Attacking Quantum Key Distribution with Single-Photon Two-Qubit

Home , BB84

arXiv:quant-ph/0508051v2 22 Sep 2005 omd lhuhavreyo oetal rcia ap- practical potentially of per- variety been have a experiments although such QKD, no formed, BB84 knowledge attacking our toward to as directed attention, that Our be analyses [3]. will security non-idealities however, have of as variety [2], a incorporate BB84 pub- up ideal been opens for have number, lished proofs photon Security average vulnerability. events, low additional multi-photon per at of average rare on occurrence photon although the one and than interval, less bit at run sources Employing such typically single-photon as are true performance Eve. a QKD of reduces by further lieu source, intrusion in source, can laser attenuated as an systems, events error these cause can in and counts atmospheric background loss for systems, and, propagation QKD counts to Dark owing inefficiencies. undetected, detector go will tons pro- with security. pad QKD complete one-time in full shared communicate the can a have they of which Bob end and potential the Alice any At cedure, to bits, information (Eve). ampli- key sifted privacy eavesdropper useful their sufficient deny in apply to and errors fication prescribed errors, identify a these to employ correct Bob operations and of Alice set value. used. Alice bit that incorrect basis same the in An the detection occurred are a has has These count Bob his which used. in intervals she bit that co- i.e., Alice events, bases ones in the occurred detections. with detections incident has which Bob he informs which then associated for and intervals bases bit of measurement sequence the Alice to closes ( etpoosi ihrthe either in photons tect i,Aietasisasnl htni admyse- randomly for a ( allotted horizontal in from interval photon chosen single time polarization, a each lected transmits states In Alice bit, polarization [1]. a follows single-photon as using works QKD) (BB84 ∗ V lcrncades [email protected] address: Electronic nln-itneQDsses oto lc’ pho- Alice’s of most systems, QKD long-distance In ent-rsad18 unu e distribution key quantum 1984 Bennett-Brassard ,+45 ), error takn unu e itiuinwt igepoo two single-photon with distribution key quantum Attacking ascuet nttt fTcnlg,Rsac Laborato Research Technology, of Institute Massachusetts ◦ vn sasf vn nwihBbdcdsthe decodes Bob which in event sift a is event or , ASnmes 36.d 36.x 25.v 42.40.Lm 42.50.Dv, 03.67.Lx, 03.67.Dd, numbers: PACS t a into simulation physical attack. the s converts nondemoli from configuration quantum constructed this polarization-preserving CNOT Adding deterministic o a logic. simulation using physical QKD complete BB84 a based describes o means paper by This QKD) (BB84 gate. distribution key quantum 1984 Brassard − h uh-ee-rnt(P)poeraie h otpower most the realizes probe (FPB) Fuchs-Peres-Brandt The .INTRODUCTION I. 45 ◦ hl o admycosst de- to chooses randomly Bob while , H / V or ± eryH Shapiro H. Jeffrey 45 ◦ ae.Bbdis- Bob bases. H Dtd etme 4 2018) 14, September (Dated: ,vertical ), and sift ∗ n rnoN .Wong C. N. Franco and yo lcrnc,Cmrde ascuet 23 USA 02139 Massachusetts Cambridge, Electronics, of ry i elzto fteFBatc npolarization-based on attack FPB determinis- the true BB84. of a can realization into number simulation tic photon physical polarization- this of of convert addition measurements the QND how showing complete preserving by conclude, a theoret- IV, We Sec. describe logic. its in quantum we and (SPTQ) single- from two-qubit III probe constructed photon probe Sec. FPB this of In the simulation physical review performance. we ical II Sec. In presence. her Alice keeping to the while oblivious about distilled Bob have derive and Bob the really and Alice construct Eve test: that the to can key to interest information security of much BB84’s how is put it and at- simulation believe physical the we of Thus implementation full tack. this a turn into soon simulation may single- physical detection quan- on (QND) in attack nondemolition underway developments tum individual that powerful and BB84, most probe photon the (FPB) Fuchs-Peres-Brandt i.e., the [5], phys- of permits objec- technology simulation current particular ical that show Our to be [4]. will tive discussed been have proaches ie rbblt htasfe i ilb eevdi er- in a received for be i.e., will bit disturbance, sifted of a level that given that probability a given bits for sifted receives error-free Bob the interaction, of about amount state, maximum Rényi information probe the Eve of measurement—affords choice and appropriate Slutsky the retained. with has she al. photon et probe Bob, the to on measurement photon (POVM) operator-valued Alice’s probability a sends a performs in then and photon Eve Alice’s a with manner. which interact supplies unitary it in Eve lets way and performed. photon general be probe could most attack we the individual Fuchs so described an attacks. [6], [7] individual attacks Peres to collective and consideration about our known limit will is pho- collective Less Alice’s a of In groups tons. time. probe a measurements at Eve’s one attack, photons Alice’s probes Eve h eane fti ae sognzda follows. as organized is paper this of remainder The na niiulatc nsnl-htnB8 QKD, BB84 single-photon on attack individual an In I H UH-EE-RNTPROBE FUCHS-PERES-BRANDT THE II. 8 eosrtdta h uh-ee construct— Fuchs-Peres the that demonstrated [8] inmaueet fpoo ubrto number photon of measurements tion u eemnsi elzto fteFPB the of realization deterministic rue h P-rb tako polarization- on attack FPB-probe the f igecnrle-O (CNOT) controlled-NOT single a f u niiulatc nBennett- on attack individual ful nl-htntoqbtquantum two-qubit ingle-photon qbtqatmlogic quantum -qubit 2

|V i ror. Brandt [5] extended the Slutsky et al. treatment by |1i showing that the optimal probe could be realized with a ◦ 45 ◦ single CNOT gate. Figure 1 shows an abstract diagram of |− i |+45 i the resulting Fuchs-Peres-Brandt probe. In what follows we give a brief review of its structure and performance— |0i see [5] for a more detailed treatment—where, for simplic- ity, we assume ideal conditions in which Alice transmits |Hi a single photon per bit interval, there is no propagation loss and no extraneous (background) light collection, and both Eve and Bob have unity quantum eﬃciency pho- FIG. 2: (Color online) Computational basis for Eve’s CNOT todetectors with no dark counts. These ideal conditions gate referenced to the BB84 polarization states. imply there will not be any errors on sifted bits in the absence of eavesdropping; the case of more realistic con- CNOT’s input and the kets on the right-hand side de- ditions will be discussed brieﬂy in Sec. IV. note the Bob Eve state of the control and target qubits at the CNOT’s⊗ output. Similarly, when Alice uses the Eve 45◦ basis, Eve’s CNOT gate has the following behav- Alice Bob ior,±

◦ ◦ ◦ +45 Tin +45 T+ + 45 TE (8) | ◦i| i −→ | ◦i| i |− ◦i| i 45 Tin 45 T− + +45 TE . (9) FIG. 1: (Color online) Block diagram of the Fuchs-Peres- |− i| i −→ |− i| i | i| i Brandt probe for attacking BB84 QKD. Suppose that Bob measures in the basis that Alice has employed and his outcome matches what Alice sent. In each bit interval Alice transmits, at random, a single Then Eve can learn their shared bit value, once Bob dis- photon in one of the four BB84 polarization states. Eve closes his measurement basis, by distinguishing between uses this photon as the control-qubit input to a CNOT the T+ and T− output states for her target qubit. Of gate whose computational basis—relative to the BB84 course,| i this knowledge| i comes at a cost: Eve has caused polarization states—is shown in Fig. 2, namely an error event whenever Alice and Bob choose a com- mon basis and her target qubit’s output state is TE . 0 cos(π/8) H + sin(π/8) V (1) | i | i ≡ | i | i To maximize the information she derives from this intru- 1 sin(π/8) H + cos(π/8) V , (2) sion, Eve applies the minimum error probability receiver | i ≡ − | i | i for distinguishing between the single-photon polarization in terms of the H/V basis. Eve supplies her own probe states T+ and T− . This is a projective measurement photon, as the target-qubit input to this CNOT gate, in | i | i onto the polarization basis d+ , d− , shown in Fig. 3 the state and given by {| i | i} T C + + S , (3) | ini≡ | i |−i + + d+ = | i |−i = 0 (10) where C = √1 2PE, S = √2PE, = ( 0 1 )/√2, | i √2 | i − |±i | i ± | i and 0 PE 1/2 will turn out to be the error prob- + ≤ ≤ d− = | i − |−i = 1 . (11) ability that Eve’s probe creates on Bob’s sifted bits [9]. | i √2 | i So, as PE increases from 0 to 1/2, Tin goes from + to . The (unnormalized) output states| i that may| occuri |−ifor this target qubit are |T−i |d−i = |1i S |T+i T± C + (4) | i ≡ | i± √2|−i S E T . (5) d = 0 | i ≡ √2|−i | +i | i

Here is how the FPB probe works. When Alice uses the H/V basis for her photon transmission, Eve’s CNOT gate eﬀects the following transformation, FIG. 3: (Color online) Measurement basis for Eve’s minimum- error-probability discrimination between |T+i and |T−i. H T H T− + V TE (6) | i| ini −→ | i| i | i| i V Tin V T+ + H TE , (7) | i| i −→ | i| i | i| i Two straightforward calculations will now complete where the kets on the left-hand side denote the Al- our review of the FPB probe. First, we ﬁnd the error ice Eve state of the control and target qubits at the probability that is created by Eve’s presence. Suppose ⊗ 3

Alice and Bob use the H/V basis and Alice has sent H . Alice and Bob will incur an error if the control target| i 1 ⊗ 0.9 output from Eve’s CNOT gate is V TE . The proba- | i| 2 i 0.8 bility that this occurs is TE TE = S /2 = PE. The h | i 0.7 same conditional error probability ensues for the other 0.6 three error events, e.g., when Alice and Bob use the IR 0.5 ◦ ◦ 45 basis, Alice sends +45 , and the CNOT output is 0.4 ± ◦ | i 45 TE . It follows that the unconditional error prob- 0.3 |−abilityi| incurredi by Alice and Bob on their sift events is 0.2 0.1 PE. 0 Now we shall determine the Rényi information that 0 0.1 0.2 0.3 0.4 0.5 Eve derives about the sift events for which Alice and PE Bob do not suffer errors. Let B = 0, 1 and E = 0, 1 denote the ensembles of possible bit{ values} that Bob{ and} FIG. 4: (Color online) Eve’s Rényi information about Bob’s Eve receive on a sift event in which Bob’s bit value agrees error-free sifted bits as a function of the error probability that with Alice’s. The Rényi information (in bits) that Eve her eavesdropping creates. learns about each Alice/Bob error-free sift event is

1 2 gives T+ = T− = TE = 1/2 . Here it is clear IR log2 P (b) | i | i | i |−i ≡ − b ! that Eve gains no information about Bob’s error-free bits, X=0 p 1 1 but his error probability is 1/2 because of the action of 2 the target qubit on the control qubit. + P (e) log2 P (b e) , (12) |−i | e=0 b ! X X=0 where P (b), P (e) are the prior probabilities for Bob’s III. PHYSICAL SIMULATION IN SPTQ LOGIC and Eve’s{ bit values,} and P (b e) is the conditional prob- | ability for Bob’s bit value to be b given that Eve’s is e. In single-photon two-qubit quantum logic, each pho- Alice’s bits are equally likely to be 0 or 1, and Eve’s ton encodes two independently controllable qubits [11]. conditional error probabilities satisfy [10] One of these is the familiar polarization qubit, with basis H , V . The other we shall term the momentum P (e =1 b =0)= P (e =0 b =1) (13) {| i | i} | | qubit—because our physical simulation of the FPB probe 2 1 T+ T− will rely on the polarization-momentum hyperentangled = 1 1 |h | i| (14) photon pairs produced by type-II phase matched spon- 2 − − T T T− T− s h +| +ih | i! taneous parametric downconversion (SPDC)—although 1 4PE(1 2PE) in the collimated configuration in which SPTQ is im- = 1 − . (15) plemented its basis states are single-photon kets for 2 − 1 PE p − ! right and left beam positions (spatial modes), denoted R , L . Unlike the gates proposed for linear optics These results imply that b is also equally likely to be 0 {| i | i} or 1, and that P (b e)= P (e b), whence quantum computing [12], which are scalable but non- | | deterministic, SPTQ quantum logic is deterministic but 4PE(1 2PE) not scalable. Nevertheless, SPTQ quantum logic suffices IR = log2 1+ − , (16) (1 PE )2 for a complete physical simulation of polarization-based − BB84 being attacked with the FPB probe, as we shall which we have plotted in Fig. 4. show. Before doing so, however, we need to comment on Figure 4 reveals several noteworthy performance points the gates that have been demonstrated in SPTQ logic. for the FPB probe. The IR = 0, PE = 0 point in this It is well known that single qubit rotations and CNOT figure corresponds to Eve’s operating her CNOT gate gates form a universal set for quantum computation. In with Tin = + for its target qubit input. It is well SPTQ quantum logic, polarization-qubit rotations are known| thati such| i an input is unaffected by and does not easily accomplished with wave plates, just as is done affect the control qubit. Thus Bob suffers no errors but in linear optics quantum computing. Momentum-qubit Eve gets no Rényi information. The IR = 1, PE = 1/3 rotations are realized by first performing a SWAP op- point in this figure corresponds to Eve’s operating her eration, to exchange the polarization and momentum CNOT gate with T = 1/3 + + 2/3 , which qubits, then rotating the polarization qubit, and finally | ini | i |−i leads to T± d± . In this case Eve’s Fig. 3 receiver performing another SWAP. The SWAP operation is a makes no| errors,i ∝ | soi she obtainsp the maximump (1 bit) cascade of three CNOTs, as shown in Fig. 5. For its im- Rényi information about each of Bob’s error-free bits. plementation in SPTQ quantum logic the left and right The IR =0, PE =1/2 point in this figure corresponds to CNOTs in Fig. 5 are momentum-controlled NOT gates Eve’s operating her CNOT gate with T = , which (M-CNOTs) and the middle CNOT is a polarization- | ini |−i 4 controlled NOT gate (P-CNOT). (An M-CNOT uses this manner. Moreover, if Eve could do so, she would not the momentum qubit of a single photon to perform the bother with an FPB probe as she could directly observe controlled-NOT operation on the polarization qubit of Bob’s bit values. that same photon, and vice versa for the P-CNOT gate.)

Experimental demonstrations of deterministic M-CNOT, one of pol. state four pol. states unchanged P-CNOT, and SWAP gates are reported in [11, 13]. Bob’s 1 Alice Eve SWAP

Single impose photon momentum P-CNOT SWAP source qubit Bob’s BB84 setting Bob’s pol. 0 analysis Joint (Bob and Eve) measurement SWAP SWAP HWP

FIG. 5: Quantum circuit diagram for a SWAP gate realized FIG. 6: (Color online) Physical simulation of polarization- as a cascade of three CNOTs. In SPTQ quantum logic the based BB84 QKD and the FPB-probe attack. upper rail is the momentum qubit and the lower rail is the polarization qubit of the same photon. toBob’spassive ±45°analysis Figure 6 shows a physical simulation of polarization- Bob’s based BB84 under FPB attack when Alice has a single- 1 photon source and Bob employs active basis selection; SWAP Fig. 7 shows the modification needed to accommodate Bob’s using passive basis selection. In either case, Alice SWAP uses a polarizing beam splitter and an electro-optic mod- 50/50 Bob’s beamsplitter Bob’spassive 0 ulator, as a controllable half-wave plate (HWP), to set HV- analysis the randomly-selected BB84 polarization state for each Joint(BobandEve) photon she transmits. Moreover, she employs a single measurement spatial mode, which we assume coincides with the R beam position in Eve’s apparatus. Eve then begins her FIG. 7: (Color online) Modification of Fig. 6 to accommodate Bob’s using passive basis selection. attack by imposing the probe state Tin on the momentum qubit. She does this by applying| i a SWAP gate, to exchange the momentum and polarization qubits of If Bob employs passive basis selection (Fig. 7), then he Alice’s photon, rotating the resulting polarization qubit uses a 50/50 beam splitter followed by static-HWP anal- ◦ (with the HWP in Fig. 6) to the Tin state, and then ysis in the H-V and 45 bases, with only the former using another SWAP to switch this| statei into the mo- being explicitly shown± in Fig. 7. The rest of Eve’s at- mentum qubit. This procedure leaves Alice’s BB84 po- tack mimics what was seen in Fig. 6, i.e., she gets inside larization state unaffected, although her photon, which Bob’s measurement boxes with SWAP gates, half-wave will ultimately propagate on to Bob, is no longer in a sin- plates, and additional detectors so that she can perform gle spatial mode. Eve completes the first stage of her at- her probe measurement while providing Bob with his tack by sending Alice’s photon through a P-CNOT gate, BB84 polarization-measurement data. Because the Fig. 7 which will accomplish the state transformations given in arrangement requires that twice as many SWAP gates, Eqs. (6)–(9), and then routing it to Bob. If Bob em- twice as many half-wave plates, and twice as many single- ploys active basis selection (Fig. 6), then in each bit in- photon detectors be inserted into Bob’s receiver system, terval he will use an electro-optic modulator—as a con- as compared to what is needed in the Fig. 6 setup, we trollable HWP—plus a polarizing beam splitter to set shall limit the rest of our discussion to the case of active the randomly-selected polarization basis for his measure- basis selection as it leads to a more parsimonious phys- ment. The functioning of this basis-selection setup is ical simulation of the Fuchs-Peres-Brandt attack. We unaffected by Alice’s photon no longer being in a single recognize, of course, that the decision to use active basis spatial mode. The reason that we call Fig. 6 a physical selection is Bob’s to make, not Eve’s. More importantly, simulation, rather than a true attack, lies in the measure- however, in Sec. IV we will show how the availability ment box. Here, Eve has invaded Bob’s turf, and inserted of polarization-preserving QND photon-number measure- SWAP gates, half-wave plates, polarizing beam splitters, ments can be used to turn Fig. 6 into a true, deterministic and additional photodetectors, so that she can forward to implementation of the FPB attack. The same conversion Bob measurement results corresponding to photon count- can be accomplished for passive basis selection. Before ing on the polarization basis that he has selected while turning to the true-attack implementation, let us flesh she retains the photon counting results corresponding to out some details of the measurement box in Fig. 6 and her d+ , d− measurement. Clearly Bob would never show how SPDC can be used, in lieu of the single-photon knowingly{| i | permiti} Eve to intrude into his receiver box in source, to perform this physical simulation. 5

Let ψout denote the polarization momentum state at the output| i of Eve’s P-CNOT gate in⊗ Fig. 6. Bob’s po- SWAP Eve larization analysis box splits this state, according to the basis he has chosen, so that one basis state goes to the momentum upper branch of the measurement box while the other entangled goes to the lower branch of that box. This polariza- SWAP tion sorting does nothing to the momentum qubit, so the SWAP gates, half-wave plates, and polarizing beam Pump crystal P-CNOT SWAP splitters that Eve has inserted into the measurement box Bob’s accomplish her d+ , d− projective measurement, i.e., entangledinpol. analysis BB84 Joint(BobandEve) {| i | i} andmomentum the horizontal paths into photodetectors in Fig. 6 are pro- setting measurement jecting the momentum qubit of ψ onto d− and the | outi | i vertical paths into photodetectors in Fig. 6 are projecting FIG. 8: (Color online) Proposed conﬁguration for a complete this state onto d . Eve records the combined results of | +i physical simulation of the FPB attack on BB84 that is based the two d+ versus d− detections, whereas Bob, who on hyperentangled photon pairs from type-II phase matched only sees| thei combined| i photodetections for the upper SPDC and gates built from SPTQ quantum logic. and lower branches entering the measurement box, gets his BB84 polarization data. Bob’s data is impaired, of course, by the eﬀect of Eve’s P-CNOT. IV. THE COMPLETE ATTACK

Although the FPB attack’s physical simulation, as de- Single-photon on-demand sources are now under devel- scribed in the preceding section, is both experimentally opment at several institutions [14], and their use in BB84 feasible and technically informative, any vulnerabilities QKD has been demonstrated [15]. At present, however, it might reveal would only be of academic interest were it is much more practical to use SPDC as a heralded there no practical means to turn it into a true deter- source of single photons [16]. In SPDC, signal and idler ministic implementation in which Eve did not need to photons are emitted in pairs, thus detection of the signal invade Bob’s receiver. Quantum nondemolition measure- photon heralds the presence of the idler photon. More- ment technology provides the key to creating this com- over, with appropriate configurations [17], SPDC will plete attack. As shown in the appendix, it is possible, produce photons that are simultaneously entangled in po- in principle, to use cross-phase modulation between a larization and in momentum. This hyperentanglement strong coherent-state probe beam and an arbitrarily po- leads us to propose the Fig. 8 configuration for physi- larized signal beam to make a QND measurement of the cally simulating the FPB-probe attack on BB84. Here, signal beam’s total photon number while preserving its a pump laser drives SPDC in a type-II phase matched polarization state. Cross-phase modulation QND mea- χ(2) crystal, such as periodically-poled potassium titanyl surement of photon number has long been a topic of phosphate (PPKTP), producing pairs of orthogonally- interest in quantum optics [18], and recent theory has polarized, frequency-degenerate photons that are entan- shown that it provides an excellent new route to pho- gled in both polarization and momentum. The first po- tonic quantum computation [19]. Thus it is not un- larizing beam splitter transmits a horizontally-polarized warranted to presume that polarization-preserving QND photon and reflects a vertically-polarized photon while measurement of total photon number may be developed. preserving their momentum entanglement. Eve uses a With such technology in hand, the FPB-probe attack SWAP gate and (half-wave plate plus polarizing beam shown in Fig. 9 becomes viable. Here, Eve imposes a splitter) polarization rotation so that her photodetector’s momentum qubit on Alice’s polarization-encoded pho- clicking will, by virtue of the momentum entanglement, ton and performs a P-CNOT operation exactly as dis- herald the setting of the desired Tin momentum-qubit cussed in conjunction with Figs. 6 and 8. Now, however, state on the horizontally-polarized| photoni emerging from Eve uses a SWAP-gate half-wave plate combination so the first polarizing beam splitter. Alice’s electronically that the d+ and d− momentum qubit states emerg- controllable half-wave plate sets the BB84 polarization ing from| heri P-CNOT| i become V and H states en- qubit on this photon, and the rest of the Fig. 8 configu- tering the polarizing beam splitter| i that follows| i the half- ration is identical to that shown and explained in Fig. 6. wave plate. This beam splitter routes these polarizations Inasmuch as the SPDC source and SPTQ gates needed to into its transmitted and reflected output ports, respec- realize the Fig. 8 setup have been demonstrated, we pro- tively, where, in each arm, Eve employs a SWAP gate, a pose that such an experiment be performed. Simultane- polarization-preserving QND measurement of total pho- ous recording of Alice’s polarization choices, Bob’s polar- ton number, and another SWAP gate. The first of these ization measurements and Eve’s d+ versus d− results SWAPs returns Alice’s BB84 qubit to polarization, so can then be processed through the| BB84i protocol| i stack to that a click on Eve’s polarization-preserving QND appa- study the degree to which the security proofs and eaves- ratus completes her d+ , d− measurement without dropping analyses stand up to experimental scrutiny. further scrambling Alice’s{| i BB84| i} qubit beyond what has 6 already occurred in Eve’s P-CNOT gate. The SWAP mit mounting of a true deterministic FBP-probe attack. gates that follow the QND boxes then restore definite (V Our analysis has presumed ideal conditions in which Al- and H) polarizations to the light in the upper and lower ice employs a single-photon source, there is no propaga- branches so that they may be recombined on a polarizing tion loss and no extraneous (background) light collec- beam splitter. The SWAP gate that follows this recom- tion, and both Eve and Bob have unity quantum ef- bination then returns the BB84 qubit riding on Alice’s ficiency photodetectors with no dark counts. Because photon to polarization for transmission to and measure- current QKD systems typically employ attenuated laser ment by Bob. This photon is no longer in the single sources, and suffer from propagation loss, photodetector spatial mode emitted by Alice’s transmitter, hence Bob inefficiencies, and extraneous counts, it behooves us to at could use spatial-mode discrimination to infer the pres- least comment on how such non-idealities could impact ence of Eve, regardless of the PE value she had chosen the FPB probe we have described. to impose. Eve, however, can preclude that possibility. The use of an attenuated laser source poses no problem Because the result of her d+ , d− measurement tells for the configurations shown in Figs. 6–9. This is because {| i | i} her the value of the momentum qubit on the photon be- the single-qubit rotations and the CNOT gates of SPTQ ing sent to Bob, she can employ an additional stage of quantum logic effect the same transformations on coher- qubit rotation to restore this momentum qubit to the R ent states as they do on single-photon states. For ex- | i state corresponding to Alice’s transmission. Also, should ample, the same half-wave plate setting that rotates the Alice try to defeat Eve’s FPB probe by augmenting her single-photon H qubit into the single-photon V qubit BB84 polarization qubit with a randomly-chosen momen- will transform| thei horizontally-polarized coherent| i state tum qubit, Eve can use a QND measurement setup like α H into the vertically-polarized coherent state α V . that shown in Fig. 9 to collapse the value of that momen- Likewise,| i the SPTQ P-CNOT gate that transforms a| sin-i tum qubit to R or L , and then rotate that momentum gle photon carrying polarization ( H = 0 , V = 1 ) | i | i qubit into the R -state spatial mode before applying the and momentum ( R = 0 , L = | 1 i) qubits| i | accordingi | i | i FPB-probe attack. At the conclusion of her attack, she to | i | i | i | i can then randomize the momentum qubit on the photon that will be routed on to Bob without further impact— cHR HR + cHL HL + cVR V R + cVL VL beyond that imposed by her P-CNOT gate—on that pho- | i | i | i | i −→ cHR HR + cHL HL + cVR VL + cVL V R ,(17) ton’s polarization qubit. So, unless Alice and Bob gen- | i | i | i | i eralize their polarization-based BB84 protocol to include will transform the four-mode coherent-state input with cooperative examination of the momentum qubit, Alice’s eigenvalues randomization of that qubit will neither affect Eve’s FPB attack, nor provide Alice and Bob with any additional aˆHR aˆHL aˆVR aˆVL = evidence, beyond that obtained from the occurrence of h i h i h i h i errors on sifted bits, of Eve’s presence. αHR αHL αVR αVL , (18)

into a four-mode coherent-state output with eigenvalues

Eve to Bob aˆHR aˆHL aˆVR aˆVL =

Click for |d+i SWAP h i h i h i h i αHR αHL αVL αVR , (19) SWAP QND SWAP from where thea ˆ’s are annihilation operators for modes la- Alice impose beled by their polarization and beam positions. It follows momentum P-CNOT SWAP SWAP QND SWAP qubit that the coherent-state PE and IB calculations mimic

Click for |d−i the qubit derivations that we presented in Sec. III, with

SWAP SWAP coherent-state inner products taking the place of qubit-

HWP state inner products. At low average photon number, these coherent-state results reduce to the qubit expres- sions for events which give rise to clicks in the photode- FIG. 9: (Color online) Deterministic FPB-probe attack on tectors shown in Figs. 6–9. polarization-based BB84 that is realized with polarization- Finally, a word about propagation loss, detector inef- preserving QND measurements and SPTQ quantum logic. ﬁciencies, and extraneous counts from dark current or background light is in order. All of these non-idealities Some concluding remarks are now in order. We have actually help our Eve, in that they lead to a non-zero shown that a physical simulation of the Fuchs-Peres- quantum bit error rate between Alice and Bob in the Brandt attack on polarization-based BB84 is feasible absence of the FPB attack. If Eve’s PE value is set be- with currently available technology, and we have argued low that baseline error rate, then her presence should be that the development of polarization-preserving QND undetectable. technology for measuring total photon number will per- 7

Acknowledgments ton number in the signal beam can be inferred from a homodyne-detection measurement of the appropriate ′ The authors acknowledge useful technical discussions probe quadrature. In particular, the state ofa ˆP will be with Howard Brandt, Jonathan Smith and Stewart Per- √N P when the signal beam’s total photon number is | i sonick. This work was supported by the Department of zero, and its state will be (1 + iκ)√N P when the signal Defense Multidisciplinary University Research Initiative beam’s total photon number| is one, wherei κ 1 has been ′ ≪ ′ program under Army Research Office grant DAAD-19- employed. Homodyne detection of thea ˆP 2 Im(âP ) 00-1-0177 and by MIT Lincoln Laboratory. quadrature thus yields a classical random-variable≡ out- ′ come αP 2 that is Gaussian distributed with mean zero and variance 1/4, in the absence of a signal-beam photon, APPENDIX: QND MEASUREMENT and Gaussian distributed with mean κ√N P and variance 1/4 in the presence of a signal-beam photon. Note Here we show that it is possible, in principle, to use that these conditional distributions are independent of cross-phase modulation between a strong coherent-state the polarization state of the signal-beam photon when it probe beam and an arbitrarily-polarized signal beam to is present. Using the decision rule, “declare signal-beam ′ make a QND measurement of the signal beam’s total pho- photon present if and only if αP 2 >κ√N P /2,” it is easily ton number. Let aˆH , aˆV , aˆP be the annihilation oper- shown that the QND error probability is bounded above { } 2 ators of the horizontal and vertical polarizations of the by exp( κ NP /2)/2 1. − ≪ signal beam and the (single-polarization) probe beam, The preceding polarization independent, low error respectively at the input to a cross-phase modulation in- probability QND detection of the signal beam’s total teraction. We shall take that interaction to transform photon number does not disturb the polarization state these annihilation operators according to the following of that beam. This is so because the probe imposes the commutator-preserving unitary operation, same nonlinear phase shift on both the H and V polarizations of the signal beam. Hence, if the signal-beam ′ † aˆH aˆH exp(iκaˆP aˆP )âH (A.1) input is in the arbitrarily-polarized single-photon state, −→ ≡ ′ † aˆV aˆV exp(iκaˆP aˆP )âV (A.2) −→ ≡ S H H V V H V ′ † † ψ = c 1 0 + c 0 1 , (A.4) aˆP aˆP exp[iκ(âH aˆH +âV aˆV )]âP , (A.3) | i | i | i | i | i −→ ≡ where 0 < κ 1 is the cross-phase modulation cou- where cH 2 + cV 2 = 1, then, except for a physically pling coefficient.≪ When the probe beam is in a strong unimportant| | absolute| | phase, the signal-beam output will 2 coherent state, √N P with NP 1/κ , the total pho- also be in the state ψS . | i ≫ | i

[1] C. H. Bennett and G. Brassard, Proc. of IEEE Inter- [7] C. A. Fuchs and A. Peres, Phys. Rev. A 53, 2038 (1996). national Conference on Computers, Systems, and Signal [8] B. A Slutsky, R. Rao, P,-C. Sun, and Y. Fainman, Phys. Processing, Bangalore, India, 1984, p. 175 (IEEE, New Rev. A 57, 2383 (1998). York, 1984); see, e.g., N. Gisin, G. Ribordy, W. Tittel, [9] Equation (3) corrects an error in [5]. Because of an extra- and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002) for a neous root problem, the expression for Eve’s target-qubit review of progress in both theory and experiment. input state in that paper is only correct for 0 ≤ PE ≤ 1/4. [2] P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 This can be seen by comparing the input probe state |A2i (2000); D. Mayers, J. ACM 48, 351 (2001); H.-K. Lo, J. from Eq. (207) of [5] with our target-qubit input state Phys. A 34, 6957 (2001). |Tini from Eq. (3). The former coincides with the latter [3] B. Slutsky, P.-C. Sun, Y. Mazurenko, R. Rao, and Y. for 0 ≤ PE ≤ 1/4, but not for 1/4 < PE ≤ 1/2. Indeed, Fainman, J. Modern Opt. 44, 953 (1997); G. Brassard, because Brandt’s |A2i states for PE = 1/4 ± x are identi- N. Lütkenhaus, T. Mor, and B. C. Sanders, Phys. Rev. cal, for all 0 ≤ x ≤ 1/4, it is clear that his two-state FPB Lett. 85, 1330 (2000); G. Gilbert and M. Hamrick, e- probe traces out the same Rényi information trajectory print quant/ph-0009027; V. Makarov and D. R. Hjelme, when PE increases from 1/4 to 1/2 as it does when PE de- J. Modern Opt. 52, 691 (2005). creases from 1/4 to 0. In subsequent work [H.E. Brandt, [4] D. S. Naik, C. G. Peterson, A. G. White, A. J. Berglund, “Unambiguous state discrimination in quantum key dis- and P. G. Kwiat, Phys. Rev. Lett. 84, 4733 (2000); tribution,” to appear in Quant. Inform. Proc.], Brandt M. Genovese, Phys. Rev. A 63, 044303 (2001); M. has recognized this problem, and pointed out that a spe- Williamson and V. Vedral, J. Mod. Opt. 50, 1989 (2003). cial case of his third unitary transformation from [5], ob- [5] H. E. Brandt, Phys. Rev. A 71, 042312 (2005). tained by collapsing that four-state probe to a two-state [6] C. H. Bennett, T. Mor, and J. A. Smolin, Phys. Rev. A probe, achieves the desired Rényi information formula for 54, 2675 (1996); E. Biham and T. Mor, Phys. Rev. Lett. 0 ≤ PE ≤ 1/2. 78, 2256 (1997); E. Biham, M. Boyer, G. Brassard, J. [10] C. W. Helstrom, Inform. Control 10, 254 (1964). van de Graaf, and T. Mor, Algorithmica 34, 372 (2002). [11] M. Fiorentino and F. N. C. Wong, Phys. Rev. Lett. 93, 8

070502 (2004). Poizat, and P. Grangier, Phys. Rev. Lett. 89, 187901 [12] E. Knill, R. Laﬂamme, and G. J. Milburn, Nature 409, (2002); E. Waks, K. Inoue, C. Santori, D. Fattal, J. Vuck- 46 (2001); J. D. Franson, M. M. Donegan, M. J. Fitch, ovic, G. S. Solomon, and Y. Yamamoto, Nature 420, 762 B. C. Jacobs, and T. B. Pittman, Phys. Rev. Lett. 89, (2002). 137901 (2002); J. L. O’Brien, G. J. Pryde, A. G. White, [16] J. G. Rarity, P. R. Tapster, and E. Jakeman, Opt. Com- T. C. Ralph, and D. Branning, Nature 426, 264 (2003). mun. 62, 201 (1987). [13] M. Fiorentino, T. Kim, and F. N. C. Wong, Phys. Rev. [17] M. Fiorentino, G. Messin, C. E. Kuklewicz, F. N. C. A 72, 012318 (2005). Wong, and J. H. Shapiro, Phys. Rev. A 69, 041801(R) [14] C. Santori, M. Pelton, G. Solomon, Y. Dale, and Y. Ya- (2004). mamoto, Phys. Rev. Lett. 86, 1502 (2000); S. Noda, A. [18] G. J. Milburn and D. F. Walls, Phys. Rev. A 28, 2065 Chutinan, and M. Imada, Nature 407, 608 (2000); A. (1983); N. Imoto, H. A. Haus, and Y. Yamamoto, Phys. Beveratos, R. Brouri, T. Gacoin, J.-Ph. Poizat, and P. Rev. A 32, 2287 (1985); P. Grangier, J. A. Levenson, and Grangier, Phys. Rev. A 64, 061802 (2001); M. Keller, B. J.-Ph. Poizat, Nature 396, 537 (1998). Lange, K. Hayasaka, W. Lange, and H. Walther, Nature [19] W. J. Munro, K. Nemoto, and T. P. Spiller, New J. Phys. 431, 1075 (2004). 7, 137 (2005). [15] A. Beveratos, R. Brouri, T. Gacoin, A. Villing, J.-Ph.