Quantum Key Distribution: Basic Protocols and Threats

The last decade, the evolution in quantum computing has been enormous and real and reliable quantum computers are being developed quickly. One of the consequences of the upcoming quantum era is to make key distribution protocols insecure, as most of them are based on discrete algorithm problems. On the other hand, quantum computing provides a powerful and prominent tool for the safe transmission of information and cryptographic schemes and many of them have already been proposed. In this work, we discuss about quantum cryptography and we present certain quantum key distribution protocols. We also discuss about ‘potential attacks that can be performed against the quantum cryptographic schemes which are based on quantum system's imperfections and loopholes.

CCS Concepts: • Security and privacy; • Hardware → Quantum communication and cryptography; Keywords: quantum computing, quantum cryptography, quantum key distribution (QKD) protocols

ACM Reference Format:
Maria Sabani, Ilias Savvas, Dimitrios Poulakis, and Georgios Makris. 2022. Quantum Key Distribution: Basic Protocols and Threats. In 26th Pan-Hellenic Conference on Informatics (PCI 2022), November 25–27, 2022, Athens, Greece. ACM, New York, NY, USA 6 Pages. https://doi.org/10.1145/3575879.3576022

1 INTRODUCTION

Quantum computing is a contemporary field of research that studies and elaborates the construction and the operation of computer systems based on the principles of Quantum Mechanics. While in a classical computer the basic unit is the bit, in a quantum computer the basic unit is the qubit (QUantum BIT) [25]. A classical bit can be in two distinct states 0 or 1, but a quantum bit is a two-level quantum system described by a two-dimensional complex Hilbert space. That is a qubit can exist in typical states $\mathinner <|<0>\rangle >$ , $\mathinner <|<1>\rangle >$ or in any linear combination of these two states, such that $a\mathinner <|<0>\rangle > + b\mathinner <|<1>\rangle >$ , where and a 2 + b 2 = 1.

The fundamental principles that are the cornerstone of quantum computational systems, are the quantum superposition, the quantum entanglement and the quantum supremacy. Schrödinger's cat is a famous excrement that demonstrates a paradox of quantum superposition, i.e. the cat can be in the same time dead or alive [25, 29]. A bizarre and fascinating phenomenon of Quantum Physics is the Quantum Entanglement. Two particles (or more) are said to be entangled when they are generated, interact and they are connected in such a way even though there is a great distance or natural obstacles between them. Finally, the term quantum supremacy to describe the ability of a quantum computer to solve problems that no classical computer can do in any feasible amount of time [19]. Unfortunately, nowadays quantum computers are real with a limited number of qubits and other technical issues and limitations that question and reduce their reliability [16, 17].

Cryptography is the one of the oldest sciences and which ensures that two parties communicate safely without any interuption or change of theirs communication [26]. Cryptography is very important in our daily life, because we use cryptographic protocols in every electronic transaction or communication. Cryptographic schemes are based on hard mathematical problems and deal with the confidentiality, the integrity and the authenticity of the messages between the parties that communicate. A cryptosystem consists of plain messages, cipher messages, the keys that are being used and the encryption and decryption function. Cryptographic schemes are distinguished in symmetric and asymmetric by the type of key that is being used. When we say key we mean any type of mechanism, that is being used in order to hide a message like a set of rules to replace letters, an artificial set of symbols or nowadays a string of bits. With the transition to the quantum era, quantum computers will be able to make huge calculations only in a few seconds. As an example, Professor Peter Shor, in 1994, proved with a quantum algorithm and without a real quantum computer, that numbers can be analysed as the product of prime integers in polynomial time [27]. With Shor's Algorithm, a quantum computer overcomes difficult mathematical problems, the integer factorization and the discrete logarithm problem, on which is based the security of modern cryptosystems, like RSA or ECDSA. A fundamental issue is to be prepared for the quantum era with strong cryptographic protocols and appropriate methods strong enough against attacks.

In this work we discuss about Quantum Cryptography and the One-Time Pad cryptosystem. We present the Quantum Key Distribution method and the most well-known and applicative QKD protocol, the BB84. In addition, the protocols B92, E91 and the SARG04 are discussed. We present the current state in quantum cryptographic schemes and some attacks against them.

The rest of the paper is organized as follow. In Section 2 some basic issues about Quantum Cryptography are discussed and in Section 3 the One-Time Pad cryptographic system is presented. In Section 4 some Quantum Key Distribution protocols are presented and in Section 5 some attacks against these cryptographic schemes are discussed. Finally, Section 6 concludes this work and provides some future directions.

2 QUANTUM CRYPTOGRAPHY

The first concepts of Quantum Cryptography are encountered in the early 1970s, when Stephen Wiesner a student from Columbia University made an effort to publish his work about quantum money [34]. This was the first time that appeared the idea of quantum information and “quantum multiplexing" channel that allow one of two parties that communicate to send two messages to the other in a way that the receiver could decide which message to read but only if destroys the other message. The term "Quantum Cryptography" was presented for first time in 1982 [6] and since then, it is an object of interest, study and financial investment of researchers and huge companies.

Quantum Cryptography is the science that applies the principles of quantum mechanics in order to transfer or store data. The fundamental laws of nature and physics, make quantum cryptography the only approach which ensures the communication between two parties [2]. Quantum cryptographic protocols use methods that allow the two parties to communicate safely, with unlimited computational power and with perfect secrecy without an eaverdropper could notice their communication. With the unique capabilities and the huge computational power of quantum computers, quantum cryptography creates and executes various cryptographic tasks. A quantum computer can support and help to the development of a new, faster, stronger and efficient cryptographic protocol. Quantum cryptography uses a classical cryptosystem, such is One-Time Pad, to encrypt and transport a message but the Quantum Key Distribution (QKD) to create a private key [31]. This is precisely the great achievement of quantum cryptography, the discovery and development of QKD protocols.

3 ONE-TIME PAD (OTP)

OTP cryptosystem first proposed in 1882 to preserve confidentiality of telegraphic messages [3]. In 1917, a version of this scheme was proposed by Gilbert Vernam for use on the teletype [33]. It uses a pre-shared key that its size must be the same or bogger of the message's size. This scheme has the property of Shannon's perfect security provided that every key is used only once [26]. For this reason it is known as one time pad.

Suppose we have two users, Alice and Bob, and want to exchange messages over distance. Alice wants to encrypt a message m ≔ m₁m₂. m_n, of lenght n where m_i ∈ , i = 1. n, so she uses a key k ≔ k₁k₂. k_n, k_i ∈ . To encrypt m Alice uses binary addition ⊕ resulting the ciphertext c ≔ c₁c₂. c_n, c_i ∈ which is sent to Bob. Bob decrypts the message by doing binary addition with the same secret key k. Applying the binary operator ⊕ in quantum states means the application of X gate if k_i = 1 and nothing (Identity gate) if k_i = 0. Thus, the encrypted qubit can be expressed as

\begin c_i=X^\mathinner <|\rangle > \end

For the decryption procedure, in order to find out the decrypted message d, we just apply the X or the Identity gate to the encrypted qubit depending on the value of the secret key. That is,

\begin d_i= X^(X^\mathinner <|\rangle >) \end

For example, let the secret letter be “A” so the source message m = [0, 1, 0, 0, 0, 0, 0, 1], and let the secret key k = [0, 1, 1, 0, 1, 1, 0, 1]. The resulting encrypted message is shown in Table 1 where the encrypted binary string [0, 0, 1, 0, 1, 1, 0, 0] represents the symbol Comma.

Table 1: Coding-Encoding with OTP

A	1	0	0	0	1
k	1	1	1	1	1
encrypted	0	1	1	1	0

OTP considered to be secure but the key has to be random, to be at least as long as the message we have for encryption and it can never be reused in whole or partially. Quantum key distribution is a method that generates keys which fulfil these properties and make the communication truly secure.

4 QUANTUM KEY DISTRIBUTION

Quantum Key Distribution exploits the principles of Quantum Mechanics to generate a secret key through a quantum channel and this procedure is totally secure due to the laws of Physics. The intrinsic randomness of the quantum states and theirs measurements provide the randomness in the creation of the key. Moreover, QKD exploits the no-cloning theorem, where quantum states cannot be cloned, so we have a unique key. Furthermore, the Uncertainty Principle, that is presented by the German physist W.K. Heisenberg, make the Quantum Key Distribution process strong against an interception and retransmission attempt by a fraudulent user. With Heisenberg's principle the existence of an eavesdropper is revealed, as the attempt to measure the quantum states will provoke changes to the quantum system and the two parties that communicate will detect the eavesdropper.

We assume that exist two users, Alice and Bob, that they want to communicate and must generate a secret key. A quantum key distribution protocol has two phases. The quantum transmission phase, where the sender and the reciever send and measure quantum states or simply measure them, and the post-processing phase, where the bit strings generated in the quantum phase are returned into a pair of secure keys. For the quantum key distribution procedure it is necessary the existence of two channels, of a quantum channel and a classical channel where takes place the process of message exchange. In the quantum channel is transmitted a ray of photons, encoding every one photon with the method of polarization.

The polarization of photons is a cornestone in the process of encyption of information and quantum key distribution. Essentially, what we achieve with the polarization of the light is to orientate geometrically the oscillation of the electromagnetic field associated with its wave. We focus on two types of bases of polarization: the rectilinear basis (horizontal and vertical orientation) and the diagonal basis (orientation rotated by + 45 0 and − 45 0 ). So, a classical bit (0 or 1) is encoded into the polarization of a photon and this is achieved with filters or crystalls.

4.1 BB84

In 1984 Charles Bennett and Gilles Brassard proposed the first Quantum Key Distribution protocol, known as BB84 by theirs surnames and the year it was published [5]. The BB84 protocol is a cryptographic scheme, which encodes classical bits into qubits and it is been extensively analysed and implemented. Moreover, there have been many variations of BB84 and other quantum key distribution protocols have been developed. We assume there are two parties, Alice and Bob, that they want to exchange a secret key and communicate over distance and a potential eavesdropper, Eve.

The structure of BB84 is described below. The protocol consists of two channels, a quantum and a classical channel. The quantum channel, is where takes part the quantum transmission, namely the two parties prepare, send and measure theirs quantum states. The quantum channel is not secure, as the fraudulent user can have access to the information or interrupt the communication using techniques based on quantum mechanics. The classical channel, is where Alice and Bob communicate sending classical messages to each other i.e. transfrom the bit strings, they have obtained in quantum channel into secure keys. Eve can have access to the classical channel, i.e. she can listen to the conversation but cannot change the messages that Alice and Bob exchange.

The polarization bases which are used in the BB84, are the rectilinear $\oplus = \lbrace \mathinner <|<0>\rangle >, \mathinner <|\rangle > \rbrace$ , and the diagonial basis $\otimes = \lbrace \mathinner <|<+>\rangle >, \mathinner <|<->\rangle > \rbrace$ with $\mathinner <|<+>\rangle > = \frac>(\mathinner <|<0>\rangle > + \mathinner <|\rangle >)$ and $\mathinner <|<->\rangle > = \frac>(\mathinner <|<0>\rangle > - \mathinner <|\rangle >)$ . These two bases are mutually unbiased, namely when for example, we measure a photon that had been diagonally polarized with the rectilinear basis we get a totally random result, meaning that we cannot extract any information. At table 2 we demonstrate the way a bit can be encoded into the polarization of a photon.

Table 2: Encoding Bits

Base	Bit 0	Bit 1
⊕	$\xrightarrow [0^] \mathinner <\|<0>\rangle >$	$\xrightarrow [90^] <\uparrow >\mathinner <\|<1>\rangle >$
⊗	$\xrightarrow [45^] \mathinner <\|<+>\rangle >$	$\xrightarrow [-45^]\mathinner <\|<->\rangle >$

As we mentioned before, BB84 protocol has two phases and which are described below.

Quantum Transmission

Alice chooses a bit string a = (a₁. a_n) and a random combination of bases s ∈ n , where n >N.
Alice encodes her bit string, with the aid of the bases she has chosen, into polarized photon and Alice sends her photons to Bob.
Bob receives Alice's photons and chooses a basis (⊕ or ⊗) to measure each one of them and gets classical bits. Bob obtains a bit string b = (b₁. b_n). This pair a = (a₁. a_n) and b = (b₁. b_n) is called the raw key pair.

Classical Post-Processing

Sifting step. Bob announces into the public channel the bases he used. Alice compares the bases she has chosen with Bob's bases and selects the cases their choises match. The two parties discard all the bits which the encoding and measurement bases are different.
Parameter estimation step. Alice and Bob try to guess the fraction of positions i where a_i and b_i are not the same, i.e. the error rate in the quantum channel. Bob reveals randomly some bits of his key and if there is no eavesdropping, these bits are coincent with Alice's and she aggrees with them. If there is an eavesdropping attempt, there is a high error rate and the two parties abort the protocol.
At the last step Alice and Bob perform information reconciliation, i.e. they erase all errors in their bit strings and therefore they have the same strings, and privacy amplification they remove any knowledge that the eavesdropper has of the key[7].

Moreover, in Table 3 will give an example of BB84 protocol without the presence of an eavesdropper.

Table 3: BB84 Protocol

Alice's Bits	1	0	1	0	0	1	0	1
Alice's Basis	⊗	⊗	⊗	⊕	⊕	⊕	⊗	⊕
Alice's state	$\mathinner <\|<->\rangle >$	$ \mathinner <\|<+>\rangle >$	$ \mathinner <\|<->\rangle >$	$ \mathinner <\|<0>\rangle >$	$ \mathinner <\|<0>\rangle >$	$ \mathinner <\|<1>\rangle >$	$ \mathinner <\|<+>\rangle >$	$ \mathinner <\|<1>\rangle >$
Bob's Basis	⊕	⊗	⊕	⊗	⊕	⊗	⊕	⊕
Sifted Key	0	0	1

4.2 B92

In 1992 Charles Bennett presented a new Quantum Key Distribution protocol, named by his surname and the year that was published [4]. This protocol is essentially a variant of BB84 protocol, with main difference that the B92 uses two states of polarization, instead of four that are being used in the BB84 protocol. It is a two non-orthogonal quantum state protocol and with its architecture an eavesdropper can be detected.

B92 is a QKD scheme that uses polarized photons for the communication of two parties, Alice and Bob, through two channels. One classical public channel, where a fraudulent user can have access and one quantum channel. As BB84, B92 protocol has two phases, the quantum transmission that takes place into the quantum channel, and the second phase that takes place into the classical channel. The steps of B92 protocol are decribed below.

Alice chooses a bit string a = (a₁. a_n) and encodes each bit value, a_i, i ∈ n>, 0 as $\mathinner <|<0>\rangle >$ and 1 as $\mathinner <|<+>\rangle >= \frac<\mathinner <|<0>\rangle >+\mathinner <|<1>\rangle >>>$
Alice sends her qubits to Bob, who generates a bit string b = (b₁. b_n) and chooses the basis ⊕ for b_i = 0 and the basis ⊗ for b_i = 1.
Bob measures the results and these results forms another bit string s: If Bob obtains the result − 1 then the i-th bit of s is s_i = 0, and if Bob obtains the result + 1 then s_i = 1.
Then through the public channel Bob announces s and keeps the b secret.
Alice and Bob choose only the pairs of bits [a_i, b_i] for which s_i = 1.

In Table 4, a discrete example of the implementation of B92 protocol is given.

Table 4: B92 protocol

Bits that are sent
by Alice (a_i)	0	0	0	0	1	1	1	1
Alice's basis polarization	$\mathinner <\|<0>\rangle >$	$\mathinner <\|<0>\rangle >$	$\mathinner <\|<0>\rangle >$	$\mathinner <\|<0>\rangle >$	$\mathinner <\|<1>\rangle >$	$\mathinner <\|<1>\rangle >$	$\mathinner <\|<1>\rangle >$	$\mathinner <\|<1>\rangle >$
Bits that are chosen
by Bob (b_i)	0	0	1	1	0	0	1	1
Bob's basis	⊕	⊕	⊗	⊗	⊕	⊕	⊗	⊗
Measurement's result
by Bob	$\mathinner <\|<0>\rangle >$	$\mathinner <\|<1>\rangle >$	$\mathinner <\|<+>\rangle >$	$\mathinner <\|<->\rangle >$	$\mathinner <\|<0>\rangle >$	$\mathinner <\|<1>\rangle >$	$\mathinner <\|<+>\rangle >$	$\mathinner <\|<->\rangle >$
Value of s	0	-	0	1	0	1	0	-

B92 Quantum Key Distribution protocol proved to be secure as its safety lies at the heart of quantum key distribution [30]. The two parties can communicate and exchange a secret key safely, as it is impossible for a fraudulent user to learn informations about the states and therefore the key, without disturbing the quantum system.

4.3 SARG04

In 2004, a new quantum key distribution protocol proposed, a variation of BB84 protocol [28]. SARG04 is developed by changing the information encoding at BB84, to become more robust against the photon-number-splitting (PNS) attacks. The first phase of SARG04 protocol is exactly the same with BB84’s first phase and the two protocols differ in the classical sifting procedure.

At the second phase, Alice does not announce the bases she uses to encode the bits. She chooses a pair of non-orthogonal states for every qubit she sent and she announces the two states, noticing which is the right one. Bob knows that the qubit he received was in one of the two states that Alice has announced. So, to learn the secret bit Bob must have enough for to distinguish between the two states. Bob makes the measurement and if his measurement is in accordance with the announced states, announce that the bit is invalid. This is because Bob cannot determine which of the two states is the correct one. If one of states is inconsisent with his measurement, Bob announce the bit to be valid, as he can retrieve the secret key bit.

Alice sends the state $\mathinner <|<0>\rangle >$ with two photon pulses in the randomly selected set.
Alice reveals the set $a_= (\mathinner <|<0>\rangle >, \mathinner <|<+>\rangle >)$ and notes 0 as the secret bit.
If Bob measures the state in the base $\oplus = \lbrace \mathinner <|<0>\rangle >, \mathinner <|\rangle > \rbrace$ , the possible result is $\mathinner <|<0>\rangle >$ , so this result is consistent with the state $\mathinner <|<0>\rangle >$ . Due to the fact that this outcome is also possible if the transmitted state had been $\mathinner <|\rangle >$ , Bob announces the bit invalid.
If Bob measures the state in the $\otimes = \lbrace \mathinner <|<+>\rangle >, \mathinner <|<->\rangle > \rbrace$ base then he obtains $\mathinner <|\rangle >$ or $\mathinner <|<->\rangle >$ with probability $\frac$ . If his result is $\mathinner <|\rangle >$ it is consistent with both states and if is $\mathinner <|<->\rangle >$ , Bob is certain that Alice's state is $\mathinner <|<0>\rangle >$ since this result can never be obtained from the state $\mathinner <|\rangle >$ . Then, Bob knows that the secret bit is 0 and announces the bit is valid.

In this example, Eve gets $\mathinner <|<0>\rangle >$ using the $\oplus = \lbrace \mathinner <|<0>\rangle >, \mathinner <|\rangle > \rbrace$ base and measures $\mathinner <|<+>\rangle >$ or $\mathinner <|<->\rangle >$ with $\frac$ probability. So, she cannot determine the state from her measurement's result in two-photon pulses. The advantage of SARG04 protocol over BB84 protocol is that the sender, Alice, never announces her encoding bases. So, the fraudulent user, Eve, has to store more photons to obtain reliable information about the secret bits, and this is more possible for her to be detected.

4.4 E91

In 1991, proposed a QKD protopol which is based on the quantum entanglement, the E91 protocol [9]. The idea is a quantum key distribution scheme with the aid of states that there are in quantum entanglement, phenomenon that had been analysed by Einstein, Podolsky and Rosen (EPR) [8]. Assuming that we have a pair of particles, that is named EPR, and we know the value of the measurement one of them, then we know the value of the measurement and for the other. The E91 QKD protocol uses a source which produces pairs of particles that there are in state of quantum entanglement and the pairs are being distributed between Alice and Bob, the two parties that communicate. Alice and Bob have access to a classical channel where can send classical messages to each other and where and eavesdropper can listen the communication.

In the Ekert's protocol the source, in which Alice and Bob have access to, distributes entangled pair of qubits among them, states of the form

\begin \mathinner <|<\Psi ^<+>>\rangle >_ = \frac>(\mathinner <|<00>\rangle > + \mathinner <|<11>\rangle >) \end
(1)

The scheme uses two different basis $\oplus = \lbrace \mathinner <|<0>\rangle >, \mathinner <|<1>\rangle > \rbrace$ and $\otimes = \lbrace \mathinner <|<+>\rangle >, \mathinner <|<->\rangle > \rbrace$ . The E91 protocol can be described below :

The source produces the pair of photons that there are in state of quantum entanglement and sends the first particle $\mathinner <|<\psi ^<+>>\rangle >_$ to Alice and the second one $\mathinner <|<\psi ^<+>>\rangle >_$ to Bob.
The two parties choose randomly one of the basis ⊕, ⊗ to measure the particle that they received and record their measurement. Through the classical channel they broadcast the measurement basis they used.
Alice and Bob divide the measurements into two seperate groups: a group that they used different measurement basis (different orientation of analysers) and a group that used the same measurement basis. Alice and Bob discard all measurements in which one or both of them failed to register a particle at all.
The first group, where they use different measurements basis, can reveal an eavesdropper as if exists a bit error, the eavesdropper is detected.
If Alice and Bob are certain that the quantum channel is safe, the second group can be used as raw keys. They perform error correction and privacy amplification to turn the sifted key into a shared secret key.

Table 5: E91 protocol

Received Photons	$\mathinner <\|<1>\rangle > \mathinner <\|<->\rangle >$	$\mathinner <\|<1>\rangle > \mathinner <\|<->\rangle >$	$\mathinner <\|<0>\rangle > \mathinner <\|<->\rangle >$	$\mathinner <\|<1>\rangle > \mathinner <\|<+>\rangle >$
Alice's Basis	⊕	⊗	⊕	⊗
Alice's measurements	1	0	0	1
Received Photons	$\mathinner <\|<1>\rangle > \mathinner <\|<+>\rangle >$	$\mathinner <\|<0>\rangle > \mathinner <\|<->\rangle >$	$\mathinner <\|<0>\rangle > \mathinner <\|<+>\rangle >$	$\mathinner <\|<0>\rangle > \mathinner <\|<+>\rangle >$
Bob's Basis	⊗	⊗	⊗	⊗
Bob's measurements	1	0	1	1
Key	0	1

5 THREATS AND ATTACKS

Quantum Key Distribution is considered to be a procedure of generating and exchanging keys that is secure, as it is based on the laws of Quantum Physics. For the first QKD protocol, the BB84, proved to be secure by its creators against certain attacks and since then several proofs of security have been presented. The issue of Quantum Key Distribution security is of major importance and is an object of research. Although the protocols are designed to be unbreakable, from theory to practice there are some loopholes.

Due to imperfections in the creation of photons as well as in their measurement and generally imperfections in the quantum system hardware, there are many ways to perform attacks against QKD protocols. There are also some limitations in the single photon detectors or weak points in their optoelectronic interfaces [18]. So, a fraudulent user exploits all these above and develops strategies to extract information in a communication channel.

The attacks are distinguished by the order of power given to the eavesdropper and can be described by the way the fraudulent user interacts with the sender's quantum states. When we suppose that the eavesdropper has little power, we talk about individual, collective attacks which are considered in the direction to simplify the security analysis of the QKD protocol. In the case that the eavesdropper has unlimited computational power, we refer to coherent attacks and this type of attacks is considered in order to prove the security of a QKD protocol.

5.1 Photon Number Splitting Attack (PNS)

Many times new protocols are proposed with the hope to be more secure and robust against certain attacks, as for example SARG04 was proposed as a stronger variation of BB84 against PNS attacks. Photon number splitting attack exploits imperfections and weaknesses in the experimental implementation of Quantum Key Distribution protocols. In a QKD protocol, the sender encodes each bit in a qubit and sends it to the receiver who measures it. Then the two parties communicate through the public channel, announce and compare the basis they used. Consider this procedure to be realised with weak light pulses. A typical signal pulse contains a large number of photon, nevertheless it is hard to manufacture ideal single photon sources. So, many times in the implementation of a QKD protocol there are weak laser pulses to encode the bits. This loophole exploits an eavesdropper to perform a PNS attack [21]. PNS is a powerful attack and it is performed on a realistic photon source. When Alice sends her photons to Bob with weak laser pulses, Eve splits off a signal photon and let the remaining signal passing to Bob. Then, Eve waits for Alice to reveal the basis she used for each signal and therefore measures the photon she obtains and extracts informations about the encoded bits and the secret key [1]. Since the attack is been performed without errors, Eve will not be detected, if we assume that the receiver, Bob, has no access to the statistics of photons he receives.

Two effective methods against the PNS attack is the SARG04 protocol and a strategy known as decoy states where the eavesdropper is detected [20] as is used a few different photon intensities instead of one.

5.2 Faked-state attack

BB84 protocol is designed and implemented in a quantum system that sends and detects single photons. Nevertheless, in current quantum systems are sent weak light signals and the detectors imitate detecting single photons by receiving very weak signals [12]. In the faked-state attack, the eavesdropper exploits this weakness of the system in the receiver's detector, i.e. the diode used to detect photons [22, 23]. So, this type of attack is based on the concept of faked states of light [24], states that are prepared by Eve and sent to Bob to control and force him to measure in the basis she dictates.

The avalanche photodiode (APD) detector is manufactured to detect, at least approximately, single photons but in practice it is necessary a recharge time between the detection of two photons in a row. Supposing the laser signals are weak, this is not an issue as the detector has the sufficient time to recharge. Now, if it being shined continuous light into the APD, the detector has not the adequate time to recharge and becomes a typical photodiode [24]. In this case, the eavesdropper exploiting the beam of light, manipulates the detector by blinding it or clicking it.

More specifically, Eve intercepts, measures the photons of Alice by choosing randomly a basis and prepares a new faked state to send to Bob. It is said to be faked because she is not send a quantum state but make Bob's detector think it is detecting a quantum state. Eve measure's Alice state and prepares the opposite base and the opposite bit. For example, if Alice sends the bit 1 in the rectilinear base, she changes it to 0 bit in the diagonal base for Bob. In the same time, exploiting the beam of light, she blinds the 0- detector of Bob. Now, if Bob measures in the same base as Eve, he can measure a 1 or nothing at all with probability $\frac$ . If he measures in a different basis, he can detect nothing at all.

5.3 Trojan-Horse Attack

Trojan-Horse attacks are common attacks in classical cryptography as well as in quantum key distribution protocols. This type of attack is based on the fact that the light is reflected back and speads through optical components and it takes advantage of the loopholes or the optical set-up of the devices [13, 32]. Trojan-Horse attack is otherwise known as Light Injection attack, because of the method an eavesdropper applies. Eve sends bright light pulses through the quantum channel into the apparatuses of Alice and Bob and tries from the light's reflection to gain information. When the light meets a mirror-like surface, a reflection is accomplished and the photons are reflected back to a basis selector and captivate the state of the polarizer or the modulator.

Eve accepts the spatial, temporal or frequency modes of the quantum channel to examine the device of Alice. So, Eve sends light pulses to the devices of Alice and Bob and uses an adjusted auxiliary source and a detector to analyze the backscattered signal [10]. These light pulses the eavesdropper sends go back and forward through the quantum channel and therefore through the attacked subsystem [14]. So, when the photons are reflected back and cross through the basis detector, Eve obtains information about the basis that the two parties have chosen, and therefore the secret key.

It is crucial for the eavesdropper not to be detected during this procedure. There are ways that the two parties can detect a fraudulent user, as with the installation of a passive monitoring device which measures the incoming signal and when the device notices it, raises an alarm. Another way to cancel this type of attack, is an optical isolator which prevents the light that Eve sends to enter the quantum system [14, 15]. Trojan-Horse attacks can be prevented if the QKD system is properly manufactured. In 2008, was proposed "Plug and Play" system, where Alice has an auxiliary detector to uncover a possible eavesdropping [11]. So, we can design the quantum key distribution devices with filters and monitorind detectors to avoid this type of attacks.

6 CONCLUSIONS

Quantum key distribution is concerned to be manna from heaven for secure and authenticated communication. The laws of Quantum Physics establish a secret key generation and exchange between two or more parties with ensured security. Despite the fact that quantum key protocols are theoretically well structured and designed, their real implementation has imperfections. Defective optical fibres, unwell constructed detectors and other loopholes become the cause of the attacks which are performed against the QKD schemes. So, there are various challenges that appear and become a subject of research.

Future research focuses on modifications that can be made to the apparatuses of quantum systems and can prevent these attacks. Some others aspects and challenges that are been studied at this moment, is the distance between the parties that execute the QKD protocol, the key rate that is accomplished and the security proof of a protocol when we have this long distance.

REFERENCES

R. Aggarwal, H. Sharma, and D. Gupta. 2011. Analysis of Various Attacks over BB84 Quantum Key Distribution Protocol. International Journal of Computer Applications 20, 8(2011).
G. Van Assche. 2006. Quantum Cryptography and Secret-Key Distillation. Cambridge University Press, New York, NY.
S. M. Bellovin. 2011. Frank Miller: Invertor of the One-Time Pad. Cryptologia 35, 3 (2011), 203–222.
C. H. Bennett. 1992. Quantum cryptography using any two nonorthogonal states. Phys.Rev.Lett. 68, 21 (1992), 3121–3124. https:// doi. org/ 10. 1103/ physrevlett. 68. 3121
C. H. Bennett and G. Brassard. 1988. Privacy amplification by public discussion. SIAM J.Comput. 17, 2 (1988), 210–229. https:// doi. org/ 10. 1137/ 0217014
C. H. Bennett, G. Brassard, S. Breidbart, and Wiesner. 1982. Quantum cryptography, or Unforgeable subway tokens. Advances in Cryptology: Proceedings of Crypto ’82 (August 1982), 267–275.
C. H. Bennett, G. Brassard, G. Robert, and J. M. Privacy. 1984. Quantum cryptography: public key distribution and coin tossing. Proc. IEEE Int. Conf. Comput. Syst. Sign. Process 175, 8 (1984).
A. Einstein, B. Podolsky, and N. Rosen. 1935. Can Quantum-Mechanical Description of Physical Reality be Considered Complete?Physical Review 47, 10 (1935), 777–780.
A. K. Ekert. 1991. Quantum cryptography based on Bell's theorem. Phys. Rev. Lett. 67, 6 (1991), 661–663. https:// doi. org/ 10. 1103/ physrevlett. 67. 661
A. Khan et al.2015. Trojan-horse attacks on continuous-variable quantum cryptographic systems. (2015).
A. Muller et al.1997. Plug and play’ systems for quantum cryptography. Applied Phys. Lett. 70(1997), 793–795.
C. Pacher et al.2017. Attacks on quantum key distribution protocols that employ non-ITS authentication. ArXiv: Cryptography and Security 2 (2017). https://arxiv.org/pdf/1209.0365.pdf
N. Gisin et al.2006. Trojan Horse attacks on Quantum Key Distribution systems. Phys. Rev. A 73, 022320 (2006).
N. Jain et al.2014. Trojan-horse attacks threaten the security of practical quantum cryptography. New Journal of Physics 16, 123030 (2014).
N. Jain et al.2015. Risk Analysis of Trojan-Horse Attacks on Practical Quantum Key Distribution Systems. IEEE Journal of Selected Topics in Quantum Electronics 21 (2015), 168–177.
I. P. Galanis, I. K. Savvas, A. V. Chernov, and M. A. Butakova. 2021. Reliability Testing, Noise and Error Correction of Real Quantum Computing Devices. Telfor Journal 13, 1 (2021), 41–46.
I. P. Galanis, I. K. Savvas, and G. Garani. 2021. Experimental Approach of the Quantum Volume on Different Quantum Computing Devices. The 14th International Symposium on Intelligent Distributed Computing (2021).
R. H. Hadfield. 2009. Single-photon detectors for optical quantum information applications. Nat.Phot.3 (2009), 696–705.
J.Preskill. 2012. Quantum computing and the entanglement frontier. (2012). https://doi.org/10.48550/arXiv.1203.5813
H. K. Lo, X. Ma, and K. Chen. 2005. Decoy State Quantum Key Distribution. Phys. Rev. Lett. 94, 230503 (2005).
N. Lutkenhaus. 1996. Security against eavesdropping attacks in quantum cryptography. Phys. Rev. A 54, 1 (1996), 97–111.
V. Makarov. 2009. Controlling passively quenched single photon detectors by bright light. New J. Phys 11, 065003 (2009).
V. Makarov, V. Anisimov, and J. Skaar. 2006. Effects of detector efficiency mismatch on security of quantum cryptosystems. Phys. Rev. A 74, 022313 (2006).
V. Makarov and D. Hjelme. 2005. Faked states attack on quantum cryptosystems. Journal of Modern Optics 52 (2005), 691–705.
M. A. Nielsen and I. L. Chuang. 2010. Quantum Computation and Quantum Information. Cambridge University Press, New York.
Dimitrios Poulakis. 2004. Cryptography. Ziti Publications, Thessaloniki.
M. Sabani, I. P. Galanis, I. K. Savvas, and G. Garani. 2021. Implementation of Shor's Algorithm and Some Reliability Issues of Quantum Computing Devices. PCI 2021: 25th Pan-Hellenic Conference on Informatics, ACM International Conference Proceeding Series(2021), 296–392.
V. Scarani et al. 2004. Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations. Phys. Rev. Lett. 92, 5 (2004). https:// doi. org/ 10. 1103/ physrevlett. 92. 057901
E. Schodinger. 1935. Die gegenwartige Situation in der Quantenmechanik. Naturwissenschaften 23, 48 (1935), 807–812.
K. Tamaki and N. Ltkenhaus. 2004. Unconditionally Security of the Bennett 1992 quantum key-distribution over lossy and noisy channel. Phys. Rev. A 69, 032316 (2004).
W. Trappe and L. C. Washington. 2006. Introduction to Cryptography with Coding Theory. Pearson Education, USA.
A. Vakhitov, V. Makarov, and D. R. Hjelmer. 2001. Large pulse attack as a method of conventional optical eavesdropping in quantum cryptography. J. Mod. Opt. 48, 2023 (2001).
G.S. Vernam. 1926. Cipher printing telegraph systems: for secret wire and radio telecommunications?J.AIEE 45, 2 (1926), 109–115.
S. Wiesner. 1983. Conjugate coding. Sigact News 15, 1 (1983), 78–88.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

PCI 2022, November 25–27, 2022, Athens, Greece