Studies of a few specific attacks on the COW protocol

2.2.1 Collective Beam-Splitting Attack

The Beam-Splitting Attack (BSA) translates the fact that all the light that is lost in the channel between Alice and Bob, characterized by its transmission coefficient t, must be given to the eavesdropper, Eve. The attack consists in Eve simulating the losses 1−t by putting a beam-splitter just outside Alice’s laboratory, and then

forwarding the remaining photons to Bob through a lossless line. Since it simulates exactly Bob’s expected optical mode, the BSA introduces no errors (i.e.,Q= 0 and V = 1) and is therefore impossible to detect.

The information that Eve can extract from her data depends on the way she processes them. For each bit she wants to estimate, she has to distinguish the two states |0, αEi and |αE,0i, where αE =√

1−t α. The case where Eve performs the same measurement as Bob was considered in [46, 47]; in [C,D], we allowed Eve to keep her systems in a quantum memory, and to extract the largest possible information out of them on the final key, after Alice and Bob have run the classical one-way post-processing. This corresponds to acollective attack, for which case Devetak and Winter have shown [50] that Eve’s information is upper bounded by the Holevo quantity

χAE =S(ρE)− 1

2S(ρE|A=0α)− 1

2S(ρE|A=α0) (2.1) where S is the von Neumann entropy, ρE|A=0α = |0, αEih0, αE| is Eve’s state con-ditioned on what Alice sent (similarly for ρE|A=α0), and ρE = ¹₂ρE|A=0α+¹₂ρE|A=α0. Denoting by h the binary entropy function, we find

χAE =h³1− |h0, αE|αE,0i|

2

´=h³1−e^−µ(1−t) 2

´ . (2.2)

The Devetak-Winter bound then reads, for the secret key rate r:

r=rsif t(IAB −χAE) =rsif t

h

1−h³1−e^−µ(1−t) 2

´i

, (2.3)

where rsif t is the sifting rate, i.e. the probability that Alice and Bob accept a bit:

here, including the detection efficiency η of Bob’s detector DB, the sifting rate per pair of pulses isrsif t = (1−f)µttBη. As there are no errors, Alice and Bob’s mutual information for each sifted bit is IAB = 1.

The key rate (2.3), as a function of the distance between Alice and Bob and after optimizing the mean number of photon µ, will be shown in Figures 2.2 and 2.3 in comparison with the following two classes of attacks.

2.2.2 Zero-error attacks based on Unambiguous State Dis-crimination

Another class of zero-error attacks (Q = 0, V = 1) was introduced and analyzed in [C]. These attacks exploit the fact that in the COW protocol, the coherence is checked only between successive pulses; in particular, no coherence is checked between all that comes before and all that comes after an empty pulse. Therefore, if Eve can be sure that a given pulse was empty, she can make an attack that breaks the coherence at the location of that pulse. More generally, Eve can try to distinguish a sequence of n pulses that begins and ends with an empty pulse: if she succeeds, she can send photons in this n-slot partial mode. These attacks are thus based on the unambiguous state discrimination (USD) of that n-slot sequence.

0 20 40 60 80 100 120 140 160 10⁻¹

10⁰

Distance (km)

µ

µ_opt for the collective BS attack µ_opt for our USD attack

0 20 40 60 80 100 120 140 160

10⁻⁷ 10⁻⁶ 10⁻⁵ 10⁻⁴ 10⁻³ 10⁻² 10⁻¹ 10⁰

Distance (km)

Secret key rate

r(µ_opt) for the collective BS attack r(µ_opt) for our USD attack

Figure 2.2: Optimal mean photon number µ (left-hand side) and corresponding secret-key rate r per pair of pulses (right-hand side) for the collective BSA and for the combination of 3-pulse and 4-pulse USD attacks, as a function of the distance between Alice and Bob. Parameters: η = 0.1; 0.25 dB km⁻¹ of losses; f = 0.1;

tB ≃1.

More specifically, we studied such USD attacks on three pulses, in which sequences

|0α0i are discriminated, and on four pulses pulses, which discriminate sequences

|0αα0i. We could show that if the fraction of decoy sequences used in the protocol is small enough (f .0.236), Eve could reproduce the detection rates of all individual detectors of Bob by combining these USD attacks. We refer to [C] for all the calculations. The optimal mean number of photon µ and the secret key rate r obtained when considering this attack are shown on Figure 2.2. One can see that this attack outperforms the BSA for distancesd&100 km, giving an optimalµand a secret key rate that scale, respectively, as √

t and t^3/2.

However, many limitations can be found to these USD attacks. Indeed, they are not entirely undetectable: even though all detection rates are reproduced, one could check other statistical parameters (such as the probabilities of detecting certain specific sequences), which would behave in an unexpected way. Also, Alice and Bob could simply choose f >0.236, and the attack that we studied would become impossible.

Be that as it may, it is important to be aware of these possible attacks, all the more so as there is no claim of optimality in the specific combination of USD attacks that we considered. Our results show that it is important that Alice and Bob include several tests of their statistics in the COW protocol.

2.2.3 Non-zero-error attacks on single or pairs of pulses

Let us now present another class of collective attacks that somehow generalizes the BSA by introducing errors (Q≥0, V ≤1). The idea is that Eve attaches ancillary quantum systems to each pulse or to each pair of pulses, and applies transformations

of the form (for the case of a two-pulse attack):

|αk−1, αkiA⊗ |EiE → |Ψ(αk−1, αk)iB,E (2.4) where αk−1, αk ∈ {0, α}. Errors will be due to the fact that Eve gets entangled to the system that goes to Bob, in order to gain more information. These attacks have been studied in [D], in the long distance regime (for µt ≪ 1): this allowed us to neglect multi-photon components on Bob’s side, and to parameterize Eve’s attack in finite dimensional Hilbert spaces. The problem was then to optimize Eve’s choice of states |Ψ(αk−1, αk)iB,E under the constraint that (2.4) has to be a unitary transformation, and so as to maximize her information for a given amount of errors that she introduces.

In the original version of the COW protocol, the pairing of the pulses that defines the logical bits is decideda priori by Alice, and is known to Eve. When performing the above attack on two successive pulses, Eve can therefore choose whether she wants to attack two pulses that together define one bit, or that are across a bit separation. This observation lead us to also consider modified versions of the COW protocol, in which the pairing of the pulses is not known a priori by Bob, nor Eve:

in the COWm1 version, Alice still pairs consecutive pulses, while in the COWm2 version, she is allowed to pair any two pulses. In this last case, as Eve has no reason to attack successive pulses together, we considered one-pulse attacks.

The resulting secret key rates per pulse¹ are illustrated on Figure 2.3, for the case V = 0.98, Q= 0. Again, we refer to [D] for details on the calculations. As expected, the COWm1 and COWm2 versions perform slightly better² than the original COW protocol. It is also interesting to note that the secret key rates that we get still behave linearly witht, as it was the case for the BSA. This makes the protocol quite efficient, and very suitable for long-distance QKD [48, 49].

Note finally that we also studied in [D] the same attacks on the Differential-Phase-Shift (DPS) [52, 53] protocol, which is another distributed-phase-reference protocol that shares very similar features with the COW protocol. We found indeed a very similar behavior against the attacks under study, with a secret key rate that also scales linearly with t.