Modeling, Simulation, and Performance Analysis of Decoy State Enabled Quantum Key Distribution Systems

: Quantum Key Distribution (QKD) systems exploit the laws of quantum mechanics to generate secure keying material for cryptographic purposes. To date, several commercially viable decoy state enabled QKD systems have been successfully demonstrated and show promise for high-security applications such as banking, government, and military environments. In this work, a detailed performance analysis of decoy state enabled QKD systems is conducted through model and simulation of several common decoy state conﬁgurations. The results of this study uniquely demonstrate that the decoy state protocol can ensure Photon Number Splitting (PNS) attacks are detected with high conﬁdence, while maximizing the system’s quantum throughput at no additional cost. Additionally, implementation security guidance is provided for QKD system developers and users


Introduction
Quantum Key Distribution (QKD) is a revolutionary security protocol which generates unlimited amounts of symmetric keying material between two geographically separated parties.Unlike conventional key distribution techniques, the security of QKD rests on the laws of quantum mechanics and not on computational complexity [1].In theory, these attributes make QKD well suited for high-security applications such as banking, government, and military environments.However, implementation non-idealities and practical engineering limitations in commercially viable QKD systems (i.e., those which balance cost, performance, and security towards affordability) can negatively impact system performance and security [2].For example, while commercial QKD systems often employ the decoy state protocol to mitigate vulnerabilities in non-ideal photon sources [3,4], its implementation security is poorly understood.Note, the decoy state protocol is well studied with respect to secure key rate generation (see background for details).
This work uniquely studies the decoy state protocol's implementation security in commercially viable QKD systems by modeling, simulating, and analyzing decoy state protocol configurations.The results of this study: (i) demonstrate the effectiveness of the several common decoy state enabled QKD system configurations to detect Photon Number Splitting (PNS) attacks; (ii) optimize the decoy state protocol to maximum quantum throughput; (iii) offer implementation security recommendations for QKD system designers and users; and (iv) present a repeatable methodology for analyzing the performance and security of QKD systems.This article is an extension of the Author's previous works [5][6][7][8][9].
This article is organized as follows: First, an introduction to QKD is provided with an emphasis on security vulnerabilities, the PNS attack, and the decoy state protocol.Note, Section 2 is intended for those unfamiliar with QKD and the decoy state protocol.If the reader is familiar with these protocols, they should proceed directly to the next Section.In Section 3, the research method is explained, including a comprehensive listing of fielded decoy state enabled QKD systems, the Researcher's experimental design, and the QKD system-level model.Section 4 details the decoy state protocol's ability to detect PNS attacks across 40 common decoy state protocol configurations.Next, an optimization of the protocol is presented and demonstrated through model and simulation.Lastly, several implementation security recommendations are offered.Section 5 presents conclusions and future work.For security specialists desiring to further understand QKD, please see [5,10,11].For comprehensive physics-based reviews of QKD, please see [1,4].

Quantum Key Distribution
The genesis of QKD traces back to the late 1960s, when Wiesner first proposed the idea of encoding information on polarized photons using two conjugate bases [12].In 1984, Bennett and Brassard extended this idea by introducing the first QKD protocol, known as "BB84", to generate shared secret keying material between two parties [13].Today, QKD is gaining attention as an important development in the cybersecurity solution space because of its ability to generate unlimited amounts of symmetric keying material for use with the One-Time-Pad (OTP)-the only known encryption algorithm to achieve perfect secrecy [14,15].In this way, QKD enables unbreakable communications and has inspired research efforts across Asia, Europe, and North America [16].While there are many competing QKD protocols, BB84 is primarily considered in this work because it remains a popular implementation choice and is relatively easy to understand [1].

The BB84 QKD Protocol
Figure 1 illustrates a notional QKD system configured to securely generate the secure shared key K, which is used to encrypt/decrypt sensitive data, voice, or video communications.The QKD system consists of a sender "Alice", a receiver "Bob", a quantum channel (i.e., an optical fiber or direct line of sight free space path), and a classical channel (i.e., a conventional networked connection).Alice is shown with a laser source configured to generate and prepare single photons, known as quantum bits or "qubits".The encoded photons are then transmitted over the quantum channel to Bob, whom measures them using specialized single photon detectors.This exchange of encoded single photons is described by the BB84 protocol.
This article is organized as follows: First, an introduction to QKD is provided with an emphasis on security vulnerabilities, the PNS attack, and the decoy state protocol.Note, Section 2 is intended for those unfamiliar with QKD and the decoy state protocol.If the reader is familiar with these protocols, they should proceed directly to the next Section.In Section 3, the research method is explained, including a comprehensive listing of fielded decoy state enabled QKD systems, the Researcher's experimental design, and the QKD system-level model.Section 4 details the decoy state protocol's ability to detect PNS attacks across 40 common decoy state protocol configurations.Next, an optimization of the protocol is presented and demonstrated through model and simulation.Lastly, several implementation security recommendations are offered.Section 5 presents conclusions and future work.For security specialists desiring to further understand QKD, please see [5,10,11].For comprehensive physics-based reviews of QKD, please see [1,4].

Quantum Key Distribution
The genesis of QKD traces back to the late 1960s, when Wiesner first proposed the idea of encoding information on polarized photons using two conjugate bases [12].In 1984, Bennett and Brassard extended this idea by introducing the first QKD protocol, known as "BB84", to generate shared secret keying material between two parties [13].Today, QKD is gaining attention as an important development in the cybersecurity solution space because of its ability to generate unlimited amounts of symmetric keying material for use with the One-Time-Pad (OTP)-the only known encryption algorithm to achieve perfect secrecy [14,15].In this way, QKD enables unbreakable communications and has inspired research efforts across Asia, Europe, and North America [16].While there are many competing QKD protocols, BB84 is primarily considered in this work because it remains a popular implementation choice and is relatively easy to understand [1].

The BB84 QKD Protocol
Figure 1 illustrates a notional QKD system configured to securely generate the secure shared key , which is used to encrypt/decrypt sensitive data, voice, or video communications.The QKD system consists of a sender "Alice", a receiver "Bob", a quantum channel (i.e., an optical fiber or direct line of sight free space path), and a classical channel (i.e., a conventional networked connection).Alice is shown with a laser source configured to generate and prepare single photons, known as quantum bits or "qubits".The encoded photons are then transmitted over the quantum channel to Bob, whom measures them using specialized single photon detectors.This exchange of encoded single photons is described by the BB84 protocol.the BB84 protocol as a prepare and measure protocol where Alice encodes photons in one of four polarization states (e.g., ↔, ↕, ⤢, or ⤡) according to a randomly selected bit

Alice Prepares Bob Measures Bit Basis Prepared State Basis Result
More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]), the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfect single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore, most QKD systems attenuate classical laser pulses down from millions of photons to weak coherent pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number (MPN) where is the average number of photons in a pulse (i.e., is the MPN) and represents the number of photons in the pulse (i.e., = 0, 1, 2, 3, … , N).For example, with a typical MPN, = 0.5, nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.

Alice Prepares Bob Measures Bit Basis Prepared State Basis Result
More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]), the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfect single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore, most QKD systems attenuate classical laser pulses down from millions of photons to weak coherent pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number (MPN) where is the average number of photons in a pulse (i.e., is the MPN) and represents the number of photons in the pulse (i.e., = 0, 1, 2, 3, … , N).For example, with a typical MPN, = 0.5, nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.

Photon Number Splitting (PNS) Attacks
) according to a randomly selected bit value (0 or 1) and basis (⊕ for the pair ↔, or ⊗ for the pair and do not contribute to the shared key string.

Alice Prepares Bob Measures Bit Basis Prepared State Basis Result
More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]), the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfect single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore, most QKD systems attenuate classical laser pulses down from millions of photons to weak coherent pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number where is the average number of photons in a pulse (i.e., is the MPN) and represents the number of photons in the pulse (i.e., = 0, 1, 2, 3, … , N).For example, with a typical MPN, = 0.5, nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.

Photon Number Splitting (PNS) Attacks
More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]) the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfec single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore most QKD systems attenuate classical laser pulses down from millions of photons to weak coheren pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number (MPN) where is the average number of photons in a pulse (i.e., is the MPN) and represents the number of photons in the pulse (i.e., = 0, 1, 2, 3, … , N).For example, with a typical MPN, = 0.5 nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.

Photon Number Splitting (PNS) Attacks
).Once Alice randomly prepares the photons, they are sent to Bob where he measures each photon using a randomly selected basis (⊕ or ⊗).If Alice's encoding and Bob's decoding bases match, the photon's bit value is read correctly with a high probability.Otherwise, a random result occurs (i.e., equal likelihood of a 0 or 1); this is due to the inherent uncertainty in the measurement of an unknown (i.e., a randomly encoded) single photon.Typically, these random results are "sifted" from Bob's recorded detections and do not contribute to the shared key string.
3 of 20 value (0 or 1) and basis (⊕ for the pair ↔, ↕ or ⊗ for the pair ⤢, ⤡).Once Alice randomly prepares the photons, they are sent to Bob where he measures each photon using a randomly selected basis (⊕ or ⊗).If Alice's encoding and Bob's decoding bases match, the photon's bit value is read correctly with a high probability.Otherwise, a random result occurs (i.e., equal likelihood of a 0 or 1); this is due to the inherent uncertainty in the measurement of an unknown (i.e., a randomly encoded) single photon.Typically, these random results are "sifted" from Bob's recorded detections and do not contribute to the shared key string.

Alice Prepares Bob Measures Bit Basis Prepared State Basis Result
More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]), the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfect single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore, most QKD systems attenuate classical laser pulses down from millions of photons to weak coherent pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number (MPN) is the average number of photons in a pulse (i.e., is the MPN) and represents the number of photons in the pulse (i.e., = 0, 1, 2, 3, … , N).For example, with a typical MPN, = 0.5, nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.value (0 or 1) and basis (⊕ for the pair ↔, ↕ or ⊗ for the pair ⤢, ⤡).Once Alice randomly prepares the photons, they are sent to Bob where he measures each photon using a randomly selected basis (⊕ or ⊗).If Alice's encoding and Bob's decoding bases match, the photon's bit value is read correctly with a high probability.Otherwise, a random result occurs (i.e., equal likelihood of a 0 or 1); this is due to the inherent uncertainty in the measurement of an unknown (i.e., a randomly encoded) single photon.Typically, these random results are "sifted" from Bob's recorded detections and do not contribute to the shared key string.

Alice Prepares Bob Measures Bit Basis Prepared State Basis Result
More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]), the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfect single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore, most QKD systems attenuate classical laser pulses down from millions of photons to weak coherent pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number (MPN) where is the average number of photons in a pulse (i.e., is the MPN) and represents the number of photons in the pulse (i.e., = 0, 1, 2, 3, … , N).For example, with a typical MPN, = 0.5, nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.value (0 or 1) and basis (⊕ for the pair ↔, ↕ or ⊗ for the pair ⤢, ⤡).Once Alice randomly prepares the photons, they are sent to Bob where he measures each photon using a randomly selected basis (⊕ or ⊗).If Alice's encoding and Bob's decoding bases match, the photon's bit value is read correctly with a high probability.Otherwise, a random result occurs (i.e., equal likelihood of a 0 or 1); this is due to the inherent uncertainty in the measurement of an unknown (i.e., a randomly encoded) single photon.Typically, these random results are "sifted" from Bob's recorded detections and do not contribute to the shared key string.

Alice Prepares Bob Measures Bit Basis Prepared State Basis Result
More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]), the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfect single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore, most QKD systems attenuate classical laser pulses down from millions of photons to weak coherent pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number (MPN) (1) where is the average number of photons in a pulse (i.e., is the MPN) and represents the number of photons in the pulse (i.e., = 0, 1, 2, 3, … , N).For example, with a typical MPN, = 0.5, nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.value (0 or 1) and basis (⊕ for the pair ↔, ↕ or ⊗ for the pair ⤢, ⤡).Once Alice randomly prepares the photons, they are sent to Bob where he measures each photon using a randomly selected basis (⊕ or ⊗).If Alice's encoding and Bob's decoding bases match, the photon's bit value is read correctly with a high probability.Otherwise, a random result occurs (i.e., equal likelihood of a 0 or 1); this is due to the inherent uncertainty in the measurement of an unknown (i.e., a randomly encoded) single photon.Typically, these random results are "sifted" from Bob's recorded detections and do not contribute to the shared key string.

Alice Prepares Bob Measures Bit Basis Prepared State Basis Result
More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]), the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfect single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore, most QKD systems attenuate classical laser pulses down from millions of photons to weak coherent pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number (MPN) where is the average number of photons in a pulse (i.e., is the MPN) and represents the number of photons in the pulse (i.e., = 0, 1, 2, 3, … , N).For example, with a typical MPN, = 0.5, nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.More specifically, the security of BB84 is based on the uncertainty principle where the measurement result is random when using two conjugate bases (i.e., ⊕ or ⊗) to prepare single photons [17].For example, during an intercept-resend attack anyone attempting to listen on the quantum channel must randomly select a measurement basis and will necessarily introduce detectable errors.These unavoidable errors increase the protocol's measured Quantum Bit Error Rate (QBER)-the ratio (or percent) of errors detected with respect to the total number of matched pulse detections-and if the QBER ever exceeds the protocol's security threshold (e.g., QBER > 11% [4]), the secret key distribution process is aborted (or restarted) as it is assumed an eavesdropper is active on the quantum channel.This is because all errors on the quantum channel are attributed to adversarial interference.

Vulnerabilities in Protocol Implementation
BB84 security proofs assume several idealities, including perfect on-demand single photon sources, lossless quantum transmission, perfect transmitter-receiver basis alignment, and perfect single photon detection [18].However, these security assumptions are not valid when building real-world systems which deviate from theoretical protocols [2].For example, reliable on-demand single photon sources are not currently available nor are they expected in the near term [1].Therefore, most QKD systems attenuate classical laser pulses down from millions of photons to weak coherent pulses with an average photon number less than one.More specifically, the number of photons contained in the pulse is represented using a Poisson distribution with a low (i.e., <1) Mean Photon Number (MPN) where µ is the average number of photons in a pulse (i.e., µ is the MPN) and n represents the number of photons in the pulse (i.e., n = 0, 1, 2, 3, . . ., N).For example, with a typical MPN, µ = 0.5, nearly 60% of the pulses have zero photons, 30% of the pulses have one photon, and 9% of the pulses have two or more photons.This means nearly 23% of the non-empty pulses emitted by Alice are non-ideal multiphoton pulses which leak information about the "unconditionally secure" QKD-generated secret key to eavesdroppers.This introduces a significant security vulnerability into the QKD protocol.

Photon Number Splitting (PNS) Attacks
The PNS attack is a powerful attack designed to take advantage of the multiphoton vulnerability in order to obtain a full copy of Alice and Bob's shared secret key bits without introducing errors and thus increasing the QBER [19,20].A brief introduction to the PNS attack is given here, with a detailed, yet easily understandable engineering-oriented explanation available in [9].
Figure 2 provides a simplified depiction of the eavesdropper "Eve" conducting a PNS attack against the QKD system (i.e., Alice and Bob).In accordance with QKD security proofs, Eve is an all-powerful adversary limited only by the laws of quantum mechanics [4].She is allowed full control of the quantum channel to introduce losses or errors and may eavesdrop on, but not fabricate, messages exchanged on the classical channel.In order to conduct the PNS attack, Eve replaces the quantum channel with a quantum teleportation channel which enables the lossless transmission of photons from Alice to Bob using the properties of entangled quantum systems [21].An Eve entity is also required in close proximity to Bob to regulate the lossless transmission of photons as to not exceed Bob's expected detection rate; thus, avoiding obvious detection.
in order to obtain a full copy of Alice and Bob's shared secret key bits without introducing errors and thus increasing the QBER [19,20].A brief introduction to the PNS attack is given here, with a detailed, yet easily understandable engineering-oriented explanation available in [9].
Figure 2 provides a simplified depiction of the eavesdropper "Eve" conducting a PNS attack against the QKD system (i.e., Alice and Bob).In accordance with QKD security proofs, Eve is an allpowerful adversary limited only by the laws of quantum mechanics [4].She is allowed full control of the quantum channel to introduce losses or errors and may eavesdrop on, but not fabricate, messages exchanged on the classical channel.In order to conduct the PNS attack, Eve replaces the quantum channel with a quantum teleportation channel which enables the lossless transmission of photons from Alice to Bob using the properties of entangled quantum systems [21].An Eve′ entity is also required in close proximity to Bob to regulate the lossless transmission of photons as to not exceed Bob's expected detection rate; thus, avoiding obvious detection.
For each pulse Alice generates, Eve performs a specialized Quantum Non-Demolition (QND) measurement to determine the number of photons in each pulse  = 0, 1, 2, 3, … , N [22].If  ≤ 1, Eve blocks the pulse and sends nothing to Bob.If  ≥ 2, Eve splits one photon from the pulse and stores it in her quantum memory.She then quantum teleports the remaining n − 1photons to Bob.This attack scheme allows Eve to store an identical encoded copy of each photon sent to Bob without introducing additional errors (which are typically used for detecting eavesdroppers).Once Alice and Bob complete their quantum exchange, they must announce measurement basis information over the classical channel where Eve is able to listen.Eve can then correctly measure each stored photon, and thus, obtain a complete copy of the QKD-generated "secure" key bits.

The Decoy State Protocol
In 2003, the decoy state protocol was introduced to detect PNS attacks [23].It was quickly improved upon in a series of works [24][25][26][27][28]; and is now widely employed in commercially viable QKD systems such as Toshiba's record holding system [29] and the world's largest QKD network [30].In particular, the decoy state protocol is advantageous as it is relatively easy to implement (low cost), increases the system's distributed secret key rate (high performance), and mitigates the PNS attack (improves implementation security).Note, while the decoy state protocol is designed to detect PNS attacks, other QKD protocols are not vulnerable to the attack (e.g., Continuous Variable or Measurement-Device Independent [1]); however, despite recent advances of alternative protocols, the decoy state protocol continues to be the most cost effective and practical to implement.For each pulse Alice generates, Eve performs a specialized Quantum Non-Demolition (QND) measurement to determine the number of photons in each pulse n = 0, 1, 2, 3, . . ., N [22].If n ≤ 1, Eve blocks the pulse and sends nothing to Bob.If n ≥ 2, Eve splits one photon from the pulse and stores it in her quantum memory.She then quantum teleports the remaining n − 1 photons to Bob.This attack scheme allows Eve to store an identical encoded copy of each photon sent to Bob without introducing additional errors (which are typically used for detecting eavesdroppers).Once Alice and Bob complete their quantum exchange, they must announce measurement basis information over the classical channel where Eve is able to listen.Eve can then correctly measure each stored photon, and thus, obtain a complete copy of the QKD-generated "secure" key bits.

The Decoy State Protocol
In 2003, the decoy state protocol was introduced to detect PNS attacks [23].It was quickly improved upon in a series of works [24][25][26][27][28]; and is now widely employed in commercially viable QKD systems such as Toshiba's record holding system [29] and the world's largest QKD network [30].In particular, the decoy state protocol is advantageous as it is relatively easy to implement (low cost), increases the system's distributed secret key rate (high performance), and mitigates the PNS attack (improves implementation security).Note, while the decoy state protocol is designed to detect PNS attacks, other QKD protocols are not vulnerable to the attack (e.g., Continuous Variable or Measurement-Device Independent [1]); however, despite recent advances of alternative protocols, the decoy state protocol continues to be the most cost effective and practical to implement.
As described by Ma et al., the decoy state protocol extends the BB84 protocol by configuring Alice to randomly transmit three types of pulses: (1) Signal; (2) Decoy; and (3) Vacuum, as described in Table 2 [25].Thus, Alice randomly generates signal, decoy, and vacuum pulses according to their prescribed occurrence percentages and respective MPNs where the state of each pulse must be indistinguishable to Eve (i.e., identical pulse shape, wavelength, duration, etc.) in order to maintain integrity of the security protocol.Eve cannot know a priori the type of pulse received during quantum exchange, the only information available to her is each pulse's specific number of photons n = 0, 1, 2, 3, . . ., N which she determines using her QND measurement.

Signal µ
The signal state is used to generate secret key and facilitates improved performance by using a higher MPN (i.e., 0.5 is greater than the value 0.1 typically employed in non-decoy state protocol QKD systems).

70% Decoy ν
The decoy state is used to increase the likelihood of detecting unauthorized eavesdropping on the quantum channel through statistical differential analysis with the signal state.

20%
Vacuum Y 0 The vacuum state is used to determine the noise on the quantum channel known as the "dark count" (i.e., detections when no photons are sent).

Unconditionally Secure Key Generation
While the decoy state protocol was introduced to detect PNS attacks, to date it has been primarily used to increase unconditionally secure key rates.More specifically, decoy state research has focused on understanding and bounding Alice's single photon generation rate, Q 1 , as it pertains to the secret key generation rate R [25].
where q is the protocol efficiency (e.g., <1), Q 1 is the estimated single photon contribution, e 1 is the estimated error rate of single photon detections, Q µ is the signal state gain, E µ is the signal state QBER, f E µ is the error reconciliation efficiency, and H 2 ({E µ , e 1 }) is Shannon's binary information function [15].In a general sense, the positive contribution of Equation (2) accounts for pulses emitted by Alice containing a single photon (i.e., Q 1 )-those which can contribute to the QKD-generated "unconditionally secure" key rate R, while the negative contribution accounts for insecure multi-photon pulses and errors which are also consider insecure contributions [25].More specifically, the parameters of Equation (2) are described in Table 3.For a more detailed, yet readily accessible discussion of these parameters, please see [7].For more comprehensive treatments, please see the references listed below.

Parameter Description q
The protocol efficiency represents the overall efficiency of the QKD protocol (e.g., q < 1).For example, in the classical BB84 protocol shown in Table 1, 50% of the detections will be sifted out because of Bob's random choice of basis measurement.
The estimated gain of pulses emitted by Alice with one photon (i.e., the single photons prepared by Alice and successfully measured by Bob).This value is typically calculated (or bounded) by several operational parameters such as, ν, Q µ , and Y 0 .
The estimated error rate associated with pulses emitted by Alice with a single photon.This value is typically calculated (or bounded) by several operational parameters such as, ν, E µ , Q µ and Y 0 .

Q µ
The gain of the signal state is calculated from system measurements, where H 2 e 1 , E µ Uncertainty in the error rate e 1 or E µ is calculated using Shannon's binary entropy limit [15].
In their 2005 work, Ma et al. optimized the single photon generate rate Q 1 while simultaneously bounding the error rates e 1 and E µ to maximize the secure key rate R [25].More specifically to the decoy state protocol configuration, this optimization results in recommend signal and decoy state MPNs of µ ∼ = 0.5 and ν ∼ = 0.1 because of implementation limitations in classical laser sources (as described in Section 2.2) [25].Following this seminal work, many others have studied this optimization problem to more fully understand and bound the single photon estimate Q 1 , the negative impact of associated error rates e 1 and E µ , and expected fluctuations in commercially available laser sources [31][32][33][34][35][36][37][38][39][40].Additionally, considerations for finite key size statistics (i.e., limitations due to the number of detections) have been carefully investigated by others [28,[41][42][43].Here, we also note a recent work that benchmarks secret key rates over ideal quantum communication channels to include the decoy state protocol [44].In addition to these works, several practically-oriented experimental demonstrations have been accomplished as detailed in Table 4 (discussed in Section 3).

Detecting PNS Attacks
The decoy state protocol is designed to detect PNS attacks by comparing the signal and decoy states during quantum exchange, and specifically, the photon number dependent yields of the signal state Y signal n , the decoy state Y decoy n , and the expected yield Y expected n are compared in the security condition [24]. is calculated (or estimated) from a known quantum channel efficiency η.
where Y 0 is the measured dark count rate and η n = 1 − (1 − η) n is the photon number specific efficiency based on the number of photons, n, in each pulse and the measured quantum efficiency η.Note, the joint probability Y 0 η n is typically disregarded because it is insignificant compared to Y 0 and η n .As indicated by Equation (3), under normal operational conditions (i.e., when no PNS attacks are occurring), the signal and decoy state yields should be the same as the expected photon number dependent yield; for example, . This security condition should always be true for a decoy state enabled QKD architecture because the signal and decoy state yields are primarily based on the fixed quantum efficiency η and not the state type.If ever , an eavesdropper is assumed to be actively listening on the key distribution channel and the secret key is considered compromised.While [24] also proposes an error-based condition e signal n = e decoy n = e expected n , it is not considered in this work since the PNS attack does not introduce errors [19].

Research Methodology
Table 4 provides a comprehensive listing of practically-oriented decoy state enabled systems and experiments.With respect to signal and decoy state MPNs, there is relatively little consistency or adherence to Ma and coworkers' 2005 work where they proved the optimal signal state MPN ∼ = 0.5 and decoy state MPN ∼ = 0.1 [25].Similarly, there is considerable disparity in the protocol occurrence percentages with signal states ranging from 50% to ~99%, decoy states ranging from <1% to 40%, and vacuum states ranging from 0% to 25%.Note, while these experimental MPN parameters differ from those proposed by Ma et al., such discrepancies do not indicate that the Ma et al. security model is inappropriate.Furthermore, such differences may be due to differences in system architectures such as end-to-end losses (e.g., channel loss, insertion loss, detection efficiencies, etc.), security bounds, and post-processing techniques.
Despite the decoy state protocol's wide-spread employment, its effectiveness in detecting PNS attacks has not been thoroughly addressed in the literature.For example, in his defining work on the decoy state protocol, Lo states "Any attack by Eve that will change the value of any one of the Y n 's and e n 's substantially will, in principle, be caught with high probability by our decoy state method" [24].Likewise, in the most detailed treatment available on detecting PNS attacks, the author merely states "significant deviation of the measured ratio from this expected value indicates a PNS by Eve" [45].Thus, we desire to study the decoy state QKD system's ability to detect PNS attacks through model and simulation.

Problem Formulation and Research Questions
As the decoy state protocol is often employed in high performance QKD systems, and particularly the most impressive technology demonstrations to date (in terms of delivered key rate [29] and network size [30]), there is a need to understand the protocol's ability to detect PNS attacks more fully.Moreover, it is important for system developers and users to understand how the protocol can be optimized to maximize both quantum throughput for secret key generation and detect PNS attacks with high confidence.Therefore, it is desirable to address the following research questions: (1) How do the signal and decoy state MPN values affect the system's ability to detect PNS attacks?(2) How does the difference between the signal and decoy state MPN values affect the system's ability to detect PNS attacks?(3) How do the signal, decoy, and vacuum state occurrence percentages affect the system's ability to detect PNS attacks?(4) How does variation in the generation and detection of signal and decoy states affect the system's ability to detect PNS attacks?(5) How does propagation distance (i.e., loss) affect the system's ability to differentiate between normal behavior and physical disturbances indicative of PNS attacks?

Experimental Design
From the comprehensive listing of decoy state configurations captured in Table 4, and detailed understanding of the decoy state protocol, five experimental factors are identified as shown in Table 5.First, operational distances of 20 and 50 km are selected to represent common metropolitan network lengths and long-haul backbone links.For those not familiar with quantum communication, losses of ~0.2 dB per km in single mode fiber significantly limit propagation distances where 20 km equates to 4 dB loss (or 40% efficiency) and 50 km equates to 10 dB loss (or 10% efficiency) [1].Next, signal and decoy MPNs representative of normal and high configurations are chosen for examination, 0.5 and 0.8 respectively.As the main focus of this study, five occurrence percentage configurations are selected for analysis.Lastly, each treatment is examined during normal conditions and when subject to PNS attacks in order to baseline the QKD system's performance and ability to detect PNS attacks.Note, the decoy state protocol does not prevent the attack, it merely detects it.All other design and configuration settings are held constant (described in Section 3.3).For this study, a full factorial design was selected, as it is relatively easy to simulate all 80 treatments once the experimental factors are well understood.In order to characterize the modeled system's behavior well across all 80 configurations and make statistically significant conclusions, 1000 simulation runs were executed for each treatment using the DoD's High Performance Computing Modernization Program at Wright-Patterson Air Force Base.In particular, the model was packaged as a single executable application with a series of command line parameters, to account for the design of Table 5, and executed in parallel over 1024 cores for a total of 80,000 simulation runs for a total of nearly 200,000 h of processor time.
Regarding this experimental design, it is important to note that 20 km does not necessarily provide a sufficient loss budget for Eve to conduct PNS attacks without negatively impacting Bob's expected detection rate [59].This is because Eve introduces loss on the quantum channel as she blocks all the single photon pulses sent by Alice.For example, Eve introduces ~7.4 dB loss against an MPN of 0.5, whereas the 20 km link only provides a ~4 dB loss budget for Eve to take advantage of with her lossless quantum teleportation channel.Despite this constraint, analyzing the decoy state protocol's ability to detect PNS attacks at this distance is desirable because many implementations have operational distances of 15-25 km as noted in Table 4.Moreover, if Eve is able to insert herself on the quantum channel before protocol calibration, her presence would go unnoticed with respect to loss and key rate.

Research Model
The research model (i.e., Alice, Bob, Eve, communication channels, and their supporting optical components) is described in detail in [6,7,9]; thus, this section merely provides an overview of the model and its most important configuration parameters.The research model was developed in a discrete event simulation framework specifically designed to study the impact of security and performance implementation non-idealities in QKD systems, algorithms, and protocols [6].For example, performance and security limitations with respect to speed, accuracy, and environmental disturbances are captured in Alice's modeled laser source, decoy state generator, pulse modulator, quantum channel, and Avalanche Photo-Diode (APD) detectors.The decoy state enabled BB84 QKD model was developed in three increments each with increasing capability.The first increment provided a hardware-focused QKD notional architecture built in a modular fashion from a library of optical and electro-optical components with probabilistic weak coherent optical pulses [6].The second increment added the processes and logic required to execute the decoy state protocol [7,60].In the third increment, the behaviors of several modeled components were extended to properly handle the propagation of photon number specific representations of optical pulses (i.e., Fock states) and the PNS attack was fully implemented [9].Throughout model development, considerable effort was spent thoroughly defining, decomposing, modeling, verifying, and validating the decoy state enabled QKD model with each optical component verified against commercial specifications (see Appendix of [6,61]).Additionally, the model was validated against eight fielded QKD systems [7] with additional modeling and simulation details presented in Section 4.
In this study, Alice is configured to generate signal, decoy, and vacuum pulses according to the decoy state protocol and BB84 polarization based prepare and measure modulation scheme as described in Section 2. In particular, Alice is programmed to randomly prepare signal, decoy, and vacuum pulses according to the user's prescribed occurrence percentages at a 5 MHz pulse rate with commercially representative laser fluctuations (see Section 4.2 for details).Alice then transmits the prepared pulses through the appropriate 20 or 50 km quantum channel, which has 4 or 10 dB loss respectively with induced physical disturbances which may cause the pulse's polarization to change over time.In accordance with the polarization based prepare and measure scheme, Bob's model includes beam splitters, polarizing beam splitters, a bandpass filter for a total of 3.5 dB loss.Most importantly, Bob contains models of commercially available APD detectors each configured with 10% detector efficiency, a 5 × 10 −6 dark count rate (spontaneous detections when no photons are present), and a 0.01 after pulse rate (erroneous detections following a successful detection).
The research model allows users and developers to more easily (and collectively) study performance and security considerations of the decoy state protocol configurations as presented in Table 4 than when compared to building hardware implementations.Additionally, the model allows security analysts to uniquely study the security profile of decoy state enabled QKD systems in ways that are difficult or impossible with conventional means.For example, the model enables detailed analysis of the PNS attack using a hardware-focused representation-something that cannot yet be fully realized with current technologies [19,20].In this way, the model allows for detailed traceability of each multiphoton pulse generated by Alice, split by Eve, and detected by Bob.Thus, the security analyst is able to explicitly know which weak optical pulses are compromised yet contribute to the QKD-generated secret key bits.

Analysis of Results
In this section, the decoy state protocol's ability to detect PNS attacks is examined.First, the efficiency based method of detecting PNS attacks is explained, including expected operational variations from non-ideal optical components and processes.Next, simulation results for several common decoy state protocol configurations are described.Based on these results, an optimization of the decoy state protocol is presented and demonstrated.Lastly, implementation security guidance is offered for decoy state enabled QKD systems.

Detecting PNS Attacks
Despite the creativeness of Eve's PNS attack, her detectability is based on the decoy state protocol's ability to differentiate between subtle changes in the signal and decoy states.In lieu of comparing photon number dependent yields which can be statically bounded or directly measurable using expensive Photon Number Resolving (PNR) detectors [62], this work utilizes the efficiency based security condition which provides a direct measurement in a cost-conscience QKD system implementation [8].
where η signal is the signal state efficiency and η decoy is the decoy state efficiency.The efficiency based decoy state security method directly compares the signal and decoy state efficiencies from readily available measurements instead of requiring advanced technologies.The signal (and decoy) state efficiency is defined as where Y 0 is the system's measured dark count rate defined as Y 0 = Number of vacuum state detections Number of vacuum state pulses sent (7) and Q µ is the measured signal state gain defined as and µ is the signal state's prescribed MPN (typically 0.5).This method also allows the QKD system to assure the quantum channel is free from unwanted attacks without a priori knowledge such as a well-characterized quantum channel as required in prior art.

Expected Variation in the Decoy State Protocol
Due to non-ideal devices, physical disturbances, and probabilistic single photon sources, variations are expected in the protocol's operation.These variations directly impact the system's ability to detect PNS attacks and must be accounted for, thus, the security condition becomes where ∆ represents the protocol's expected variation during quantum exchange.Variation in the decoy state efficiency is primarily considered because it exhibits significantly more variation than the signal state due to its reduced occurrence percentage and lower MPN.While there are many potential sources of variation (e.g., fluctuations in laser sources, polarization dependent losses, variations in decoy state MPNs, temperature changes, physical disturbances, unstable detector efficiencies, etc.), many of them can be ignored due to the rapid propagation of photons through optical fiber (i.e., 2/3 the speed of light ≈2 × 10 8 m/s).More explicitly, quantum exchange rounds (i.e., 100,000 signal state detections [63]) are typically very short (e.g., <20 × 10 −3 s) and many of these effects are orders of magnitude slower (e.g., temperature change due to direct sunlight).Thus, Alice's pulse-to-pulse variation is of primary interest, and specifically, variation in her laser source (e.g., a commercially available id300 pulsed laser [64]) and decoy state generator (e.g., an electronically controlled Variable Optical Attenuator (VOA) used to control the MPN of each signal, decoy, and vacuum pulse [65]).
Figure 3 illustrates Alice's modeled variation when calibrated to produce weak coherent optical pulses with an MPN of 0.55.Because of the large number of pulses, the 99.9% Prediction Interval (PI) characterizes her expected MPN variation well.This means Alice will generate pulses with an MPN between 0.49 and 0.61 nearly 100% of the time.Thus, variations in generating signal, decoy, and vacuum pulses should be expected and addressed when considering the effectiveness of the decoy state protocol in detecting PNS attacks.

Studying Detection Results
Figure 4 illustrates the normal operating conditions for 20 configurations over an operational distance of 50 km (the 20 km results are not shown because they are very similar).The results are grouped with respect to signal and decoy MPNs with each treatment labeled across the bottom of the graph by signal-decoy-vacuum occurrence percentages (e.g., 60-30-10 means 60% signal states, 30% decoy states, and 10% vacuum states).The overlapping box plots imply   =   ; thus, the system is operating in a secure state.Of note, variation in the signal state remains relatively fixed, while variation in the decoy state increases as the occurrence percentage lessens from 30% to 0.5%.Likewise, the lower MPN (i.e., 0.1 compared to 0.2) results in slightly more variation in each configuration.This occurs because less decoy states are sent by Alice, and therefore, detected by Bob, causing more variation.In all 40 configurations studied without PNS attacks at both 20 and 50 km, the signal and decoy state efficiencies are overlapping with no statistically significant differentiation.
Figure 5 illustrates results over the 50 km operational distance from 20 configurations when subject to PNS attacks (the 20 km results are not shown because they are very similar).For each configuration studied, there is a clear separation between the decoy state efficiencies and the signal state efficiencies.This is because Eve inadvertently blocks most of the decoy state pulses since the majority of them contain only a single photon due to its lower MPN.Conversely, relatively few signal state pulses are blocked since the higher MPN generates more multi-photon pulses.Thus, Eve significantly reduces the decoy state efficiency.This behavior is precisely why the decoy state protocol requires two different MPNs in otherwise indistinguishable states (i.e., Eve is unaware of the pulse type she is acting upon, since any of the pulses (signal, decoy, or vacuum) could consist of 0, 1, or ≥2 photons).Additionally, as can be seen in the downward trending efficiencies, these

Studying Detection Results
Figure 4 illustrates the normal operating conditions for 20 configurations over an operational distance of 50 km (the 20 km results are not shown because they are very similar).The results are grouped with respect to signal and decoy MPNs with each treatment labeled across the bottom of the graph by signal-decoy-vacuum occurrence percentages (e.g., 60-30-10 means 60% signal states, 30% decoy states, and 10% vacuum states).The overlapping box plots imply η signal = η decoy ; thus, the system is operating in a secure state.Of note, variation in the signal state remains relatively fixed, while variation in the decoy state increases as the occurrence percentage lessens from 30% to 0.5%.Likewise, the lower MPN (i.e., 0.1 compared to 0.2) results in slightly more variation in each configuration.This occurs because less decoy states are sent by Alice, and therefore, detected by Bob, causing more variation.In all 40 configurations studied without PNS attacks at both 20 and 50 km, the signal and decoy state efficiencies are overlapping with no statistically significant differentiation.
Figure 5 illustrates results over the 50 km operational distance from 20 configurations when subject to PNS attacks (the 20 km results are not shown because they are very similar).For each configuration studied, there is a clear separation between the decoy state efficiencies and the signal state efficiencies.This is because Eve inadvertently blocks most of the decoy state pulses since the majority of them contain only a single photon due to its lower MPN.Conversely, relatively few signal state pulses are blocked since the higher MPN generates more multi-photon pulses.Thus, Eve significantly reduces the decoy state efficiency.This behavior is precisely why the decoy state protocol requires two different MPNs in otherwise indistinguishable states (i.e., Eve is unaware of the pulse type she is acting upon, since any of the pulses (signal, decoy, or vacuum) could consist of 0, 1, or ≥2 photons).Additionally, as can be seen in the downward trending efficiencies, these responses are tempered by the protocol's occurrence percentages and Eve's gain matching.In the 40 configurations considered at both 20 and 50 km distances, the PNS attack was successfully detected in all 40,000 trials (i.e., 1000 trials in each of the 40 PNS attack configurations simulated).For example, in the worst case scenario, when the signal and decoy state MPNs are closest (0.5 and 0.2) with the least amount of decoy states (99% signal, 0.5% decoy, and 0.5% vacuum) and    In the 40 configurations considered at both 20 and 50 km distances, the PNS attack was successfully detected in all 40,000 trials (i.e., 1000 trials in each of the 40 PNS attack configurations simulated).For example, in the worst case scenario, when the signal and decoy state MPNs are closest (0.5 and 0.2) with the least amount of decoy states (99% signal, 0.5% decoy, and 0.5% vacuum) and In the 40 configurations considered at both 20 and 50 km distances, the PNS attack was successfully detected in all 40,000 trials (i.e., 1000 trials in each of the 40 PNS attack configurations simulated).For example, in the worst case scenario, when the signal and decoy state MPNs are closest (0.5 and 0.2) with the least amount of decoy states (99% signal, 0.5% decoy, and 0.5% vacuum) and the most loss (10 dB loss over the 50 km channel), there is very strong statistical evidence that the PNS attack will be detected because η signal = η decoy ± ∆.More specifically, based on 1000 simulations in the worst case configuration, the decoy state enabled QKD system has less than one in a thousand chance of not detecting the attack with a low probability of p < 0.001.These results demonstrate the decoy state protocol's ability to detect PNS attacks across a wide set of commonly implemented configurations to include when the decoy state intensity is very weak and the occurrence percentage is very small.Moreover, these results illustrate that the protocol can be further optimized with respect to the signal and decoy state occurrence percentages to maximize quantum throughout on the signal state as identified by the large "white space" between the signal and decoy states efficiencies in Figure 5 for even the most stringent configurations (when the occurrence percentages are: 99% signal, 0.5% decoy, and 0.5% vacuum).

Optimization for Performance and Security
While the decoy state protocol has been optimized with respect to MPNs contributing to secret key distribution [25], the signal and decoy state occurrence percentages have not been optimized for maximizing quantum throughout while simultaneously detecting PNS attacks with high confidence.Hence, we provide an optimization which assures high security confidence and allows the protocol's performance to be maximized based on a detailed study of signal and decoy state MPNs and occurrence percentages, as well as, design decisions and architectural considerations.
From this study, we learn that the protocol's ability to detect PNS attacks is primarily controlled by losses due to each state's occurrence percentage, MPN, and the end-to-end quantum communication path.More specifically, to detect PNS attacks in real-time with high confidence only a few decoy state detections are necessary during each round of quantum exchange (i.e., a predetermined number of detections).For example, the decoy state protocol can be configured to perform the PNS attack check after each round of 100,000 detections.Furthermore, we learn that an arbitrarily high level of confidence (e.g., >99.9%) is possible because statistical confidence is increased through multiple rounds of quantum exchange and not the number of decoy state detections per round.Note this optimization is meant to maximize quantum throughput and requires that other secret key rate estimations such as Q 1 and e 1 for Equation (2) be derived from dedicated, periodic calibration runs.
In order to optimize the decoy state protocol, the developer should choose the highest signal state occurrence percentage possible, while meeting the minimum number of decoy state detections to reliably detect PNS attacks (i.e., choose the minimal decoy occurrence percentage possible).Assuming the suggested MPNs of Ma et al. are used (µ = 0.5, ν = 0.1) [25], the optimized decoy state protocol configuration can be described in a system of equations.First, the signal state occurrence percentage S µ should be as a close to unity as possible where S µ is limited by the decoy and vacuum state occurrence percentages S ν , S Y 0 , respectively Accordingly, it is advantageous to minimize both S ν and S Y 0 ; however, the decoy state occurrence percentage S ν must be high enough to effectively differentiate between noise on the quantum channel and a PNS attack where the decoy state gain Q ν must exceed the system's measured dark count rate Y 0 .
This condition implies at least one decoy state detection N ν per round of quantum exchange which is not due to a dark count (i.e., a signal to noise ratio >1).
Thus, the optimized decoy state configuration can be further clarified For a given architecture, the optimized decoy state protocol can be determined from the minimum number of decoy state detections N ν , the desired number of signal state detections N µ , the signal and decoy state gains Q µ , Q ν , and their occurrence percentages S µ , S ν where ) While the necessary parameters for optimization are readily available, in order maximize performance the system's architecture must be well-characterized in the desired operational environment.This is because the decoy state protocol is being configured to operate at its minimum threshold and is extremely sensitive to implementation non-idealities and performance variations to include Alice's ability to generate weak coherent pulses, losses in the quantum channel, physical disturbances, detector efficiency, and particularly the system's operational dark count rate.

Example Optimization
In this section, an optimization of a fielded decoy state enabled QKD system is demonstrated.As one of the most well documented decoy state protocol implementations and a major milestone in the world's largest QKD network, Chen and coworkers' work lends itself well to detailed analysis [55].The protocol's configuration is provided in Table 6.

Protocol Configuration Operational Results
S µ = 0.75 η = 0.00985 Assuming N µ = 100, 000 detections per quantum exchange and an arbitrarily small vacuum state occurrence percentage S Y 0 = 0.005, the decoy state protocol occurrence percentages can be optimized to S µ = 0.99435, S ν = 0.00065 using the approach described in Equations ( 9)-( 16).This optimized configuration is particularly advantageous as it results in a >30% increase in key rate (i.e., a signal state occurrence percentage 99.435%instead of 75%) and the ability to detect PNS attack with 99.9% confidence at no additional cost.This optimization accounts for expected real-world variations in the source but does not account for significant disturbances in the quantum channel which would quickly eliminate the ability to reliably perform QKD regardless of the decoy state configuration.
Figure 6 presents detailed results of the optimized protocol while operating under normal conditions and when subject to PNS attacks.Shown on the left, during normal operations the signal and decoy state efficiencies (blue and red) overlap as expected.Shown in the middle, PNS attacks cause the signal and decoy state efficiencies (green and purple) to become non-overlapping.In particular, since the protocol is configured to operate with a minimum number of decoy state detections, the PNS attack reduces the decoy state from a small number of detections to zero during nearly every round of quantum exchange.This results in a reported decoy state mean efficiency of 0.000 with relatively little variation (see Figure 7 for further details).Consequently, the optimized decoy state protocol configuration serves to emphasize the negative impact of the PNS attack by forcing the decoy state's efficiency below the measured dark count rate (shown in brown with a detailed inlay) because so few decoy state detections are expected per round of quantum exchange.Figure 7 displays the number of decoy state detections per round of quantum exchange during normal operations (shown in green) and when subject to PNS attacks (shown in red).During normal operations, the optimized configuration results, shown in green, demonstrate at least one decoy state detection per 100,000 detections and a mean of nine detections.Conversely, as shown in red, very few decoy state detections are expected during PNS attacks.Detections occur in only 134 out of the 1000 rounds of quantum exchange, which constitute statistical outliers.In terms of efficiency, the mean decoy state efficiency is 0.0096 during normal operations (shown in red in Figure 6) and drops to 0.0013 (shown in purple in Figure 6) during PNS attacks.As a result, the PNS attack is readily detectable with a high statistical confidence of (i.e., >99.9% or p < 0.001) when considering 1000 rounds of quantum exchange with a total of 100,000 detections per round.
While the decoy state occurrence percentage S ν can be further reduced, statistical significance begins to diminish because the number of decoy state detections per round of quantum exchange approaches zero during normal operations.Moreover, as the occurrence percentage is further reduced the protocol's integrity is jeopardized as the decoy state gain must be larger than the system's dark count rate (i.e., Q ν > Y 0 ).

Implementation Recommendations
In addition to the protocol optimization described above, this research effort brought to our attention several design and implementation recommendations for commercially viable QKD systems.While these recommendations are not entirely new or novel, they are important to highlight for QKD performance, implementation security, and potentially formal certification efforts.
(1) Upon system startup, the decoy state protocol should be configured to quickly perform initial security checks to ensure the quantum channel is free from PNS attacks.For example, 1000 rounds of quantum exchange can be executed in a relatively short amount of time during initial calibration activities.
(2) Configure the decoy state protocol to continuously monitor for PNS attacks in real-time and over several rounds of quantum exchange to increase confidence in the system's security.(3) The noise level (i.e., the dark count rate) should be measured during dedicated calibration activities with very large numbers of vacuum signals (e.g., ≥10 9 ) intermixed with signal and decoy states to well-characterize the operational environment and system architecture.(4) During operation, the dark count rate should be compared to the calibration results in order to detect changes in the operational environment such as temperature changes or additional physical disturbances.(5) Minimize the vacuum state occurrence percentage but do not eliminate it.The state can be used as an indicator to monitor for attacks such as the blinding attack [66].
Additionally, while Ma and coworkers' work optimized the signal state MPN at ~0.5, users may want to consider higher signal state MPNs such as those successfully demonstrated in the world's largest QKD network (i.e., µ = 0.65) [30].Moreover, past work on the subject recommends MPNs on the order of 1.0-1.2based on pragmatic technical assumptions [67].

Conclusions
In this study, the ability of the decoy state enabled QKD systems to detect PNS attacks is analyzed and demonstrated.In contrast to most decoy state protocol research which focus on decoy state security bounds and estimates, this work focuses on the protocol's occurrence percentages to both maximize signal state quantum throughput and assure PNS attacks are detectable with high confidence.Additionally, practical implementation performance and security guidance is provided for system developers and users.Lastly, this work demonstrates a repeatable methodology for studying QKD system implementation security to support formal certification efforts [68].
Future suggested work includes optimization of the decoy state protocol in a fielded QKD system along with a detailed study of how the recommended occurrence percentages should be balanced with other constraints such as the need for bounded error rates.Additionally, in terms of validating the proposed decoy state configuration's ability to detect PNS attacks, a decoy state enabled QKD system should be tested against PNS-like attacks (see [20] for an example), since it is currently impossible to build a fully functional PNS attack.Lastly, the author recommends continued emphasis on studying QKD implementation security issues towards formal certification of decoy state enabled systems as they remain the most commercially viable option in the near future (especially when considering practical issues such as distance limitations and delivered key rates).

Figure 1 .
Figure 1.This is a Quantum Key Distribution (QKD) system context diagram.The sender "Alice" and receiver "Bob" generate shared secret key  for use in data encryption/decryption.Reproduced with permission from [9], Copyright IEEE, 2016.

Figure 1 .
Figure 1.This is a Quantum Key Distribution (QKD) system context diagram.The sender "Alice" and receiver "Bob" generate shared secret key K for use in data encryption/decryption.Reproduced with permission from [9], Copyright IEEE, 2016. ⊗1

Figure 2 .
Figure 2. The eavesdropper (Eve and Eve′) is shown conducting a Photon Number Splitting (PNS) attack against the QKD system (Alice and Bob).Adapted with permission from [9], Copyright IEEE, 2016.

Figure 2 .
Figure 2. The eavesdropper (Eve and Eve ) is shown conducting a Photon Number Splitting (PNS) attack against the QKD system (Alice and Bob).Adapted with permission from [9], Copyright IEEE, 2016.

where Y n
represents the conditional probability that Bob detects a pulse given Alice sent an n-photon pulse.Ideally,

Figure 3 .
Figure 3. Variation in weak coherent pulse Mean Photon Number (MPN) emitted from Alice's modeled laser due to expected fluctuations and performance limitations in the modeled decoy state generator (i.e., the variable optical attenuator).The upper and lower Prediction Intervals (PI) are shown to bound the expected performance.

Figure 3 .
Figure 3. Variation in weak coherent pulse Mean Photon Number (MPN) emitted from Alice's modeled laser due to expected fluctuations and performance limitations in the modeled decoy state generator (i.e., the variable optical attenuator).The upper and lower Prediction Intervals (PI) are shown to bound the expected performance.

Figure 4 .
Figure 4. Simulation results are shown for the for the 50 km decoy state protocol configurations examined when operating under normal conditions.In each configuration studied, the signal and decoy state efficiencies are the same   =   ± Δ (within expected variation tolerances).

Figure 5 .
Figure 5. Simulation results are shown for the 50 km decoy state protocol configurations examined when subject to PNS attacks.In each configuration studied, the signal and decoy state efficiencies are statistically different   ≠   ± Δ (outside expected variation tolerances).

Figure 4 .
Figure 4. Simulation results are shown for the for the 50 km decoy state protocol configurations examined when operating under normal conditions.In each configuration studied, the signal and decoy state efficiencies are the same η signal = η decoy ± ∆ (within expected variation tolerances).

Figure 4 .
Figure 4. Simulation results are shown for the for the 50 km decoy state protocol configurations examined when operating under normal conditions.In each configuration studied, the signal and decoy state efficiencies are the same   =   ± Δ (within expected variation tolerances).

Figure 5 .
Figure 5. Simulation results are shown for the 50 km decoy state protocol configurations examined when subject to PNS attacks.In each configuration studied, the signal and decoy state efficiencies are statistically different   ≠   ± Δ (outside expected variation tolerances).

Figure 5 .
Figure 5. Simulation results are shown for the 50 km decoy state protocol configurations examined when subject to PNS attacks.In each configuration studied, the signal and decoy state efficiencies are statistically different η signal = η decoy ± ∆ (outside expected variation tolerances).

Figure 6 .
Figure 6.Simulation results show the optimized decoy state protocol for detecting PNS attacks based on the fielded QKD system [55].The inlay details the expected dark count rate complete with outliers to illustrate the modeled noise over the QKD communication channel.

Figure 7 .
Figure 7. Simulation results detailing the number of decoy state detections per round of quantum exchange for the optimized decoy state protocol based on the fielded QKD system parameters shown in Table6.

Figure 7
Figure 7 displays the number of decoy state detections per round of quantum exchange during normal operations (shown in green) and when subject to PNS attacks (shown in red).During normal operations, the optimized configuration results, shown in green, demonstrate at least one decoy state

Figure 6 .
Figure 6.Simulation results show the optimized decoy state protocol for detecting PNS attacks based on the fielded QKD system [55].The inlay details the expected dark count rate complete with outliers to illustrate the modeled noise over the QKD communication channel.

Figure 6 .
Figure 6.Simulation results show the optimized decoy state protocol for detecting PNS attacks based on the fielded QKD system [55].The inlay details the expected dark count rate complete with outliers to illustrate the modeled noise over the QKD communication channel.

Figure 7 .
Figure 7. Simulation results detailing the number of decoy state detections per round of quantum exchange for the optimized decoy state protocol based on the fielded QKD system parameters shown in Table6.

Figure 7
Figure 7 displays the number of decoy state detections per round of quantum exchange during normal operations (shown in green) and when subject to PNS attacks (shown in red).During normal operations, the optimized configuration results, shown in green, demonstrate at least one decoy state

Figure 7 .
Figure 7. Simulation results detailing the number of decoy state detections per round of quantum exchange for the optimized decoy state protocol based on the fielded QKD system parameters shown in Table6.

Table 1
describes the BB84 protocol as a prepare and measure protocol where Alice encodes photons in one of four polarization states (e.g., ↔, ,

Table 2 .
Example Decoy State Protocol Configuration.
The error reconciliation efficiency is dependent upon the signal state QBER E µ with typical values of ≤ 1.15 for QBERs ≤ 5%.

Table 4 .
Decoy State Enabled QKD System Configurations.
* Value estimated or assumed from reference; ** Values as reported; *** Multiple systems employed.

Table 6 .
Example Decoy State Protocol Configuration.