Cryptography Reference
In-Depth Information
entanglement can be seen even in implementations that actually do not use
entanglement [8].
2.5.2 PNS Attacks and Countermeasures
One limitation to quantum cryptography is due to the small but nonzero
probability that a (pseudo-) single-photon source actually emits two or more
photons. If this is the case and if the legitimate partners Alice and Bob use the
BB84 protocol, then Eve can perform the following attack, known as photon
number splitting (PNS) attack [73,74]. First, Eve measures the total photon-
number in each pulse leaving Alice'soffice. Next, whenever the pulse contains
two or more photons, she keeps one, while teleporting the other(s) to Bob. In
this way Eve sometimes holds a perfect copy of the qubit sent by Alice and
is thus no longer limited by the no-cloning theorem, since Alice unwillingly
offered her a copy. It is intuitively clear that if such multiphotons are too
frequent, then the security is lost. The situation could be even worse if Eve
can block the single-photon pulses and Bob does not notice this (Bob could be
fooled if the missing single-photon pulses are compensated by the increased
probability that he gets the multiphoton pulses thanks to the — assumed
perfect — teleportation). Hardware-based countermeasures involve a strong
reference pulse [76] or modulating pulse intensity [78]. Recently we imagined
a way to attenuate the effect of PNS attacks, with a mere change of the sifting
part of the BB84 protocol. The basic idea is to encode bits into nonorthogonal
states. In this way, even if Eve holds a perfect copy, she cannot extract full
information about the encoded bit. The same holds true, of course, for Bob.
But Bob is in a much more favorable situation than Eve: he may perform an
unambiguous state discrimination [75,77] and simply declare to Alice whether
he was successful or not [21,22].
2.5.3 Three- and Four-Photon Quantum
Communication
Finally, let us mention how quantum teleportation and entanglement swap-
ping could be exploited to extend the distances over which quantum cryp-
tography is secure. The first remark is that detectors are noisy: there is a finite
dark count probability, which is clearly independent of the distance. Sec-
ondly, the signal, on the contrary, i.e., the rate at which Bob detects photons,
decreases exponentially with the distance. Hence, for any detector/channel
pair, there is a distance limit beyond which quantum cryptography is un-
practical [7]. Attractive ways around this limitation are quantum repeaters
and quantum relays. The idea of a relay consists in dividing the channel
into
n
equal trunks [67,68]. Halves of the inner nodes contain a two-photon
source (EPR source of entangled photons as described in Section 2.4); the
other halves contain a (partial) Bell measurement [79]; see Figure 2.12. In
this way, Bob's detector is activated only if all the Bell measurements were
