Hacking on decoy-state quantum key distribution system with partial phase randomization

Abstract

Quantum key distribution (QKD) provides means for unconditional secure key transmission between two distant parties. However, in practical implementations, it suffers from quantum hacking due to device imperfections. Here we propose a hybrid measurement attack, with only linear optics, homodyne detection, and single photon detection, to the widely used vacuum + weak decoy state QKD system when the phase of source is partially randomized. Our analysis shows that, in some parameter regimes, the proposed attack would result in an entanglement breaking channel but still be able to trick the legitimate users to believe they have transmitted secure keys. That is, the eavesdropper is able to steal all the key information without discovered by the users. Thus, our proposal reveals that partial phase randomization is not sufficient to guarantee the security of phase-encoding QKD systems with weak coherent states.

Figure 1. The diagram of the hybrid measurement attack.

r(s) is the signal (reference) pulse of Alice. BS: beam splitter with transmittance 1/2; D₀ and D₁ are single photon detectors (SPDs); d₀ and d₁ are photodiodes; x is the output of homodyne detection; LD: laser diode which is used by Eve to generate the reference pulse (LO pulse) of homodyne detection; PM: phase modulator which is used by Eve to modulate a phase (0 or π/2) on LO. Jr.Eve has the same equipments as Alice, which is used to resend faked states to Bob according to her measurement results. Note that, Eve measures both r and s of Alice with a interferometer in the single photon detection part, but she only measures the phase information of s in the homodyne detection part.

Figure 2

(a)The theoretical distribution of x for different encoding phase of Alice, which are drawn according to Eq.4. Here we assume ϕ_e = 0, δ = π/4 and μ = 0.3. (b) The error rate of Eve and Bob under our attack, which are drawn according to Eq.7. The solid line shows the error rate between Alice and Eve, and the dashed line shows the error rate between Alice and Bob. Here we set δ = 10°, x₀ = 1.5, and assume that the detection setups of both Alice and Bob are perfect.

Figure 3. The estimated key rate of Alice and Bob under our attack.

But in fact, the key are insecure, since our attack corresponds to an entanglement-breaking channel and no secret key can be generated under this channel. Here we also show the equivalent channel length of Q_μ, defined as len = −(10/a) log₁₀{min(1, Q_μ/(μη_Bob)} (a = 0.21 is the loss of standard fiber), which represents the minimal channel length of Alice and Bob that Eve can successfully load our attack. In the simulations, we assume that the SPD and homodyne detection of Eve are perfect, and set f(E_μ) = 1.22, Y₀ = 1.7 × 10⁻⁶, η_Bob = 0.045, μ = 0.48, and ν = 0.1 according to the experimental results of Ref. .

Figure 4. The estimated key rate of Alice and Bob for different μ and ν when Eve is present.

In the simulations, we set x₀ = 1.5, δ = 10°, and other parameters are the same as Fig. 3.