Photon-Number-Splitting Attack in QKD

• Photon-Number-Splitting (PNS) Attack is a strategy where an eavesdropper uses quantum non-demolition measurements to extract information from multi-photon pulses in weak coherent QKD sources.
• The attack’s impact is modeled mathematically by relating multi-photon probabilities to information leakage, showing increased vulnerability with channel loss and higher mean photon numbers.
• Countermeasures like decoy-state protocols, passive photon-number monitoring, and statistical estimation techniques are implemented to detect and mitigate PNS attacks in practical QKD deployments.

A photon-number-splitting (PNS) attack constitutes a fundamental vulnerability for quantum key distribution (QKD) protocols that employ phase-randomized weak coherent pulse (WCP) sources or other multi-photon emitting quantum sources. In a PNS attack, an eavesdropper (Eve) leverages a quantum non-demolition measurement to extract photon number information from each pulse, subsequently splitting off one or more photons from pulses containing two or more photons while forwarding the remaining photons to the legitimate receiver (Bob) over a lossless channel. By storing her extracted photons in quantum memory, Eve can learn the corresponding secret key bits after basis reconciliation, typically without introducing any detectable disturbance or error. The PNS threat necessitated the development of decoy-state protocols, passive photon-number monitoring, and advanced statistical estimation techniques to preserve QKD security in practical deployments.

1. PNS Attack: Concept and Mechanism

The PNS attack exploits the inherent Poissonian statistics of weak coherent QKD sources, in which the probability for Alice to emit an $n$-photon pulse is $P(n|\mu) = e^{-\mu} \mu^n / n!$, with $\mu\ll1$ the mean photon number. Eve performs an ideal quantum-nondemolition (QND) measurement on each pulse to learn $n$. For $n\geq 2$, she splits off a single photon (or, in some variants, more) and forwards the rest to Bob over a perfect channel, storing her photon(s) for later measurement. For $n=1$, Eve typically blocks the pulse or forwards it undisturbed; for $n=0$, nothing is done. This attack allows Eve to remain hidden as she can mimic the channel loss statistics seen by Bob by selectively blocking or forwarding pulses, thus circumventing detection by standard QBER monitoring (Mailloux et al., 2016).

2. Mathematical Modeling and Information Leakage

The fraction of pulses in which Eve gains full information scales with the multi-photon component $P_{\text{multi}} = 1 - e^{-\mu}(1+\mu)$. Eve's share of the final sifted key, $I_E$, can be computed precisely for both threshold and photon-number-resolving detector cases, and increases sharply with channel loss and growing $\mu$ (Yuen, 2012). The secure key rate becomes

$P(n|\mu) = e^{-\mu} \mu^n / n!$0

where $P(n|\mu) = e^{-\mu} \mu^n / n!$1 and $P(n|\mu) = e^{-\mu} \mu^n / n!$2 (single-photon yield and error rate) must be estimated tightly, as multi-photon events are fully compromised under the GLLP security framework. In high-loss regimes, $P(n|\mu) = e^{-\mu} \mu^n / n!$3 can approach $P(n|\mu) = e^{-\mu} \mu^n / n!$4 for $P(n|\mu) = e^{-\mu} \mu^n / n!$5 unless mitigations are implemented.

In variants such as the "symmetrized PNS" (SPNS) attack, Eve forwards a random subset of the detected photons to precisely reproduce the observed channel loss, making the attack entirely indistinguishable to Alice and Bob within observed photon statistics (Yuen, 2012).

3. Countermeasures: Decoy-State Protocols and Statistical Estimation

Decoy-state QKD protocols are the primary defense against PNS attacks. Alice randomly varies each pulse's intensity between several mean photon numbers ($P(n|\mu) = e^{-\mu} \mu^n / n!$6, $P(n|\mu) = e^{-\mu} \mu^n / n!$7, and a vacuum), producing "signal" and "decoy" states. Since Eve cannot distinguish signal from decoy pulses, any photon-number–dependent intervention will differentially alter the detection efficiencies and yields for the two classes, which Alice and Bob can monitor. By solving linear systems using observed overall gains $P(n|\mu) = e^{-\mu} \mu^n / n!$8, $P(n|\mu) = e^{-\mu} \mu^n / n!$9, and vacuum yields $\mu\ll1$0, one can lower bound the single-photon yield $\mu\ll1$1 and upper bound its error rate $\mu\ll1$2, enabling secure key extraction even in the presence of significant multi-photon components (Mailloux et al., 2016, Mousavi et al., 2014, Krapick et al., 2014, Somma et al., 2013).

Finite-statistics and general (possibly correlated) PNS attacks are addressed via rigorous estimation frameworks where Eve is allowed to correlate the forwarding/blocking of pulses. Analytical techniques provide confidence-bounded lower estimates of single-photon contributions by convex optimization and binomial tail inversion, ensuring composable security under all quantum attacks (Somma et al., 2013). Under these methods, key rate formulas are robust to both statistical fluctuations and all theoretically possible PNS strategies.

4. Detection Strategies and Experimental Countermeasures

Beyond the standard detection of yield discrepancies via decoy statistics, advanced protocols exploit direct monitoring of photon-number statistics, second-order correlations, or interferometric visibility. For example, protocols may use continuous monitoring of $\mu\ll1$3—the second-order correlation function—which is invariant under linear loss but altered by PNS interference, allowing for in situ PNS detection with high confidence and enabling secure key extraction from both single and well-characterized multi-photon pulses (Cholsuk et al., 10 Oct 2025). Likewise, entanglement-enhanced protocols leverage the non-commutation of photon number and phase, employing phase-sensitive measurements as an explicit test for QND-like PNS attacks (Sabottke et al., 2011).

Event-by-event impairment enumeration models, as in (Datta, 30 Jan 2025), account for physical-layer effects, combining Poissonian statistics, loss, polarization, and detector imperfections to numerically evaluate observed yields and their ratios under both honest and attacked scenarios. The critical indicator is the yield ratio $\mu\ll1$4 between signal and decoy modes, which diverges sharply under attack and can be real-time monitored to flag PNS (Datta, 30 Jan 2025).

5. Parameter Selection and Practical Implementation

The selection of optimal protocol parameters—mean photon numbers $\mu\ll1$5 (signal) and $\mu\ll1$6 (decoy), pulse fractions, and block sizes—is driven by the trade-off between throughput and security. Analysis shows that $\mu\ll1$7 and $\mu\ll1$8 maximize both key generation rate and detection confidence for standard fiber links (Mailloux et al., 2016, Krapick et al., 2014). Occurrence probabilities for the signal, decoy, and vacuum states are tuned to guarantee observable statistical differences under PNS conditions while retaining high quantum throughput. Advanced implementations combine these choices with robust calibration, real-time monitoring of yields, vacuum fraction injections to measure background, and MPN stability control (Mailloux et al., 2016).

Experimental QKD systems employing passive decoy schemes and photon-number resolving detectors have demonstrated extraction of yields $\mu\ll1$9 up to $n$0, enabling high-confidence detection of deviations introduced by any PNS strategy (Krapick et al., 2014). Careful authentication routines and active monitoring of source parameters (as in energy-monitoring detectors) further underpin practical security (Sajeed et al., 2014).

6. Advanced Protocol Architectures and Security Extensions

Innovative QKD protocol designs have been developed that provide intrinsic resistance to PNS attacks. These range from sifting-less, reverse-reconciliation protocols exploiting weak coherent pulses polarized along an expanded alphabet, which achieve improved scaling $n$1 for $n$2-state signaling (with $n$3 yielding a 75.96% higher keyrate prefactor than standard BB84/decoy) (Grazioso et al., 2013), to multi-stage, multi-photon double-lock encryption protocols. The latter utilize authentication and measurement asymmetries to monitor for systematic errors or bias induced by PNS, allowing safe use of $n$4–$n$5 in high-efficiency regimes, provided authentication subroutines and decoy extensions are in place (Chan et al., 2015).

Even in two-way protocols such as LM05, PNS attacks are mitigated by active control runs and optimized $n$6, but security remains fundamentally limited by unavoidable multi-photon emission in the absence of decoy state adaptations (Khir et al., 2011).

7. Limitations, Security Implications, and Open Problems

Despite these advancements, certain PNS attack variants—specifically, those based on perfect simulation of all loss statistics via photon-number-non-demolition measurements and binomial forwarding—remain fundamentally undetectable by standard decoy methods if the source exhibits any multi-photon fraction (Yuen, 2012). This raises irrevocable challenges to claims of "unconditional security" for conventional decoy-state BB84: any residual multi-photon emission paired with unavoidable channel loss provides a nonzero information leakage channel to a powerful adversary.

Comprehensive, correlated PNS attacks reveal weaknesses in prior independent-and-identically-distributed (iid) statistical assumptions, forcing a downward revision in protocol reuse cycles and demanding longer block sizes or stricter parameter control to maintain composable security (Somma et al., 2013). As a result, true physical-layer single-photon sources or fundamentally new quantum cryptographic primitives are required to close this loophole, while rigorous finite-size statistical analyses must be applied in all deployments.

In summary, the photon-number-splitting attack embodies a central challenge in practical QKD and continues to drive both protocol innovation and fundamental security analysis within the quantum cryptography community.