Photon-number-splitting versus cloning attacks in practical implementations of the Bennett-Brassard 1984 protocol for quantum cryptography

In practical quantum cryptography, the source sometimes produces multiphoton pulses, thus enabling the eavesdropper Eve to perform the powerful photon-number-splitting (PNS) attack. Recently, it was shown by Curty and Lütkenhaus [Phys. Rev. A 69, 042321 (2004)] that the PNS attack is not always the optimal attack when two photons are present: if errors are present in the correlations Alice-Bob and if Eve cannot modify Bob’s detection efficiency, Eve gains a larger amount of information using another attack based on a $2\to 3$ cloning machine. In this work, we extend this analysis to all distances Alice-Bob. We identify a new incoherent $2\to 3$ cloning attack which performs better than those described before. Using it, we confirm that, in the presence of errors, Eve’s better strategy uses $2\to 3$ cloning attacks instead of the PNS. However, this improvement is very small for the implementations of the Bennett-Brassard 1984 (BB84) protocol. Thus, the existence of these new attacks is conceptually interesting but basically does not change the value of the security parameters of BB84. The main results are valid both for Poissonian and sub-Poissonian sources.

Figure 1

Illustrating the conjecture on Eve’s $2\to 3$ cloning strategies: the asymmetric $2\to 3$ cloning machine $A(2,3)$ is actually used at a working point where Eve keeps a perfect copy and forwards two identically perturbed photons to Bob, produced with the symmetric $1\to 2$ cloning machine $S(1,2)$.

Figure 2

Secret key rate per pulse $S$ as a function of the distance, for $\alpha =0.25\mathrm{dB}∕\mathrm{km}$, $\eta =0.1$, and $p_d={10}^{-5}$, and for $V=1,0.95,0.9,0.85,0.8$. The best attack (full line) uses strategy C for $2\to 3$ cloning; the value of the optimal $\mu$ is fixed by this strategy. For comparison, we plot the results that one would obtain using strategy A for $2\to 3$ cloning (dashed lines) and without using any $2\to 3$ cloning (dashed-dotted lines), computed for the same $\mu$.

Figure 3

Probabilities that define Eve’s optimal attack as a function of the visibility, for $d=30\mathrm{km}$, for the optimal $\mu$. In the lower half one reads the probabilities for the attacks on $n=1$; in the upper half, for $n=2$. The white symbols represent $D_1$ (lower half) and $D_2$ (upper half). Note that high visibility (small optical errors) are on the left. See text for detailed comment.

Figure 4

The four terms that sum up to Eve’s information (12) as a function of the visibility, for $d=30\mathrm{km}$ and for the optimal $\mu$. Eve’s information is divided by the value of $I(A:B)$ at any $V$. See text for detailed comments.

Figure 5

Optimal $\mu$ and secret key rate per pulse $S$ (log scale) for Poissonian sources as a function of the distance, for $\alpha =0.25$, $\eta =0.1$, and $p_d={10}^{-5}$, and for $V=1,0.9,0.8$. Comparison of the exact results (dashed lines, coming from Fig. 2) with two approximations. (I) Full lines: numerical optimization over $\mu$ alone as discussed in paragraph VB. (II) Dotted lines: explicit formulas (29, 30), that cannot be used for $V=0.8$. For $V=1$, the vertical asymptote is the limiting distance defined by Eq. (33).