Air Force Institute of Technology Air Force Institute of Technology

AFIT Scholar AFIT Scholar

Faculty Publications

4-20-2016

Using Modeling and Simulation to Study Photon Number Splitting Using Modeling and Simulation to Study Photon Number Splitting

Attacks Attacks

Logan O. Mailloux Air Force Institute of Technology

Douglas D. Hodson Air Force Institute of Technology

Michael R. Grimaila Air Force Institute of Technology

Ryan D. Engle Air Force Institute of Technology

Colin V. Mclaughlin Naval Research Laboratory

See next page for additional authors

Follow this and additional works at: https://scholar.afit.edu/facpub

Part of the Electromagnetics and Photonics Commons, Information Security Commons, and the

Systems Engineering Commons

Recommended Citation Recommended Citation Mailloux, L. O., Hodson, D. D., Grimaila, M. R., Engle, R. D., Mclaughlin, C. V., & Baumgartner, G. B. (2016). Using Modeling and Simulation to Study Photon Number Splitting Attacks. IEEE Access, 4, 2188–2197. https://doi.org/10.1109/ACCESS.2016.2555759

This Article is brought to you for free and open access by AFIT Scholar. It has been accepted for inclusion in Faculty Publications by an authorized administrator of AFIT Scholar. For more information, please contact richard.mansfield@afit.edu.

Authors Authors Logan O. Mailloux, Douglas D. Hodson, Michael R. Grimaila, Ryan D. Engle, Colin V. Mclaughlin, and Gerald B. Baumgartner

This article is available at AFIT Scholar: https://scholar.afit.edu/facpub/25

Received March 24, 2016, accepted April 3, 2016, date of publication April 20, 2016, date of current version May 23, 2016.

Digital Object Identifier 10.1109/ACCESS.2016.2555759

Using Modeling and Simulation to StudyPhoton Number Splitting AttacksLOGAN O. MAILLOUX1, (Member, IEEE), DOUGLAS D. HODSON1,MICHAEL R. GRIMAILA1, (Senior Member, IEEE), RYAN D. ENGLE1, (Member, IEEE),COLIN V. MCLAUGHLIN2, AND GERALD B. BAUMGARTNER31Air Force Institute of Technology, Wright-Patterson AFB, OH 45433-7765, USA2Naval Research Laboratory, Washington, DC 20375, USA3Laboratory for Telecommunications Sciences, College Park, MD 20740, USA

Corresponding author: L. O. Mailloux (logan.mailloux@afit.edu)

This work was supported in part by the Laboratory for Telecommunication Sciences under Grant 5743400-304-6448 and in part by theDepartment of Defense High Performance Computing Modernization Program within the Air Force Research Laboratory,Wright-Patterson AFB, OH, USA.

ABSTRACT Quantum key distribution (QKD) is an innovative technology, which exploits the laws ofquantum mechanics to generate and distribute unconditionally secure shared cryptographic keying materialbetween two geographically separated parties. The unique nature of QKD that ensures eavesdropping onthe key distribution channel necessarily introduces detectable errors and shows promise for high-securityenvironments, such as banking, government, and military. However, QKD systems are vulnerable toadvanced theoretical and experimental attacks. In this paper, the photon number splitting (PNS) attackis studied in a specialized QKD modeling and simulation framework. First, a detailed treatment of thePNS attack is provided with emphasis on practical considerations, such as performance limitations andrealistic sources of error. Second, ideal and non-ideal variations of the PNS attack are studied to measure theeavesdropper’s information gain on the QKD-generated secret key bits and examine the detectability of PNSattacks with respect to both quantum bit error rate and the decoy state protocol. Finally, this paper providesa repeatable methodology for efficiently studying advanced attacks, both realized and notional, against QKDsystems and more generally quantum communication protocols.

INDEX TERMS Quantum key distribution, photon number splitting attack, decoy state protocol.

I. INTRODUCTIONQuantum Key Distribution (QKD) Quantum Key Distribut-ion (QKD) is the most mature application of quantuminformation science and heralded as a revolutionarytechnology offering the means for two geographicallyseparated parties to generate unconditionally secure sharedcryptographic keying material. Unlike conventional keydistribution techniques (i.e., RSA), the security of QKD restson the laws of quantum mechanics and not computationalcomplexity. In theory, these attributes make QKD wellsuited for high-security applications such as banking,government, and military environments. However, QKDis a nascent technology where implementation defects,practical engineering limitations, and poor design decisionscan result in vulnerabilities [1]. These vulnerabilities aresubject to a growing number of theoretical and realizedattacks from sophisticated ‘‘quantum hacking’’ groups [2].

Moreover, understanding the security and performanceimpact of these attacks is critical for QKD systemcertification in strictly controlled high-secure environ-ments [3].

Arguably the most powerful QKD attack to date,the Photon Number Splitting (PNS) attack is a theoreticalattack designed to gain full information on theQKD-generatedshared secret key bits without introducing detectableerrors [4], [5]. While the PNS attack cannot be fully realizedwith current technology, in his defining work on the topicLütkenhaus states: ‘‘the PNS attack can be well approximatedwith linear optics, a rudimentary QND measurement anda short-time quantum memory’’ [5]. Thus, in this workwe study both the ideal PNS attack and non-ideal versionsthrough Modeling and Simulation (M&S). More specifically,the PNS attack is modeled with performance limitations andrealistic sources of error while simulation is used to measure

21882169-3536 2016 IEEE. Translations and content mining are permitted for academic research only.

Personal use is also permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

VOLUME 4, 2016

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

the eavesdropper’s information gain on the QKD system’ssecret key bits. Additionally, the detectability of the PNSattack is examined with respect to both Quantum Bit ErrorRate (QBER) and the decoy state protocol.

This paper is organized as follows: Section II providesa brief history of QKD and discusses vulnerabilities whichpermit the PNS attack. In Section III, the PNS attack isdecomposed and modeled in a parameterized fashion toaccount for technology induced performance limitationsand realistic sources of error. Simulation results for theeavesdropper’s information gain and the attack’s detectabilityare presented in Section IV. Lastly, conclusions and futurework are described in Section V. This work is relatedto the Author’s previous works [6]–[8] and extends theinitial PNS attack assessment accomplished in [9]. Foraccessible engineering oriented introductions to QKD,please see [10] and [11]. For more comprehensive reviewssee [12] and [13].

II. BACKGROUNDThe genesis of QKD can be traced back to StephenWiesner, who proposed the idea of encoding informationon polarized photons in the late 1960s [14]. In 1984,Bennett and Brassard extended this idea to create thefirst QKD protocol, known as ‘‘BB84,’’ to generateunconditionally secure shared cryptographic keying materialbetween two geographically separated parties [15]. Fromits relatively unnoticed beginnings, QKD has gained globalinterest as an emerging cyber security technology.

FIGURE 1. QKD System Context Diagram. The sender ‘‘Alice’’ and receiver‘‘Bob’’ generate shared secret key, K , to encrypt sensitive information.

Fig. 1 depicts a QKD system consisting of a sender‘‘Alice,’’ a receiver ‘‘Bob,’’ a quantum channel (i.e., anotherwise unused optical fiber or direct line of sight free spacepath), and a classical channel (i.e., a conventional networkconnection) configured to generate the shared secret key, K .Alice is shown with a laser source configured to preparesingle photons known as quantum bits or ‘‘qubits,’’ whileBob measures the photons using specialized Single PhotonDetectors (SPDs). The QKD-generated shard secret key, K ,can be used to encrypt sensitive data, voice, or video.

QKD-generated key can be used to increase the securityposture of traditional symmetric encryption algorithms suchas AES through frequent re-keying, reducing the time andinformation available for cryptanalysis. Alternatively, QKDis often described as an enabler to the One-Time-Pad (OTP)

– the only known encryption algorithm to achieve perfectsecrecy [16], [17]. QKD’s appeal is generally found in itsability to generate unlimited amounts of unconditionallysecure random key; thus making previously unrealistic OTPconfigurations possible.

TABLE 1. Example BB84 protocol.

As illustrated in Table 1, BB84 is a prepare-and-measureprotocol where Alice prepares photons in one of four polar-ization states (e.g.,↔,l,⤡, or⤢) according to a randomlyselected bit value (0 or 1) and basis (⊕ for the pair ↔,lor ⊗ for the pair ⤡,⤢,). The encoded photons are sentover the quantum channel to Bob, where he measureseach photon using a randomly selected measurement basis(⊕ or ⊗). If Alice’s encoding and Bob’s decoding basesmatch, the photon’s bit value is read correctly with a highprobability. Otherwise a random result occurs (i.e., equallikelihood of a 0 or 1). This is due to the inherent uncertaintyin the measurement of a quantum system [12].

A. IMPLEMENTATION NON-IDEALITIES ANDSYSTEM VULNERABILITIESWhile the ‘‘unconditionally secure’’ nature of QKDdepends on formal security proofs [12], real-world systemshave implementation non-idealities which deviate fromtheir theoretical underpinnings [1], [13]. These non-idealimplementations can lead to vulnerabilities which raiseserious concerns regarding the security of QKD systems [3].For example, state of the art commercially viableQKD systems do not employ on-demand single photonsources [18], [19]. These systems utilize reliable, low costlaser sources to generate classical optical pulses with millionsof photons and attenuate them to weak coherent pulses witha Mean Photon Number (MPN)< 1. These low energy levelsare represented by a Poisson distributionP(n|µ) = µne−µ

/n!

where µ = MPN and n represents the number of photonsin each weak coherent pulse [12]. This means, for example,when the MPN of µ = 0.5, ∼61% of the pulses have nophotons, ∼30% of the pulses have one photon, and ∼9% ofthe pulses have two or more photons. Thus, ∼23% of thenon-empty pulses are insecure multi-photon pulses.

This implementation non-ideality represents a significantsecurity vulnerability which exposes information about the‘‘unconditionally secure’’ QKD-generated key to eaves-droppers. These insecure multi-photon pulses have been

VOLUME 4, 2016 2189

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

the subject of a number of experimental and theoreticalattacks since the first QKD was built in 1989 [20]. Morespecifically, the PNS attack was designed to take advantageof the multi-photon vulnerability in order to gain completeinformation on Alice and Bob’s shared secret key bits [4], [5].

III. THE PNS ATTACK MODELIn this section, the PNS attack is functionally decomposedand modeled to accurately account for technologicalperformance limitations and realistic sources of error.

A. THE PNS ATTACKSuggestions of a PNS-like attack were first made in theearly 1990’s [20], [21]; however, it was not until 2000 that theattack was formally defined [4], [5] with additional insightsoffered shortly thereafter [22]–[26]. In accordance with QKDsecurity proofs, the PNS attack is conducted by an all-powereavesdropper ‘‘Eve’’ who is only constrained by the lawsof quantum mechanics. Unique to this attack, Eve does notintroduce errors on the quantum channel (i.e., increase theQBER), which is how attacks are typically detected by QKDsystems.

FIGURE 2. Provides a simplified depiction of the PNS attack conductedagainst a QKD system (i.e., the transmitter Alice and receiver Bob).

Fig. 2 provides a simplistic depiction of Eve conductingthe PNS attack, where she is actively eavesdropping on thequantum channel. In this context, Eve is able to interfere withthe quantum channel (i.e., block, manipulate, or fabricatequantum signals) and eavesdrop on the classical channel(i.e., listen but not introduce or spoofmessages). According toQKD security proofs, the all-powerful Eve is able to employany conceivable technologies as long as they do not violatethe known laws of quantum mechanics [4], [5]. For example,it is valid (within the laws of quantum mechanics) for Eve totransmit photons to Bob without loss or error even though notechnological means currently exists [12].

The PNS attack is typically described in three steps:(i) Eve determines the number of photons, n, in each optical

pulse generated by Alice. If n ≥ 2, the multi-photon pulse issplit with one photon stored internally. Otherwise, the pulseis blocked.

(ii) For eachmulti-photon pulse (i.e., n ≥ 2), Eve transmitsthe remaining n− 1 photons to Bob via a lossless channel.(iii) Eve listens to the classical channel for

Alice’s and Bob’s sifting information (i.e., the basesannouncements). Once Eve knows the basis measurement

information, she is able to correctly measure each storedphoton to obtain a complete copy of the shared secret keybits.

B. CONCEPTUAL MODELFig. 3 provides a conceptual model of the Eve’s physicalarchitecture with the three PNS steps, denoted as (i),(ii), and (iii). While Eve’s construction may vary, thisdepiction provides a complete representation based onEve’s architecture as most often described in the availableliterature [4], [5], [22]–[26]. First, note Eve now constitutestwo parts, Eve and Eve′, connected by a classicalcommunications channel, as well as, the third party‘‘Charlie’’ in support of lossless quantum teleportation.

In order to conduct step (i) of the PNS attack, Evedetermines the number of photons, n, in each pulse generatedby Alice through a Quantum Non-Demolition (QND)measurement. This specializedmeasurement uses a projectionof Alice’s weak coherent optical pulse to determine thenumber of photons in each pulse without disturbing theencoded state of each photon [4]. This allows Eve to avoidintroducing detectable errors. When n = 1, the pulse issimply blocked by Eve; however, when n ≥ 2 Eve isconfigured to split one (1) photon from each multi-photonpulse and store it in her quantum memory, while theremaining n − 1 photons are transmitted to Bob. Basedon well-stated theory [5] and promising experimentalresult [27]–[29] there are no perceived performancelimitations associated with conducting Eve’s QNDmeasurements.

When considering quantum memory in the context ofreading, writing, and storing data as single photons, there arevarious technologies in research and development [30].Whilethese technologies are currently not sufficient to supporta complete PNS attack (i.e., storing 100,000’s of photonsfor∼60 seconds), the field is rapidly evolving [31]. Thus, it isnot unreasonable for Eve’s quantummemory (and supportingmeasurement system) to provide sufficient storage, accurateread/write capability, immediate response times, and lowerror rates when considering the rapidly advancing field ofquantum computing [32].

In step (ii), lossless transmission of photons from Eveto Eve′ is often described as the instantaneous, on-demand,error-free quantum teleportation of photons. While thisidealized transmission is allowable within the laws ofquantummechanics, there are no known technological meansfor achieving this functionality. More realistically, Eve usesthe third party, Charlie, to distribute entangled photon pairs,along with a complex Bell state measurement to achievea performance limited version of quantum teleportation.With respect to Charlie’s entangled photon pairs, hemust be configured to reliably generate and prepositionwell-synchronized photon pairs at both Eve and Eve′. Thismeans the entangled photons must be intrinsically correlatedsuch that measuring one photon at Eve simultaneouslycollapses the corresponding photon at Eve′ into a known

2190 VOLUME 4, 2016

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

FIGURE 3. Conceptual model of Eve’s PNS attack [9]. The PNS attack steps (i), (ii), and (iii) are mapped to Eve’s physicalcomponents.

state regardless of the distance between them. While nottrivial, current technologies can generate entangled photonpairs [12]. However, these photons must also overcomepotentially significant losses and noise along their respectivepaths from Charlie to Eve and Eve′. Despite seeminglyproblematic circumstances, well-synchronized entangledphoton pairs at Eve and Eve′ can be achieved throughadvanced techniques such as quantum purification [33].

Once the entangled photons are prepositioned, Eveperforms a Bell state measurement with the n − 1encoded photons to be teleported. This results in oneof four measurement outcomes: | 8+

⟩, | 8−

⟩, | 9+

⟩, or

| 9−⟩, which must be transmitted to Eve′ via her classical

channel [33]. However, only two of the four outcomes aredefinitive, where the non-definitive outcomes can increasethe system’s QBER. Thus, performance of the describedquantum teleportation scheme is generally limited to 50%.In order to remedy this shortcoming, Grice proposedusing ancillary entangled photon pairs to achieve highersuccess rates (this phenomenon is detailed further inSection IV) [34]. Additionally, because of Eve’s losslessquantum teleportation, Eve′ must also apply gain matchingas to not exceed Bob’s expected detection rate. This canbe achieved through a relatively simple variable opticalattenuator configured to precisely control Eve’s quantumthroughput. While step (ii) is seemingly complex – requiring

multiple quantum processes and advanced compensations –reasonable performance can be achieved [5].

In step (iii), Eve listens to Alice’s and Bob’s classicalchannel for encoding basis information. Eve then usesthis information to correctly measure each stored photon(i.e., in the matching prepare-and-measure basis). Thismeasurement allows Eve to gain complete information oneach of Bob’s detected qubits. In this way, the PNS attackallows Eve to gain information on the QKD system’sraw secret key bits before any post-processing activitiessuch as entropy estimation and privacy amplificationoccur.

C. THE PNS MODEL’S DECOMPOSED FUNCTIONALITYFig. 4 illustrates the modeled PNS attack against a decoystate QKD system (for a detailed discussion of the decoystate QKD system model see [8]). The PNS attack model isdesigned in a parameterized fashion to account for the ideal,theoretical PNS attack, as well as, non-ideal versions thataccount for performance limitations and realistic sources oferror. The model also accounts for expected timing delays inEve such as propagation delays through each of Eve’s opticalcomponents and transmission over her classical channel. Themodel is decomposed into five functions derived from thethree PNS attack steps described in III.A and the conceptualmodel presented in III.B.

VOLUME 4, 2016 2191

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

FIGURE 4. A model of Eve (and Eve′) conducting a PNS attack against thedecoy state enabled QKD system (i.e., Alice and Bob).

1) QNDMEASUREMENT()Eve’s QND measurement is modeled with no significantperformance limitations. This means that each weakcoherent optical pulse with an associated Mean PhotonNumber (MPN), is transformed into a Fock state pulserepresentation with a discrete number of photons [35]. Thisallows the specific number of photons per pulse to bedetermined probabilistically and each photon to be treatedindependently such that its encoded state is retained duringthe QND measurement. If desired, performance limitationscan be introduced during QND measurement to representdevice non-idealities such as multi-photon spits which causethe encoded qubit state to erroneously collapse.

2) QUANTUMTELEPORTION()The modeled quantum teleportation function is designed ina parameterized fashion to transfer photons from Eve to Eve′.By default, the function is configured to instantaneouslytransfer Fock state pulses (i.e., independent photons) fromEve to Eve′ without loss or error. However, the function isconfigurable to represent practical performance limitationsof the teleportation process, where the non-idealities ofEve’s Bell state measurement are captured by introducingerroneous results into Eve’s quantum teleportation process.In this way, Eve can simulate theoretical or experimentalconfigurations of the PNS attack.Moreover, this functionalityallows notional quantum communication means to be furtherexplored.

3) MEASUREMENTOUTPUT()Assuming Eve is able to store and measure photonswithout error, the output of Eve’s PNS attack is a copyof Alice’s and Bob’s raw secret key bits (i.e., a string ofbinary 0’s and 1’s). Measurement errors can be added asdesired by the researcher.

4) GAINMATCHING()Eve′ conducts gain matching by applying a specificattenuation to Eve’s teleported pulses in order to meet Bob’s

expected detection rate. Eve’s attenuation is specific tothe modeled QKD system’s architectural implementation(i.e., losses over the quantum channel and within Bob). Theattenuation is applied universally to all pulses propagatingthrough Eve′ to Bob regardless of their photon number.

5) INDUCEERRORS()Due to engineering limitations, manufacturing defects, anddynamic operational environments, device non-idealities areexpected to cause errors (e.g., fielded QKD systems typicallyhave measured error rates of 3-5% QBER [12]). Theseerrors may occur anywhere within the optical path, however,they are only realized where measurements occur. Thus,the model is configured such that errors can be introducedat any modeled optical component and realized at Bob’sdetectors [7]. For example, the modeler may want to studythe impact of errors at Eve’s QND measurement.

For additional details on the PNS attack model, please seethe associated video posted at the IEEE Access website.

IV. PNS ATTACK RESULTSIn this Section, we present simulation results for both idealand non-ideal versions of the PNS attack. In particular, Eve’sinformation gain and her detectability are studied for severalPNS attack configurations using the model described inSection III. As an example of the model’s ability flexibility,Grice’s proposed method for increasing the success rate ofEve’s quantum teleportation is studied [34].

A. QUANTUM TELEPORTATION PERFORMANCELIMITATIONSWhile there are many technological challenges in realizingthe ideal PNS attack, arguably the most significant is Eve’sability to successfully perform quantum teleportation [9].Teleportation of arbitrarily encoded photons is a non-trivialtask, typically limited to a 50% success rate, dueto the inability to discriminate between all four Bellstate measurement outcomes (i.e., | 8+

⟩, | 8−

⟩, | 9+

⟩,

| 9−⟩) [34]. However, recently Grice proposed a method

for increasing the success rate of Eve’s Bell statemeasurement using ancillary photons [34]. More specifically,the performance of Eve’s quantum teleportation (i.e., her Bellstate measurement) can be significantly improved with theaddition of ancillary photons

Ancillary Photons = 2N − 2 (1)

where N =1, 2, 3, . . . , n. These ancillary entangled photonpairs, known as ancilla, contribute to an arbitrarily highquantum teleportation success rate:

Success Rate = 1− 1/2N (2)

Table 2 details the addition of entangled photon pairs as theycontribute to Eve’s improved Bell state measurement andthus her quantum teleportation success rate. For example,the addition of one entangled photon pair (N = 2) increases

2192 VOLUME 4, 2016

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

FIGURE 5. Simulation results of Eve conducting PNS attacks against the modeled decoy state QKD system (i.e., Alice and Bobof Fig. 4). The performance of several PNS attack configurations with increasing numbers of ancilla (additional entangledphoton pairs to improve performance of Eve’s PNS attack) are shown with respect to information gain on the QKD-generatedshared secret key bits.

TABLE 2. Quantum teleportation success rates.

Eve’s quantum teleportation success rate from 50% to 75%.While the addition of several entangled photons pairs is notpractical, configurations of up to 63 ancilla are consideredto highlight and study the gap between theoretical attacksand what is currently feasible. Moreover, examining Grice’sproposed method is merely example of how the model can beused to study the PNS attack and its impact on QKD systems.

In each of these eight cases, 1,000 simulation runs werecompleted in order to conduct a thorough assessment of Eve’sPNS attack and provide statistically significant analysis.These simulation results are detailed in the followingsubsections.

B. ASSESSMENT OF EVE’S INFORMATION GAINFig. 5 presents simulation results for each of the eight PNSattack configurations examined in this study. In general,as the number of additional ancilla increases, Eve’squantum teleportation success rate improves and herinformation gain approaches 100%. Eve’s information gainis primarily dependent upon the success rate of her Bell statemeasurement scheme (N = 1, 2, 3, 4, 5, 6, 7); however,it is also supplemented by the likelihood of randomly

guessing the correct bit value (0 or 1) when quantumteleportation is unsuccessful. For example, Eve’s 0-AncillaPNS configuration (N = 1) results in ∼75% informationgain because the Bell state measurement success rate is 50%and a 25% contribution occurs due to inherent randomness inEve’s choice of basis and bit value.

More specifically, Evewill successfully teleport the correctbasis and bit value according to the Bell state measurementsuccess rates of Table 2; however, in each case there remainsa percentage of unsuccessful attempts. When unsuccessful,Eve must still apply a basis and bit value to each qubitto be teleported. This is accomplished randomly from theperspective of Bob’s measurement. Unsuccessful attemptswith non-matching bases are sifted from Bob’s detectionsand have no impact on Eve’s information gain (or herinduced QBER). Conversely, randomly assigned matchingprepare-and-measure bases contribute to Eve’s informationgain where the random assignment of a 0 or 1 resultsin Eve gaining additional information on the secret keybits. Because Eve’s only bit options are 0 or 1, she willsuccessfully gain information on approximately 1/2 of theunsuccessful teleportation attempts. Additionally, note thaterrors during quantum exchange will slightly reduce Eve’seffective information gain; however, assuming Eve knowsAlice’s and Bob’s error reconciliation technique, she canrecover this information during post processing activities.

In the semi-plausible 1-Anicilla and 3-Ancilla PNS attackconfigurations of Fig. 5, Eve is able to gain approx-imately 88% and 94%, respectively, of Alice’s and Bob’sraw key information. In addition, several PNS configurationswith increasingly large numbers of supplemental ancilla(i.e., 7, 15, 31, 63 entangled photon pairs) are shown to

VOLUME 4, 2016 2193

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

FIGURE 6. Simulation results of Eve conducting PNS attacks against the modeled decoy state QKD system(i.e., Alice and Bob of Fig. 4). The performance of several PNS attack configurations with increasing numbers of ancilla(additional entangled photon pairs to improve performance of Eve’s PNS attack) are shown with respect to the QKDsystem’s measured QBER. Additionally, the QBER and noise thresholds are shown to further illustrate detectability ofthe PNS attacks.

demonstrate how Eve’s information gain can approach thetheoretical attack’s ideal performance. In the ideal PNSattack, Eve is able to gain information on 100% of theQKD-generated raw key bits (minus occasional errors due tonoise).

While the impact of the theoretical PNS attack iswell-understood, these results demonstrate how muchinformation PNS attacks can gain on Alice’s and Bob’sshared secret key bits with consideration for non-idealimplementations. Next, the detectability of Eve’s PNS attacksare explored with respect to both QBER and the decoy stateprotocol.

C. EVE’S DETECTABILITY DUE TO INDUCED QBERThe unconditionally secure nature of QKD is based onuncertainty in the qubit’s measurement result when preparingphotons in two conjugate bases as with the BB84 protocol(i.e.,⊕ or⊗) [36]. This is because Eve must randomly selecther measurement basis while eavesdropping on the quantumchannel (when not conducting the ideal PNS attack). Thus,her random choice necessarily introduces detectable errorsand increases the system’s measured QBER above allowablethresholds. For example, during an intercept-resend attack,Eve intercepts Alice’s encoded photons, measures them, andretransmits the measured values to Bob. For each measuredphoton, Eve must pick a measurement basis (⊕ or⊗) and willinevitably be wrong 50% of the time. When Eve correctlyguesses the matching basis, she can accurately measure andretransmit the correct encoded value with minimal error;however, when she guesses the non-matching basis, she isprone to error because Bob will only measure the correct

bit value (0 or 1) 50% of the time. Thus, Eve will introducea 25% QBER when attempting the intercept-resend attack,which is readily detectable compared to the establishedQKD QBER security threshold of 11% [13]. Since QBER isthe primary detection mechanism for unconditionally securekey distribution, it is important to understand how theoreticaland non-ideal PNS attacks impact the system’s QBER.

Fig. 6 depicts the measured QBERs for the eight PNSattack configurations studied. Additionally, a QBER securitythreshold of 11% [13] is shown along with an expected noiselevel of 5% [12]. While the security threshold can be furtherlowered (e.g., 8%), it is often difficult to well-characterizethe system’s noise level due to uncontrollable physicaldisturbances over miles of optical fiber (e.g., vibrationsfrom nearby road, train, or subway traffic). Thus, to avoidfalse positives (i.e., indications of an attack when none isoccurring) security thresholds are expected to remain at 11%.

As expected, the performance limited 0-Ancilla PNSconfiguration has a relatively high error rate witha measured QBER of∼25%. More specifically, Eve’s∼25%induced QBER is the result of her correctly guessingAlice’s and Bob’s prepare-and-measure basis but randomlyassigning the wrong bit value (0 or 1). This is because Evewill not induce errors when she successfully performs theBell state measurement or when she randomly (from Bob’sperspective) selects the wrong basis measurement (becausethey will be sifted out). Thus, Eve only introduces errors tothe system’s measured QBER when she randomly selects thematching basis and the wrong bit value, which occurs 25% ofthe time when N = 1.In the 1-Ancilla configuration a QBER of ∼12.5% is

observed, which is clearly above the security threshold;

2194 VOLUME 4, 2016

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

however, the 3-Ancilla PNS results demonstrate a QBERof 6.25% which falls below the security threshold and onlyslightly above expected noise level. As additional ancilla(i.e., 7, 15, 31, and 63) are considered, the attack becomesincreasingly undetectable approaching the ideal PNS attack.Recall, the ideal PNS attack does not introduce errors on thequantum channel because Eve makes informed measurementdecisions after quantum exchange by listening for siftingbasis information as described in step (iii) of the PNS attack.Because the PNS attack is not detectable using the measuredQBER, an alternate detectionmethodwas introduced in 2003,namely the decoy state protocol [37].

TABLE 3. Target QKD system model configuration.

D. EVE’S DETECTABILITY WITH THE DECOY STATEPROTOCOLShortly after the PNS attack was formalized, the decoystate protocol was introduced as a mitigation technique [37].It was quickly improved upon in a series of works [38]–[42]and is now employed in a number of record-holding,high-performance QKD systems [18], [19]. Decoy stateenabled QKD systems typically employ three states: Signal,Decoy, and Vacuum as described in Table 3. The decoystate protocol extends the BB84 protocol by configuringAlice to randomly transmit signal, decoy, and vacuum statesaccording to their prescribed occurrence percentages andrespective MPNs, where each state must be indistinguishablesuch that Eve cannot distinguish a decoy state pulse froma signal or vacuum state pulse.

The decoy state QKD system model used in thisstudy (as illustrated in Fig. 4) is based on decoystate protocol configuration as presented in Table 3,which is primarily based on operational characteristicsfrom [18] and [19] and consistent with a comprehensivesurvey of practically-oriented fielded decoy state QKDsystems. Modeling parameters of note include: 10 dBchannel loss; 3.5 dB receiver loss; 10% detector efficiency;2.5E-6 dark count rate, and 0.008 after pulse rate. A detaileddescription of the decoy state enabled QKD system model isavailable in [7] and [8].

The decoy state protocol detects PNS attacks by comparingsignal and decoy photon number dependent yields described

by the security condition [38]

Yn = Y signaln = Y decoyn (3)

where n = 1, 2, 3, . . . ,N. However, these photon numberdependent yields cannot be measured directly without usingcostly photon number resolving detectors [43], thus theauthor’s efficiency-based security condition is used [44]

ηsignal = ηdecoy. (4)

Using this security condition the signal and decoy stateefficiencies can be directly calculated from standardizedsystem measurements such the state’s MPN µ, gain Qµ anddark count rate Y0 as described for the signal state efficiency:

ηsignal =−ln

∣∣ 1+ Y0 − Qµ∣∣

µ(5)

where the system’s measured dark count rate is

Y0 =Number of vacuum state detectionsNumber of vacuum state pulses sent

(6)

And the measured signal state gain is

Qµ =Number of signal state detectionsNumber of signal state pulses sent

. (7)

The decoy state’s efficiency ηdecoy is likewise defined usingthe dark count Y0, the operational decoy state gainQν , and thedecoy state MPN ν.

Fig. 7 presents simulation results for the decoy stateenabled QKD system under normal operations and whensubject to PNS attacks. In this case, only the ideal PNSconfiguration is shown in detail since all eight PNS attackconfigurations are very similar. This is because the signal anddecoy state efficiencies depend on the number of detections(i.e., the state’s measured gain) and not Eve’s informationgain or induced QBER.

On the left side of Fig. 7, signal and decoy efficiency resultsfrom 1,000 simulation runs are shown for normal operatingconditions without PNS attacks. Overlap between the signaland decoy state efficiencies implies secure operation withvariation primarily driven by the number of detectionsper state during each simulation run. The signal statedemonstrates relatively little variation compared to the decoystate because of its higher occurrence percentage (99%compared 0.5%) and MPN (0.5 to 0.1). More specifically,the signal state has nearly 40,000 detections per round ofquantum exchange, while the decoy state has<100 detections.On the right side of Fig. 7, the impact of the PNS

attack is demonstrated as the decoy state efficiency issignificantly reduced outside normal operational parameters.This is because Eve’s PNS attack unavoidably blocksa disproportionally large percentage of decoy state pulsesdue to its lower MPN (0.1 compared to 0.5). Moreover,the negative impact of the PNS attack on the decoy stateefficiency is accentuated when employing a very smalloccurrence percentage such as 0.5%. In some cases, the PNS

VOLUME 4, 2016 2195

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

FIGURE 7. Simulation results of Eve conducting PNS attacks against the modeled decoy state QKD system(i.e., Alice and Bob of Fig. 4). During normal operations the signal and decoy state efficiencies overlap, ηsignal = ηdecoy,implying a secure operational state. In each PNS attack configuration studied, the signal and decoy state efficiencies arestatistically different, ηsignal 6=ηdecoy, implying the PNS attack is readily detectable.

attack blocked nearly all of the decoy state pulses drivingthe state’s efficiency towards zero. In each of the eightconfigurations studied, the decoy state protocol can detectthe PNS attack with high statistical confidence P < 0.001over 1,000 trials.

V. CONCLUSIONSIn this article, we provide a comprehensive discussion ofthe PNS attack and present a flexible PNS model capableof studying the impact of implementation non-idealitiessuch as practical limitations in quantum teleportation,QND measurements, or quantum memory. This work isuseful for the study of QKD implementation securityfor system certification, as well as, understanding howadvanced quantum attacks can impact theoretical securitymodels. Lastly, this work presents an efficient and repeatablemethodology for studying attacks against QKD systems, andmore generally, quantum communication protocols. Futurework includes using the PNS attack model to study decoystate QKD systems and configurations.

DISCLAIMERThe views expressed in this paper are those of the authorsand do not reflect the official policy or position of theUnited States Air Force, the Department of Defense, orthe U.S. Government.

REFERENCES[1] V. Scarani and C. Kurtsiefer. (2009). ‘‘The black paper of quan-

tum cryptography: Real implementation problems.’’ [Online]. Available:http://arxiv.org/abs/0906.4547

[2] (Jun. 2015). Quantum Hacking Lab. [Online]. Available:http://www.vad1.com/lab/

[3] ETSI. (Jun. 8, 2015). Quantum Key Distribution Stan-dards. [Online]. Available: http://www.etsi.org/technologies-clusters/technologies/quantum-key-distribution

[4] G. Brassard, N. Lutkenhaus, T. Mor, and B. C. Sanders, ‘‘Limita-tions on practical quantum cryptography,’’ Phys. Rev. Lett., vol. 85,no. 6, p. 1330, 2000.

[5] N. Lütkenhaus, ‘‘Security against individual attacks for realistic quantumkey distribution,’’ Phys. Rev. A, vol. 61, no. 5, p. 052304, 2000.

[6] L. O. Mailloux, M. R. Grimaila, D. D. Hodson, G. Baumgartner,and C.McLaughlin, ‘‘Performance evaluations of quantum key distributionsystem architectures,’’ IEEE Security Privacy, vol. 13, no. 1, pp. 30–40,Jan. 2015.

[7] L. O. Mailloux et al., ‘‘A modeling framework for studying quantum keydistribution system implementation nonidealities,’’ IEEE Access, vol. 3,no. 1, pp. 110–130, Jan./Feb. 2015.

[8] L. O. Mailloux, R. D. Engle, M. R. Grimaila, D. D. Hodson,and C. McLaughlin, ‘‘Modeling decoy state quantum key distributionsystems,’’ J. Defense Model. Simul., Appl., Methodol., Technol., vol. 12,no. 4, pp. 489–506, 2015.

[9] L. O. Mailloux, D. D. Hodson, M. R. Grimaila, J. M. Colombi,C. V. McLaughlin, and G. B. Baumgartner, ‘‘Test and evaluation of com-plex cyber security systems: A case study in usingmodeling and simulationto more efficiently understand, test, and evaluate the security of quantumkey distribution systems,’’ ITEA J., vol. 36, no. 3, pp. 199–207, 2015.

[10] B. Qi, L. Qian, and H.-K. Lo. (2010). ‘‘A brief introductionof quantum cryptography for engineers.’’ [Online]. Available:http://arxiv.org/abs/1002.1237

[11] C. Elliott, ‘‘Quantum cryptography,’’ IEEE Security Privacy, vol. 2, no. 4,pp. 57–61, Jul. 2004.

[12] N. Gisin, G. Ribordy,W. Tittel, and H. Zbinden, ‘‘Quantum cryptography,’’Rev. Modern Phys., vol. 74, no. 1, pp. 145–195, Mar. 2002.

[13] V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek,N. Lütkenhaus, and M. Peev, ‘‘The security of practical quantumkey distribution,’’ Rev. Mod. Phys., vol. 81, no. 3, pp. 1301–1350,Sep. 2009.

[14] S. Wiesner, ‘‘Conjugate coding,’’ SIGACT News, vol. 15, no. 1, pp. 78–88,Jan. 1983.

[15] C. H. Bennett and G. Brassard, ‘‘Quantum cryptography: Public key dis-tribution and coin tossing,’’ in Proc. IEEE Int. Conf. Comput., Syst. SignalProcess., 1984, pp. 175–179.

[16] G. S. Vernam, ‘‘Cipher printing telegraph systems for secret wire and radiotelegraphic communications,’’ Trans. Amer. Inst. Elect. Eng., vol. 45, no. 2,pp. 295–301, Jan. 1926.

2196 VOLUME 4, 2016

L.O. Mailloux et al.: Using Modeling and Simulation to Study Photon Number Splitting Attacks

[17] C. E. Shannon, ‘‘Communication theory of secrecy systems,’’ Bell LabsTech. J., vol. 28, no. 4, pp. 656–715, Oct. 1949.

[18] A. R. Dixon et al., ‘‘High speed prototype quantum key distribution systemand long term field trial,’’ Opt. Exp., vol. 23, no. 6, pp. 7583–7592,2015.

[19] S. Wang et al., ‘‘Field and long-term demonstration of a widearea quantum key distribution network,’’ Opt. Exp., vol. 22, no. 18,pp. 21739–21756, 2014.

[20] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin,‘‘Experimental quantum cryptography,’’ J. Cryptol., vol. 5, no. 1, pp. 3–28,Jan. 1992.

[21] B. Huttner, N. Imoto, N. Gisin, and T. Mor, ‘‘Quantum cryptography withcoherent states,’’ Phys. Rev. A, vol. 51, no. 3, p. 1863, 1995.

[22] N. Lütkenhaus and M. Jahma, ‘‘Quantum key distribution with realisticstates: Photon-number statistics in the photon-number splitting attack,’’New J. Phys., vol. 4, no. 1, pp. 44.1–44.9, 2002.

[23] M. Williamson and V. Vedral, ‘‘Eavesdropping on practical quantum cryp-tography,’’ J. Mod. Opt., vol. 50, no. 13, pp. 1989–2011, 2002.

[24] A. Acin, N. Gisin, and V. Scarani, ‘‘Coherent-pulse implementationsof quantum cryptography protocols resistant to photon-number-splittingattacks,’’ Phys. Rev. A, vol. 69, no. 1, p. 012309, 2003.

[25] V. Scarani, A. Acin, G. Ribordy, and N. Gisin, ‘‘Quantum cryptographyprotocols robust against photon number splitting attacks for weak laserpulse implementations,’’ Phys. Rev. Lett., vol. 92, no. 5, p. 057901, 2004.

[26] A. Niederberger, V. Scarani, and N. Gisin, ‘‘Photon-number-splittingversus cloning attacks in practical implementations of theBennett–Brassard 1984 protocol for quantum cryptography,’’ Phys.Rev. A, vol. 71, no. 4, p. 042316, 2005.

[27] G. Nogues, A. Rauschenbeutel, S. Osnaghi, M. Brune, J. M. Raimond,and S. Haroche, ‘‘Seeing a single photon without destroying it,’’ Nature,vol. 400, no. 6741, pp. 239–242, 1999.

[28] J. Calsamiglia, S. M. Barnett, and N. Lütkenhaus, ‘‘Conditional beam-splitting attack on quantum key distribution,’’ Phys. Rev. A, vol. 65,no. 1, p. 012312, 2001.

[29] P. Grangier, J. A. Levenson, and J.-P. Poizat, ‘‘Quantum non-demolitionmeasurements in optics,’’ Nature, vol. 396, no. 6711, pp. 537–542, 1998.

[30] C. Simon et al., ‘‘Quantummemories,’’ Eur. Phys. J. D, Atomic, Molecular,Opt. Plasma Phys., vol. 58, no. 1, pp. 1–22, 2010.

[31] A. I. Lvovsky, B. C. Sanders, and W. Tittel, ‘‘Optical quantum memory,’’Nature Photon., vol. 3, no. 12, pp. 706–714, Dec. 2009.

[32] M. A. Nielsen and I. L. Chuang, Quantum Computation and QuantumInformation. Cambridge, U.K.: Cambridge Univ. Press, 2010.

[33] S. Loepp andW.K.Wooters,Protecting Information. NewYork, NY, USA:Cambridge Univ. Press, 2006.

[34] W. P. Grice, ‘‘Arbitrarily complete bell-statemeasurement using only linearoptical elements,’’ Phys. Rev. A, vol. 84, no. 4, p. 042331, 2011.

[35] C. Gerry and P. Knight, Introductory Quantum Optics. Cambridge, U.K.:Cambridge Univ. Press, 2005.

[36] D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, ‘‘Security ofquantum key distribution with imperfect devices,’’ in Proc. Int. Symp. Inf.Theory (ISIT), 2004, pp. 136–157.

[37] W.-Y. Hwang, ‘‘Quantum key distribution with high loss: Toward globalsecure communication,’’ Phys. Rev. Lett., vol. 91, no. 5, p. 057901, 2003.

[38] H.-K. Lo, X. Ma, and K. Chen, ‘‘Decoy state quantum key distribution,’’Phys. Rev. Lett., vol. 94, no. 3, p. 230504, 2005.

[39] X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, ‘‘Practical decoy state for quantumkey distribution,’’ Phys. Rev., vol. 72, no. 1, p. 012326, 2005.

[40] X.-B. Wang, ‘‘Beating the photon-number-splitting attack in practicalquantum cryptography,’’ Phys. Rev. Lett., vol. 94, no. 23, p. 230503,2005.

[41] X.-B. Wang, ‘‘Decoy-state protocol for quantum cryptography withfour different intensities of coherent light,’’ Phys. Rev. A, vol. 72,no. 1, p. 012322, 2005.

[42] J. W. Harrington, J. M. Ettinger, R. J. Hughes, and J. E. Nordholt. (2005).‘‘Enhancing practical security of quantum key distribution with a fewdecoy states.’’ [Online]. Available: http://arxiv.org/abs/quant-ph/0503002

[43] R. H. Hadfield, ‘‘Single-photon detectors for optical quantum infor-mation applications,’’ Nature Photon., vol. 3, no. 12, pp. 696–705,2009.

[44] L. O. Mailloux et al., ‘‘Quantum key distribution: Examination of thedecoy state protocol,’’ IEEE Commun. Mag., vol. 53, no. 10, pp. 24–31,Oct. 2015.

LOGAN O. MAILLOUX (M’12) received 15

the B.S. degree in 2002, the M.S. degree 16

in 2008, and the Ph.D. degree in 2015. He is 17

a Commissioned Officer in the United States Air 18

Force and an Assistant Professor with the Air 19

Force Institute of Technology, Wright-Patterson 20

AFB, OH, USA. His research interests include 21

system security engineering, complex information 22

communication and technology implementations, 23

and quantum key distribution systems. He is 24

a member of Tau Beta Pi, Eta Kappa Nu, INCOSE, and ACM. 25

DOUGLAS D. HODSON received the B.S. degree 26

in 1985, the M.S. degree in 1987, and the 27

Ph.D. degree in 2009. He is an Assistant 28

Professor of Software Engineering with the Air 29

Force Institute of Technology, Wright-Patterson 30

AFB, OH, USA. His research interests include 31

computer engineering, software engineering, 32

real-time distributed simulation, and quantum 33

communications. He is also a DAGSI Scholar and 34

a member of Tau Beta Pi. 35

MICHAEL R. GRIMAILA (SM’05) received 36

the B.S. degree in 1993, the M.S. degree 37

in 1995, and the Ph.D. degree in 1999. He 38

is a Professor and the Head of the Systems 39

Engineering Department and a member of the 40

Center for Cyberspace Researchwith theAir Force 41

Institute of Technology, Wright-Patterson AFB, 42

OH, USA. His research interests include computer 43

engineering,mission assurance, quantum commun- 44

ications and cryptography, data analytics, network 45

management and security, and systems engineering. He is a member of 46

Tau Beta Pi, Eta Kappa Nu, and ACM, and a fellow of the ISSA. 47

RYAN D. ENGLE (M’14) received the B.S. degree 48

in 2007 and the M.S. degree in 2015. He is 49

currently pursuing the Ph.D. degree with the 50

Air Force Institute of Technology, Wright- 51

Patterson AFB. He is a Commissioned Officer in 52

the U.S. Air Force. His research interests include 53

software engineering, computer engineering, and 54

model-based quantum key distribution systems. 55

He is a member of ACM. 56

COLIN V. MCLAUGHLIN received the B.A. degree in 2003 and the 57

Ph.D. degree in 2010. He is a Research Physicist with the United States Naval 58

Research Laboratory, Washington, DC, USA. He specializes in photonic 59

communication devices and systems. 60

GERALD B. BAUMGARTNER received the B.S. degree in 1971, the 61

M.S. degree in 1973, and the Ph.D. degree from the Illinois Institute 62

of Technology, in 1980. He is a Research Physicist with the Laboratory 63

for Telecommunications Sciences, College Park, MD, USA. His research 64

interests include quantum optics, quantum communications, quantum 65

information, communications security, communications system modeling, 66

and simulation and statistical signal processing. He is a member of the 67

American Physical Society, the Optical Society of America, and the Society 68

for Industrial and Applied Mathematics. 69

70

VOLUME 4, 2016 2197