Decoy Photon Authentication

Updated 19 December 2025

Decoy photon authentication is a quantum cryptographic technique that uses signal, decoy, and vacuum pulses to detect and neutralize photon-number splitting attacks.
It employs rigorous parameter estimation and hypothesis testing to compare yield ratios, ensuring anomalies in pulse statistics are identified in real time.
Optimized protocol parameters and correlation-based methods enable secure key distribution even under high losses and with imperfect single-photon sources.

Decoy photon authentication refers to a class of quantum cryptographic protocols that leverage engineered variations in pulse statistics—typically the insertion of “decoy” optical pulses with lower mean photon number—to robustly detect and neutralize photon-number–dependent eavesdropping attacks in quantum key distribution (QKD). The technique transforms physically untrusted or lossy quantum communication channels into authenticated links, enabling composable and information-theoretic security, particularly against photon-number splitting (PNS) attacks. With rigorous parameter estimation, event-by-event tracking, and refined statistical hypothesis testing, decoy photon authentication has become a foundational tool for experimental and commercial QKD platforms.

1. Protocol Foundations: Signal, Decoy, and Vacuum States

Standard QKD systems based on weak coherent pulses, such as BB84, suffer vulnerability because multiphoton emissions—following Poisson photon-number statistics—enable attacks that selectively harvest photons without disturbing the encoded qubit (Datta, 30 Jan 2025, Trushechkin et al., 2021, Mailloux et al., 2016). Decoy photon authentication inserts, randomly and covertly, additional pulses with lower mean photon number (“decoys”) and vacuum pulses for dark-count calibration.

In typical implementations, each “frame” consists of $m_s$ signal pulses (mean $\lambda_s$ ), $m_d$ decoy pulses (mean $\lambda_d$ , typically $\lambda_d \ll \lambda_s$ or even zero), and $m_v$ vacuum slots. Both signal and decoy pulses are phase-randomized, and physically indistinguishable to eavesdroppers except for statistical photon content. Alice informs Bob via a public announcement after detection which slots corresponded to which pulse type; Bob then compares detection statistics across signal, decoy, and vacuum classes.

This structure forms the statistical basis for decoy-based channel authentication: the differences in signal versus decoy yields become diagnostic signatures for eavesdropping.

2. PNS Attack Model and Authentication via Yield Ratios

Photon-number splitting (PNS) attacks leverage multiphoton pulses (Trushechkin et al., 2021, Datta, 30 Jan 2025) by intercepting each pulse, measuring its photon number, and:

Blocking single-photon pulses entirely;
For two-photon pulses, retaining one photon and transmitting the other to Bob;
Forwarding all photons for $n \geq 3$ pulses.

The critical effect is distortion of the Poisson statistics of received pulses: eavesdropping increases the apparent yield and detection probability for signal pulses (with higher $\lambda_s$ ) relative to decoy pulses. By enumerating each possible photon transmission event (event-by-event impairment enumeration (Datta, 30 Jan 2025)), one calculates the signal and decoy yields,

$Y_s = \frac{n_{op}^{bs}}{m_s}, \qquad Y_d = \frac{n_{op}^{bd}}{m_d}$

where $n_{op}^{bs}$ and $n_{op}^{bd}$ tally arrivals (pre-detection) at Bob’s receiver. The signal/decoy yield ratio,

$\rho^y_{sd} = \frac{Y_s}{Y_d}$

is expected to satisfy $\rho^y_{sd} \approx 1$ in the absence of adversarial splitting. Significant deviation above unity triggers authentication failure and protocol abort.

3. Parameter Estimation: Single-Photon Yield Bounds and Key Rate Calculation

Decoy photon authentication rigorously bounds the yields ( $Y_1$ ) and error rates ( $e_1$ ) for single-photon pulses through multiple decoy intensities. For three-intensity decoy protocols (Mailloux et al., 2016, Trushechkin et al., 2021), one applies analytic expressions:

Lower bound on single-photon yield $Y_1^L$ :

$Y_1^L = \frac{\mu}{\mu \nu - \nu^2}\left[ Q_\nu e^\nu - Q_\mu e^\mu \frac{\nu^2}{\mu^2} - \frac{\mu^2 - \nu^2}{\mu^2} Y_0 \right]$

Upper bound on single-photon error rate $e_1^U$ :

$e_1^U = \frac{E_\nu Q_\nu e^\nu - e_0 Y_0}{\nu Y_1^L}$

where $Q_\mu$ , $Q_\nu$ are gains for signal and decoy intensities, $E_\mu$ , $E_\nu$ are corresponding QBERs, $Y_0$ the vacuum yield, and $e_0$ the vacuum error rate (~0.5).

The secure key rate under Devetak–Winter or Lo–Ma–Chen formalism is:

$R \ge q \left\{ - Q_\mu f(E_\mu) H_2(E_\mu) + Q_1[1-H_2(e_1)] \right\}$

where $q$ is protocol efficiency ($1/2$ for BB84), $f(E_\mu)$ is error correction inefficiency, $H_2(x)$ is binary entropy, and $Q_1 = \mu e^{-\mu} Y_1^L$ is the signal’s single-photon detection rate (Mailloux et al., 2016, Trushechkin et al., 2021).

4. Statistical Hypothesis Testing and Implementation Strategy

Authentication against PNS attacks proceeds via real-time statistical hypothesis tests on yield and efficiency differences between signal and decoy pulses (Mailloux et al., 2016):

Compute efficiencies:

$\eta_\mu = \frac{Q_\mu - Y_0}{1 - e^{-\mu}}, \qquad \eta_\nu = \frac{Q_\nu - Y_0}{1 - e^{-\nu}}$

Formulate $H_0$ : $\eta_\mu$ , $\eta_\nu$ agree within normal system fluctuation band $A$ .
$H_1$ : $\eta_\mu - \eta_\nu > A$ indicates PNS attack.
Estimate $A$ from run-to-run fluctuations (via sample variances over blocks of $10^4$ – $10^5$ pulses).
Apply hypothesis test with a stringent confidence interval (e.g. 99.9%)—any violation results in protocol abort and PNS alarm.

Blockwise monitoring with binomial confidence intervals for decoy counts further amplifies the discrimination power (Mailloux et al., 2016).

5. Optimization of Protocol Parameters

Optimal selection of signal ( $\mu_s$ ), decoy ( $\mu_d$ ), and vacuum intensities depends on maximizing secure throughput while ensuring detectability of PNS attacks. Typical choices are $\mu_s \sim 0.5$ –$0.65$, $\mu_d \sim 0.08$ –$0.2$, with the minimal decoy fraction $S_y$ that yields at least one secure decoy detection per block:

$S_y Q_\nu N_{\text{pulses}} \gtrsim 1, \quad S_y = \frac{1}{Q_\nu N_{\text{pulses}}}$

Under this regime, the protocol maintains $>$ 99% signal throughput with robust authentication: decoy detection collapses under a simulated PNS attack, providing rapid discrimination (Mailloux et al., 2016).

Frequent calibration (dark-count estimation via vacuum pulses, intensity tracking within $\pm 10\%$ , blockwise parameter monitoring) forms essential implementation guidance (Xu et al., 2010, Mailloux et al., 2016).

6. Correlation-Based Decoy Authentication with Imperfect SPSs

Recent variants replace classical decoy intensity modulation with second-order correlation measurements $g^{(2)}(0)$ obtained from imperfect single-photon sources (SPSs) such as hexagonal boron nitride emitters (Cholsuk et al., 10 Oct 2025). In this approach:

Alice emits pulses without intensity modulation; Bob measures $g^{(2)}(0)$ via a beam splitter and two SPADs.
Pure linear loss preserves $g^{(2)}(0)$ statistic; a PNS attack distorts it, triggering protocol abort.
Key-rate formula incorporates both single- and two-photon contributions, as bounded by measured $g^{(2)}(0)$ and $g^{(3)}(0,0)$ .

Experimental and Monte Carlo validation demonstrates high deployment feasibility (e.g., satellite links with $>38$ dB loss, $10^5$ pulses per flyover). The method relaxes stringent SPS purity requirements and enables secure key rates at much higher losses than previous frameworks, due to secure inclusion of two-photon events (Cholsuk et al., 10 Oct 2025).

7. Security Proofs and Composability

Formal proofs of security employ composable frameworks (Devetak–Winter, entropy accumulation) in the information-theoretic model. The decoy-state method reduces any multiphoton-enabled attack—especially PNS—to convex mixtures over photon-number subspaces (Trushechkin et al., 2021): key rate is bounded by the single-photon channel, with composable security proven against all number-diagonal attacks (including beam-splitting and general collective strategies).

Parameter estimation and privacy amplification then process error-corrected, sifted single-photon bits, achieving universally composable trace-distance security in the asymptotic limit.

A plausible implication is that the decoy-state authentication paradigm maintains rigorous symmetric security for polarization and phase encoding, with direct equivalence shown via unitary transformations of global modes (Trushechkin et al., 2021).

Decoy photon authentication represents a robust, widely validated strategy for quantum channel authentication and key distillation, enabling practical deployment of QKD systems in the presence of lossy channels, imperfect SPSs, and adversarial photon-number probing. The method’s composable security, statistical detectability, and optimization flexibility make it integral to current and future quantum cryptographic infrastructure.