# Decoy State Protocol for Secure QKD

## Introduction

The **decoy state protocol** is a crucial enhancement to weak coherent state (WCS) QKD that provides information-theoretic security against photon number splitting (PNS) attacks. While WCS systems are practical and cost-effective, they suffer from a fundamental vulnerability: multi-photon pulses enable eavesdropping without detection.

## The Security Problem with WCS

### Photon Number Statistics

For a weak coherent state with average photon number $\mu$, the probability of having exactly $n$ photons follows a Poisson distribution:

$$P_n(\mu) = \frac{\mu^n e^{-\mu}}{n!}$$

**Example with $\mu = 0.1$:**
- $P_0(0.1) = e^{-0.1} \approx 90.5\%$ (vacuum pulses)
- $P_1(0.1) = 0.1 \times e^{-0.1} \approx 9.0\%$ (secure single-photon pulses)
- $P_{\geq 2}(0.1) \approx 0.5\%$ (vulnerable multi-photon pulses)

### PNS Attack Vulnerability

Eve can perform an undetectable attack by:
1. **Intercepting** multi-photon pulses
2. **Splitting** photons and keeping some for herself
3. **Forwarding** remaining photons to Bob
4. **Measuring** her stored photons after basis reconciliation

Since all photons in a coherent state carry the same information, this attack gives Eve perfect knowledge without introducing errors.

---

## Decoy State Solution

### Variable Intensity Protocol

Instead of using a fixed intensity $\mu$, Alice randomly chooses from multiple intensities:

| Pulse Type | Intensity $\mu$ | Probability | Purpose |
|------------|----------------|-------------|---------|
| **Signal** | $\mu_s = 0.1$ | 70% | Key generation |
| **Decoy** | $\mu_d = 0.05$ | 20% | Security monitoring |
| **Vacuum** | $\mu_v = 0$ | 10% | Background check |

### Detection Rate Formula

The fundamental equation linking observable quantities to physical parameters:

$$Q_{\mu_i} = \sum_{n=0}^{\infty} P_n(\mu_i) \times Y_n$$

Where:
- $Q_{\mu_i}$ = **observed detection rate** for intensity $\mu_i$
- $P_n(\mu_i)$ = **Poisson probability** of $n$ photons
- $Y_n$ = **detection efficiency** for $n$-photon states

### System of Equations

With multiple intensities, we obtain a system of equations:

$$Q_{\mu_s} = P_0(\mu_s)Y_0 + P_1(\mu_s)Y_1 + P_2(\mu_s)Y_2 + \cdots$$

$$Q_{\mu_d} = P_0(\mu_d)Y_0 + P_1(\mu_d)Y_1 + P_2(\mu_d)Y_2 + \cdots$$

$$Q_{\mu_v} = Y_0$$

This system allows extraction of individual $Y_n$ values, particularly the crucial single-photon yield $Y_1$.

---

## Single-Photon Parameter Estimation

### Single-Photon Yield

The lower bound on single-photon detection probability:

$$Y_1^{(L)} = \frac{\mu_d Q_{\mu_s} - \mu_s Q_{\mu_d}}{\mu_d - \mu_s} \times \frac{e^{\mu_d - \mu_s}}{\mu_s \mu_d (e^{-\mu_s} - e^{-\mu_d})}$$

### Single-Photon Error Rate

The upper bound on single-photon quantum bit error rate:

$$e_1^{(U)} = \frac{E_{\mu_s} Q_{\mu_s} e^{\mu_s} - E_{\mu_d} Q_{\mu_d} e^{\mu_d}}{Y_1^{(L)} \mu_s e^{\mu_s} - Y_1^{(L)} \mu_d e^{\mu_d}}$$

Where $E_{\mu_i}$ is the observed error rate for intensity $\mu_i$.

---

## Security Analysis

### Attack Detection Mechanism

**Without eavesdropper:**
- $Y_1 \approx \eta$ (detection efficiency)
- $Y_2 \approx 1 - (1-\eta)^2$ (higher than $Y_1$)
- Statistics consistent across intensities

**With PNS attack:**
- $Y_1$ remains unchanged (single photons unaffected)
- $Y_2$ drops significantly (Eve steals from multi-photon pulses)
- **Statistical inconsistency reveals eavesdropping**

### Security Conditions

The protocol is secure if:

1. **Error rate condition:** $e_1^{(U)} \leq e_{th}$ where $e_{th} = 0.11$ (GLLP bound)
2. **Yield condition:** $Y_1^{(L)} \geq Y_{min}$ for meaningful key generation
3. **Vacuum condition:** $Q_{\mu_v} \leq \delta$ for negligible background

### Secure Key Rate

When security conditions are met, the secure key rate is:

$$R \geq q_1 \times Y_1^{(L)} \times [1 - H_2(e_1^{(U)})] - f \times Q_{\mu_s} \times H_2(E_{\mu_s})$$

Where:
- $q_1$ = lower bound on single-photon fraction in signal pulses
- $H_2(x) = -x\log_2(x) - (1-x)\log_2(1-x)$ = binary entropy function
- $f$ = error correction efficiency factor

---

## Mathematical Example

### Without Eavesdropper

**Expected values:**
- Signal: $Q_{0.1} = 0.085$, $E_{0.1} = 0.02$
- Decoy: $Q_{0.05} = 0.045$, $E_{0.05} = 0.02$  
- Vacuum: $Q_0 = 0.001$

**Extracted parameters:**
- $Y_1^{(L)} \approx 0.8$ ✓ (normal detection efficiency)
- $e_1^{(U)} \approx 0.02$ ✓ (low error rate)

### With PNS Attack

**Observed values:**
- Signal: $Q_{0.1} = 0.081$, $E_{0.1} = 0.02$ 
- Decoy: $Q_{0.05} = 0.043$, $E_{0.05} = 0.02$
- Vacuum: $Q_0 = 0.001$

**Extracted parameters:**
- $Y_1^{(L)} \approx 0.3$ ✗ (suspiciously low)
- $e_1^{(U)} \approx 0.05$ ✓ (still acceptable)

**Result:** Statistical inconsistency reveals eavesdropping!

---

## Advantages of Decoy State Protocol

### Security Benefits
- ✅ **Information-theoretic security** against all known attacks
- ✅ **Detects PNS attacks** through statistical analysis
- ✅ **Provides security bounds** even with imperfect sources
- ✅ **Prevents denial-of-service** attacks on key generation

### Practical Benefits  
- ✅ **Uses existing hardware** (just software modification)
- ✅ **High key rates** (MHz repetition rates achievable)
- ✅ **Long distances** (>100 km demonstrated)
- ✅ **Cost-effective** compared to true single-photon sources

### Performance Metrics
- **Key rate improvement:** ~1000× over ideal single-photon systems
- **Security level:** Information-theoretic (not computational)
- **Implementation overhead:** Minimal (just intensity modulation)
- **Commercial viability:** Enabled practical QKD networks

---

## Conclusion

The decoy state protocol transforms weak coherent state QKD from a vulnerable laboratory demonstration into a **commercially viable quantum communication technology**. By cleverly using multiple pulse intensities and statistical analysis, it provides:

1. **Practical security** against realistic attacks
2. **High performance** with existing technology  
3. **Mathematical guarantees** of information-theoretic security
4. **Economic feasibility** for real-world deployment

This breakthrough made modern QKD networks possible and demonstrates how clever protocol design can overcome fundamental physical limitations.