1. Introduction
Quantum computers could render legacy cryptographic methods obsolete with their ability to solve complex mathematical problems exponentially faster than classical computers [1]. To counter this emerging threat, quantum key distribution (QKD) has been developed, leveraging the principles of quantum mechanics to ensure unconditionally secure communication, irrespective of advancements in computational power. Basically, QKD works by encoding binary information into the physical state of a particle (photon), transmitting this encoded state through the quantum channel, and then decoding it at the receiving end. The encoded physical state, a quantum bit or qubit, forms the cornerstone of this technology.
The first practical demonstration of QKD over 30 cm of free space using polarization coding [2] increased the interest in this new technology. Since then, a plethora of theoretical and experimental studies have led to the commercial availability of prototype QKD products. Various quantum cryptography protocols have been developed, with some demonstrating key transmission over tens of kilometers through both optical fiber and free space [3,4].
Recently funded research projects, such as SECOQC, have indicated a model for the development and operation of a point-to-point QKD network architecture with advanced protocols [5]. Additionally, GÉANT, an organization that connects National Research and Education Networks (NRENs) throughout Europe and beyond, is exploring the integration of QKD services into its network, as well as the necessary hardware and software solutions for maintaining and monitoring a QKD-secured network. The growing interest in practical applications of QKD protocols in recent years is also evidenced by the establishment of the European Quantum Communication Infrastructure (EuroQCI) project [6]. This infrastructure will consist of a terrestrial fiber-optic segment and a satellite network connecting strategic sites nationally and across borders to safeguard the privacy of sensitive and critical data for governmental institutions, their data centers, hospitals, and more.
In the context of smart grid infrastructure security, the work [7] utilizes QKD secret keys over the MQTT protocol to support distributed energy resource (DER) communication. The practical implementation was tested in a real utility environment at the Electric Power Board (EPB) in Chattanooga, Tennessee, between a data center and an electrical substation connected via optical fiber.
In another recent work [8], the application of QKD is discussed for communication channels in hydropower facilities. This implementation encrypts and decrypts command/control communications, mitigating security risks while integrating with existing control interfaces.
Moreover, Ref. [9] demonstrates the implementation of quantum-safe 100 Gbps IPsec VPN tunnels over 46 km of fiber between two data centers, achieving a secret key rate of 7.4 kbps.
Another promising application is presented in [10], which showcases and tests a real-time implementation of a submarine QKD system based on the BB84 protocol using an FPGA as a photon counting module.
QKD enables the secure sharing of a secret key between two parties, traditionally referred to as Alice and Bob, over a quantum channel. An eavesdropper, Eve, may attempt to intercept the communication during this process.
Several QKD protocols have been proposed, with the Brassard–Bennett 1984 (BB84) protocol being the first and most widely adopted [11]. Due to its prominence and practical applications, this study focuses on the four-state BB84 protocol as the foundational model for QKD. The robustness of the protocol and its widespread use make BB84 an ideal candidate for investigating the effectiveness and security of QKD in real-world scenarios.
This paper advocates for a deeper investigation into the detectability of eavesdroppers, a non-trivial and unique feature of QKD. Indeed, the accurate detection of an eavesdropper would allow for more efficient use of the expensive quantum resources involved in QKD, ultimately enhancing the overall security and effectiveness of key-sharing processes.
The intercept-and-resend attack is widely recognized as a strategy employed by eavesdroppers within the BB84 protocol [12]. The study of this approach has led to a practical eavesdropping method known as a partial intercept-and-resend attack [13,14], where the eavesdropper intercepts a qubit with probability p (also referred to as the interception rate or density) and leaves it untouched with probability . Such an attack represents one of the simplest individual attacks by an eavesdropper. For simplicity and clarity in analyzing eavesdropper detectability in the QKD protocol, this paper assumes the partial intercept-and-resend attack as the sole strategy employed by the eavesdropper.
Previous studies have calculated the quantum bit error rate (QBER) under the partial intercept-and-resend attack with rate p in the BB84 protocol as [15]. This calculation considers the error due to eavesdropping independently of the error introduced via quantum system noise. This paper extends the previous analysis by examining the QBER of the partial intercept-and-resend attack in the BB84 protocol as a function of errors generated via quantum system noise. Therefore, this comprehensive analysis, in conjunction with the simulation validation, aims to provide a more realistic understanding of QBER behavior by incorporating the imperfections inherent in practical QKD systems.
Paper Contributions
The main contributions of the paper can be summarized as follows.
A definition and statistical performance analysis of an intrusion detection system for partial intercept-and-resend attacks on the BB84 scheme, also considering quantum system noise.
An investigation of the role of the interception rate and key lengths in the BB84 security performance, which reflects its possible future application as a QKD scheme.
A simulation-based implementation that exploits an open-source library able to model the noise of real quantum computers. This feature allows the analysis of the obtained results using backend simulators inspired by real quantum machines.
To the best of the authors’ knowledge, these aspects have not previously been studied in combination.
2. Related Works
Many studies have analyzed QKD in general and BB84 in particular.
The general unconditional security of the BB84 protocol has been demonstrated under ideal noise-free implementations [16,17]. Only specific studies have considered particular device imperfections [18,19], but they have typically employed an information theory-like approach to allow the extraction of a secure key. Conversely, the goal of this work is not to evaluate the security of the BB84 protocol but to develop an intrusion detection method for the partial intercept-and-resend attack on this protocol.
The simulation of the BB84 protocol has also been performed in several studies, such as [20,21,22,23]. They demonstrate its working principles, along with its limitations and the effects of noise in a quantum system.
There has been significant research on eavesdropper detection in the context of intercept-and-resend attacks within QKD protocols. Bennett and Brassard initially assumed that a communication could be considered free from eavesdropping activity if the measured QBER were zero [11]. Elboukhari et al. calculated that, in the four-state BB84 QKD protocol, an eavesdropper would go undetected with a probability of , where K represents the number of qubits used to compute QBER [24]. Subramaniam and Parakh extended this analysis to the limit case of infinite-state BB84 and quantum Diffie–Hellman protocols, determining that the probability of an eavesdropper remaining undetected is, at minimum, [25]. Zamani and Verma proposed a two-way QKD protocol and calculated the probability of undetected eavesdropping in relation to both K and the number of key exchanges [26]. However, a common assumption across these studies is the consideration of an ideal quantum system, wherein any QBER greater than zero is solely attributed to eavesdropping. This idealized perspective does not account for quantum system noise, which can also contribute to QBER.
A few works have investigated the possibility of developing an intrusion detection system for the BB84 scheme. Among these, the most similar to the approach presented in this paper are [12,27]. They present satisfactory results, often with high detection accuracy in their considered conditions. However, they do not examine some details, either the noisy simulation of a real quantum computer or the possibility for the eavesdropper to intercept only a fraction of the qubits being sent.
4. BB84 Simulation Model
This section describes the implementation of the BB84 simulation model within QuantumSolver (QS) [35], with a specific focus on its Crypto module. QS is a toolset developed in Qiskit [36] that enables the simulation of QKD protocols, such as BB84, using IBM simulators and real quantum computers.
Figure 1 shows a simplified overview of the program’s internal operations.
In more detail, the program flow can be divided into three distinct phases presented in the following subsections:
Key generation.
Key checking.
Validation.
4.1. Key Generation
The initial phase of the program, depicted in Figure 2, is responsible for generating the cryptographic key. When initiating the program, the available inputs that can be chosen include the following:
Input string length: In our modified version of the simulator, this parameter exactly corresponds to n, the number of bits initially exchanged during the QKD process.
Interception density: This refers to the percentage of qubits that Eve may intercept and forward to Bob. It quantifies Eve’s ability to eavesdrop on the qubit transmission between Alice and Bob, hence influencing the overall security and effectiveness of the key distribution process.
Backend: The IBM backend simulator to be used in receiving operations for decoding bits.
Figure 2.
BB84 key generation.
The program then initiates with Alice generating a binary array of length n, corresponding to the random transmission “axes” (i.e., bases). Additionally, she randomly generates the n bits to be exchanged with Bob to establish the secret key. For each bit, the associated quantum state is determined based on the corresponding random basis and the mapping strategy, as shown in Table 1 and as explained below.
The simulation of the qubit encoding process on quantum hardware begins by looping the number of times specified by the parameter n to encode each bit. Accordingly, if the qubit’s state is 1, the X gate is applied. Otherwise, the qubit is passed on to the next step unchanged. Similarly, if the corresponding basis value is X (i.e., “diagonal”), the H gate is applied. Otherwise, no action is taken. Following this step, the qubit has been encoded, and the next one can begin the same encoding process. Once all the qubits from Alice’s n-long array have been encoded, they can be transmitted to Bob.
Before reaching Bob, Eve may attempt to intercept the transmitted qubits. She is equipped with an array of n randomly generated bits, which serve as her basis values. As with Alice, she will loop n times and attempt to guess the received bit. More specifically, the program randomly generates a number between 0 and 1, and if it is smaller than the interception density chosen as input, then Eve intercepts the qubit. The intercepted qubit is then subjected to an H gate operation if the corresponding basis is the “diagonal” one; otherwise, no operation is performed. The process continues by measuring the intercepted qubit (by performing the Qiskit measure operation) and by decoding the corresponding bit value through the readout operation of the backend simulator (selected at the start of the program). Once all the intercepted qubits have been processed, they are forwarded to Bob.
Bob’s behavior is essentially identical to that of Eve, differing only in his interception density value, which is 1, since he intercepts all the qubits sent by Alice and Eve. Subsequently, Bob decodes the n received qubits by applying the same operations as Eve, based on the values of his random bases array. Upon completion, he publicly announces that Alice’s message has been received.
Upon receipt of the message, both Bob and Alice can securely share their bases. By doing so, they can compare the bases and keep only the bit values in which the bases are the same. Such remaining k bits will be used to subsequently form the private key, which will be verified in the following step.
4.2. Key Checking
Figure 3 illustrates the flow chart of the key-checking procedure. This procedure determines whether Alice and Bob share a secure secret or whether it is necessary to restart the BB84 protocol due to Bob observing bit errors on the received key, which may be caused by Eve’s interference and/or system noise. This is achieved by Bob publicly sharing the first
bits of the key with Alice. Subsequently, both parties compare these bits to ascertain any discrepancies. If any discrepancy is found, the algorithm fails and necessitates a restart. Otherwise, if all the shared bits are identical, the remaining, unshared bits are probably identical as well. Subsequently, Alice and Bob discard the shared bits, as they have become public and cannot be utilized for the private key generation. The remaining bits then form the actual shared secret key, which can be used by both participants.
It should be noted that QS does not perform information reconciliation and privacy amplification techniques because, firstly, they are not strictly part of the protocol and, secondly, the described implementation requires a perfect match (i.e., zero error rate) between the key bits compared by Alice and Bob, rendering these techniques less indispensable. In a real-world scenario, instead, both are typically employed, as commented upon in Section 3.2.
4.3. Validation
Finally, QS provides a potential subsequent step, namely a message exchange, as depicted in Figure 4. This is not a component of the BB84 algorithm; rather, it is a validation process to show that the generated key can be employed to transmit encrypted messages in a practical setting.
The newly created and verified shared secret key is used by both Alice and Bob to generate a One-Time Pad (OTP). Alice encodes the original input string by XOR-ing it with the OTP and sends the encrypted message to Bob. Bob XORs the message once more with his own OTP to obtain the decrypted message. The program then checks whether the message that Bob decrypted differs from the original that was sent by Alice. If Bob’s resulting message differs from that originally sent by Alice, the cause may be the undetected interception of Eve or random noise. This step is feasible only in a testing-simulative scenario, as in the real world, Alice and Bob would have to publicly share the decrypted message to ascertain that they are equal.
5. Intrusion Detection Method
To define the intrusion detection method, it is necessary to analyze the details of some important aspects.
The first one is to evaluate the probability of detecting Eve, taking into account the conservative approach used with the QS in the checking phase. In particular, we recall that QS publicly shares half of the generated key to detect errors in the received bits caused by Eve’s action and/or system noise. In certain scenarios, this approach may be inefficient because each shared bit is subsequently discarded and cannot contribute to the final key. Furthermore, as the average probability of Bob correctly guessing Alice’s basis is only , the number of usable bits for the key will be reduced to around one-quarter of the initial number.
Table 2 summarizes the meaning of the symbols used in the remainder of the paper.
5.1. Probability of Detecting Eve’s Presence
Let us consider the situation in which it is known that Eve eavesdrops all qubits. When assuming the ideal scenario of a lack of system noise, the probability of each event can be easily determined, as follows.
Case 1: Eve selects the same basis as Alice. The probability of this event is 0.5. In this case, the data are successfully exchanged between Alice and Bob, and Eve intercepts the bit without introducing any error.
Case 2: Eve selects a basis that is different from Alice’s. The probability of this event is 0.5. However, two different subcases can be defined, depending on whether Bob correctly receives the qubit transmitted by Alice or not. In the first subcase, Eve’s interception is not detected, and Bob will successfully receive the bit sent by Alice. The second subcase considers the possibility that Bob fails to measure the qubit transmitted by Alice. This leads to an error in the qubit reception and, consequently, to the decoded bit. Both subcases have the same conditional probability, i.e., 0.5.
Considering all cases, the probability that Bob correctly receives the bit transmitted by Alice conditioned to the event that Eve intercepts all qubits is 0.75. This value is obtained by summing the probability of Case 1 (0.5) and the probability of Case 2 (0.5), multiplied by the corresponding conditional probability of the subcase 1 (0.5). In such an event, Alice and Bob are not aware of Eve’s interception because Bob correctly decodes the qubit regenerated by Eve. However, Eve is present. This probability is, therefore, linked to the scenario where Eve remains undetected because Alice and Bob have no actionable information to detect Eve’s presence.
This reasoning can be extended to determine the probability of Eve’s non-detection when Alice and Bob use
m bits for comparison. When assuming the statistical independence of Eve’s interception process, the probability of the event
(Eve’s interception is undetected) is as follows:
This equation demonstrates that the probability of detecting Eve’s interception, equal to
, increases rapidly with the number of compared bits in the case where Eve intercepts all qubits. For instance, in the case of 15 bits,
[
36]. For longer keys, comparing half of the bits becomes unnecessary and merely wastes useful bits that could be retained for the final key. For this reason, there is a clear need for the development of a more effective approach for practical applications.
5.2. Model QBER vs. Eve’s Interception Density
It is important to recall that the previous results are obtained with the assumption that Eve is present and intercepts all qubits. A general analysis instead should consider that the only information available is that Eve performs a partial intercept-and-resend attack. To analyze this scenario in detail, the two cases, with and without Eve’s interception, must be considered separately.
5.2.1. Case 1: Without Eve’s Interception
This analysis starts by considering the following example. Referring again to
Table 1, we consider the case in which Alice encodes the bit 0 with the basis +, hence employing the
state. Indeed, we will carry out the subsequent statistical analysis by making such an assumption. Anyway, it is worth emphasizing that such a model does not preclude the generalization of the obtained results to the remaining cases, given the inherent symmetry of the problem (i.e., equiprobable random choice of bit values and bases). Moreover, throughout the remainder of this paper, quantum states will be explicitly represented only with their corresponding bit values, as each state is uniquely determined according to its associated bit once the basis has been defined. On Bob’s side, the events and their associated probabilities are illustrated in
Figure 5 and described as follows:
Bob picks the correct basis, +, and hence, he always measures the correct state, 0, given the ideal communication channel.
Bob picks the wrong basis, X, and then the measured state is random, 0 or 1, with each state having the same probability of .
Figure 5.
Case 1: without Eve.
The probability of the event “Bob selects the correct basis”, shortly
(i.e., the + basis in
Figure 5), can easily be determined:
With the assumption of an ideal communication channel and the properties of quantum mechanics, the probability of the event “Bob measures the same bit” of Alice, shortly
, conditioned to have selected the correct basis is
, as is evident from
Figure 5. Therefore, in this scenario, if Bob chooses the correct basis (i.e., the same as Alice), he is sure about the correctness of the decoded bit.
Differently, the unconditioned probability of the event “Bob decodes the same bit transmitted by Alice” can be easily computed using the total probability theorem:
since
, and
(for the symmetry of the formulation, as previously discussed). In the above Equation (
2), the condition refers to the basis employed by Alice.
Applying the total probability theorem and also considering the assumption of the state (or bit, equivalently) transmitted by Alice,
is given by the following:
where
, and
(we recall that it is assumed that Alice encodes with equal random probability 0 or 1 bit values through qubits).
Again, the symmetry of the problem allows us to neglect the explicit computations for the other basis cases.
Therefore, Equation (
3) shows that Bob measures the correct bit with a probability of 0.75. However, it is worth noting that the BB84 implementation discards the bits measured with the wrong basis, i.e., the edge
X in the tree shown in
Figure 5. Consequently, only around
of the received bits will be kept. Nevertheless,
of the set of measured bits with the correct bases will produce the transmitted bits without errors, as previously shown. The importance of this strategy is outlined by the successive discussion that describes the scenario where Eve’s presence is assumed.
5.2.2. Case 2: With Eve
A more complex scenario occurs when Eve mimics Bob’s behavior by attempting to intercept the bits transmitted by Alice. The discussion of this case considers an example similar to the previous case, i.e., Alice encodes the bit 0 with the basis +. The alternative events are illustrated in
Figure 6 and described in the following.
Eve picks the correct basis with a probability of
, always measuring the bit 0. As illustrated in the lower edge of the tree shown in
Figure 6, in this case, Bob is in the same situation as in the previous case; i.e., he receives a bit, “0”, transmitted using the basis + (i.e., state
). Eve is transparent to Bob’s reception performance. Therefore, Bob measures the bit “0” with a probability of 1 when the correct basis, +, is selected. Consequently, the global probability of measuring the bit “0” in this case is
. Another event that allows Bob to observe “0” is when he uses the wrong basis. In this case, the two alternative outputs, 0 and 1, can be observed with the same probability. Thus, the probability of observing 0 is obtained from the intersection of the following events: “Eve selects the correct basis”, “Bob selects the wrong basis”, and “on the wrong basis Bob measures 0”. All of these events have the same probability,
. Thus, the probability of this global event is
.
Eve picks the wrong basis with a probability of and will measure the two alternative bits, 0 and 1, with equal probability. From this point, Bob performs his measurement, which leads to two different scenarios:
– Eve measured 0; Bob will measure 0 with a probability equal to 1 when picking the wrong basis (with respect to Alice and, hence, the same basis of Eve) and, randomly, 0 (with probability) when picking the same basis as Alice. When taking into account the probability of Eve’s choices, the global probabilities of the two events are and , respectively.
– If Eve measured 1, Bob will measure 1 with a probability equal to 1 when picking the wrong basis and, randomly, 0 (with, again, a probability) when picking the same basis as Alice. In summary, Bob selects the correct state, 0, with probability . This can be computed as the product of the probability of the following events: “Eve picks the wrong basis”, “Eve measures 1”, “Eve picks the same basis as Alice”, and “Bob measures 0”. Indeed, all the above events are independent and have the same probability, .
Figure 6.
Case 2: with Eve.
Equation (
2) allows
to be obtained via the calculation of
. The detailed analysis presented above allows for the calculation of this probability as follows:
can be calculated by summing the probability of the different events leading Bob to measure state 0, as detailed above. Hence, referring to
Figure 6, we get
. Consequently,
This result indicates that Eve’s presence reduces from to . It is worth noting again that, in the BB84 procedure, only the bits that Bob obtains using the same basis as Alice are considered. The others are rejected.
Consequently, it is also important to calculate
:
where, again,
, and
The term
can be calculated by considering, again, the operations depicted in
Figure 6, as follows:
Finally, we return to Equation (
6). Given that
, we get
.
This result indicates that, even when Bob guesses the same basis as Alice, there is a probability of 0.25 that he measures the wrong state with respect to Alice due to Eve’s intervention. This observation quantifies how much Eve negatively affects Bob’s chances of measuring the correct value that Alice sent.
5.2.3. Impact of the Interception Density
The previous analysis considers the cases of knowing the presence or absence of Eve. The extension of the study is to evaluate the impact on the BB84 performance of the interception density parameter, indicated as
p, which represents the percentage of qubits (and, hence, bits) that Eve intercepts. This parameter is considered in QS and can be set before starting the simulation, as was already highlighted in
Section 4.1. If referring to the previous analysis, this parameter impacts the BB84, as described in
Figure 7:
With probability p, Eve intercepts the qubit; consequently, the BB84 performance can be computed following the analysis of Case 2 in this subsection.
With probability , Eve does not intercept the qubit; i.e., the scenario is equivalent to Case 1 in this subsection.
Figure 7.
Scenario with interception density p.
With respect to the previous analysis, the introduction of
p does not change Equation (
1), i.e.,
, while it impacts the probability of some other events as follows.
Recall Equation (
2),
, which can be calculated by considering Equations (
3) and (
5), weighted according to the conditioning probability
and
p, respectively:
can be easily derived from Equation (
6), taking into account that
is equal to
or
if Eve does or does not intercept the qubit, respectively:
This result allows for deriving a key relation between the computable (by Alice and Bob)
and Eve’s interception density,
p, in the case of a partial intercept-and-resend attack:
which confirms previous results [
15] and represents the starting point of the proposed intrusion detection method. It is worth pointing out that Equation (
11) is obtained when assuming ideal channel conditions, i.e., no system noise.
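The relation between the sifted-key error rate and the interception density can be checked with a classical Monte Carlo model of the flow described in Sections 4.1 and 4.2. This is an added example, not QuantumSolver code and not from the paper: it assumes an ideal, noise-free channel, uses no Qiskit backend, and all function names are hypothetical. Weighting the 0.25 error probability of Case 2 by p gives an expected QBER of p/4, which the simulation reproduces.

```python
import random

PLUS, DIAG = 0, 1  # the two bases: "+" (rectilinear) and "X" (diagonal)


def measure(bit, state_basis, meas_basis, rng):
    """Ideal measurement of a BB84 state.

    Measuring in the basis the state was prepared in returns the encoded bit;
    measuring in the other basis returns 0 or 1 with equal probability.
    """
    return bit if state_basis == meas_basis else rng.randrange(2)


def bb84_exchange(n, p, seed=None):
    """Send n qubits from Alice to Bob with Eve intercepting each one with
    probability p (partial intercept-and-resend). Returns the sifted keys
    (alice_key, bob_key): only positions where Bob's basis equals Alice's."""
    rng = random.Random(seed)
    alice_key, bob_key = [], []
    for _ in range(n):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        bit, basis = a_bit, a_basis          # state travelling on the channel
        if rng.random() < p:                 # same test as the interception density input
            eve_basis = rng.randrange(2)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis                # Eve resends in the basis she measured in
        b_basis = rng.randrange(2)
        b_bit = measure(bit, basis, b_basis, rng)
        if b_basis == a_basis:               # sifting: keep matching bases only
            alice_key.append(a_bit)
            bob_key.append(b_bit)
    return alice_key, bob_key


def key_check(alice_key, bob_key):
    """Publicly compare the first half of the sifted key.

    Returns (m, d, alice_rest, bob_rest): m compared bits, d mismatches, and
    the unshared halves that would form the secret key."""
    m = len(alice_key) // 2
    d = sum(a != b for a, b in zip(alice_key[:m], bob_key[:m]))
    return m, d, alice_key[m:], bob_key[m:]


def estimate_qber(n, p, seed=None):
    """QBER estimate d/m from one run with n transmitted qubits."""
    alice_key, bob_key = bb84_exchange(n, p, seed)
    m, d, _, _ = key_check(alice_key, bob_key)
    return d / m if m else 0.0


if __name__ == "__main__":
    n = 40000  # constructed value, chosen only to keep statistical scatter small
    for p in (0.0, 0.25, 0.5, 0.75, 1.0):
        print(f"p={p:.2f}  simulated QBER={estimate_qber(n, p, seed=7):.4f}  p/4={p / 4:.4f}")
```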
5.3. The Proposed Intrusion Detection Method
To generalize Equation (
11), the assumption on the channel noise should be released. For this aim, four different cases can be defined, depending on the presence of Eve and noise. Each case has a different impact on the theoretical
, as described in the following:
1. No system noise, no Eve: ,
2. System noise, no Eve: the can be derived once the amount of random noise is determined,
3. No system noise, Eve: ,
4. System noise, Eve: .
Among these alternative scenarios, the latter (with interception density
p) is the most interesting one. Considering a noisy scenario and Equation (
11), in the case where the parameter
p is known, the information that could be derived from the
observation is that, if
, Eve has not intercepted the exchanged bits. On the contrary, no useful information is available when
if no information on the noise is available. Of course, this is a probabilistic approach that may fail, as discussed below.
The
can be estimated after establishing the number of bits used for testing the BB84 procedure (i.e.,
m), therefore indicating with
d the number of erroneous bits detected at Bob’s side in the shared key:
When considering the above analysis and Equation (
11), the
missed detection (
) event corresponds to the case that
, but Eve is present, i.e., when the number of wrong bits in the shared key is less than the expected mean value.
More specifically, when considering the corresponding integer value and, hence, setting a threshold equal to
, the missed detection probability
can be calculated as follows:
It is worth noting that the above Equation does not consider the noise; consequently, the actual would be even smaller since the noise would increase the probability of a bit error on Bob’s side. In other words, the proposed intrusion detection method incorporates errors on the bits due to system noise into Eve’s intervention, thus following a conservative approach in evaluating the attack scenario.
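The detection probabilities discussed in Sections 5.1 and 5.3 can be evaluated numerically as follows. This is an added example, not code from the paper or from QuantumSolver: it assumes noise-free conditions, models the number of erroneous bits d among m compared bits as Binomial(m, p/4), and takes a missed detection to mean d strictly below the expected value m·p/4; the function names and the sample values of m, d and p are constructed.

```python
from math import ceil, comb


def bit_error_probability(p):
    """Per-bit error probability on the sifted key for interception density p
    in the noise-free case: 0.25 when the qubit is intercepted, 0 otherwise."""
    return p / 4


def undetected_with_zero_error_check(m, p=1.0):
    """Probability that all m compared bits match although Eve is active.

    This is the perfect-match check used in the key-checking phase; for p = 1
    it reduces to 0.75**m, the case analysed in Section 5.1."""
    return (1 - bit_error_probability(p)) ** m


def missed_detection_probability(m, p):
    """P(d < m*p/4) for d ~ Binomial(m, p/4): Eve is present, yet the observed
    error count falls below the expected mean (assumed threshold convention)."""
    q = bit_error_probability(p)
    # Number of integers d with 0 <= d < m*q; the epsilon guards against
    # floating-point results such as 1.0000000000000002 for an exact integer.
    threshold = ceil(m * q - 1e-12)
    return sum(comb(m, d) * q**d * (1 - q) ** (m - d) for d in range(threshold))


def eve_suspected(m, d, p):
    """Conservative decision rule: every observed error is attributed to Eve,
    so an estimated QBER d/m at or above p/4 is flagged."""
    return d / m >= bit_error_probability(p)


if __name__ == "__main__":
    # Section 5.1 example: 15 compared bits, Eve intercepting every qubit.
    print(f"detection with 15 bits, p=1: {1 - undetected_with_zero_error_check(15):.4f}")
    # Constructed sample values of m, to show the trend with the key length.
    for m in (16, 64, 256):
        for p in (0.25, 0.5, 1.0):
            print(f"m={m:3d} p={p:.2f}  "
                  f"zero-error miss={undetected_with_zero_error_check(m, p):.3e}  "
                  f"below-mean miss={missed_detection_probability(m, p):.3f}")
```

The zero-error check misses Eve with a probability that shrinks exponentially in m, while the below-mean criterion stays close to one half because it asks only whether the count falls under its own mean.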
6. Performance Evaluation
The performance evaluation of the proposed intrusion detection method was carried out with the QS, using different quantum backend simulators and simulation settings, as described in
Section 6.1 and
Section 6.2, respectively. The key element of our approach, the estimation of the
, is discussed throughout all the remaining subsections.
6.1. Simulators of Quantum Communication
QS can be interfaced with a large number of backend simulators, provided by IBM and inspired by real quantum machines. These simulators mainly differ in terms of the following properties.
The number of qubits available for computations to the quantum computer.
The maximum number of shots. A shot is a single execution of a quantum algorithm; for example, a shot is a single pass through each stage of a complete quantum circuit. The maximum number of shots represents how many times an algorithm can be run for a single task, resulting in a probability distribution of results [
37].
The noise model, used to simulate the noisy operations of a real quantum computer.
After the analysis of all available backends (to take advantage of their inherent characteristics), our choice is to utilize the following two simulators: aer_simulator and fake_brooklin, both with the number of shots set to 1. Table 3 summarizes their main features.
More specifically, the aer_simulator was selected for two main reasons:
The execution times are very low, enabling a high number of simulations in a short amount of time.
It simulates an ideal, noise-free, quantum circuit, allowing for the isolation of the impact of Eve.
On the other hand, the selection of fake_brooklin was due to its ability to model the system noise, giving more accurate and realistic results.
6.2. Settings of Simulation Analysis
The simulation study was carried out with different settings of
p and
n. In more detail, the values of Eve’s interception density are as follows:
and for each of them, four different settings of
n were considered:
The first three values refer to scenarios where BB84 is used to generate a symmetric key with the same security level as today’s standard symmetric key algorithms: AES-128, AES-192, and AES-256, respectively [32]. Indeed, about half of the n bits are lost due to the random choice of the bases by Alice and Bob, and another half of the remaining bits must be discarded because of the key-checking procedure (see Section 4.2). Consequently, the average number of bits useful for the key is about . Furthermore, once quantum computers can implement Grover’s algorithm, the complexity of a symmetric key search will be reduced from to [1]. This means that, to have an equivalent post-quantum security level, the key lengths must be multiplied by a factor of 2. In summary, for example, permits having the same security level of AES-128. Finally, the value was chosen to provide sufficient data to accurately model the noise of the simulator and analyze the evolution of the model’s performance under increased safety requirements.
For each scenario characterized by the pair , 50 independent runs were conducted to estimate the average value and the corresponding confidence interval (CI).
6.3. Results: Model Validation
The first set of results aimed to validate the accuracy of Equation (11). Two different scenarios were considered: without and with system noise. Clearly, the analysis of the first case exploits the aer_simulator, while the second one refers to fake_brooklin, under the assumption that the system noise is additive to Eve’s interception, i.e.,
where is the introduced via the system noise.
Figure 8 and Figure 9 display the considered values of p on the x-axis, while the estimated , , and its related C.I. are shown on the y-axis. The dashed black line represents the best-fitting line (least squares error), based on the estimated mean for each value of p.
More specifically, Figure 8 shows the results with the aer_simulator for . The resulting slope of the best-fitting line is , which is closely aligned with the theoretical predicted value of . As expected, the regression line passes through the origin, given that this simulator does not model noise.
Similar results were obtained for the other n settings. For simplicity, only the case is depicted in Figure 9, while the essential data required to validate the model of Equation (11) are summarized in Table 4 for all considered values of n.
Figure 10 and Figure 11 refer to the fake_brooklin simulator. The main distinction from the previous results is the inclusion of system noise, which generates .
The best-fitting line in these figures suggests two conclusions. Firstly, appears to be additive, as assumed in Equation (14). Indeed, the best-fitting line has a slope of around 0.25. Secondly, the estimation of can be derived by evaluating when . For instance, Figure 10 displays a slope of 0.237 and .
The comparison between Figure 10 and Figure 11 reveals a decrease in the size of the CI as n increases. Additionally, the figures illustrate a trend of higher CI intervals as p increases.
Table 5 summarizes the quantitative results, highlighting the small variations in the estimated values of the slope and .
Therefore, the results shown provide experimental evidence of the validity of Equation (14).
6.4. Results: Intrusion Detection
This analysis aims to evaluate the accuracy of the method used to estimate p on Bob’s side. The assumption is that is known, for example, through measurement campaigns, as previously discussed. The intrusion detection procedure involves calculating on Bob’s side and then, by inverting Equation (14), estimating , which provides Bob with information on the interception density. This information can help Bob decide whether the shared key can be considered secure or if the BB84 protocol needs to be rerun. This study only considered the fake_brooklin simulator because it is important to account for the effects of the system noise in the estimation process.
In this regard, the value refers to the result obtained in the scenario with , as shown in Table 5, i.e., . The rationale behind this choice is that the higher the value of n, the higher the accuracy of the estimate.
Figure 12 and Figure 13 show the results for the cases and , respectively. The figures display the set of points (p, ) obtained for each of the 50 runs. The analysis of the figures suggests that the average estimate is close to the set p value. However, the different estimations are spread over a relatively wide interval. This interval widens further as p approaches 1.
The comparison between Figure 12 and Figure 13 reveals that, as n increases, becomes progressively more accurate, and the spread of the estimation interval decreases. These conclusions were corroborated with the results for other values of n, namely .
The analysis of these tables reveals that the estimation becomes progressively more accurate with the increase in n. Particularly, the last table, Table 9, provides almost perfect average estimations, with a mean standard deviation ( in the tables) that is always less than for all values of the interception density.
It is important to note that, while the accuracy of determining the real value of p is certainly valuable, in practical scenarios, simply knowing that may indicate a high likelihood of Eve’s presence. In summary, the method can detect Eve’s action as long as information on is available.
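The estimation procedure of this section, as an added example that is not the paper's code: a classical Monte Carlo stand-in for the Qiskit backends, assuming the linear model with slope 0.25 and an additive noise term that the fitted lines above report. The key lengths, the noise flip probability of 0.02 and all function names are constructed for illustration.

```python
import random
from statistics import mean, stdev

SLOPE = 0.25  # assumed model: error_rate = SLOPE * p + q_noise

def sifted_error_rate(n, p, q_noise, rng):
    """One BB84 exchange of n qubits; error rate over the disclosed check bits."""
    sifted = checked = errors = 0
    for _ in range(n):
        bit, a_basis = rng.getrandbits(1), rng.getrandbits(1)
        state_bit, state_basis = bit, a_basis
        if rng.random() < p:                  # Eve intercepts this qubit
            e_basis = rng.getrandbits(1)
            if e_basis != a_basis:            # wrong basis: her outcome is random
                state_bit = rng.getrandbits(1)
            state_basis = e_basis             # she resends in her own basis
        if rng.getrandbits(1) != a_basis:
            continue                          # sifting: Bob's basis differs
        # Bob measures in Alice's basis; a state resent in the other basis
        # collapses to a random bit.
        result = state_bit if state_basis == a_basis else rng.getrandbits(1)
        if rng.random() < q_noise:            # constructed system noise: bit flip
            result ^= 1
        sifted += 1
        if sifted % 2:                        # every other sifted bit is disclosed
            checked += 1
            errors += result != bit
    return errors / checked if checked else 0.0

def estimate_p(error_rate, q_noise):
    """Invert the linear model and clamp the estimate to [0, 1]."""
    return min(1.0, max(0.0, (error_rate - q_noise) / SLOPE))

def experiment(n, p, q_noise, runs=50, seed=1):
    """Calibrate the noise term with p = 0, then estimate p over `runs` runs."""
    rng = random.Random(seed)
    q_hat = mean(sifted_error_rate(n, 0.0, q_noise, rng) for _ in range(runs))
    est = [estimate_p(sifted_error_rate(n, p, q_noise, rng), q_hat)
           for _ in range(runs)]
    return mean(est), stdev(est)

if __name__ == "__main__":
    # Independent flips give e + q - 2*e*q, so the additive model is an
    # approximation and the estimate comes out slightly below the true p.
    for n in (512, 8192):                     # constructed key lengths
        m, s = experiment(n, p=0.5, q_noise=0.02)
        print(f"n={n}: mean p_hat={m:.3f}, std={s:.3f}")
```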
6.5. Additional Remarks
The results presented here assumed a noise-free environment, except for the intrinsic noise of the simulated quantum system. However, in real-world scenarios, noise could originate from various sources, including the communication channel. Excessive noise could potentially reduce the reliability of intrusion detection.
Moreover, this approach is inherently probabilistic, so if it were to be employed in a real-world application to detect an eavesdropper, an acceptance threshold would need to be established. If the estimated values were to fall above this threshold, the key exchange would be deemed insecure. To determine this threshold, all potential sources of noise would need to be considered, along with the number of errors that could be tolerated and corrected using error correction codes.
7. Conclusions
This paper has presented a method for intrusion detection within the BB84 QKD scheme with a partial intercept-and-resend attack. The proposed approach is based on a theoretical model that considers the induced via both eavesdropping (Eve’s interception) and inherent quantum system noise. A performance evaluation, conducted using a realistic quantum system simulator with noise, demonstrated the validity of the proposed method in estimating the interception density, which is crucial for detecting Eve’s presence.
In more detail, the results obtained indicate that the system accuracy is influenced by the actual interception density and the initial key length, n. Specifically, lower interception densities and longer key lengths improve the precision of the detection mechanism.
Therefore, these findings suggest that the method could be effectively utilized in real-world scenarios to detect eavesdropping activities during the generation of a private shared key, thereby enhancing the security of quantum communication systems. Further work on this topic will include an examination of the viability of the proposed method in actual BB84 applications, such as those described in Section 1.