Explicit attacks on passive side channels of the light source in the BB84 decoy state protocol

Various imperfections of the hardware in quantum key distribution (QKD) lead to discrepancies between the theory and real-world devices. An eavesdropper can use these discrepancies to compromise the QKD security, thus legitimate sides need to estimate the influence of imperfections to prevent the loss of security. Here we investigate explicit eavesdropping attacks on passive side channels of the light source for a BB84 decoy states QKD protocol. We consider an optimal phase-covariant cloning attack, followed by unambiguous state discrimination and a joint measurement. Our calculations provide a hint that for state-of-the-art light sources the inherent presence of passive side channels still allows the protocol to be secure, albeit with the reduced secret key rates.


Introduction
Quantum cryptography promises an unconditionally secure distribution of a secret key between two parties due to the no-cloning theorem. However, experimental QKD realizations lead to various loopholes and side channels, and, consequently, to additional information leakage to an eavesdropper. This leakage does not increase errors on receiving side, so an intervention into the QKD remains unnoticed by legitimate parties. As a result, an eavesdropper has more information about distributed bits than the protocol allows him, and the resulting key is no longer secure. An example of such a side channel is a light source that generates signal photons with slightly varying spatial, spectral, and temporal modes. These physical differences allow the adversary to distinguish photons more effectively than just attacking a quantum state of the signal photon. Possible ways of proper side channels account were an object of many investigations in recent years [1][2][3][4].
We investigate explicit eavesdropping attacks on passive side channels of the light source. The optimal phase-covariant cloning attack on the BB84 QKD protocol with decoy states is considered along with explicit attacks on the passive side channel of the light source -the unambiguous state discrimination and the collective measurement attacks. We compare our results with side-channel-free theoretical secret key rates of this protocol. We use a Hong-Ou-Mandel visibility as an experimentally accessible value to apply our estimates to characterization of state-of-the-art light sources. Our calculations provide a hint that for state-of-the-art light sources the inherent presence of passive side channels still allows the protocol to be secure, but with reduced secret key rates.

Optimal phase-covariant cloning attack
The optimal phase-covariant cloning attack is a unitary operator of a special form, which brings a signal state and an ancillary state to a specific entangled state. This entangled state has partial states with high fidelity for the initial state of the incoming photon. The optimal phasecovariant cloner implements an individual unitary attack on the BB84 protocol [5]. For signal states of the BB84 from the XY plane of the Bloch sphere, the action of the cloning unitary is where indices B and E correspond to state spaces of Bob and Eve, φ is a rotation angle around the Z-axis and η is a cloning parameter. The final state doesn't depend on the phase parameter, which is a property of phase covariance. The cloning unitary distributes information about the state, sent by Alice, between Bob and Eve states.

Explicit attacks on the side channel
We added an additional degree of freedom to states of two bases of the BB84 protocol: where augmented states ρ ∆ basis,bit have fixed scalar products among each other. With use of this approach, we modeled two types of attack on the passive side channel.

Unambiguous state discrimination (USD) of side channels states
Eve applies an unambiguous state discrimination measurement to side-channel degree of freedom. This measurement either gives her a certain quantum state of quantum system or returns a maximally mixed state and gives no information about the side channel state [6]. The POVM for this kind of measurement can be constructed for an ensemble of non-orthogonal and linearly independent states |φ i , i = 1, 2, 3, 4 in the following way: where M k are POVM operators and p i are probabilities of measuring one of ensemble states. There is a POVM for inconsistent result, when no information about measured state is revealed: If the USD measurement of the side channel state is successful, Eve obtains a secret bit without interacting with the signal state. If measurement gives an inconsistent result, she proceeds with the optimal phase-covariant cloning of the signal photon state. Her information with Alice reads where I ind AE is a mutual information between Alice and Eve after the phase-covariant cloning.

Joint measurement of side channel states and signal states
Eve makes a joint measurement of signal and side channel states after the phase-covariant cloning. In particular, after attack on carrier photons and basis exchange between Alice and Bob, Eve has one of two possible states in her quantum memory: Eve optimally discriminates between these states with a minimum error measurement. A probability to successfully discriminate the two states ρ 1 and ρ 2 is

Decoy state BB84 protocol
In practice, signal photons are generated by lasers with an unlocked initial phase, which leads to the randomization of the initial phases of signal photons. Furthermore, laser sources also generate many-photon states along with single-photon states. The resulting carrier quantum state has the following form where µ is the mean photon number of the coherent state and x is the encoded secret bit. To decrease the influence of many-photon states on the communication the mean photon number is usually taken low (less than one photon per pulse), and the resulting state is called a phaserandomized weak coherent pulse (PRWCP). Even though many-photon parts are attenuated, they continue to be a vulnerability in the BB84 protocol. These parts contain photons of the same single-photon states and thus open Eve a possibility to hold one photon with the same quantum state as photons sent towards Bob. In the end, Eve has a clone of the Bob state without introducing disturbance, and the security of the protocol is compromised.
This vulnerability can be closed with a so-called decoy-state method [7,8,9]. This method is based on an assumption, that Eve applies the same attack action to signals with different intensities. This assumption allows Alice and Bob to use photon signals with different intensities to estimate the single-photon component weight, which composes the secret fraction of the distributed bits. They can further proceed with security amplification, taking into account only the secret fraction of their bits.
In particular, receiving k-photon states, where k has values from 0 to infinity, the full probability of having a detection count on Bob side for a pulse with intensity is where Y k is a k-photon yield: where A is a value of Alice's random bit, and B is a value of Bob's bit, obtained from measurement. The probability of bit error on the Bob side is where k = 0 corresponds to dark counts of photodetectors. Using these quantities allows Bob to calculate a vacuum yield Y 0 , a single-photon yield Y 1 , and a single-photon error rate e 1 . These quantities are further used to estimate the secret fraction of distributed bits. The secret key rate then is calculated with the formula (see [10] for details): where f is a post-processing efficiency factor and e 1 is a bit error in single-photon component outcomes.

Hong-Ou-Mandel interference
When two photons are incident on the two sides of a balanced beam splitter, their exit this beam splitter depending on their quantum states. If the two photons are completely indistinguishable, their exit the beam splitter only pairwise. This phenomenon is called the Hong-Ou-Mandel (HOM) effect. Breaking the indistinguishability of photon states leads to exiting the beam splitter from different sides, and thus to coincidences on the detectors which are measuring beam splitter exits. Experimentally, this effect is usually characterized by the visibility of the interference (the HOM visibility). For PRWCP this visibility can be calculated in the following way (see [1] for details) where ρ 1 and ρ 2 are states of the incoming photons.

Results and conclusion
We calculated secret key rates for the BB84 protocol with two decoy states for the optimal phase-covariant cloning attack and two strategies of attacking the side-channel of the light source, described above. In our calculations we used typical parameters of the QKD setup: error correction coefficient f = 1.22, fiber attenuation α = 0.2 dB/km, Bob detector efficiency η Bob = 0.01, background yield Y 0 = 10 5 , background error rate e 0 is 0.5 and the mean photon number in a pulse µ = 0.5. A critical length of the transmission line is provided with a formula where e 1 is a single-photon component error rate and e det is a detector error rate. We can see from Figure 1, that using different strategies of attacking the side channel degree of freedom does not lead to a significant decrease in the secret key generation rate. The state-ofthe-art light sources have corresponding HOM visibilities in the range between 0.4 and 0.5, which we associate with a passive side channel. Thus, the presence of a physical mismatch between signal photon properties of the contemporary light sources does not completely compromise the security of the BB84 protocol with decoy states, provided that Eve uses the above-described attack strategies.
We conclude, that lower and upper bounds on the key rate leave a significant gap between the two. While the lower bound is very pessimistic in terms of the tolerable visibility values [1], the upper bounds given for the previously analyzed intercept-resend attack [11], and for presented here USD and joint measurement attacks allow visibility values to be much lower.
As a counter-measure against these attacks, we expect that protocols with complex alphabets [12][13][14][15][16] might be more resistant to side-channels due to the complexity of multiple state discrimination. Another possible solution is to use coherent states without phase randomization [17][18][19][20], which allows for higher information gain and a more accurate second-order visibility measurement.  Figure 1. Secret key rate R as a function of fiber-optic communication distance L for different values of Hong-Ou-Mandel interference visibility V , under the individual unitary attack on the BB84 decoy-state protocol for two attack strategies on the side channel degree of freedom (USD attack and joint measurement attack). We assume the standard single-mode optical fiber loss of 0.2 dB/km.