We introduce a new class of quantum quantum key distribution protocols, tailored to be robust against photon number splitting (PNS) attacks. We study one of these protocols, which differs from the BB84 only in the classical sifting procedure. This protocol is provably better than BB84 against PNS attacks at zero error.Quantum cryptography, or more precisely quantum key distribution (QKD) is the only physically secure method for the distribution of a secret key between two distant partners, Alice and Bob [1]. Its security comes from the well-known fact that the measurement of an unknown quantum state modifies the state itself: thus an eavesdopper on the quantum channel, Eve, cannot get information on the key without introducing errors in the correlations between Alice and Bob. In equivalent terms, QKD is secure because of the no-cloning theorem of quantum mechanics: Eve cannot duplicate the signal and forward a perfect copy to Bob.In the last years, several long-distance implementations of QKD have been developed, that use photons as information carriers and optical fibers as quantum channels [1]. Most often, although not always [2], Alice sends to Bob a weak laser pulse in which she has encoded the bit. Each pulse is a priori in a coherent state | √ µe iθ of weak intensity, typically µ ≈ 0.1 photons. However, since no reference phase is available outside Alice's office, Bob and Eve have no information on θ. Consequently, they see the mixed state ρ = dθ 2π | √ µe iθ √ µe iθ |. This state can be re-written as a mixture of Fock states, n p n |n n|, with the number n of photons distributed according to the Poissonian statistics of mean µ, p n = p n (µ) = e −µ µ n /n!. Because two realizations of the same density matrix are indistinguishable, QKD with weak pulses can be re-interpreted as follows: Alice encodes her bit in one photon with frequency p 1 , in two photons with frequency p 2 , and so on, and does nothing with frequency p 0 . Thus, in weak pulses QKD, a rather important fraction of the non-empty pulses actually contain more than one photon. For these pulses, Eve is then no longer limited by the no-cloning theorem: she can simply keep some of the photons while letting the others go to Bob. Such an attack is called photon-number splitting (PNS) attack. Although PNS attacks are far beyond today's technology [3], if one includes them in the security analysis, the consequences are dramatic [4,5].In this Letter, we present new QKD protocols that are secure against PNS attack up to significantly longer distances, and that can thus lead to a secure implementation of QKD with weak pulses. These protocols are better tailored than the ones studied before to exploit the correlations that can be established using ρ. The basic idea is that Alice should encode each bit into a pair of non-orthogonal states belonging to two or more suitable sets.The structure of the paper is as follows. First, we review the PNS attack on the first and best-known QKD protocol, the BB84 protocol [6], in order to understand why this attack is ...
