Decoy State QKD
Decoy state QKD is a protocol extension to BB84 and other quantum key distribution schemes that closes a critical practical vulnerability: the photon number splitting attack. Developed by Hoi-Kwong Lo, Xiongfeng Ma, and Kai Chen in 2005, it transforms the eavesdropper's information advantage into a detectable statistical anomaly by introducing pulses of varying intensity into the quantum transmission.
The Weak Coherent Pulse Problem
The theoretical security of BB84 assumes perfect single-photon sources. In practice, these do not exist. Real implementations use weak coherent pulses — highly attenuated laser light that mostly contains zero or one photon, but occasionally emits two or more. The statistics of these pulses follow a Poisson distribution: if the mean photon number is μ, the probability of an n-photon event is P(n) = μ^n e^(−μ) / n!.
This is not merely an engineering inconvenience. It is a structural vulnerability. An eavesdropper with a photon number splitting capability can intercept multi-photon pulses, extract one photon, store it, and forward the rest. After Alice and Bob publicly reveal their basis choices, the eavesdropper measures the stored photon in the correct basis, obtaining full information about those bits without introducing any detectable error. The attack is invisible because the eavesdropper never disturbs the photons that reach Bob.
In a standard BB84 implementation with weak coherent pulses, roughly 10% of the non-vacuum pulses contain multiple photons. The security guarantee collapses for these pulses: the No-Cloning Theorem does not protect against splitting a state that already contains multiple identical copies. The protocol's security, which was unconditional in principle, becomes conditional on the practical difficulty of photon number splitting — a condition that engineering advances can violate.
The Decoy State Protocol
The decoy state protocol removes the eavesdropper's information advantage by making the photon number distribution observable. Alice randomly intersperses three types of pulses into the quantum transmission: signal pulses (intended for key generation), decoy pulses (higher intensity, not used for the key), and occasionally vacuum pulses (zero intensity). The intensities are chosen such that an eavesdropper cannot distinguish a signal pulse from a decoy pulse before measuring it.
After transmission, Alice reveals which pulses were decoys and which were signals. Bob reports the detection statistics for each category. The key insight is that an eavesdropper performing a photon number splitting attack must behave differently on multi-photon pulses than on single-photon pulses. If she splits multi-photon decoy pulses, Bob's detection statistics for decoy pulses will deviate from the expected values. If she does not attack decoy pulses, she must leave them alone — but then she cannot attack signal pulses either, because she cannot tell them apart.
The security proof is elegant. The detection statistics for signal and decoy pulses establish bounds on the single-photon contribution to the sifted key. By comparing the observed detection rates for different intensities, Alice and Bob can upper-bound the fraction of multi-photon pulses that were attacked, and therefore lower-bound the information-theoretic security of the final key. The proof also shows that the decoy state method achieves the same asymptotic key rate as a perfect single-photon source, up to a constant factor.
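The Poisson pulse statistics and the rate comparison described above can be worked through numerically. The following is an added example, not code from the original article: it applies the two-intensity-plus-vacuum lower bound on the single-photon yield from the decoy-state literature to a lossy channel with and without photon-number-dependent tampering. The transmittance, dark-count yield, intensities and all function names are constructed for illustration.

```python
import math

ETA, Y0 = 0.01, 1e-5              # constructed channel transmittance and dark-count yield
MU_SIGNAL, MU_DECOY = 0.3, 0.6    # constructed intensities (decoy higher, as on this page)

def poisson(n, mu):
    """Probability that a weak coherent pulse of mean mu holds n photons."""
    return mu**n * math.exp(-mu) / math.factorial(n)

def gain(mu, yield_fn, n_max=40):
    """Detection rate Bob reports for intensity mu: sum_n P(n) * Y_n."""
    return sum(poisson(n, mu) * yield_fn(n) for n in range(n_max + 1))

def honest_yield(n):
    """Lossy channel with no eavesdropper: each photon arrives with prob. ETA."""
    return 1 - (1 - Y0) * (1 - ETA) ** n

def pns_yield_fn(target_signal_gain):
    """Photon-number-dependent channel: single photons blocked, multi-photon
    yield raised so the signal-pulse gain looks unchanged."""
    p_low = poisson(0, MU_SIGNAL) + poisson(1, MU_SIGNAL)
    y_multi = (target_signal_gain - p_low * Y0) / (1 - p_low)
    return lambda n: Y0 if n < 2 else y_multi

def y1_lower_bound(q_hi, q_lo, mu_hi, mu_lo, y0):
    """Lower bound on the single-photon yield from two gains plus vacuum.
    y0 is what Alice and Bob estimate from the vacuum pulses."""
    bracket = (q_lo * math.exp(mu_lo)
               - q_hi * math.exp(mu_hi) * (mu_lo / mu_hi) ** 2
               - (mu_hi**2 - mu_lo**2) / mu_hi**2 * y0)
    return mu_hi / (mu_hi * mu_lo - mu_lo**2) * bracket

def analyse(yield_fn):
    """Return (signal gain, decoy gain, certified single-photon yield)."""
    q_s, q_d = gain(MU_SIGNAL, yield_fn), gain(MU_DECOY, yield_fn)
    return q_s, q_d, y1_lower_bound(q_d, q_s, MU_DECOY, MU_SIGNAL, Y0)

if __name__ == "__main__":
    honest = analyse(honest_yield)
    attacked = analyse(pns_yield_fn(honest[0]))
    for name, (q_s, q_d, y1) in (("honest", honest), ("PNS", attacked)):
        print(f"{name:7s} Q_signal={q_s:.5f} Q_decoy={q_d:.5f} Y1_bound={y1:+.5f}")
```

With these constructed values the signal gain is identical in both runs, but the decoy gain rises by more than half and the certified single-photon yield falls to zero or below, so no key can be distilled from the tampered channel.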
From Hardware to Statistics
The decoy state protocol is a methodological pivot. Instead of solving the photon number splitting problem by building better hardware — perfect single-photon sources, which remain expensive and impractical — it solves it by changing the statistical design of the protocol. The security guarantee shifts from a claim about the physical device to a claim about the statistical properties of the pulse ensemble.
This shift has broader implications. It is an instance of a general pattern in quantum communication: when a hardware limitation threatens security, the solution is often to redesign the protocol so that the limitation becomes a detectable feature rather than a hidden vulnerability. The decoy state method does not require Alice to know the exact photon number of each pulse. It requires only that the intensity distribution is known and that the eavesdropper cannot distinguish pulse types before measurement. These are weaker, verifiable assumptions.
The same principle appears in device-independent QKD, where the protocol's security is derived from Bell inequality violations rather than device characterization. In both cases, the strategy is to make the security proof rest on observable correlations rather than trusted components. The system becomes more secure by becoming more self-monitoring.
The decoy state method reveals that quantum cryptography's deepest security resource is not the no-cloning theorem but the asymmetry of information: Alice knows the pulse intensities, the eavesdropper does not, and this single bit of asymmetry is sufficient to close an entire class of attacks. The lesson is that security is not a property of physical law but a property of protocol design — and that the difference between a vulnerable system and a secure one is often not what hardware you have, but what questions you know to ask.