom Alice to Bob, using one large ancilla. This is the “joint attack”. Security, in case Eve tries to learn amaximal information on the final key, was proven in [46, 35, 6, 42, 7] via various methods. The attack’sunitary transformation is written as before, but with i a binary string of n bits, and so is j , | (cid:105) E | i (cid:105) A → (cid:80) n − j =0 | E ij (cid:105) E | j (cid:105) . By replacing the qubit space H by Alice’s realistic “qubit” in the space H A , and by defining Eve’s attackon the entire space of the protocol H P , we can generalize each of the known attacks on theoretical QKDto a “quantum space attack” (QSA). We can easily define now Eve’s most general individual-transmissionQSA on a realistic “qubit”, which generalizes the individual-particle attack earlier described. Eve preparesan ancilla in a state | (cid:105) E , and attaches it to Alice’s state, but actually her ancilla is now attached to the entireQSoP. Eve performs a unitary transformation U E on the joint state. If Eve’s attack is only on H A , we writethe resulting transformation on any basis state of H A , | i (cid:105) A , as | (cid:105) E | i (cid:105) A → (cid:80) j | E ij (cid:105) E | j (cid:105) A , where the sumis over the dimension of H A . The Photon-Number-Splitting attack (see Section 5.1) is an example for suchan attack. The most general individual-transmission QSA is based on a translucent QSA on the QSoP, | (cid:105) E | i (cid:105) P → (cid:88) j | E ij (cid:105) E | j (cid:105) P , (3)where the sum is over the dimension of H P . The subsystem in H P is then sent to Bob while the rest (thesubsystem H E ) is kept by Eve. We write the transformation on any basis state of H P , | i (cid:105) P , but note that6t is sufficient to define the transformation on the different states in H A , namely for all states of the form | i (cid:105) A , since other states of the QSoP are never sent by Alice (any other additional subsystem of the QSoP isnecessarily at a known state when it enters Eve’s transformation).Attacks that are more general than the individual transmission QSA , the collective QSA and the jointQSA , can now be defined accordingly. In the most general collective QSA, Eve performs the above translu-cent QSA on many (say, n ) realistic “qubits” (potentially a different attack on each one, if she likes), waitstill she gets all data regarding the generation of the final key, and she then measures all the ancillas together,to obtain the optimal information on the final key or the final secret. The most general attack that Eve couldperform on the channel is to attack all those realistic “qubits” transmitted from Alice to Bob, using one largeancilla. This is the “joint QSA”. The attack’s unitary transformation is written as before, but with i a stringof n digits rather than a single digit (digits of the relevant dimension of H P ), and so is j , | (cid:105) E | i (cid:105) P ⊗ n → | H P | n − (cid:88) j =0 | E ij (cid:105) E | j (cid:105) P ⊗ n . (4)Eve measures the ancilla, after learning all classical information, to obtain the optimal information on thefinal key or the final secret. As before, it is sufficient to define the transformation on the different input statesfrom ( H A ) ⊗ n .We would like to emphasize several issues: 1.– When analyzing specific attacks, or when trying to obtaina limited security result, it is always legitimate to restrict the analysis to the relevant (smaller) subspace ofthe QSoP, for simplicity, e.g., to H A , or to H B − , etc. 2.– Any bi-directional protocol will have a muchmore complicated QSoP, thus it might be extremely difficult to analyze any type of QSA (even the simplestones) on such protocols. This remark is especially important since bi-directional protocols play a veryimportant role in QKD, since they appear in many interesting protocols such as the plug-and-play [33],the ping-pong [10], and the classical Bob [11] protocols. Specifically they provided (via the plug-and-play) the only commerical QKD so far [48, 49]. 3.– It is well known that the collective or joint attack isonly finished after Eve gets all quantum and classical information, since she delays her measurements tillthen [9, 8, 6, 35, 7]; if she expects more information, she better wait and attack the final secret rather thanthe final key; it is important to notice that if the key will be used to encode quantum information (say, qubits)then the quantum-space of the protocol will require a modification, potentially a major one; It is interestingto study if this new notion of QSoP has an influence on analysis of such usage of the key as done (for theideal qubits) in [4]. Since most of the practical QKD experiments and products are done using photons, in this section wedemonstrate our QSoP and QSA definitions and methods via photons. Our analysis uses the Fock-Space notations for describing photonic quantum spaces. For clarity, states written using the Fock notation aredenoted with the superscript ‘ F ’, e.g. | (cid:105) F , | (cid:105) F , and | , , (cid:105) F .A photon can not be treated as a quantum system in a straightforward way. For instance, unlike dustparticles or grains of sand, photons are indistinguishable particles, meaning that when a couple of photonsare interacting, one cannot define the evolution of the specific particle, but rather describe the whole system.Let us examine a cavity, for instance. It can contain photons of specific wavelengthes ( λ , λ , etc.) andthe energy of a photon of wavelength λ is directly proportional to /λ . While one cannot distinguish between A description of the Fock space and Fock notations can be found in various quantum optic books, e.g. [41]. n such photonsof the same wavelength carry n times that energy. If the cavity is at its ground (minimal) energy level, wesay that there are “no photons” in the cavity and denote the state as | (cid:105) F —the vacuum state. The conventionis to denote only those modes that are potentially populated, so if we can find n photons in one mode, andno photons in any other mode, we write, | n (cid:105) F . If two modes are populated by n a and n b photons, and allother modes are surely empty, we write | n a , n b (cid:105) F (or | m, n (cid:105) F ab ). When there is no danger of confusion, andthe number of photons per mode is small (smaller than ten), we just write | mn (cid:105) F for m photons in one modeand n in the other. In addition to its wavelength, a photon also has a property called polarization, and abasis for that property is, for instance, the horizontal and vertical polarizations mentioned earlier. Thus, twomodes (in a cavity) can also have the same energy, but different polarizations.Outside a cavity photons travel with the speed of light, say from Alice to Bob, yet modes can still bedescribed, e.g., by using “pulses” of light [14]. The modes can then be distinguished by different directionsof the light beams (or by different paths), or by the timing of pulses (these modes are denoted by non-overlapping time-bins), or by orthogonal polarizations.A proper description of a photonic qubit is commonly based on using two modes ‘ a ’ and ‘ b ’ which arepopulated by exactly a single photon, namely, a photon in mode a , so the state is | (cid:105) F ab , or a photon inmode b , so the state is | (cid:105) F ab . However, a quantum space that consists of a single given photonic mode ‘ a ’is not restricted to a single photon, and can be populated by any number of photons. A basis for this spaceis {| n (cid:105) F a } with n ≥ , so that the quantum space is infinitely large, H ∞ . Theoretically, a general state in thisspace is can be written as the superposition (cid:80) ∞ n =0 c n | n (cid:105) F a , with (cid:80) n | c n | = 1 , c n ∈ C . Similarly, a quantumspace that consists of two photonic modes has the basis states | n a , n b (cid:105) F , for n a , n b ≥ and a general stateis of the form (cid:80) ∞ n a ,n b =0 c n a ,n b | n a , n b (cid:105) F with (cid:80) ∞ n a ,n b =0 | c n a ,n b | = 1 , c n a ,n b ∈ C . This quantum space isdescribed as a tensor product of two “systems” H ∞ ⊗ H ∞ .Using exactly two photons in two different (and orthogonal) modes assists in clarifying the differencebetween photons and dust particles (or grains of sand): Due to the indistiguishability of photons, only 3different states can exist (instead of 4): | (cid:105) F ab , | (cid:105) F ab and | (cid:105) F ab . The last state has one photon in mode‘ a ’ and another photon in ‘ b ’, however, exchanging the photons is meaningless since one can never tell onephoton from another.A realistic model of a photon source (in a specific mode) is of a coherent pulse (a Poissonian distribution) | α (cid:105) = e − | α | ∞ (cid:88) n =0 α n √ n ! | n (cid:105) including terms that describe the possibility of emitting any number n of photons. As the number of photonsincreases beyond some number, the probability decreases, so it is common to neglect the higher orders.In QKD, experimentalists commonly use a “weak” coherent state (such that | α | (cid:28) ) and then termswith n ≥ can usually be neglected. There is also a lot of research about sources that emit (to a goodapproximation) single photons, and then, again, terms with n ≥ can usually be neglected. While the theoretical qubit lives in H , a realistic view defines the space actually used by Alice to be muchlarger. The possibility to emit empty pulses increases Alice’s realistic space into H , due to the vacuumstate | (cid:105) F ab . When Alice sends a qubit using two modes, using a weak coherent state (or a “single-photon”source), her realistic space, H A , is embedded in H ∞ ⊗ H ∞ . Terms containing more than two photons can be8eglected, so these are excluded from Alice’s space H A . The appropriate realistic quantum space of Alice, H A , is now a quhexit: the six-dimensional space spanned by χ = {| (cid:105) F , | (cid:105) F , | (cid:105) F , | (cid:105) F , | (cid:105) F , | (cid:105) F } .The PNS attack demonstrated in Section 5.1, is based on attacking this 6 dimensional space H A . Note alsothat terms with more than two photons still appear in M , and thus could potentially appear in the QSoP (andthen used by Eve).At times, Alice’s realistic space is even larger, due to extra modes that are sent through the channel, andare not meant to be a part of the protocol. These extra modes might severely compromise the security ofthe protocol, since they might carry some vital information about the protocol. A specific QSA based onthat flaw is the “tagging attack” (Section 5.2). Note that even if Alice uses exactly two modes, the quantumspace M where H A is embedded, certainly contains other modes as well. Let us discuss Bob’s measurement of photonic spaces. There are (mainly) two types of detectors that canbe used. The common detector can not distinguish a single photon from more than one photon (these kindof detectors are known as threshold detectors ). The Hilbert space where Bob’s measurement is definedis infinite , since a click in the detector tells Bob that the number of photons occupying the mode is “notzero” i.e. the detector clicks when | n (cid:105) F is detected, for n ≥ . This means that Bob measures the state | (cid:105) F , or he measures | (cid:105) F , | (cid:105) F , . . . but then “forgets” how many photons were detected. Bob might severelycompromise the security, since he inevitably interprets a measurement of a state containing multiple photonsas the “legal” state that contains only a single photon. An attack based on a similar limitation is the “Trojan-Pony” attack described below, in Section 5.3. In order to avoid false interpretations of the photon numberreaching the detector, Bob could use an enhanced type of detector known as the photon-number resolvingdetector or a counter (which is still under development). This device distinguishes a single photon from n ≥ photons, hence any eavesdropping attempt that generates multi-photon states can potentially benoticed by Bob. A much enhanced security can be achieved now, although the QSoP is infinite also in thiscase, due to identifying correctly the legitimate state | (cid:105) F , from various legitimate states.The number of modes in the QSoP depends on Bob’s detectors as well. Bob commonly increases thenumber of measured modes by “opening” his detector for more time-bin modes or more frequency modes.For instance, suppose Bob is using a detector whose detection time-window is quite larger than the width ofthe pulse used in the protocol, since he does not know when exactly Alice’s pulse might arrive. The result isan extension of the space used by Alice, so that the QSoP includes the subspace of M that contains all thesemeasured modes. When a single detector is used to measure more than one mode without distinguishingthem , the impact on the security might be severe, see the “Fake state” attack (Section 5.4).In addition to the known attacks described in the following subsection, a new QSA is analyzed in Sec-tion 6, where we examine the more general case of QSA, in which Bob adds an ancilla during the process. All known attacks can be considered as special cases of the Quantum-Space Attack. In this section we showa description of several such attacks using QSA terms. For each and every attack we briefly describe thespecific protocol used, the quantum space of the protocol, and a realization of the attack as a QSA. In practice, that space is as large as Eve might wish it to be. We can ignore the case where Eve uses too many photons so thatthe detector could burn due to the high energy, since it is not in Eve’s interest. Thus, in some of the analyses below we replace ∞ by some large number L . .1 The photon number splitting attack [13] The Protocol.
Consider a BB84 protocol, where Alice uses a “weak pulse” laser to send photons in twomodes corresponding to the vertical and horizontal polarizations when using the z basis (the diagonal po-larizations then relate to using the x basis). Bob uses a device called a Pockel cell to rotate the polarization(by ◦ ) for measuring the x basis, or performs no rotation if measuring the z basis. The measurement ofthe state is then done using two detectors and a “polarization beam splitter” that passes the first mode to onedetector and the second mode to the other detector (for a survey of polarization-based QKD experiments,see [23, 17]). The Quantum Space of the Protocol.
Every pulse sent by Alice is in one of four states, each in asuperposition of the 6 orthogonal states χ = {| (cid:105) F , | (cid:105) F , | (cid:105) F , | (cid:105) F , | (cid:105) F , | (cid:105) F } , where the space used byAlice is H A = H . Bob uses two setups, U B z = I for the z basis, and U B x for the x basis, which is morecomplex and described in Appendix A.1.The detectors used by Bob cannot distinguish between modes having single photon and multiple pho-tons. Each one of his two detectors measures the basis elements {| n (cid:105) F } for n ≥ (of the specific modedirected to that specific detector), where Bob interprets the states {| n (cid:105) F } with n > as measuring the state | (cid:105) F of the same mode. Bob’s measured space H B is thus infinite and spanned by the states {| mn (cid:105) F } for m, n ≥ . The QSoP H P is equal to H B z ( = H B x ) since performing U − does not change the dimension-ality of the spanned space (in both setups). The Attack.
Eve measures the number of photons in the pulse, using non-demolition measurement. Ifshe finds that the number of photons is ≥ , she blocks the pulse and generates a loss. In the case she findsthat the pulse consists of 2 photons, she splits one photon out of the pulse and sends it to Bob, keepingthe other photon until the bases are revealed, thus getting full information of the key-bit. Eve sends theeavesdropped qubits to Bob via a lossless channel so that Bob will not notice the enhanced loss-rate. Asis common in experimental QKD, Bob is willing to accept a high loss-rate (he does not count losses aserrors), since most of Alice’s pulses are empty. See the precise mathematical description of this attack inAppendix A. The Protocol.
Consider a BB84 QKD protocol in which Alice sends an enlarged state rather than a qubit.This state contains, besides the information qubit, a tag giving Eve some information about the bit. Thetag can, for example, tell Eve the basis being used by Alice. For a potentially realistic example, let the tagbe an additional qutrit indicating if Alice used the x -basis, or the z -basis, or whether the basis is unknown :whenever Alice switches basis, a single photon comes out of her lab prior to the qubit-carrying pulse, tellingthe basis, say using the states | (cid:105) F tag and | (cid:105) F tag , and when there is no change of basis, what comes out priorto the qubit is just the vacuum | (cid:105) F tag . The Quantum Space of the Protocol.
In this example, Alice is using the space H A = H ⊗ H tag = H ⊗ H . Bob, unaware of the enlarged space used by Alice, expects and receives only the subspace H .We assume that Bob ideally measures this space with a single setup U B = I , therefore H B = H . SinceBob’s setup does not change the space, H B − = H as well. However, the tag is of a much use to Eve, andindeed the QSoP following Definition 5, defined to be H P = H ⊗ H tag . The Attack.
Eve uses the tag in order to retrieve information about the qubit without inducing error(e.g. via cloning the qubit in the proper basis). The attack is then an intercept-resend QSA. We mention thatthis attack is very similar to a side-channel cryptanalysis of classic cryptosystems.
A Short Summery.
It can be seen that the PNS attack described above is actually a special case ofthe tagging attack, where the tag in that case is in fact another copy of the transmitted qubit. This copy10s kept by Eve until the bases are revealed, then it can be measured so the the key-bit value is exposedwith certainty. Both those QSA attacks are based on the fact that Alice (realistic) space is larger than thetheoretical one. Although in the PNS example, the QSoP is further extended due to Bob’s measurement, theattack is not based on that extension but on the fact that H A is larger than H . In the following attacks Bob’smeasurements cause the enlargement of the QSoP, allowing Eve to exploit the larger QSoP for her attack. In Trojan-pony attacks Eve modifies the state sent to Bob in a way that gives her information. In contrast toa “Trojan-horse” that goes in-and-out of Bob’s lab, the “pony” only goes in, therefore, it is not consideredan attack on the lab, but only on the channel. We present here an interesting example [24].
The Protocol.
Assume a polarization-encoded BB84 protocol, in which Alice is ideal, namely, sendingperfect qubits ( H A = H ). However, Bob uses realistic threshold detectors that suffer from losses and darkcounts, and that cannot distinguish between one photon and k photons for < k < L . In order to be ableto “prove” security, for a longer distance of transmission Bob wants to keep the error-rate low although theincrease of dark counts’ impact with the distance [13]. Therefore, Bob assumes that Eve has no controlover dark counts, and whenever both detectors click, Alice and Bob agree to consider it as a loss since itis outside of Eve’s control (i.e. the QSoP is falsely considered to be H ). Namely, they assume that anerror occurs only when Bob measures in the right basis, and only one detector clicks, (which is the detectorcorresponding to the wrong bit-value). The Quantum Space of the Protocol.
Same as in Section 5.1, Bob’s measured spaces H B z , H B x ,the reversed space H B − as well as the QSoP H P , are merely the spaces describing two modes (withup to L photons), H L ⊗ H L . Bob’s detectors cannot distinguish between receiving a single-photon pulsefrom a multi-photon pulse, so his measurement is properly described as a projection of the received stateonto the space containing {| ij (cid:105) F } followed by “forgetting” the exact result, and keeping only one of threeresults: “ { } ≡ detector-1 clicks”, “ { } ≡ detector-2 clicks”, and else it is { } , a “loss”. In formal, generalized-measurements language (called POVM, see [39, 37]) these three possible results are written as: { } ≡ (cid:80) L − k =1 | k (cid:105) F F (cid:104) k | , { } ≡ (cid:80) L − k =1 | k (cid:105) F F (cid:104) k | , { } ≡ | (cid:105) F F (cid:104) | + (cid:80) L − k ,k =1 | k k (cid:105) F F (cid:104) k k | , andtheir sum is the identity matrix. The Attack.
Eve’s attack is the following: (a) Randomly choose a basis (b) Measure the arriving qubitin that specific chosen basis (c) Send Bob m -photons identical to the measured qubit, where m (cid:29) .Obviously, when Eve chooses the same basis as Alice and Bob then Bob measures the exact value sent byAlice, and Eve gets full information. Otherwise, both of his detectors click, implying a “loss”, except for anegligible probability, ≈ ( − m +1) , thus Eve induces no errors. The main observation of this measure-resendQSA is that treating a count of more than a single photon as a loss, rather than as an error, is usually notjustified. A second conclusion is that letting Bob use counters instead of threshold detectors (to distinguish asingle photon from multiple photons), together with treating any count of more than one photon as an error,could be vital for proving security against QSA. The price is that dark counts put severe restrictions on thedistance to which communication can still be considered secure, as suggested already by [13]. The Protocol.
In this example, we examine a polarization encoded BB84 protocol, and an ideal Alice( H A = H ). This time Bob’s detectors are imperfect so that their detection windows do not fully overlap,meaning that there exist times in which one detector is blocked (or it has a low efficiency), while the otherdetector is still regularly active. Thus, if Eve can control the precise timing of the pulse, she can controlwhether the photon will be detected or lost. The setup is built four detectors and a rotating mirror (sinceBob does not want to spend money on a Pockel cell (polarization rotator), he actually uses 2 fixed different11etups). Using the rotating mirror Bob sends the photon into a detection setup for basis z or a detectionsetup for basis x . Suppose the two detection setups use slightly different detectors, or slightly differentdelay lines, or slightly different shutters, and Eve is aware of this (or had learnt it during her past attackson the system). For simplicity, we model the non-overlapping detection windows, as additional two modes,one slightly prior to Alice’s intended mode (the pulse), and one right after it. The Quantum Space of the Protocol.
The original qubit is sent in a specific time-bin t (namely, H A = H ). The setup U Z is a set of two detectors and a polarized beam splitter, separating the horizontaland the vertical modes to the detectors, where U x separate the diagonal modes into a set of two (different)detectors. Let the detectors for one basis, say z , be able to measure a pulse arriving at t or t , while thedetectors for the other basis ( x ) measure pulses arriving at t − or t .For simplicity, we degenerate the space to contain one or less photons , so that H B z is H , i.e. twopossible time-bins consisting each of two (polarization) modes of one or less photons. The measured spaceof the x -setup has two possible time-bins and two possible polarization modes, thus H B x = H as well,however, the two time-bins for this setup are t and t . Following Definition 4 we get that that the reversedspace H B − contains three time-bins ( t − , t and t ) with two polarization modes in each, therefore H B − = H , under the single-photon assumption. The QSoP, following Definition 5 equals H B − since H A ⊂ H B − . The Attack.
Eve exploit the larger space by sending “fake” states using the external time bins ( t − and t ). Eve randomly chooses a basis, measures the qubit sent by Alice, and sends Bob the same polarizationstate she found, but at t − if she have used the x basis, or at t if she have used the z basis. Since no ancillais kept by Eve, this is an intercept-resend QSA.Bob will get the same result as Eve if he uses the same basis, or a loss otherwise. The mathematical de-scription of the attack is as follows: Eve can generate superpositions of states of the form | V t − H t − V t H t V t H t (cid:105) F ,where the index { H, V } denotes this mode has Vertical or Horizontal polarization, and its subscript denotesthe time-bin of the mode. Eve’s measure-resend attack is described as measuring Alice’s qubit in the x basis,creating a new copy of the measured qubit, and performing the transformation ( | (cid:105) F → | (cid:105) F ) ; ( | (cid:105) F → | (cid:105) F ) or as performing a measurement in the z basis, and performing the transformation ( | (cid:105) F → | (cid:105) F ) ; ( | (cid:105) F → | (cid:105) F ) on the generated copy. A short summery
We see that Eve can “force” a desired value (or a loss) on Bob, thus gaining allthe information while inducing no errors (but increasing the loss rate). Bob can use a shutter to block theirrelevant time-bins but such a shutter could generate a similar problem in the frequency domain. This attackis actually a special case of the Trojan-pony attack, in which the imperfections of Bob’s detectors allow Eveto send states that will be un-noticed unless the measured basis equals to Eve’s chosen basis.
In order to demonstrate the power of QSA, and to see its advantages, this section presents a partial securityanalysis of some interferometric BB84 and 6-state schemes. Interferometric schemes are more common thanany other type of implementation in QKD experiments [43, 32, 23, 18, 17, 33] and products [48, 49]. Inthis section we define the specific equipment used by Bob, and we formulate U B and Bob’s measurements.We then find the spaces H A , H B j , H B − and the QSoP, H P . Finally, we demonstrate a novel attack whichis found to be very successful against a specific variant of the BB84 interferometric scheme; this specificQSA, which we call the “reversed-space attack”, is designed using the tools developed in Sections 2 and 3. As mentioned above, this is used for non-security proof, and is not legitimate assumption for proving unconditional security,where the three time-modes should be considered as H L ⊗ H L ⊗ H L . .1 Bob’s equipment We begin with a description of interferometric (BB84 and six-state) schemes, which is based on sendingphase-encoded qubits arriving in two time-separated modes [43, 32]. Alice encodes her qubit using twotime-bins t (cid:48) and t (cid:48) , where a photon in the first mode, | (cid:105) F t (cid:48) t (cid:48) , represents the state | z (cid:105) , and a photon in theother mode, | (cid:105) F t (cid:48) t (cid:48) , represents | z (cid:105) . The BB84 protocol of [43, 32] (and many others) uses the x and y bases, meaning that Alice (ideally) sends one of the following four states: | x (cid:105) = ( | (cid:105) F t (cid:48) t (cid:48) + | (cid:105) F t (cid:48) t (cid:48) ) / √ ; | x (cid:105) = ( | (cid:105) F t (cid:48) t (cid:48) − | (cid:105) F t (cid:48) t (cid:48) ) / √ ; | y (cid:105) = ( | (cid:105) F t (cid:48) t (cid:48) + i | (cid:105) F t (cid:48) t (cid:48) ) / √ ; and | y (cid:105) = ( | (cid:105) F t (cid:48) t (cid:48) − i | (cid:105) F t (cid:48) t (cid:48) ) / √ .Bob uses an interferometer built from two beam splitters with one short path and one long path (Fig-ure 1). A pulse of light travels through the short arm of the interferometer in T short seconds, and throughthe long arm in T long = T short + ∆ T seconds, where ∆ T is also precisely the time separation betweenthe two arriving modes of the qubit, ∆ T = t (cid:48) − t (cid:48) . A controlled phase shifter P φ , is placed in the longarm of the interferometer. It performs a phase shift by a given phase φ , i.e. P φ ( | ψ (cid:105) ) = e iφ | ψ (cid:105) . Thephase shifter is set to φ = 0 ( φ = π/ ) when Bob measures the x ( y ) basis. Each beam splitter interferestwo input arms (modes 1, 2) into two output arms (modes 3, 4), in the following way (for a single photon): | (cid:105) F , (cid:55)→ √ | (cid:105) F , + i √ | (cid:105) F , , and | (cid:105) F , (cid:55)→ i √ | (cid:105) F , + √ | (cid:105) F , . The photon is transmitted/reflectedwith a probability of ; The transmitted part keeps the same phase as the incoming photon, while the re-flected part gets an extra phase of e iπ/ , if it carries a single photon. When a single mode, carrying at least asingle photon, enters a beam splitter from one arm, and nothing enters the other input arm, we must considerthe other entry to be an additional mode (an ancilla) in a vacuum state.When a single mode (carrying one or more photons) enters the interferometer at time t (cid:48) , see Figure 1, ityields two modes at time t due to traveling through the short arm, and two modes at time t due to travelingthrough the long arm. Those four output modes are: times t , t in the ‘ s ’ (straight) arm of the interferometer,and times t , t in the ‘ d ’ (down) arm. A basis state in this Fock space is then | n s , n s , n d , n d (cid:105) F . In thecase of having that single mode carrying exactly a single photon, the transformation, which requires threeadditional empty ancillas , is | (cid:105) F t (cid:48) | (cid:105) F (cid:55)→ ( | (cid:105) F − | (cid:105) F + i | (cid:105) F + i | (cid:105) F ) / . Note that a pulsewhich is sent at a different time (say, t (cid:48) x ) results in the same output state, but with the appropriate delays, i.e. | (cid:105) F t (cid:48) x | (cid:105) F (cid:55)→ ( | (cid:105) F − | (cid:105) F + i | (cid:105) F + i | (cid:105) F ) / , (5)where the resulting state is defined in the Fock space whose basis states are | n s x , n s x +1 , n d x , n d x +1 (cid:105) .Let us now examine any superposition of two modes ( t (cid:48) and t (cid:48) ) that enter the interferometer one afterthe other, with exactly the same time difference ∆ T as the difference lengths of the arms. The state evolvesin the following way (see Appendix B.2): cos θ | (cid:105) F t (cid:48) t (cid:48) | (cid:105) F + sin θe iϕ | (cid:105) F t (cid:48) t (cid:48) | (cid:105) F (cid:55)→ (cid:16) cos θ | (cid:105) F B + ( − cos θe iφ + sin θe iϕ ) | (cid:105) F B − sin θe i ( ϕ + φ ) | (cid:105) F B + i cos θ | (cid:105) F B + i (cos θe iφ + sin θe iϕ ) | (cid:105) F B + i sin θe i ( ϕ + φ ) | (cid:105) F B (cid:17) / (6)describing the evolution for any possible BB84 state sent by Alice ( | x (cid:105) , | x (cid:105) , | y (cid:105) , | y (cid:105) determined by thevalue of ϕ = 0 , π , π , π respectively, when θ = π ). As a result of this precise timing, these two modes aretransformed into a superposition of 6 possible modes (and not 8 modes) at the outputs, due to interferenceat the second beam splitter. Only four vacuum-states ancillas (and not six) are required for that process. Theresulting 6 modes are t , t , t in the ‘ s ’ arm and in the ‘ d ’ arm of the interferometer. Denote this Fockspace as H B , with basis elements | n s , n s , n s , n d , n d , n d (cid:105) F B . See a brief description in Appendix B.1. t in both output arms ofthe interferometer. A click in the “down” direction means measuring the bit-value , while a click in the“straight” direction means . The other modes are commonly considered as a loss (they are not measured)since they give an inconclusive result regarding the original qubit. We refer this BB84 variant as “ xy -BB84”.One might want to use the z basis in his QKD protocol (using ϕ = 0 , and θ = 0 or θ = π ), for instance,in order to avoid the need for a controlled phase shifter or for another equipment-related reason, or in orderto perform “QKD with classical Bob” [11]. A potentially more important reason might be to perform the6-state QKD [15, 3, 29] protocol, due to its improved immunity against errors (27.4% errors versus only20% in BB84 [16]). A possible and easy to implement variant for realizing a measurement in the z basis isthe following: Bob uses the setup U B x (i.e. he sets P φ to φ = 0 ), and opens his detectors at times t and t , corresponding to the bit-values and respectively (See Equation (6)). Unfortunately, technologicallimitations, e.g. of telecommunication wavelength (IR) detectors, might make it difficult for Bob to openhis detectors for more than a single detection window per pulse. Bob could perform a measurement of just the states {| (cid:105) F B , | (cid:105) F B } , opening the d arm detector at time t (to measure | z (cid:105) ) and the s armdetector at time t (to measure | z (cid:105) ). We refer this variant as “ xyz -six-state”. We assume Alice to be almost ideal, having the realistic space H A = H (a qubit or a vacuum state), usingtwo time-bin modes. As we have seen, four ancillary modes in vacuum states are added to each transmission.Therefore, the interferometer setups U B x and U B y transform the 2-mode states of H A into a subspace thatresides in the 6 modes space H B . For simplicity, we assume that Eve does not generate n -photon states,with n ≥ , so we can ignore high photon numbers in the H B space . Therefore, we redefine H B = H ,the space spanned by the vacuum, and the six single-photon terms in each of the above modes.Using the x and y bases, Bob measures only time-bin t , so his actual measured spaces consist of twomodes: time-bin t in the ‘ s ’ arm and the ‘ d ’ arm. In that case, the measured spaces are H B x = H B y = H ,spanned by the states {| (cid:105) F B , | (cid:105) F B , | (cid:105) F B } . When Bob uses the z basis, he measures twodifferent modes, so H B z is spanned by the states {| (cid:105) F B , | (cid:105) F B , | (cid:105) F B } .Let us define the appropriate space H B − for the 6-state protocol, according to Definition 8. Thespace H B − is spanned by the states given by performing U ∈ {U B x , U B y } on {| (cid:105) F B , | (cid:105) F B , | (cid:105) F B } , as well as the states given by performing U B z on {| (cid:105) F B , | (cid:105) F B , | (cid:105) F B } . In-terestingly, once applying U − , the resulting states are embedded in an 8-mode space defined by the twoincoming arms of the interferometer, ‘ a ’ (from Alice) and ‘ b ’ (from Bob), at time bins t (cid:48)− , t (cid:48) , t (cid:48) , and t (cid:48) .The basis states of H B − are listed in Appendix B.3.Following Definition 9, the QSoP H P of this implementation for the 6-state protocol, is the subsystem of H B − which is controlled by Eve. It is spanned by the 8-mode states spanning H B − after tracing out Bob.The space that contains those “traced-out” states has only four modes that are controlled by Eve, specifically,input ‘ a ’ of the interferometer at times t (cid:48)− to t (cid:48) , having a basis state of the form | a t (cid:48)− a t (cid:48) a t (cid:48) a t (cid:48) (cid:105) F P . Giventhe single-photon restriction, we get H P = H , namely, the space spanned by the vacuum state, and a singlephoton in each of the four modes, i.e. {| (cid:105) F P , | (cid:105) F P , | (cid:105) F P , | (cid:105) F P , | (cid:105) F P } . This same result isobtained also if Bob measures all the six modes in H B .Bob might want to see how the basis states of the 4-mode QSoP, H P , evolve through the interferometerin order to place detectors on the resulting modes, which will be used to identify Eve’s attack. It is interestingto note, that those basis states result in
10 different non-empty modes (!) . If Bob measures all these modes,he increases the QSoP, and maybe allows Eve to attack a larger space, and so on and so forth. Therefore, inorder to perform a security analysis, one must first fix the scheme and only then assess the QSoP. Otherwise, As mentioned in Section 2, this assumption is not legitimate when proving unconditional security of a protocol.
14 “ping-pong” effect might increase the spaces’ dimensions to infinity. A similar, yet reversed logic, hintsthat it could actually be better for Bob, in terms of the simplicity of the analysis for the “ xy -BB84” scheme,to measure just the two modes at t (i.e. the space spanned by | , n s , , , n d , (cid:105) F B ), thus reducing the QSoPto a 2-mode space, H P = H A , see Appendix B.4. Although Eve is allowed to attack a larger space than thistwo-mode H P , she has no advantage in doing so: pulses that enter the interferometer on different modes(i.e. other time-bins than t (cid:48) and t (cid:48) ), never interfere with the output pulses of time-bin t measured by Bob.Therefore, state occupying different modes can not be distinguished from the states in which those modesare empty. Consider a BB84 variant in which Bob uses only the x and the z bases, using a single interferometer, wherethe z -basis measurement is performed according to the description in the last few lines of Section 6.1. Werefer this variant as “ xz -BB84”. The QSoP of this scheme, H P is the space described above for the “ xyz -six-state” protocol. The following attack | (cid:105) E | (cid:105) P U E −→ | E (cid:105) E (cid:0) | (cid:105) F P + | (cid:105) F P (cid:1) + 12 | E (cid:105) E (cid:0) | (cid:105) F P + | (cid:105) F P (cid:1) (7) | (cid:105) E | (cid:105) P U E −→ | E (cid:105) E (cid:0) −| (cid:105) F P + | (cid:105) F P (cid:1) + 12 | E (cid:105) E (cid:0) | (cid:105) F P − | (cid:105) F P (cid:1) (8)which we call “the Reversed-Space Attack”, allows Eve to acquire information about the transmitted qubits,without inducing any errors. The states |·(cid:105) E denote Eve’s ancilla which is not necessarily a photonic system.The state | z (cid:105) A ≡ | (cid:105) F P and | z (cid:105) A ≡ | (cid:105) F P are the regular states send by Alice, where we addedthe relevant extension of H A in H P . When | z (cid:105) A is sent by Alice, the attacked state U E | (cid:105) E | z (cid:105) A reachesBob’s interferometer, and interferes in a way such that it can never reach Bob’s detector at time t , i.e. F (cid:104) | B U B x (cid:0) ( U E | (cid:105) E | z (cid:105) A ) | (cid:105) F B (cid:48) (cid:1) = 0 . Although the attacked state U E | (cid:105) E | z (cid:105) A reaches modesthat Alice’s original state | z (cid:105) A can never reach, Bob never measures those modes, and cannot notice theattack. A similar argument applies when Alice sends | z (cid:105) A .As for the x basis , this attack satisfies | (cid:105) E | x (cid:105) A (cid:55)→ √ | E (cid:105) E + | E (cid:105) E )( | (cid:105) F P + | (cid:105) F P ) + 1 √ | E (cid:105) E − | E (cid:105) E )( | (cid:105) F P − | (cid:105) F P ) (9) | (cid:105) E | x (cid:105) A (cid:55)→ √ | E (cid:105) E − | E (cid:105) E )( | (cid:105) F P − | (cid:105) F P ) + 1 √ | E (cid:105) E + | E (cid:105) E )( | (cid:105) F P + | (cid:105) F P ) . (10)The first element in the sum results in the desired interference in Bob’s lab, while the second is not measuredby Bob’s detectors at time t . By letting Eve’s probes | E (cid:105) E and | E (cid:105) E be orthogonal states, Eve gets a lotof information while inducing no errors at all. Yet, we find that Eve is increasing the loss rate by this attackto 87.5%, but a very high loss rate is anyhow expected by Bob (as explained in the analysis of the PNS [13]and the tagging [24] attacks).In conclusion, this attack demonstrates the risk of using various setups without giving full securityanalysis for the specific setup. We are not familiar with any other security analysis that takes into accountthe enlarged space generated by the inverse-transformation of Bob’s space. For simplicity we use the shorter notation | x (cid:105) ≡ ( | (cid:105) F P + | (cid:105) F ) / √ , etc. Conclusion
In this paper we have defined the QSA, a novel attack that generalizes all currently known attacks on thechannel. This new attack brings a new method for performing security analysis of protocols. The attack isbased on a realistic view of the quantum spaces involved, and in particular, the spaces that become largerthan the theoretical ones, due to practical considerations. Although this paper is explicitly focused on thecase of uni-directional implementations of a few schemes, its main observations and methods apply to anyuni-directional QKD protocol, to bi-directional QKD protocols, and maybe also to any realistic quantumcryptography scheme beyond QKD.The main conclusion of this research is that the quantum space which is attacked by Eve can be assessed,given a proper understanding of the experimental limitations. This assessment requires a novel cryptanalysisformalism — analyzing the states generated in Alice’s lab, as well as the states that are to be measured byBob (assessing them as if they go backwards in time from Bob’s lab); this type of analysis resembles thetwo-time formalism in quantum theory [1, 44].Open problems for further theoretical research include: 1.– Generalization of the QSA to other conven-tional protocols (such as the two-state protocol, EPR-based protocols, d-level protocols, etc.); such a gen-eralization should be rather straightforward. 2.– Proving unconditional security (or more limited securityresults such as “robustness” [11]) against various QSAs. This is especially important for the interferometricsetup, where the QSoP is much larger than Alice’s six-dimensional space (the one spanned by χ ). 3.–Describing the QSA for more complex protocols, such as two-way protocols [33, 10, 11] in which the quan-tum communication is bi-directional, and protocols which use a larger set of states such as data-rejectedprotocols [2] or decoy-state protocols [25, 45, 30, 47]. 4.– Extend the analysis and results to composableQKD [4]. 5(a).– In some cases, if Bob uses “counters” and treats various measurement outcomes as er-rors, the effective QSoP relevant for proving security is potentially much smaller than the QSoP definedhere. 5(b).– Adding counters on more modes increases the QSoP defined here, but might allow analysis ofa smaller “attack’s QSoP”, if those counters are used to identify Eve’s attack. More generally, the connec-tion between the way Bob interprets his measured outcomes, and the “attack’s QSoP” is yet to be furtheranalyzed. Acknowledgments.
We thank Michel Boyer, Dan Kenigsberg and Hoi-Kwong Lo for helpful remarks.
References [1] D. Z. Albert, Y. Aharonov, and S. D’Amato. Curious new statistical prediction of quantum mechanics.
PhysicalReview Letters , 54(1):5–7, Jan 1985.[2] S. M. Barnett, B. Huttner, and S. J. D. Phoenix. Eavesdropping Strategies and Rejected-data Protocols inQuantum Cryptography.
Journal of Modern Optics , 40:2501–2513, Dec. 1993.[3] H. Bechmann-Pasquinucci and N. Gisin. Incoherent and coherent eavesdropping in the six-state protocol ofquantum cryptography.
Physical Review A , 59(6):4238–4248, Jun. 1999.[4] M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim. The universal composable securityof quantum key distribution. In
TCC 2005: Second Theory of Cryptography Conference , pages 386–406, Jan.2005.[5] C. H. Bennett and G. Brassard. Quantum Cryptography: Public key distribution and coin tossing.
Proceedingsof IEEE International Conference on Computers, Systems and Signal Processing , pages 175–179, Dec. 1984.[6] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. P. Roychowdhury. A proof of the security of quantumkey distribution. In
Proceedings of the 32nd Annual ACM Symposium on Theory of Computing (STOC) , pages715–724, New York, 2000. ACM Press.[7] E. Biham, M. Boyer, P. O. Boykin, T. Mor, and V. P. Roychowdhury. A proof of the security of quantum keydistribution.
J. Cryptology , 19(4):381–439, 2006.
8] E. Biham, M. Boyer, G. Brassard, J. van de Graaf, and T. Mor. Security of Quantum Key Distribution AgainstAll Collective Attacks.
Algorithmica , 34:372–388, Nov. 2002.[9] E. Biham and T. Mor. Security of quantum cryptography against collective attacks.
Physical Review Letters ,78(11):2256–2259, Mar 1997.[10] K. Bostr¨om and T. Felbinger. Deterministic secure direct communication using entanglement.
Physical ReviewLetters , 89(18):187902, Oct 2002.[11] M. Boyer, D. Kenigsberg, and T. Mor. Quantum key distribution with classical Bob. ArXiv Quantum Physicse-prints, 2007. quant-ph/0703107.[12] G. Brassard, N. L¨utkenhaus, T. Mor, and B. C. Sanders. Security Aspects of Practical Quantum Cryptography.In
EUROCRYPT 2000: International Conference on the Theory and Application of Cryptographic Techniques ,LNCS 1807:289–299, 2000[13] G. Brassard, N. L¨utkenhaus, T. Mor, and B. C. Sanders. Limitations on Practical Quantum Cryptography.
Physical Review Letters , 85:1330–1333, Aug. 2000.[14] K. J. Blow, R. Loudon, S. Phoenix and T. J. Shepherd. Continuum fields in quantum optics
Physical Review A ,42(7):4102–4114, Oct. 1990.[15] D. Bruß. Optimal Eavesdropping in Quantum Cryptography with Six States.
Physical Review Letters , 81:3018–3021, Oct. 1998.[16] H. F. Chau. Practical scheme to share a secret key through a quantum channel with a 27.6% bit error rate.
Physical Review A , 66(6):060302, Dec. 2002.
For different (slightly smaller) numbers, see [24]. [17] M. Dusek, N. Lutkenhaus, and M. Hendrych. Quantum Cryptography. ArXiv Quantum Physics e-prints, Jan.2006. quant-ph/0601207.[18] C. Elliott, D. Pearson, and G. Troxel. Quantum cryptography in practice. In
SIGCOMM ’03: Proceedings ofthe 2003 conference on Applications, technologies, architectures, and protocols for computer communications ,pages 227–238, New York, NY, USA, 2003. ACM Press.[19] A. Ekert, B. Huttner, G. Palma and A. Peres. Eavesdropping on quantum-cryptographical systems.
PhysicalReview A , 50(2):1047–1056, Aug. 1994.[20] C. Fuchs, N. Gisin, R. Griffiths, C.S. Niu and A. Peres. Optimal eavesdropping in quantum cryptography. I.Information bound and optimal strategy.
Physical Review A , 56(2):1163–1172, Aug. 1997.[21] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy. Trojan-horse attacks on quantum-key-distributionsystems.
Physical Review A , 73(2):022320–+, Feb. 2006.[22] N. Gisin, B. Kraus, and R. Renner. Lower and upper bounds on the secret key rate for QKD protocols usingone–way classical communication.
Physical Review Letters , 95:080501, 2005.[23] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden. Quantum cryptography.
Reviews of Modern Physics , 74:145–195, Jan. 2002.[24] D. Gottesman, H.-K. Lo, N. L¨utkenhaus, and J. Preskill. Security of quantum key distribution with imperfectdevices.
Quantum Information and Computation , 5:325–360, 2004.[25] W.-Y. Hwang. Quantum key distribution with high loss: Toward global secure communication.
Physical ReviewLetters , 91(5):057901, Aug. 2003.[26] W.-Y. Hwang, I.-T. Lim, and J.-W. Park. No-clicking event in quantum key distribution. ArXiv Quantum Physicse-prints, 2004. quant-ph/0412206.[27] H. Inamori, N. L¨utkenhaus, and D. Mayers. Unconditional security of practical quantum key distribution.
Eu-ropean Physical Journal D , 41:599–627, Mar. 2007.[28] H.-K. Lo and H. F. Chau. Unconditional security of quantum key distribution over arbitrarily long distances.
Science , 283:2050–2056, 1999.[29] H.-K. Lo. Proof Of Unconditional Security of Six-State Quatum Key Distribution Scheme.
Quantum Informationand Computation , 1(2):81–94, Aug. 2001.[30] H.-K. Lo, X. Ma, and K. Chen. Decoy State Quantum Key Distribution.
Physical Review Letters ,94(23):230504–+, Jun. 2005.[31] V. Makarov, A. Anisimov, and J. Skaar. Effects of detector efficiency mismatch on security of quantum cryp-tosystems.
Physical Review A , 74:022313, 2006.[32] C. Marand and P. Townsend Quantum key distribution over distances as long as 30 km
Optics Letters , 20:1695–1697, Aug. 1995.[33] A. Muller, T. Herzog, B. Huttner, W. Tittel, H. Zbinden and N. Gisin. “Plug and play” systems for quantumcryptography.
Applied Physics Letters , 70:793–395, Feb 1997.
34] V. Makarov and D. R. Hjelme. Faked states attack on quantum cryptosystems.
Journal of Modern Optics ,52:691–705, May 2005.[35] D. Mayers. Unconditional security in quantum cryptography.
J. ACM , 48(3):351–406, 2001, based on [46] .[36] A. Niederberger, V. Scarani, and N. Gisin. Photon-number-splitting versus cloning attacks in practical imple-mentations of the Bennett-Brassard 1984 protocol for quantum cryptography.
Physical Review A , 71:042316,2005.[37] M. A. Nielsen and I. L. Chuang.
Quantum Computation and Quantum Information . Cambridge University Press,Cambridge, UK, 2000.[38] A. Peres. How to differentiate between non-orthogonal states.
Physics Letters A , 128:19, Mar 1988.[39] A. Peres.
Quantum Theory: concepts and methods . Kluwer, Dordrecht, 1993.[40] V. Scarani, A. Ac´ın, G. Ridbory and N. Gisin. Quantum Cryptography Robust against Photon Number SplittingAttacks for Weak Laser Pulse Implementations.
Physical Review Letters , 92(5):057901–+, Feb. 2004.[41] M. Scully and M. S. Zubairy.
Quantum Optics . Cambridge University Press, Cambridge, United Kingdom,1997.[42] P. W. Shor and J. Preskill. Simple proof of security of the BB84 quantum key distribution protocol.
PhysicalReview Letters , 85:441–444, 2000, based on [28] .[43] P. D. Townsend. Secure key distribution system based on quantum cryptography.
Electronics Letters , 30:809–811, May. 1994.[44] L. Vaidman, Y. Aharonov, and D. Z. Albert. How to ascertain the values of σ x , σ y , and σ z of a spin-1/2 particle. Physical Review Letters , 58(14):1385–1387, Apr. 1987.[45] X. B. Wang. Beating the Photon-Number-Splitting Attack in Practical Quantum Cryptography.
Physical ReviewLetters , 94:230503, Jun. 2005.[46] A. Yao. Security of quantum protocols against coherent measurements
STOC ’95: Proceedings of the twenty-seventh annual ACM symposium on Theory of computing , pages 67–75, Las Vegas, Navada, United States, 1995.[47] Z. L. Yuan, A. W. Sharpe, and A. J. Shields. Unconditionally secure one-way quantum key distribution usingdecoy pulses.
Applied Physics Letters ppendixA Mathematical Description of the PNS attack The PNS attack can be realized using (an infinite set of) polarization independent beams splitters. Eve usesa beam splitter to split photons from Alice’s state. Using a non-demolition measurement Eve measures thenumber of photons in one output of the beam splitter, and repeat the splitting until she acquires exactly onephoton. Formally U E is defined: | (cid:105) F E | (cid:105) F A (cid:55)→ | (cid:105) F E | (cid:105) F P | (cid:105) F E | (cid:105) F A (cid:55)→ | (cid:105) F E | (cid:105) F P | (cid:105) F E | (cid:105) F A (cid:55)→ | (cid:105) F E | (cid:105) F P | (cid:105) F E | (cid:105) F A (cid:55)→ | (cid:105) F E | (cid:105) F P | (cid:105) F E | (cid:105) F A (cid:55)→ ( | (cid:105) F E | (cid:105) F P + | (cid:105) F E | (cid:105) F A ) / √ .Whenever Alice sends a pulse with two photons of the same polarization, Eve and Bob end up, each, withhaving a single photon of the original polarization. Proposition 1.
Eve’s PNS attack for a pulse of 2 photons, gives Eve full information while inducing noerrors.Proof.
According to its definition it is trivial to verify the attack for the horizontal and vertical polarizations | z (cid:105) (2) and | z (cid:105) (2) (where | P (cid:105) ( k ) means k photons having polarization P ). Using the standard creationand annihilation operators ( a † and a ) , we can write the state of two photons in the diagonal polarization( x basis): | x (cid:105) (2) = (cid:16) √ ( a † + a † ) (cid:17) | (cid:105) F = (cid:0) | (cid:105) F + √ | (cid:105) F + | (cid:105) F (cid:1) , similarly | x (cid:105) (2) = (cid:0) | (cid:105) F −√ | (cid:105) F + | (cid:105) F (cid:1) . | (cid:105) F E | x (cid:105) (2) P ≡ | (cid:105) F E (cid:0) | (cid:105) F + √ | (cid:105) F + | (cid:105) F (cid:1) P U E −→ (cid:0) | (cid:105) F E | (cid:105) F P + | (cid:105) F E | (cid:105) F P + | (cid:105) F E | (cid:105) F P + | (cid:105) F E | (cid:105) F P (cid:1) = 12 (cid:0) ( | (cid:105) F E + | (cid:105) F E ) | (cid:105) F P + ( | (cid:105) F E + | (cid:105) F E ) | (cid:105) F P (cid:1) = 12 ( | (cid:105) F E + | (cid:105) F E )( | (cid:105) F P + | (cid:105) F P ) ≡ | x (cid:105) E | x (cid:105) (1) P | (cid:105) F E | x (cid:105) (2) P ≡ | (cid:105) F E (cid:0) | (cid:105) F − √ | (cid:105) F + | (cid:105) F (cid:1) P U E −→ (cid:0) | (cid:105) F E | (cid:105) F P − | (cid:105) F E | (cid:105) F P − | (cid:105) F E | (cid:105) F P + | (cid:105) F E | (cid:105) F P (cid:1) = 12 (cid:0) ( | (cid:105) F E − | (cid:105) F E ) | (cid:105) F P − ( | (cid:105) F E − | (cid:105) F E ) | (cid:105) F P (cid:1) = 12 ( | (cid:105) F E − | (cid:105) F E )( | (cid:105) F P − | (cid:105) F P ) ≡ | x (cid:105) E | x (cid:105) (1) P Which completes the proof. See any quantum optics book, e.g. [41] .1 Polarization change A Polarization based QKD protocol makes a use of a Pockel cell ( U B x ), rotating the polarization of thephotons going through it. For a single photon, its action is trivial, | (cid:105) F U Bx −→ √ | (cid:105) F + | (cid:105) F ) , and | (cid:105) F U Bx −→ √ | (cid:105) F − | (cid:105) F ) . (11)For a state that contains multiple photons, the transformation is not intuitive, and most simply defined usingthe creation and annihilation operators. In a somewhat simplified way, the Pokcel cell can be considered asperforming a † (cid:55)→ (cid:16) √ ( a † + a † ) (cid:17) and a † (cid:55)→ (cid:16) √ ( a † − a † ) (cid:17) , so that a state is transformed in the followingway | nm (cid:105) F = (cid:16) a † (cid:17) n (cid:16) a † (cid:17) m | (cid:105) F U Bx −→ (cid:18) √ a † + a † ) (cid:19) n (cid:18) √ a † − a † ) (cid:19) m | (cid:105) F . (12) B QSoP of the Interferometeric Scheme: Supplementary Information
B.1 A (brief) graphical description of pulses evolution through interferometer
See Figure 2 for evolution of a single occupied mode through the interferometer, and Figure 3 for evolutionof two superpositioned modes.
B.2 Evolution of modes through the interferometer
In order to simplify the analysis (a simplification that is not allowed when proving the full security ofa scheme) we look at the ideal case in which exactly one photon (or none) is sent by Alice. The ba-sis states are then the vacuum | (cid:105) F B ≡ | V (cid:105) F B , and the six states (that we denote for simplicity by) | (cid:105) F B ≡ | s (cid:105) F B ; | (cid:105) F B ≡ | s (cid:105) F B ; | (cid:105) F B ≡ | s (cid:105) F B ; | (cid:105) F B ≡ | d (cid:105) F B ; | (cid:105) F B ≡ | d (cid:105) F B and | (cid:105) F B ≡ | d (cid:105) F B .The full transformation of a single photon pulse through the interferometer is given by Equation (5).Alice sends photons at time bins t (cid:48) and t (cid:48) only, so the interferometer transformation on Alice’s basis statesis | (cid:105) F A | (cid:105) F ˆ B (cid:55)→ | V (cid:105) F B , and | (cid:105) F A | (cid:105) F ˆ B (cid:55)→ ( | s (cid:105) F B − e iφ | s (cid:105) F B + i | d (cid:105) F B + ie iφ | d (cid:105) F B ) / | (cid:105) F A | (cid:105) ˆ B (cid:55)→ ( | s (cid:105) F B − e iφ | s (cid:105) F B + i | d (cid:105) F B + ie iφ | d (cid:105) F B ) / , (13)where | (cid:105) ˆ B denotes ancilla added during the process . Equation 13 can be used to describe the interfer-ometer effect on a general qubit, shown in Equation (6).The states sent by Alice during the “ xy -BB84” protocol evolve in the interferometer as follows: | x (cid:105) A φ =0 −→ ( | s (cid:105) F B − | s (cid:105) F B + i | d (cid:105) F B + 2 i | d (cid:105) F B + i | d (cid:105) F B ) / √ | x (cid:105) A φ =0 −→ ( | s (cid:105) F B − | s (cid:105) F B + | s (cid:105) F B + i | d (cid:105) F B − i | d (cid:105) B ) / √ | y (cid:105) A φ = π/ −→ ( | s (cid:105) F B + | s (cid:105) F B + i | d (cid:105) F B − | d (cid:105) F B − i | d (cid:105) F B ) / √ | y (cid:105) A φ = π/ −→ ( | s (cid:105) F B − i | s (cid:105) F B − | s (cid:105) F B + i | d (cid:105) F B + i | d (cid:105) F B ) / √ (14) Those ancillas (the space H ˆ B ) are originated by Alice extended space H P and by Bob ( H B (cid:48) ). Performing U − reveals theexact origin of those ancillas. x and y , measuring time-bin t , i.e. the states | d (cid:105) F for | (cid:105) and | s (cid:105) F for | (cid:105) in the measured basis. Other states give Bob no information about the state sentby Alice. B.3 H B − of the “ xyz -six-state” scheme Let Bob be using interferometric setups U B x and measuring 6 modes (corresponding the space with a basisstate | n s n s n s n d n d n d (cid:105) F B ) with one or less photons. Following Definition 8, the states spanning thespace H B − can be derived using Equation (6) (adjusted to the appropriate space): | (cid:105) F B U − Bx −→ | (cid:105) F P B (cid:48) | (cid:105) F B U − Bx −→
12 ( −| (cid:105) F P B (cid:48) + | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) ) | (cid:105) F B U − Bx −→
12 ( − i | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) + | (cid:105) F P B (cid:48) − | (cid:105) F P B (cid:48) ) | (cid:105) F B U − Bz −→ | (cid:105) F P B (cid:48) | (cid:105) F B U − Bz −→
12 ( −| (cid:105) F P B (cid:48) + | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) ) | (cid:105) F B U − Bz −→
12 ( − i | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) + | (cid:105) F P B (cid:48) − | (cid:105) F P B (cid:48) ) | (cid:105) F B U − By −→ | (cid:105) F P B (cid:48) | (cid:105) F B U − By −→
12 ( i | (cid:105) F P B (cid:48) + | (cid:105) F P B (cid:48) − | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) ) | (cid:105) F B U − By −→
12 ( −| (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) − | (cid:105) F P B (cid:48) ) (15)defined over the space H P ⊗ H B (cid:48) with basis state | a t (cid:48)− a t (cid:48) a t (cid:48) a t (cid:48) b t (cid:48)− b t (cid:48) b t (cid:48) b t (cid:48) (cid:105) F P B (cid:48) . Note that performing U − requires an additional ancilla, since the modes number increases from six to eight. B.4 QSoP of the “ xy -BB84” scheme Assume Bob measures only time-bin t in both output arms of the interferometer, i.e. the measured space is H B subspace spanned by | , n s , , , n d , (cid:105) F B . Assuming a single-photon restriction, the reversed space,21f that measured space that is spanned by: | (cid:105) F B U − Bx −→ | (cid:105) F P B (cid:48) | (cid:105) F B U − Bx −→
12 ( −| (cid:105) F P B (cid:48) + | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) ) | (cid:105) F B U − Bx −→
12 ( − i | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) + | (cid:105) F P B (cid:48) − | (cid:105) F P B (cid:48) ) | (cid:105) F B U − By −→ | (cid:105) F P B (cid:48) | (cid:105) F B U − By −→
12 ( i | (cid:105) P B (cid:48) + | (cid:105) F P B (cid:48) − | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) ) | (cid:105) F B U − By −→
12 ( −| (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) − i | (cid:105) F P B (cid:48) − | (cid:105) F P B (cid:48) ) (16)as can be verified using Equation (6). The space H B − is embedded in a 4-mode space H P ⊗ H B (cid:48) , havingthe basis element | a t (cid:48) a t (cid:48) b t (cid:48) b t (cid:48) (cid:105) F P B (cid:48) , i.e. Alice modes at times t (cid:48) and t (cid:48) and Bob’s added ancillary modes attimes t (cid:48) and t (cid:48) respectively. The resulting six states (16) span a 4-dimensional space, i.e. H B − = H . TheQSoP in this special case is H P = H , spanned by | a t (cid:48) a t (cid:48) (cid:105) F with one or less photons.22 ' t' (a) s-Armd-Arm t t t t t t Bob's Lab(b)( c ) ( d )( e ) P Figure 1: Bob’s laboratory setup for the x and y basis. (a) Alice sends a qubit; (b) Vacuum states are addedin the interferometer; (c), (d) beam-splitters; (e) phase shifter P φ .23
1) s-Armd-Arm(2) (a) Time T : the pulse (1) is about to enter the interferom-eter. A vacuum ancilla (2) is added in the input of the firstbeam splitter. (4) s-Armd-Arm(3)(3') (b) Time T : Pulses (1) and (2) interfere and become a su-perposition of (3) and (3’) in the short and long arms ofthe interferometer, respectively, | (cid:105) | (cid:105) BS −→ ( | (cid:105) | (cid:105) (cid:48) + i | (cid:105) | (cid:105) (cid:48) ) / √ . Pulse (3) is about to enter the second beamsplitter so a vacuum ancilla is added (4). (3') s-Armd-Arm (5) (5')( 6 ) (c) Time T : pulses (5) and (5’) are created by pulses (3)and (4), √ | (cid:105) | (cid:105) BS −→ ( i | (cid:105) | (cid:105) (cid:48) + | (cid:105) | (cid:105) (cid:48) ) / . Pulse(3’) is about to enter the second beam-splitter so a vacuumancilla is added (6). ( 7 ) s-Armd-Arm ( 7 ')( 5 ) ( 5 ') (d) Time T : Pulses (7) and (7’) are created by interfering(3’) and (6). i √ | (cid:105) (cid:48) | (cid:105) BS −→ ( i | (cid:105) | (cid:105) (cid:48) − | (cid:105) | (cid:105) (cid:48) ) / . Figure 2: Evolution in time of a single photon pulse through an interferometer satisfying | (cid:105) , , , Interferometer −→ ( | (cid:105) (cid:48) , (cid:48) , , − | (cid:105) (cid:48) , (cid:48) , , + i | (cid:105) (cid:48) , (cid:48) , , + i | (cid:105) (cid:48) , (cid:48) , , ) / . The num-bers represent the appropriate mode number of each pulse. The input state ( | (cid:105) t | (cid:105) ) consists of modes(1) for the pulse at t and (2), (4) and (6) for the vacuum ancillas. The output modes that correspond to thestate | n s , n s , n d , n d (cid:105) are modes (5’), (7’), (5) and (7) respectively.24
1) s-Armd-Arm(2) (1')(2') (a) Time T : The general single-photon qubit ( α | (cid:105) + β | (cid:105) )is sent to Bob is in two modes (1) and (2). Bob adds twovacuum ancillas (1’) and (2’) that interfere with the photonin the first beam splitter (BS-1). (2) s-Armd-Arm( 3 )(2') ( 3 ') (4) (b) Time T : Modes (1) and (1’) interfere and create (3) and(3’) in the short and long arm respectively, α | (cid:105) | (cid:105) (cid:48) BS −→ α √ ( | (cid:105) | (cid:105) (cid:48) + i | (cid:105) | (cid:105) (cid:48) ) . Pulse (3) is about to enter BS-2so a vacuum ancilla is added (4). ( 6 ) s-Armd-Arm ( 3' ) ( 5 ) ( 5 ')( 6 ') (c) Time T : Pulses (5) and (5’) are created by the in-terference of (3) and (4) α √ | (cid:105) | (cid:105) BS −→ iα | (cid:105) | (cid:105) (cid:48) + α | (cid:105) | (cid:105) (cid:48) . Pulses (6) and (6’) created by the interferenceof (2) and (2’) in BS-1 β | (cid:105) | (cid:105) (cid:48) BS −→ β √ ( | (cid:105) | (cid:105) (cid:48) + i | (cid:105) | (cid:105) (cid:48) ) . . ( 7 ) s-Armd-Arm ( 7 ')( 5 ) ( 5 ')( 6 ')( 8 ) (d) Time T : Pulses (7) and (7’) are created by the interfer-ence of (3’) and (6) in BS-2 iα √ | (cid:105) (cid:48) | (cid:105) + β √ | (cid:105) (cid:48) | (cid:105) BS −→ i ( α + β )2 | (cid:105) | (cid:105) (cid:48) + β − α | (cid:105) | (cid:105) (cid:48) . Pulse (6’) is about to en-ter BS-2 so a vacuum ancilla is added (8). ( 7 ) s-Armd-Arm ( 7 ')( 5 ) ( 5 ')( 9 ') ( 9 ) (e) Time T : Pulses (9) and (9’) are created by the interfer-ence of (6’) and (8) in BS-2 iβ √ | (cid:105) (cid:48) | (cid:105) BS −→ iβ | (cid:105) | (cid:105) (cid:48) − β | (cid:105) | (cid:105) (cid:48) . Figure 3: Evolution in time of two modes through an interferometer satisfying ( α | (cid:105) | (cid:105) + β | (cid:105) | (cid:105) ) | (cid:105) (cid:48) , (cid:48) , , Interferometer −→ ( α | (cid:105) + β − α | (cid:105) − β | (cid:105) + iα | (cid:105) + i ( α + β )2 | (cid:105) + iβ | (cid:105) ) (cid:48) , (cid:48) , (cid:48) , , , . The numbers represent the appropriate mode number of eachpulse. The corresponding state is | n s n s n s n d n d n d (cid:105)(cid:105)