Quantum Key Distribution in the Presence of the Intercept-Resend with Faked States Attack

: Despite the unconditionally secure theory of the Quantum Key Distribution ( QKD ), several attacks have been successfully implemented against commercial QKD systems. Those systems have exhibited some ﬂaws, as the secret key rate of corresponding protocols remains unaltered, while the eavesdropper obtains the entire secret key. We propose the negative acknowledgment state quantum key distribution protocol as a novel protocol capable of detecting the eavesdropping activity of the Intercept Resend with Faked Sates ( IRFS ) attack without requiring additional optical components different from the BB 84 protocol because the system can be implemented as a high software module. In this approach, the transmitter interleaves pairs of quantum states, referred to here as parallel and orthogonal states, while the receiver uses active basis selection.


Introduction
Quantum Key Distribution (QKD) represents a new cryptographic method to distribute a key between two remote users, usually called Alice and Bob [1].QKD systems require legitimate users to authenticate each other through a public channel.The purpose of a QKD system is to generate secret bits that can be used to encrypt plaintext messages according to a simple xor function between the message and the secret key.
If an eavesdropper, commonly called Eve, tries to intercept the quantum channel to get the key, she will be detected.In such a case, Alice and Bob will discard the process before a key could be established.However, if they do not detect any eavesdropping activity, the quantum measurements can be used to derive the secret key [2].After the transmission, Alice and Bob can compare a fraction of the exchanged key to see if there are any transmission errors caused by eavesdropping.QKD systems have been carried out experimentally through dedicated optical fibers, across free space, weak laser pulses or single photons, entangled photon pairs or continuous variables [3].
Ideally, the security of QKD protocols is supported by the properties of quantum mechanics, which make eavesdropping in the middle of the quantum channel detectable [1,4].However, serious concerns arise at the technological level.Unfortunately, most of the promising QKD systems are vulnerable to quantum hacking due to loopholes in the optical detection system [5][6][7][8][9][10][11][12][13][14][15].Under this scenario, new QKD methods must be developed to resist attacks related to such vulnerabilities as the Photon Number Splitting (PNS) and the Intercept and Resend with Faked States (IRFS) attacks [16,17].
In [18], we introduced a novel QKD protocol that uses weak coherent states and active basis measurement, capable of detecting the PNS eavesdropping activity.The strengths of the ack state (in [18] referred to as ack QKD) against PNS attack were discussed in [19].In this paper, we extend the ack state protocol to the dual protocol nack state protocol to analyze its security against IRFS attack.One of the main advantages of the proposed protocol is that it protects against IRFS attack without requiring any changes in the hardware; only software changes are required.We do not discuss other attacks nor pretend to perform a general formal demonstration of its security.

Quantum Hacking in QKD Systems
A variety of attacks have been conceived of as exploiting the security of BB84-based systems, either theoretically or technologically.The Photon Number Splitting (PNS) attack can be included in the first category.In the second class, commonly referred to as quantum hacking, the Intercept Resend with Faked States (IRFS) attack can be mentioned, which exploits loopholes in the Avalanche Photo Diodes (APDs) of the electronic detection system.In the following section, we will describe the Intercept Resend (IR) attack and the Intercept-Resend with Faked States (IRFS).

(a) Intercept Resend (IR) attack
In the intercept resend attack, the eavesdropper measures each photon pulse sent by Alice, which she replaces with another pulse prepared in the quantum state that she has already measured.Eve is successful 50% of the time in measuring the pulse in the correct measurement basis, while Bob chooses half of the times the same basis as her; thus over time, she generates a Quantum Bit Error Rate (QBER) of 50% × 50% = 25% (see Figure 1 and [4]).
Figure 1.The Intercept Resend (IR) attack against the BB84 produces a detectable Quantum Bit Error Rate (QBER) of 25%.In the figure, Alice sends a |0 Z state to Bob.However, Eve is in the middle of the quantum channel, and she applies the X basis measurement getting |1 X .Thus, she prepares a copy of such a state, and she resends it to Bob, who obtains |1 Z because he used the Z basis measurement.This introduces a secret bit error because Alice expects that Bob obtained |0 Z .

(b) Intercept Resend with Faked States (IRFS) attack
In the Intercept Resend with Faked States (IRFS) attack, the eavesdropper is not interested in reconstructing the original states, but in producing instead pulses of that light that can be detected by Bob in a way that is controlled by her while she passes unnoticed in the quantum channel.The eavesdropper exploits imperfections of their optical system, so that Alice and Bob can assume that they are detecting the original quantum states while they are in fact detecting light pulses generated by Eve.These light pulses are called faked states [7].To mount an IRFS attack, Eve can exploit some weaknesses of Bob's detector, such as time shift [8][9][10] or quantum blinding [7][8][9].
The quantum blinding attack is an IRFS attack where the QKD system is controlled by an eavesdropper using bright photon pulses during the linear mode operation of the APDs.In such attacks, Eve can eavesdrop on the full secret key without increasing the QBER of the protocol.In order to achieve this, the eavesdropper sends bright pulses to Bob's station that will be detected by the APD, which would operate like a classical photo diode, instead of operating in Geiger mode.Eve now can use the IRFS attack to obtain the key [11,12].
As a result, as depicted in Figure 2a, if Bob chooses the same measurement basis as Eve, he gets a detection event in the corresponding APD detector.Otherwise, if Bob measures with the opposite basis as shown in Figure 2b, the optical power is distributed over the two detectors, and no event is detected.Thus, Eve blinds Bob's APDs detectors to make them operate as classical photo diodes.At the final stage of the protocol, Eve exploits the announcements revealed by Bob over the public channel to perform the classical post-processing, getting the same secret bits as Alice and Bob.
A simple countermeasure that can be applied in the electronic detection system is a watchdog detector that detects bright faked states [13].The intercept-resend with faked states attack and quantum blinding were first implemented over a commercial QKD system at the University of Singapore [12].To conclude this section, we emphasize that the IRFS attack works successfully on widely-used QKD protocols, namely BB84, SARG04, Differential Phase Shift (DPSK), Coherent One Way (COW), Ekert [9] and the decoy state method, as pointed out in [13,20].The attack exhibits an extra 3 dB loss because of the basis mismatch between Eve and Bob.This is easily compensated in practice by Eve, since she may use better detector efficiencies and surpass loss in the channel.Blinding attacks over detectors have been demonstrated in two commercially available QKD systems [11].It has been reported that Eve obtains the entire secret key while she remains undetected by the legitimate parties [12].Finally, we remark that control detector attacks with active basis selection cause the gain from Eve to Bob be reduced by a half compared to the gain from Alice to Bob (see Figure 2 and Table A1 of Appendix A), according to the following rules [13]: (i) For Bob's basis choice matching Eve's, the detector clicks deterministically; (ii) For Bob's basis choice not matching Eve's, the faked state is not detected.

The Nack State Protocol
The nack state protocol is the dual version of the ack state protocol discussed in [19].Both of them constitute a generalization of the well-known BB84.The nack state protocol uses pairs of parallel and orthogonal states instead of only single non-orthogonal state used in the BB84.This simple difference makes the nack state resilient to the IRFS attack, as we will show later on.We chose the nack prefix to denote that provided Alice sends two quantum states to Bob, the second measurement acts as the negative acknowledgment (nack) of the previous one, because it yields the opposite bit result.In the rest of this section, we describe the nack state protocol, and in Section 4, we discuss how the nack state protocol is capable of detecting the IRFS attack.
We refer to the pair of quantum states as a biqubit.To be more specific, the following biqubits are defined in the nack state protocol: four parallel biqubits (|0 X , |0 X ), (|0 Z , |0 Z ), (|1 X , |1 X ), (|1 Z , |1 Z ) and two orthogonal biqubits (|0 X , |1 X ), (|0 Z , |1 Z ).The parallel and orthogonal biqubits are randomly interleaved by Alice.The order of the quantum states within the biqubit does not affect the behavior of the protocol (see Figure 3).On the other side of the quantum channel, Bob measures two incoming states of a biqubit using the same measurement basis (X or Z).The nack state protocol can be described according to the following steps: 1. Alice is equipped with a photon source with an expected photon number µ that exhibits a Poisson distribution.Alice randomly chooses between a parallel or an orthogonal biqubit, and she prepares the biqubit to send it to Bob through the quantum channel; 2. Bob measures the biqubit (two incoming pulses) using the same measurement basis X (or Z) that he chooses randomly (in Section 4.2, we discuss that the consecutiveness of states can be avoided if Alice sends a burst of the first states of each pair, followed by a burst of the second states of each pair); 3. Bob announces publicly his measurement basis choices; 4. To share secret bits, Alice and Bob perform sifting using single compatible events and double compatible matching detection events (from parallel states).Similarly, they apply sifting to the double detection events that contain a single compatible detection event.For this purpose, Bob indicates if the single detection is the first or the second inside the biqubit; 5. Finally, they use an error correction algorithm and a privacy amplification method usually used in BB84-based protocols.We represent the quantum states as black dots in a simplified Bloch sphere over two dimensions.The quantum measurement bases X and Z are illustrated here as a horizontal and a vertical line, respectively.In this representation, two concentric circles define the order in which the states are prepared and sent.Accordingly, the inner circle state contains the state that is first sent, and the outer circle state is prepared and transmitted.As discussed in [19], the non-orthogonal states are useful to detect the Photon Number Splitting (PNS) attack; an example is shown in (a).
In the nack state protocol, Alice chooses randomly two consecutive parallel states as the case depicted in (c) (|1 Z , |1 Z ).They produce a compatible measurement if Bob chooses, X for |i X or Z for |i Z where i = 0, 1.We sketch in (b) the case of quantum orthogonal states.Two cases are possible here Table 1 shows an example of the nack state protocol.Here, Alice sends two biqubits to Bob.The first biqubit is the orthogonal pair (|0 X , |1 X ), and the second biqubit is the parallel pair (|1 Z , |1 Z ).If the two states sent by Alice arrive at Bob's detection system without any error, a double detection event is produced.If only one of the two states of the biqubit arrives at Bob's station, he obtains a single detection event.
Table 1.We show the nack state protocol running in absence of errors at the quantum channel, all of the possible measurement results at Bob's detectors.We assume that Alice sends the biqubits (|0 X , |1 X ) and (|1 Z , |1 Z ); then, all of the possible measurement results at Bob's detectors are written.According to Bob's basis selection, we show the detection event and Bob's corresponding advertisement over the public channel.Notice that Bob announces publicly the number of the single detections inside the biqubit, first or second.

Alice
The nack state protocol has been conceived of to use the same optical hardware of the BB84 protocol; thus, it can be configured in most QKD systems as a software module application.However, two additional tasks must be implemented: the random computation of biqubits before preparing and sending the quantum states and the sifting stage of the protocol, which must include (1) sifting of single matching (compatible or non-compatible), where Bob announces the number of the single detections inside the biqubit; and (2) sifting of double detection, matching or non-matching, from parallel or orthogonal states.The error correction and privacy amplification stages of the QKD protocol do not require changes.
Until now, we have a protocol that behaves similarly to BB84.In the nack state protocol, most of the biqubits pulses sent by Alice arrive at Bob's station as single pulses that behave like BB84 signal pulses.However, we will see that in the presence of the IRFS attack, the eavesdropper unbalances the gain of the single and double detection events, which is useful to detect her presence in the middle of the quantum channel.
For the moment, we can say that the gain of single and double detection events can be properly computed by Alice as discussed in Appendix A. As a matter of fact, the double detection gain decreases quadratically with the transmittance of the channel, but Alice can verify the gain of the double detection events from parallel and from orthogonal states.It should be noted that in order to detect the IRFS, before using the QBER of the protocol, instead, we will verify, as the first step, the gain of the single and the double detection events.

Detecting the IRFS Attack
What should Alice and Bob expect from the absence of the IRFS attack?They expect a distribution of detection events according to the gains of Table A1 in Appendix A: for illustrative purposes, consider the case where µ = 0.2, η BT = 0.8, which is the overall efficiency between Alice and Bob and zero dark counts (Y 0 = 0).Thus, the great majority of the total biqubits that Alice sends finishes at Bob's station as lost biqubits (∼72.61%);single detection events are ∼25.2% and only ∼0.0219% of the measurement cases are double detection events.Although the double detection gain is small, it should not be considered negligible, because the number of pulses that Alice sends is high (10 11 -10 13 [21]), and the transmission interval can be properly enhanced.However, for practical purposes, we will assume that the secret bits in the nack state protocol are produced by single detection events, and the key rate is at most the BB84 key rate.Nevertheless, we argue that double detection events can be used to detect the IRFS attack, so in this section, we discuss the security of the protocol despite Eve's efforts to improve her attack.

The IRFS Attack with Blinding Pulses and Quantum Channel Substitution
In the presence of the IRFS attack with blinding pulses, Eve is in the middle of the quantum channel using an optical detection system similar to Bob's station.The challenge for Eve is to reproduce the gains of single and double detection events at Bob's side to pass unnoticed in the quantum channel.However, the gain of the single detection events decreases linearly with the channel efficiency, but the double detection gain drops quadratically.In Appendix B, we show that, for practical parameters of the quantum channel, the eavesdropper cannot adjust the two gains simultaneously.Eve cannot control the two gains because: 1.The eavesdropper can adjust the transmittance of the channel to a unique value, either to adjust the single or the double detection gain.2. Alice's optical pulses arrive at Eve's station sequentially.Thus, once the eavesdropper station has detected a pulse, she cannot know whether the next pulse will be also detected or lost.That is, Eve does not know when a single or a double detection event will occur.
Eve could adjust the efficiency of the quantum channel to the gain of the double detection events.Therefore, in order to remove the excess of the single detection gain, Eve could eliminate pulses according to some probability (e.g., 0.5).However, due to the second point stated before, the eavesdropper looses double detection pulses (a quarter in this example).Eve could be more selective removing only single detection events where the detection occurs in the second pulse.Using this strategy, Eve keeps the double detection gain unaltered.However, since Bob announces publicly the number of single detections inside the biqubit, first or second (see Table 1), the presence of Eve becomes noticeable.
Eve could combine the two strategies increasing the efficiency of the channel to produce an excess of the double, but also the single detection gain.The problem for Eve is that once she chooses a strategy to remove pulses, it affects equally the single and the double detection gains.As discussed in Appendix A, such gains obey different rates: while the first decreases linearly, the second varies quadratically with the transmittance of the channel.In addition, at the receiver station, the single and double detection events are registered as random interleaved events.
In Appendix B.1, we discuss a convenient method to compute the photon gain deviation caused by the IRFS attack at a practical level.

The Non-Structured Nack State Protocol
The argument of Point 2 implies that Eve uses only a single station, but this is not a practical restriction.Eve could use two stations, one close to Alice to detect and one close to Bob to generate fake pulses.If the quantum channel uses optical fibers (the most common practical channel for ground-based QKD), all Eve would need is a radio link between her two stations to "catch up" with the quantum link.Even if we assume a low source rate of 1 MHz, the time delay between pulses is only one microsecond, which can be compensated using a 600-m link (traveling in free space takes two microseconds; travel in fiber takes three microseconds).Any practical QKD system will operate over distances greater than 600 m, making it entirely feasible for Eve to detect both pulses of a pair before sending her fake state to Bob using a second station.
However, there is no reason why each pair has to be sent in a consecutive manner.We call this protocol the non-structured nack state.If Alice were to send a burst of the first states of each pair, followed by a burst of the second states of each pair, she would create a separation between the pairs equal to the length of the bursts without reducing the pulse rate.Consider a 100-km fiber optic link; Alice could send the first states of each pair for 500 microseconds, followed by the second state of each pair for the next 500 microseconds, with Bob re-choosing the same basis for both 500-microsecond bursts.Because the 500-microsecond delay is at least the full travel time in the quantum channel, Eve would always be forced to fake the first state of each pair before receiving the second.If there is no issue with this approach, the authors can use it to justify Point 2, which in turn justifies Point 1.

Faking Double Detection Events
Another scenario for the eavesdropper is to fake double detection events.After all, we might ask why Eve cannot fake double detection events while she remains hidden in the channel.First of all, let us recall that Alice knows which biqubits contain parallel or orthogonal states.Second, consider the cases depicted in Table 2. Suppose Alice has sent the (|0 Z , |0 Z ) biqubit to Bob.The first pulse reaches Eve's station, who measures it with the X (or Z) basis, but the second pulse arrives as a vacuum state either by the effect of the quantum channel, the detection system or the photon source.As a result, Eve gets a single detection event.Now, Eve decides to fake the second state, but she realizes that there are six possibilities to fake the (|0 Z , |0 Z ) biqubit; such cases are listed in Table 2. Additionally, one of those cases is erroneous because no orthogonal measurement can be derived from parallel states.In this example, (|1 Z , |0 Z ) cannot be obtained from (|0 Z , |0 Z ).Similarly, (|0 Z , |0 Z ) cannot be derived from (|1 Z , |0 Z ).As a consequence, if Eve tries to fake a double detection event, she will produce a bit error of 1  6 .In this case, a bit error is produced when Bob announces a double matching event, but Alice expects a double non-matching event or vice versa.
Table 2.After Eve detects the first state of a biqubit, she tries to fake the second state.However, there exist six possible states, but one of them is erroneous, so she introduces an error probability of 1  6 .Here, we show the six choices for (|0 Z , |0 Z ) and (|1 Z , |0 Z ) biqubits.

Alice's Biqubit Eve's Basis Eve's Detection Forwarded Dates Eve's Result
According to [22], Bob's visibility of Alice's quantum state is computed as V AB = P(signal) P(total) where P(signal) = T AB × η × V opt and P(total Here, V opt is the optical visibility with a perfect source and detectors; η is the probability of detecting the photon when it arrives; T AB is the transmittance between Alice and Bob; and Y 0 is the background noise.For realistic experimental parameters: α = 0.25 dB•km −1 , η = 0.3, Y 0 = 10 −4 and V opt = 0.99. Figure 4 shows the visibility as a function of the distance.The error rate of double detection events caused by the IRFS attack is 1  6 .If it is compared against the QBER of the quantum channel, the maximum secure distance to detect the IRFS attack is 176 km.In the presence of the IRFS attack, perfect visibility and zero dark counts are assumed in the link between Alice and Eve and from her to Bob. On the other hand, the QBER in BB84 can be computed as QBER = pe pe+pc , where pc (pe) is the probability to get, correctly or erroneously, the quantum bit sent by Alice, respectively.If we write such probabilities as a function of the optical visibility V, we have pc = (1 + V)/2 and pe = (1 − V)/2.
We discussed pc (pe) for double detection events in Appendix C. Therefore, pc = (1−V) 2 +(1+V) 2 .If we compare the QBER of double detection events produced by the quantum channel against the 1  6 error rate caused by the eavesdropper, we find that the maximum secure distance for detecting the IRFS attack when the eavesdropper fakes double detection events is 176 km, which is within the range of the BB84 key rate, as is shown in Figure 4.

Decoy State and the Nack State Protocol
At first glance, the nack state protocol seems to be similar to the decoy state protocol.However, they differ due to some main issues.For example, the states of the decoy state protocol are BB84 non-orthogonal states, which produce two photon distributions that differ from each other with respect to the expected photon number of the source (µ 1 = µ 2 ).
Thus, in the decoy state protocol, single detection events come from non-orthogonal states.As described by Hoi-Kwong Lo, if Eve lets an abnormally high fraction of multiphotons reach Bob's station, then decoy states, which have a high weight of multiphotons, will have an abnormally high transmission probability [23].Unfortunately, decoy state QKD is vulnerable to the IRFS attack [13,20].On the other hand, in the nack state protocol, Alice interleaves randomly parallel and orthogonal quantum states.Unlike the decoy state protocol, in the nack state, the photon source uses a unique µ value.However, single and double detection events come from parallel and orthogonal states randomly.

Measurement Device-Independent QKD
In [17], a QKD system that is intended to be an independent measurement device has been introduced.Implementations of this approach have been demonstrated in [24,25].However, [24] requires several additional optical components different from the BB84 protocol, and [25] relies on decoy states.Since QKD must be as device independent as possible, adding hardware to the system may aggravate it.In contrast, the nack state protocol relies on the hardware of the original BB84 protocol, which has been extensively studied.
Other protocols have been designed to resist the IRFS attack: varying randomly the efficiency of the detectors [26], monitoring a rate of coincidence detection at a pair of single photon detectors [27] or simply adding watchdogs detectors [28].However, the nack state protocol exhibits two main advantages: 1.The protocol uses the same optical equipment as the BB84.It does not use any other extra hardware; 2. The protocol or its dual protocol, the ack QKD, could be used to detect other attacks, such as the Photon Number Splitting attack (PNS) [19].
Thus, the nack state protocol would be useful to design a more secure and efficient QKD protocol.

Conclusions
The Intercept Resend with Faked (blinding) States (IRFS) attack is detected by the nack state protocol using the gain of single and double detection events.The protocol uses the same optical hardware of the BB84 protocol, and it can be implemented in most QKD systems as a software module application.
Although double detection events represent a small fraction of the total detection events, they are useful to detect the IRFS attack.In addition, the smaller QBER can be useful in future implementations to distill secret bits at longer distances.
Table A1.The gain of the single (non-empty) and empty pulses, Q (+) and Q (−) , respectively, where µ is the expected photon number of the source and Y 0 is the background noise.Here, η BT and η ET are the overall efficiency of Bob and Eve, respectively.In the IRFS attack, Eve remains undetected provided she meets the condition η ET ≥ ln(2e −µη BT −Y 0 −1) −µ .At the bottom, we show the gain of the double (+, +) detection events, which is written as Q (+,+) , and the gain of single (±, ∓) detection events is represented as Q (±,∓) .In the IRFS attack, half of Eve's biqubits can be effectively forwarded to Bob's detectors.The "•" symbol denotes multiplication inside the Q (±,∓) relation.The factor of 1/2 is a result of Bob using an active basis choice, forcing Eve to blind his detector when his basis differs from her own (half the time), and since each pair of pulses is detected in the same basis, Eve will always blind Bob for both pulses or neither pulses, resulting in the same factor 1/2 for both single and double detection events.

Gain
The yield Y i is computed across the following steps: 1.The fiber channel transmittance between Alice and Bob is written as T AB = 10 − αl 10 where α is the loss coefficient measured in dB/km, and the length l is measured in km.Furthermore, the local transmittance at Bob's side η B is written as t B • η D where t B is the internal transmittance of optical components and η D is the quantum efficiency of Bob's detectors.Then, the overall transmission and detection efficiency at Bob's side η BT is computed as η BT = t B • η D • T AB and typically η BT ranges 10 −3 [15]; 2. The transmittance η i of i photons' state at Bob's, that is η BTi = 1 − (1 − η BT ) i for i = 0, 1, ..., assuming independence between the i photons of the i photons' state; 3. The yield Y i of the i photons' state is obtained from two sources, the background noise (Y 0 ) and the true signal.Assuming that the background counts are independent from the signal photon detection, Y i is given by Y i = Y 0 + η BTi − Y 0 η BTi .However, assuming Y 0 small (around 10 −5 ) and η BT ∼ 10 −3 , the above equation can be reduced to Y i ∼ Y 0 + η BTi .
The overall gain Q (+) is the summation of each Q i contribution, thus i! e −µ , which leads to the relation Y 0 + 1 − e −µη BT .Finally, the Quantum Bit Error Rate (QBER) between Alice and Bob has been derived in [15] through the relation QBER , where e d is the error probability of the detector (e d ∼ 10 −2 ).
In order to obtain the gain of double detection events Q (−,−) , Q (±,∓) and Q (+,+) , we assume that each gain is independent of the other, that is . From the previous discussion, we have that the gain of the double detection events decreases quadratically Q (+,+) ∼ Q 2 (+) .In practical implementations of QKD, the single-matching events have the order of 10 −5 , while the double matching events reach the order of 10 −10 .to register double detection events.In this manner, Eve is detected if she waits for double detection events before she can forward them.
The rate of the double detection event is small because it decreases quadratically.However, at the same time, it is very remarkable that the QBER of the double matching detection events from parallel and orthogonal states also decreases quadratically.To see this, let us recall that in the BB84 protocol, the probability to get the correct bit is pc = (1 + V)/2, and the probability to obtain an erroneous bit is pe = (1 − V)/2, where V is the visibility of the optical system.To calculate the QBER of the one-photon states, the QBER = pe/(pe + pc) is applied [29].The same reasoning can be applied to the orthogonal biqubits case depicted in Figure C1b.(1−V) 2 +(1+V) 2 .Figure C2 illustrates the QBER of one-photon states of such protocols.Since the QBER of the nack sate is lower than the BB84, it is interesting to consider that future technologies could increase the double detection gain.Although there is not yet a formal derivation of the secret key rate for double detection events, it would be expected that the small QBER would lead to reaching longer QKD distances.

Figure 2 .
Figure 2. In the quantum blinding Intercept Resend with Faked States (IRFS) attack, Eve uses the same optical receiver unit as Bob to detect Alice's states in a random basis.Then, she prepares those quantum states, but she sends her results to Bob as bright light pulses instead of quantum pulses.(a) Bob uses the same basis as Eve; (b) Bob and Eve's basis are opposite.

Figure 3 .
Figure 3.We represent the quantum states as black dots in a simplified Bloch sphere over two dimensions.The quantum measurement bases X and Z are illustrated here as a horizontal and a vertical line, respectively.In this representation, two concentric circles define the order in which the states are prepared and sent.Accordingly, the inner circle state contains the state that is first sent, and the outer circle state is prepared and transmitted.As discussed in[19], the non-orthogonal states are useful to detect the Photon Number Splitting (PNS) attack; an example is shown in (a).In the nack state protocol, Alice chooses randomly two consecutive parallel states as the case depicted in (c) (|1 Z , |1 Z ).They produce a compatible measurement if Bob chooses, X for |i X or Z for |i Z where i = 0, 1.We sketch in (b) the case of quantum orthogonal states.Two cases are possible here {(|0 X , |1 X ), (|0 Z , |1 Z )}.

Figure 4 .
Figure 4.The error rate of double detection events caused by the IRFS attack is1  6 .If it is compared against the QBER of the quantum channel, the maximum secure distance to detect the IRFS attack is 176 km.In the presence of the IRFS attack, perfect visibility and zero dark counts are assumed in the link between Alice and Eve and from her to Bob.

c +p 2 e,
and we derived the QBER of the parallel and orthogonal states as QBER = (1−V)2
Now, suppose Alice sends the two parallel states (|1 Z , |1 Z ) to Bob who measures them using the Z basis.Those states are depicted in Figure C1a.The probability to get the two states (|1 Z , |1 Z ) is p 2 c , and the probability to get the opposite values (|0 Z , |0 Z ) is p 2 e , Case II of Figure C1a.Since the measurement cases (|0 Z , |1 Z ) and (|1 Z , |0 Z ), Cases III and IV of Figure C1a, are always discarded because they are non-matching cases, the final probabilities are pc parallel = p 2

Figure C1 .
Figure C1.The QBER of parallel and orthogonal states: Cases III and IV of (a,b) can be discarded by Alice, so they do not produce errors.

Figure C2 .
Figure C2.The nack state protocol uses pairs of parallel and orthogonal states.The QBER of parallel and orthogonal states is derived using the probabilities of two consecutive BB84 measurements.