Quantum Key Distribution in the Presence of the Intercept-Resend with Faked States Attack

Abstract

Despite the unconditionally secure theory of the Quantum Key Distribution ($QKD$), several attacks have been successfully implemented against commercial $QKD$ systems. Those systems have exhibited some flaws, as the secret key rate of corresponding protocols remains unaltered, while the eavesdropper obtains the entire secret key. We propose the negative acknowledgment state quantum key distribution protocol as a novel protocol capable of detecting the eavesdropping activity of the Intercept Resend with Faked Sates ($IRFS$) attack without requiring additional optical components different from the $BB84$ protocol because the system can be implemented as a high software module. In this approach, the transmitter interleaves pairs of quantum states, referred to here as parallel and orthogonal states, while the receiver uses active basis selection.

1. Introduction

Quantum Key Distribution ($QKD$) represents a new cryptographic method to distribute a key between two remote users, usually called Alice and Bob [1]. $QKD$ systems require legitimate users to authenticate each other through a public channel. The purpose of a $QKD$ system is to generate secret bits that can be used to encrypt plaintext messages according to a simple xor function between the message and the secret key.

If an eavesdropper, commonly called Eve, tries to intercept the quantum channel to get the key, she will be detected. In such a case, Alice and Bob will discard the process before a key could be established. However, if they do not detect any eavesdropping activity, the quantum measurements can be used to derive the secret key [2]. After the transmission, Alice and Bob can compare a fraction of the exchanged key to see if there are any transmission errors caused by eavesdropping. $QKD$ systems have been carried out experimentally through dedicated optical fibers, across free space, weak laser pulses or single photons, entangled photon pairs or continuous variables [3].

Ideally, the security of $QKD$ protocols is supported by the properties of quantum mechanics, which make eavesdropping in the middle of the quantum channel detectable [1,4]. However, serious concerns arise at the technological level. Unfortunately, most of the promising $QKD$ systems are vulnerable to quantum hacking due to loopholes in the optical detection system [5,6,7,8,9,10,11,12,13,14,15]. Under this scenario, new $QKD$ methods must be developed to resist attacks related to such vulnerabilities as the Photon Number Splitting ($PNS$) and the Intercept and Resend with Faked States ($IRFS$) attacks [16,17].

In [18], we introduced a novel $QKD$ protocol that uses weak coherent states and active basis measurement, capable of detecting the $PNS$ eavesdropping activity. The strengths of the $ack$ $state$ (in [18] referred to as $ack$ $QKD$) against $PNS$ attack were discussed in [19]. In this paper, we extend the $ack$ $state$ protocol to the dual protocol $nack$ $state$ protocol to analyze its security against $IRFS$ attack. One of the main advantages of the proposed protocol is that it protects against $IRFS$ attack without requiring any changes in the hardware; only software changes are required. We do not discuss other attacks nor pretend to perform a general formal demonstration of its security.

2. Quantum Hacking in QKD Systems

A variety of attacks have been conceived of as exploiting the security of $BB84$-based systems, either theoretically or technologically. The Photon Number Splitting ($PNS$) attack can be included in the first category. In the second class, commonly referred to as quantum hacking, the Intercept Resend with Faked States ($IRFS$) attack can be mentioned, which exploits loopholes in the Avalanche Photo Diodes ($APD$s) of the electronic detection system. In the following section, we will describe the Intercept Resend ($IR$) attack and the Intercept-Resend with Faked States ($IRFS$).

(a) Intercept Resend ($IR$) attack

In the intercept resend attack, the eavesdropper measures each photon pulse sent by Alice, which she replaces with another pulse prepared in the quantum state that she has already measured. Eve is successful 50% of the time in measuring the pulse in the correct measurement basis, while Bob chooses half of the times the same basis as her; thus over time, she generates a Quantum Bit Error Rate ($QBER$) of $50\%\times 50\%=25\%$ (see Figure 1 and [4]).

(b) Intercept Resend with Faked States ($IRFS$) attack

In the Intercept Resend with Faked States ($IRFS$) attack, the eavesdropper is not interested in reconstructing the original states, but in producing instead pulses of that light that can be detected by Bob in a way that is controlled by her while she passes unnoticed in the quantum channel. The eavesdropper exploits imperfections of their optical system, so that Alice and Bob can assume that they are detecting the original quantum states while they are in fact detecting light pulses generated by Eve. These light pulses are called faked states [7]. To mount an $IRFS$ attack, Eve can exploit some weaknesses of Bob’s detector, such as time shift [8,9,10] or quantum blinding [7,8,9].

The quantum blinding attack is an $IRFS$ attack where the $QKD$ system is controlled by an eavesdropper using bright photon pulses during the linear mode operation of the $APD$s. In such attacks, Eve can eavesdrop on the full secret key without increasing the $QBER$ of the protocol. In order to achieve this, the eavesdropper sends bright pulses to Bob’s station that will be detected by the $APD$, which would operate like a classical photo diode, instead of operating in Geiger mode. Eve now can use the $IRFS$ attack to obtain the key [11,12].

As a result, as depicted in Figure 2a, if Bob chooses the same measurement basis as Eve, he gets a detection event in the corresponding $APD$ detector. Otherwise, if Bob measures with the opposite basis as shown in Figure 2b, the optical power is distributed over the two detectors, and no event is detected. Thus, Eve blinds Bob’s $APD$s detectors to make them operate as classical photo diodes. At the final stage of the protocol, Eve exploits the announcements revealed by Bob over the public channel to perform the classical post-processing, getting the same secret bits as Alice and Bob.

A simple countermeasure that can be applied in the electronic detection system is a watchdog detector that detects bright faked states [13]. The intercept-resend with faked states attack and quantum blinding were first implemented over a commercial $QKD$ system at the University of Singapore [12].

To conclude this section, we emphasize that the $IRFS$ attack works successfully on widely-used $QKD$ protocols, namely $BB84$, $SARG04$, Differential Phase Shift ($DPSK$), Coherent One Way ($COW$), Ekert [9] and the $decoy$ $state$ method, as pointed out in [13,20]. The attack exhibits an extra 3 dB loss because of the basis mismatch between Eve and Bob. This is easily compensated in practice by Eve, since she may use better detector efficiencies and surpass loss in the channel. Blinding attacks over detectors have been demonstrated in two commercially available $QKD$ systems [11]. It has been reported that Eve obtains the entire secret key while she remains undetected by the legitimate parties [12]. Finally, we remark that control detector attacks with active basis selection cause the gain from Eve to Bob be reduced by a half compared to the gain from Alice to Bob (see Figure 2 and

Table A1. The gain of the single (non-empty) and empty pulses, $Q_{(+)}$ and $Q_{(-)}$, respectively, where μ is the expected photon number of the source and $Y_0$ is the background noise. Here, ${\eta }_{BT}$ and ${\eta }_{ET}$ are the overall efficiency of Bob and Eve, respectively. In the $IRFS$ attack, Eve remains undetected provided she meets the condition ${\eta }_{ET}\ge \frac{\ln (2e^{-\mu {\eta }_{BT}}-Y_0-1)}{-\mu }$. At the bottom, we show the gain of the double $(+,+)$ detection events, which is written as $Q_{(+,+)}$, and the gain of single $(\pm ,\mp )$ detection events is represented as $Q_{(\pm ,\mp )}$. In the $IRFS$ attack, half of Eve’s biqubits can be effectively forwarded to Bob’s detectors. The “·” symbol denotes multiplication inside the $Q_{(\pm ,\mp )}$ relation. The factor of 1/2 is a result of Bob using an active basis choice, forcing Eve to blind his detector when his basis differs from her own (half the time), and since each pair of pulses is detected in the same basis, Eve will always blind Bob for both pulses or neither pulses, resulting in the same factor 1/2 for both single and double detection events.

$\mathit{Gain}$	$\mathit{Alice}$	$\mathit{Alice}-\mathit{Bob}$	$\mathit{Eve}-\mathit{Bob}$
$Q_{(-)}$	$e^{-\mu }$	$e^{-\mu {\eta }_{BT}}-Y_0$	-
$Q_{(+)}$	$1-e^{-\mu }$	$Y_0+1-e^{-\mu {\eta }_{BT}}$	$\frac{1}{2}(Y_0+1-e^{-\mu {\eta }_{ET}})$
$Q_{(-,-)}$	$e^{-2\mu }$	${(e^{-\mu {\eta }_{BT}}-Y_0)}^2$	-
$Q_{(\pm ,\mp )}$	$2e^{-\mu }·$	$2(e^{-\mu {\eta }_{BT}}-Y_0)·$	$(e^{-\mu {\eta }_{ET}}-Y_0)·$
	$(1-e^{-\mu })$	$(Y_0+1-e^{-\mu {\eta }_{BT}})$	$(Y_0+1-e^{-\mu {\eta }_{ET}})$
$Q_{(+,+)}$	${(1-e^{-\mu })}^2$	${(Y_0+1-e^{-\mu {\eta }_{BT}})}^2$	$\frac{1}{2}{(Y_0+1-e^{-\mu {\eta }_{ET}})}^2$

of Appendix A), according to the following rules [13]:

(i) 

For Bob’s basis choice matching Eve’s, the detector clicks deterministically;

(ii) 

For Bob’s basis choice not matching Eve’s, the faked state is not detected.

3. The Nack State Protocol

The $nack$ $state$ protocol is the dual version of the $ack$ $state$ protocol discussed in [19]. Both of them constitute a generalization of the well-known $BB84$. The $nack$ $state$ protocol uses pairs of parallel and orthogonal states instead of only single non-orthogonal state used in the $BB84$. This simple difference makes the $nack$ $state$ resilient to the $IRFS$ attack, as we will show later on. We chose the $nack$ prefix to denote that provided Alice sends two quantum states to Bob, the second measurement acts as the negative acknowledgment ($nack$) of the previous one, because it yields the opposite bit result. In the rest of this section, we describe the $nack$ $state$ protocol, and in Section 4, we discuss how the $nack$ $state$ protocol is capable of detecting the $IRFS$ attack.

We refer to the pair of quantum states as a biqubit. To be more specific, the following biqubits are defined in the $nack$ $state$ protocol: four parallel biqubits $(|0_X\rangle ,|0_X\rangle ),(|0_Z\rangle ,|0_Z\rangle ),(|1_X\rangle ,|1_X\rangle ),(|1_Z\rangle ,|1_Z\rangle )$ and two orthogonal biqubits $(|0_X\rangle ,|1_X\rangle ),(|0_Z\rangle ,|1_Z\rangle )$. The parallel and orthogonal biqubits are randomly interleaved by Alice. The order of the quantum states within the biqubit does not affect the behavior of the protocol (see Figure 3). On the other side of the quantum channel, Bob measures two incoming states of a biqubit using the same measurement basis (X or Z). The $nack$ $state$ protocol can be described according to the following steps:

• Alice is equipped with a photon source with an expected photon number μ that exhibits a Poisson distribution. Alice randomly chooses between a parallel or an orthogonal biqubit, and she prepares the biqubit to send it to Bob through the quantum channel;
• Bob measures the biqubit (two incoming pulses) using the same measurement basis X (or Z) that he chooses randomly (in Section 4.2, we discuss that the consecutiveness of states can be avoided if Alice sends a burst of the first states of each pair, followed by a burst of the second states of each pair);
• Bob announces publicly his measurement basis choices;
• To share secret bits, Alice and Bob perform sifting using single compatible events and double compatible matching detection events (from parallel states). Similarly, they apply sifting to the double detection events that contain a single compatible detection event. For this purpose, Bob indicates if the single detection is the first or the second inside the biqubit;
• Finally, they use an error correction algorithm and a privacy amplification method usually used in $BB84$-based protocols.

Table 1. We show the $nack$ $state$ protocol running in absence of errors at the quantum channel, all of the possible measurement results at Bob’s detectors. We assume that Alice sends the biqubits $(|0_X\rangle ,|1_X\rangle )$ and $(|1_Z\rangle ,|1_Z\rangle )$; then, all of the possible measurement results at Bob’s detectors are written. According to Bob’s basis selection, we show the detection event and Bob’s corresponding advertisement over the public channel. Notice that Bob announces publicly the number of the single detections inside the biqubit, first or second.

Alice’s Biqubit	Bob’s Basis	Detection Event	Public Disclosure	Description
	X	$(|0_X\rangle ,|1_X\rangle )$	X, ($2nM$)		compatible double non-matching, useful as two compatible single detection events
	X	$(|0_X\rangle ,-)$	X, ($S_1$)	compatible single matching, useful
	X	$(-,|1_X\rangle )$	X, ($S_2$)	compatible single matching, useful
	X	$(-,-)$	X, Lost	biqubit lost
	Z	$(|0_Z\rangle ,|0_Z\rangle )$	Z, ($2M$)	non-compatible double matching, useless
	Z	$(|1_Z\rangle ,|1_Z\rangle )$	Z, ($2M$)	non-compatible double matching, useless
$(|0_X\rangle ,|1_X\rangle )$	Z	$(|0_Z\rangle ,|1_Z\rangle )$	Z, ($2nM$)	non-compatible double non-matching, useless
	Z	$(|1_Z\rangle ,|0_Z\rangle )$	Z, ($2nM$)	non-compatible double non-matching, useless
	Z	$(|0_Z\rangle ,-)$	Z, ($S_1$)	non-compatible single matching, useless
	Z	$(|1_Z\rangle ,-)$	Z, ($S_1$)	non-compatible single matching, useless
	Z	$(-,|0_Z\rangle )$	Z, ($S_2$)	non-compatible single matching, useless
	Z	$(-,|1_Z\rangle )$	Z, ($S_2$)	non-compatible single matching, useless
	Z	$(-,-)$	Z, Lost	biqubit lost
	Z	$(|1_Z\rangle ,|1_Z\rangle )$	Z, ($2M$)	compatible double matching, useful
	Z	$(|1_Z\rangle ,-)$	Z, ($S_1$)	compatible single matching, useful
	Z	$(-,|1_Z\rangle )$	Z, ($S_2$)	compatible single matching, useful
	Z	$(-,-)$	Z, Lost	biqubit lost
	X	$(|0_X\rangle ,|0_X\rangle )$	X, ($2M$)	non-compatible double matching, useless
	X	$(|1_X\rangle ,|1_X\rangle )$	X, ($2M$)	non-compatible double matching, useless
$(|1_Z\rangle ,|1_Z\rangle )$	X	$(|0_X\rangle ,|1_X\rangle )$	X, ($2nM$)	non-compatible double non-matching, useless
	X	$(|1_X\rangle ,|0_X\rangle )$	X, ($2nM$)	non-compatible double non-matching, useless
	X	$(|0_X\rangle ,-)$	X, ($S_1$)	non-compatible single matching, useless
	X	$(|1_X\rangle ,-)$	X, ($S_1$)	non-compatible single matching, useless
	X	$(-,|0_X\rangle )$	X, ($S_2$)	non-compatible single matching, useless
	X	$(-,|1_X\rangle )$	X, ($S_2$)	non-compatible single matching, useless
	X	$(-,-)$	X, Lost	biqubit lost

shows an example of the $nack$ $state$ protocol. Here, Alice sends two biqubits to Bob. The first biqubit is the orthogonal pair $(|0_X\rangle ,|1_X\rangle )$, and the second biqubit is the parallel pair $(|1_Z\rangle ,|1_Z\rangle )$. If the two states sent by Alice arrive at Bob’s detection system without any error, a double detection event is produced. If only one of the two states of the biqubit arrives at Bob’s station, he obtains a single detection event.

The $nack$ $state$ protocol has been conceived of to use the same optical hardware of the $BB84$ protocol; thus, it can be configured in most $QKD$ systems as a software module application. However, two additional tasks must be implemented: the random computation of biqubits before preparing and sending the quantum states and the sifting stage of the protocol, which must include (1) sifting of single matching (compatible or non-compatible), where Bob announces the number of the single detections inside the biqubit; and (2) sifting of double detection, matching or non-matching, from parallel or orthogonal states. The error correction and privacy amplification stages of the $QKD$ protocol do not require changes.

Until now, we have a protocol that behaves similarly to $BB84$. In the $nack$ $state$ protocol, most of the biqubits pulses sent by Alice arrive at Bob’s station as single pulses that behave like $BB84$ signal pulses. However, we will see that in the presence of the $IRFS$ attack, the eavesdropper unbalances the gain of the single and double detection events, which is useful to detect her presence in the middle of the quantum channel.

For the moment, we can say that the gain of single and double detection events can be properly computed by Alice as discussed in Appendix A. As a matter of fact, the double detection gain decreases quadratically with the transmittance of the channel, but Alice can verify the gain of the double detection events from parallel and from orthogonal states. It should be noted that in order to detect the $IRFS$, before using the $QBER$ of the protocol, instead, we will verify, as the first step, the gain of the single and the double detection events.

4. Detecting the IRFS Attack

What should Alice and Bob expect from the absence of the $IRFS$ attack? They expect a distribution of detection events according to the gains of Table A1 in Appendix A: for illustrative purposes, consider the case where $\mu =0.2$, ${\eta }_{BT}=0.8$, which is the overall efficiency between Alice and Bob and zero dark counts ($Y_0=0$). Thus, the great majority of the total biqubits that Alice sends finishes at Bob’s station as lost biqubits (∼72.61%); single detection events are ∼25.2% and only ∼0.0219% of the measurement cases are double detection events. Although the double detection gain is small, it should not be considered negligible, because the number of pulses that Alice sends is high (${10}^{11}$–${10}^{13}$ [21]), and the transmission interval can be properly enhanced. However, for practical purposes, we will assume that the secret bits in the $nack$ $state$ protocol are produced by single detection events, and the key rate is at most the $BB84$ key rate. Nevertheless, we argue that double detection events can be used to detect the $IRFS$ attack, so in this section, we discuss the security of the protocol despite Eve’s efforts to improve her attack.

4.1. The $IRFS$ Attack with Blinding Pulses and Quantum Channel Substitution

In the presence of the $IRFS$ attack with blinding pulses, Eve is in the middle of the quantum channel using an optical detection system similar to Bob’s station. The challenge for Eve is to reproduce the gains of single and double detection events at Bob’s side to pass unnoticed in the quantum channel. However, the gain of the single detection events decreases linearly with the channel efficiency, but the double detection gain drops quadratically. In Appendix B, we show that, for practical parameters of the quantum channel, the eavesdropper cannot adjust the two gains simultaneously. Eve cannot control the two gains because:

• The eavesdropper can adjust the transmittance of the channel to a unique value, either to adjust the single or the double detection gain.
• Alice’s optical pulses arrive at Eve’s station sequentially. Thus, once the eavesdropper station has detected a pulse, she cannot know whether the next pulse will be also detected or lost. That is, Eve does not know when a single or a double detection event will occur.

Eve could adjust the efficiency of the quantum channel to the gain of the double detection events. Therefore, in order to remove the excess of the single detection gain, Eve could eliminate pulses according to some probability (e.g., 0.5). However, due to the second point stated before, the eavesdropper looses double detection pulses (a quarter in this example). Eve could be more selective removing only single detection events where the detection occurs in the second pulse. Using this strategy, Eve keeps the double detection gain unaltered. However, since Bob announces publicly the number of single detections inside the biqubit, first or second (see Table 1), the presence of Eve becomes noticeable.

Eve could combine the two strategies increasing the efficiency of the channel to produce an excess of the double, but also the single detection gain. The problem for Eve is that once she chooses a strategy to remove pulses, it affects equally the single and the double detection gains. As discussed in Appendix A, such gains obey different rates: while the first decreases linearly, the second varies quadratically with the transmittance of the channel. In addition, at the receiver station, the single and double detection events are registered as random interleaved events.

In Appendix B.1, we discuss a convenient method to compute the photon gain deviation caused by the $IRFS$ attack at a practical level.

4.2. The Non-Structured $Nack$ $State$ Protocol

The argument of Point 2 implies that Eve uses only a single station, but this is not a practical restriction. Eve could use two stations, one close to Alice to detect and one close to Bob to generate fake pulses. If the quantum channel uses optical fibers (the most common practical channel for ground-based $QKD$), all Eve would need is a radio link between her two stations to “catch up” with the quantum link. Even if we assume a low source rate of 1 MHz, the time delay between pulses is only one microsecond, which can be compensated using a 600-m link (traveling in free space takes two microseconds; travel in fiber takes three microseconds). Any practical $QKD$ system will operate over distances greater than 600 m, making it entirely feasible for Eve to detect both pulses of a pair before sending her fake state to Bob using a second station.

However, there is no reason why each pair has to be sent in a consecutive manner. We call this protocol the non-structured $nack$ $state$. If Alice were to send a burst of the first states of each pair, followed by a burst of the second states of each pair, she would create a separation between the pairs equal to the length of the bursts without reducing the pulse rate. Consider a 100-km fiber optic link; Alice could send the first states of each pair for 500 microseconds, followed by the second state of each pair for the next 500 microseconds, with Bob re-choosing the same basis for both 500-microsecond bursts. Because the 500-microsecond delay is at least the full travel time in the quantum channel, Eve would always be forced to fake the first state of each pair before receiving the second. If there is no issue with this approach, the authors can use it to justify Point 2, which in turn justifies Point 1.

4.3. Faking Double Detection Events

Another scenario for the eavesdropper is to fake double detection events. After all, we might ask why Eve cannot fake double detection events while she remains hidden in the channel. First of all, let us recall that Alice knows which biqubits contain parallel or orthogonal states. Second, consider the cases depicted in

Table 2. After Eve detects the first state of a biqubit, she tries to fake the second state. However, there exist six possible states, but one of them is erroneous, so she introduces an error probability of $\frac{1}{6}$. Here, we show the six choices for $(|0_Z\rangle ,|0_Z\rangle )$ and $(|1_Z\rangle ,|0_Z\rangle )$ biqubits.

Alice’s Biqubit	Eve’s Basis	Eve’s Detection	Forwarded Dates	Eve’s Result
$(|0_Z\rangle ,|0_Z\rangle )$	Z	$(-,|0_Z\rangle )$	$(|0_Z\rangle ,|0_Z\rangle )$	hidden
			$(|1_Z\rangle ,|0_Z\rangle )$	detected
	X	$(-,|0_X\rangle )$	$(|0_X\rangle ,|0_X\rangle )$	hidden
			$(|1_X\rangle ,|0_X\rangle )$	hidden
		$(-,|1_X\rangle )$	$(|0_X\rangle ,|1_X\rangle )$	hidden
			$(|1_X\rangle ,|1_X\rangle )$	hidden
$(|1_Z\rangle ,|0_Z\rangle )$	Z	$(-,|0_Z\rangle )$	$(|0_Z\rangle ,|0_Z\rangle )$	detected
			$(|1_Z\rangle ,|0_Z\rangle )$	hidden
	X	$(-,|0_X\rangle )$	$(|0_X\rangle ,|0_X\rangle )$	hidden
			$(|1_X\rangle ,|0_X\rangle )$	hidden
		$(-,|1_X\rangle )$	$(|0_X\rangle ,|1_X\rangle )$	hidden
			$(|1_X\rangle ,|1_X\rangle )$	hidden

. Suppose Alice has sent the $(|0_Z\rangle ,|0_Z\rangle )$ biqubit to Bob. The first pulse reaches Eve’s station, who measures it with the X (or Z) basis, but the second pulse arrives as a vacuum state either by the effect of the quantum channel, the detection system or the photon source. As a result, Eve gets a single detection event. Now, Eve decides to fake the second state, but she realizes that there are six possibilities to fake the $(|0_Z\rangle ,|0_Z\rangle )$ biqubit; such cases are listed in Table 2. Additionally, one of those cases is erroneous because no orthogonal measurement can be derived from parallel states. In this example, $(|1_Z\rangle ,|0_Z\rangle )$ cannot be obtained from $(|0_Z\rangle ,|0_Z\rangle )$. Similarly, $(|0_Z\rangle ,|0_Z\rangle )$ cannot be derived from $(|1_Z\rangle ,|0_Z\rangle )$. As a consequence, if Eve tries to fake a double detection event, she will produce a bit error of $\frac{1}{6}$. In this case, a bit error is produced when Bob announces a double matching event, but Alice expects a double non-matching event or vice versa.

According to [22], Bob’s visibility of Alice’s quantum state is computed as $V_{AB}=\frac{P\left(signal\right)}{P\left(total\right)}$ where $P\left(signal\right)=T_{AB}\times \eta \times V_{opt}$ and $P\left(total\right)=T_{AB}\times \eta +(1-T_{AB}\times \eta )\times 2\times Y_0$. Here, $V_{opt}$ is the optical visibility with a perfect source and detectors; η is the probability of detecting the photon when it arrives; $T_{AB}$ is the transmittance between Alice and Bob; and $Y_0$ is the background noise. For realistic experimental parameters: $\alpha =0.25$ dB·${\mathrm{km}}^{-1}$, $\eta =0.3$, $Y_0={10}^{-4}$ and $V_{opt}=0.99$. Figure 4 shows the visibility as a function of the distance.

On the other hand, the $QBER$ in $BB84$ can be computed as $QBER=\frac{pe}{pe+pc}$, where $pc$ ($pe$) is the probability to get, correctly or erroneously, the quantum bit sent by Alice, respectively. If we write such probabilities as a function of the optical visibility V, we have $pc=(1+V)/2$ and $pe=(1-V)/2$.

We discussed $pc$ ($pe$) for double detection events in Appendix C. Therefore, $pc=\frac{p_c^2}{p_c^2+p_e^2}$ and $pe=\frac{p_e^2}{p_c^2+p_e^2}$, and we derived the $QBER$ of the parallel and orthogonal states as $QBER=\frac{{(1-V)}^2}{{(1-V)}^2+{(1+V)}^2}$.

If we compare the $QBER$ of double detection events produced by the quantum channel against the $\frac{1}{6}$ error rate caused by the eavesdropper, we find that the maximum secure distance for detecting the $IRFS$ attack when the eavesdropper fakes double detection events is 176 km, which is within the range of the $BB84$ key rate, as is shown in Figure 4.

5. Discussion

5.1. $Decoy$ $State$ and the $Nack$ $State$ Protocol

At first glance, the $nack$ $state$ protocol seems to be similar to the $decoy$ $state$ protocol. However, they differ due to some main issues. For example, the states of the $decoy$ $state$ protocol are $BB84$ non-orthogonal states, which produce two photon distributions that differ from each other with respect to the expected photon number of the source (${\mu }_1\ne {\mu }_2$).

Thus, in the $decoy$ $state$ protocol, single detection events come from non-orthogonal states. As described by Hoi-Kwong Lo, if Eve lets an abnormally high fraction of multiphotons reach Bob’s station, then decoy states, which have a high weight of multiphotons, will have an abnormally high transmission probability [23]. Unfortunately, $decoy$ $state$ $QKD$ is vulnerable to the $IRFS$ attack [13,20]. On the other hand, in the $nack$ $state$ protocol, Alice interleaves randomly parallel and orthogonal quantum states. Unlike the $decoy$ $state$ protocol, in the $nack$ $state$, the photon source uses a unique μ value. However, single and double detection events come from parallel and orthogonal states randomly.

5.2. Measurement Device-Independent $QKD$

In [17], a $QKD$ system that is intended to be an independent measurement device has been introduced. Implementations of this approach have been demonstrated in [24,25]. However, [24] requires several additional optical components different from the $BB84$ protocol, and [25] relies on decoy states. Since $QKD$ must be as device independent as possible, adding hardware to the system may aggravate it. In contrast, the $nack$ $state$ protocol relies on the hardware of the original $BB84$ protocol, which has been extensively studied.

Other protocols have been designed to resist the $IRFS$ attack: varying randomly the efficiency of the detectors [26], monitoring a rate of coincidence detection at a pair of single photon detectors [27] or simply adding watchdogs detectors [28]. However, the $nack$ $state$ protocol exhibits two main advantages:

• The protocol uses the same optical equipment as the $BB84$. It does not use any other extra hardware;
• The protocol or its dual protocol, the $ack$ $QKD$, could be used to detect other attacks, such as the Photon Number Splitting attack ($PNS$) [19].

Thus, the $nack$ $state$ protocol would be useful to design a more secure and efficient $QKD$ protocol.

6. Conclusions

The Intercept Resend with Faked (blinding) States ($IRFS$) attack is detected by the $nack$ $state$ protocol using the gain of single and double detection events. The protocol uses the same optical hardware of the $BB84$ protocol, and it can be implemented in most $QKD$ systems as a software module application.

Although double detection events represent a small fraction of the total detection events, they are useful to detect the $IRFS$ attack. In addition, the smaller $QBER$ can be useful in future implementations to distill secret bits at longer distances.