
# Decoy state semi-quantum key distribution

*EPJ Quantum Technology*
**volume 10**, Article number: 18 (2023)

## Abstract

Semi-quantum key distribution describes a system in which a fully quantum user and a classical user perform key distribution. The main advantage of key distribution is its security. Owing to the bottlenecks of existing technology, highly attenuated lasers and threshold detectors are required for semi-quantum key distribution; however, these components make semi-quantum key distribution susceptible to eavesdroppers. Our previous study presented the first semi-quantum key distribution experiment and verified the feasibility of the mirror protocol in 2021. Herein, we first build a semi-quantum key distribution channel model and use Gottesman-Lo-Lütkenhaus-Preskill theory to evaluate its safety performance in the case of a quasi-single photon source. Moreover, we determine that an eavesdropper can steal all information through the photon-number-splitting attack without being detected. Therefore, we add decoy states to the semi-quantum key distribution to estimate the furthest transmission distance and secure bit rate under asymptotic conditions. Semi-quantum key distribution can still be achieved safely with highly attenuated lasers and threshold detectors over 150 km.

## 1 Introduction

Quantum key distribution (QKD) allows two quantum users, Alice and Bob, to securely share a string of keys. In theory, the distribution of secret quantum keys is unconditionally secure based on the laws of quantum physics. Its protocol [1] and its security have been fully proved. Furthermore, various experimental schemes have been proposed to demonstrate the practical feasibility of QKD [2–6]. Some state-of-the-art QKD protocols, e.g., MDI-QKD and TF-QKD, extend the transmission distance of QKD and improve its performance [7–10]. With the gradual development and maturity of practical systems, security evaluations for real systems have been gradually recognized and valued [11–13]. However, these security analyses are limited to the utilization of single-photon sources. In practice, a highly attenuated laser is used as the light source; therefore, an eavesdropper, Eve, can steal information via the photon-number-splitting (PNS) attack without being detected [14–17]. The decoy state [18–23] and SARG04 protocol [24] were successively proposed to counteract PNS attacks. Of the two, the decoy state protocol is widely used because it is more effective.

Semi-quantum key distribution (SQKD) was proposed to share keys between a quantum user and a classical user. At present, there are no actual full quantum computers; thus, it is impractical to implement quantum communications using fully quantum devices. The SQKD protocol can be used in an environment with limited quantum resources without losing security. In 2007, Boyer, Kenigsberg, and Mor proposed a new quantum communication protocol, the semi-quantum key distribution protocol (BKM07 protocol) [25]. Subsequently, BGKM-09 [26], the less than four state protocol [27], and the mirroring protocol [28] were proposed. After the design of the SQKD protocol was proposed, its theoretical security was subsequently proven, particularly for independent attacks and collective attacks [29–31]. Additionally, SQKD’s security bit rate was also determined.

Our previous study presented the first SQKD experiment and verified SQKD’s feasibility in 2021 [32]. However, the experiment utilized highly attenuated lasers and threshold detectors. A safety analysis of SQKD with a strongly attenuated laser has not been presented. Strongly attenuated pulses inevitably result in multi-photon pulses, which opens a door for PNS attacks. Therefore, it is necessary to determine if SQKD can resist PNS attacks. If SQKD cannot detect PNS attacks, it is important to investigate if SQKD can also use decoy state methods to make experiments more secure using essentially the same hardware. Therefore, the experimental safety of SQKD must be evaluated. These three points of investigation are essential for SQKD’s development. In this study, we first build an SQKD channel model based on the BKM-07 protocol and identify that Eve can steal all information through PNS attacks without being detected. Moreover, we use Gottesman-Lo-Lütkenhaus-Preskill (GLLP) theory [33] to evaluate its safety performance when using a strongly attenuated laser. Therefore, we add decoy states to the SQKD and estimate the maximum transmission distance and secure bit rate under asymptotic conditions. Semi-quantum key distribution can still be achieved safely with highly attenuated lasers and threshold detectors over 150 km. Decoy SQKD and decoy QKD [18–22] can increase the safe transmission distance. From the perspective of scheme architecture, SQKD has two channels, so when estimating some of the backward channel’s parameters, such as \(\mu_{2}\), \(\nu_{2}\), the length of the forward channel will be associated with \(\mu_{2}\), \(\nu_{2}\). This is the difference between SQKD decoy and QKD decoy. In the processing of the result, QKD decoy only needs \(R_{qkd}>0\). SQKD decoy needs \(I_{f}>0\), \(I_{b}>0\) and \(R_{sqkd}>0\). This condition limits the maximum transmission distance of SQKD.

The organization of this paper is as follows. In Sec. 2, we build an SQKD channel model and prove SQKD is not secure against PNS. Moreover, we establish the secure bit rate of SQKD with GLLP theory. In Sec. 3, we analyze several decoy states of SQKD. The results are shown and discussed in Sec. 4. In Sec. 5, we present some concluding remarks.

## 2 Theoretical model

The BKM-07 protocol [25] model is shown in Fig. 1. The SQKD we discuss later is based on this model. We call the operation in which Bob reflects the photon CTRL, and the operation in which Bob measures and resends the photon SIFT.

### 2.1 SQKD channel model

SQKD has two logical channels, a forward channel and a backward channel; however, they share the same physical channel. Bob can choose to use the SIFT operation to detect the photon using the forward channel and resend the photon to Alice through the backward channel. Moreover, if Bob chooses the CTRL operation to return the photon, the whole process can be viewed as Alice sending the photons and then measuring them after they are transmitted through the whole channel (forward and backward channel). Alice needs to perform both sending and receiving operations; therefore, we refer to Alice in the sender role as Alice and to Alice in the receiver role as \(Alice'\).

We start with two assumptions.

First, we assume that these two logical channels are independent when Bob chooses the SIFT operation. This assumption limits the cases in which Eve can make a joint attack on the forward and backward channels, and we will consider more complex cases in the future. In fact, the backward and forward channels are essentially the same physical channels. Thus, they are subject to the same constraints, such as losses and transmission distance (\(L=L_{f}=L_{b}\)).

Second, we simplify the analysis by considering \(Alice'\) as the third user. In SQKD, no matter what operation Bob chooses and what state Alice sends, \(Alice'\) can measure the photon based on the state of Alice. This correlation is equivalent to the fact that Alice and Bob need to have compatible bases only once. (If Alice, Bob, and \(Alice'\) are independent of each other, in the absence of SQKD, two information transfers need to have compatible bases twice).

Based on the above two assumptions, the whole channel can be regarded as a cascade of the forward channel and backward channel. Moreover, the two channels are independent; therefore, the information of \(Alice'\) only depends on Bob and has no direct relationship with Alice. That is, Alice, Bob, and \(Alice'\) constitute a first-order Markov chain. We study this channel model to obtain a secure bit rate evaluation formula. Therefore, the following analysis is based on the case where Alice chooses to send a Z-basis state, and Bob chooses the SIFT operation. The Z-basis channel noise can be used to describe channels parameters and will lead to the generation of the quantum bit error. We let \(E_{BS}\) and \(E_{AS}\) denote the quantum bit error rate (QBER) in the Z-basis for Bob and \(Alice'\), respectively. Additionally, \(E_{BS}\) and \(E_{AS}\) can be estimated from the detections made by Bob and \(Alice'\), respectively.

This SQKD channel model and its parameters are shown in Fig. 2. The transition probability matrix for the forward channel is

The transition probability matrix for the backward channel is

Here we emphasize that when the state sent by Alice is different from that received by \(Alice'\), i.e., Alice sends \(|0\rangle (|1\rangle )\) and \(Alice'\) detects \(|1\rangle (|0\rangle )\), such bits should be discarded in the protocol. When the state sent by Alice is the same as that detected by \(Alice'\), and if Bob and \(Alice'\) receive the same state, they share a bit. If Bob and \(Alice'\) obtain different states, the bit is considered an error bit. The total SQKD model is shown in Fig. 2. The following matrix is the transition probability matrix of the equivalent SQKD

### 2.2 PNS in SQKD

We briefly describe the PNS attack. If a pulse does not contain photons, Eve does nothing. However, if a pulse contains a single photon, Eve blocks the single photon with probability *P*. If a pulse contains multiple photons, Eve can extract one of them and store it in a quantum memory, and the remaining photons will be sent back to Bob through a lossless channel. If \(P>1\), Eve may even block some of the multi-photon pulses to keep \(Q_{\mu}\) constant.

\(Q_{BS}\) is the gain of the SIFT photons detected by Bob. \(Q_{AC}\) and \(Q_{AS}\) are the gain of the CTRL and SIFT photons detected by \(Alice'\). When Eve only attacks one channel, Eve cannot keep \(Q_{AC}\) and \(Q_{BS}\) constant. Moreover, the two gains will not be equal because SIFT photons have a higher detection loss. Thus, Alice and Bob can detect anomalies.

Here, we assume that Eve’s attacks on the forward and backward channels are independent, based on the first assumption. Eve attacks the forward channel first, then the backward channel. The CTRL photon goes through the forward and backward channels, whereas the SIFT photon only goes through the backward channel. Eve can block single photons and extract them out of all the multi-photon pulses in the forward channel with probability \(P_{1}\). It is possible for Eve to block a single photon with probability \(P_{2}\) and extract it from any multi-photon pulses in the backward channel. \(P_{1}\) affects only CTRL photons, and \(P_{2}\) affects SIFT and CTRL photons. Therefore, an appropriate \(P_{1}\) and \(P_{2}\) can always be determined to keep \(Q_{AC}\) and \(Q_{BS}\) unchanged [34].

Let the average photon number of SIFT be *μ*, which is also the average number of photons sent by Alice, and let that of CTRL be *ν*, which is the average number of CTRL photons sent by Bob. Assume that Eve attacks the forward and backward channels with probabilities of \(P_{1}\) and \(P_{2}\), respectively.

For SIFT photons:

For CTRL photons:

Through the forward channel, the photon number distribution is

Through the backward channel, the photon number distribution is

Now, we assume that Eve can control the total loss inside Bob and \(Alice'\); thus, \(Y_{n}^{PNS} = 1\) (\(n \ge1\)).

To keep \(Q_{BS}\) unchanged, it needs to satisfy the following: \({Q_{BS}} = 1 - {{\mathrm{e}}^{ - \eta\mu}} = (1 - {P_{2}})\mu{{\mathrm{e}}^{ - \mu}} + \sum_{n = 2}^{\infty}{{{\mathrm{e}}^{ - \mu}}\frac{{{\mu ^{n}}}}{{n!}}} \). Then, we obtain:

To keep \(Q_{AC}\) unchanged, it needs to satisfy the following: \({Q_{AC}} = 1 - {{\mathrm{e}}^{ - \eta\nu}} = [1 - {P_{2}}][(1 - {P_{1}})\nu {{\mathrm{e}}^{ - \nu}} + \frac{{{\nu^{2}}}}{2}{{\mathrm{e}}^{ - \nu}}] + \frac{{{\nu^{3}}}}{{3!}}{{\mathrm{e}}^{ - \nu}} + \sum_{n = 4}^{\infty}{{{\mathrm{e}}^{ - \nu}}\frac{{{\nu^{n}}}}{{n!}}}\). Then, we obtain:

The limiting condition is \(P_{2}>1\). That is, Eve needs to block some multi-photon pulses to ensure a constant \(Q_{BS}\) and \(Q_{AC}\).

Mathematical analysis shows that \(P_{1}>1\) when the average number of photons is smaller than 0.7. Because both \(P_{1}\) and \(P_{2}\) are greater than 1, we believe that Eve blocks all single photons, that is, \(P_{1}=1\), \(P_{2}=1\). Eve also blocks two-photon pulses among the multi-photon pulses with a probability of \(P_{3}\) to keep \(Q_{BS}\) unchanged, and blocks three-photon pulses among the multi-photon pulses with a probability of \(P_{4}\) to keep \(Q_{AC}\) unchanged.

We can get the distribution

To keep \(Q_{BS}\) unchanged, we obtain

Through the backward channel, the photon number distribution is

To keep \(Q_{\nu}\) unchanged, we can get

Eve can block all single photons and some photons from multi-photon pulses to keep \(Q_{BS}\) and \(Q_{AC}\) unchanged. In conclusion, SQKD is not secure against PNS attacks.

### 2.3 The secure bit rate of SQKD with GLLP theory

According to the Csiszár–Körner theory [35], the lower bound of a QKD system secure bit rate is equal to the mutual information between Alice and Bob (\(I(A;B)\)) minus the mutual information between Eve and Bob (or Alice). Because reverse data reconciliation is adopted in QKD, the lower bound of the secure bit rate is: \(R=I(A;B)_{QKD}-I(A;E)_{QKD}\).

The mutual information between Alice and Bob and \(Alice'\) is \(I(A;A')\). Reverse data reconciliation is also adopted in SQKD; therefore, the lower bound of the secure bit rate is: \(R=I(A;A')-I(A;E)\).

According to the Shor-Preskill theory [36], \(I(A;B)=qQ_{\mu}[1-{H_{2}}(E_{\mu})]\), where \(Q_{\mu}\) and \(E_{\mu}\) are the gain and QBER of the QKD, respectively, and \(H_{2}\) is the binary Shannon entropy. \({E_{\mu}} = \frac{{{e_{0}}{Y_{0}} + {e_{\det}}(1 - {e^{ - \eta\mu}})}}{{{Q_{\mu} }}}\), where \(e_{0}\) is the secret number of zero photon signal and \(e_{\det}\) is the bit error rate of the system optical path. In SQKD, the QBER should be corrected to \({E_{BS}} + {E_{AS}} - 2{E_{BS}}{E_{AS}}\) through the channel model; \(I(A;E)=q(Q_{1}{H_{2}}(e_{1})+Q_{\mu}-Q_{0}-Q_{1})\), where \(Q_{1}\) is the single photon error rate. The QBER requires further discussion for SQKD.

In SQKD, we can get experimental data \(Q_{BS}\) and \(Q_{A}\), where \(Q_{BS}\) and \(Q_{A}\) are the gains of Bob and \(Alice'\), respectively. When Alice sends a Poisson source with an average number of photons \(\mu_{1} \), \({Q_{BS}} = {Y_{0}} + 1 - {e^{ - \eta\mu_{1}}}\), where \(Y_{0}\) is the gain of dark count. \(Y_{0} \approx2{p_{d}}\), where \({p_{d}}\) is the dark count rate of a detector. *η* is the forward channel transmittance of a single photon signal: \(\eta = {10^{ - \alpha L/10}}{\eta_{\mathrm{b}}}{\eta_{d}}\), where \({\eta_{d}}\) is the detection efficiency and \({\eta_{b}}\) is the transmittance of Bob. \({Q_{A}=Q_{AS}+Q_{AC}}\), where \(Q_{AS}\) and \(Q_{AC}\) are the gains when Bob chooses the SIFT and CTRL operations, respectively. When Bob resends a Poisson source with an average number of photons \(\mu_{3}\), \({Q_{AS}} = {Y_{0}} + 1 - {e^{ - \eta\mu_{3} }}\). For the CTRL photons sent by Alice through the total channel, \({Q_{AC}} = {Y_{0}} + 1 - {e^{ - 2\eta\mu_{1}}}\). We can divide \(Q_{A}\) into \(Q_{AS}\) and \(Q_{AC}\) because Alice publishes which were her Z bits and Bob publishes which ones he chose to SIFT.

We first analyze \(I(A;A')\). When the detectors of \(Alice'\) and Bob do not respond or their bases are incompatible, there is no correlation between the measurement result obtained by \(Alice'\) and the state sent by Alice. In this case, \(I(A;A')=0\). When the detectors of \(Alice'\) and Bob respond and their measurement bases are in agreement, the measurement result can share a sifted bit. In this case,

where *q* is the probability that Alice sends a Z-basis (\(q = 1/2\)).

Eve needs to attack both channels to obtain more information. Based on our second assumption, we now suggest that Eve attacks independently in the forward and backward channels. According to the Shor-Preskill theory, Eve can extract all the information from multi-photon pulses. At this stage, the transmission channel is equivalent to a noiseless lossless channel for Bob and \(Alice'\). When single-photon pulses are received, Eve can also steal information. However, for Bob and \(Alice'\), the transmission channel is equivalent to a binary symmetric channel, such as the SQKD model that we previously built; the channel parameter is the QBER of the single-photon pulses.

When both \(Alice'\) and Bob respond with single-photon pulses, the channel is equivalent to two binary symmetric channels in series. The amount of information obtained by Eve is as follows:

where \(Q_{BS1}\) and \(Q_{AS1}\) are the gains of Bob and \(Alice'\) for single-photon pulses, respectively, and \(e_{BS1}\) and \(e_{AS1}\) are the QBERs of Bob and \(Alice'\)’s SIFT part for single-photon pulses, respectively.

When the responses of Bob and \(Alice'\) are a single photon and multiple photons, respectively, the channel is equivalent to a binary symmetric channel and a noiseless lossless channel in series. Moreover, the amount of information obtained by Eve is as follows

where \(Q_{ASm}\) is the multi-photon response rate of \(Alice'\)’s SIFT part.

When Bob has a multi-photon response and \(Alice'\) a single photon, the channel is equivalent to a binary symmetric channel and noiseless lossless channel in series. Moreover, the amount of information obtained by Eve is as follows:

where \(Q_{BSm}\) is Bob’s gain of the multi-photon pulses.

When both \(Alice'\) and Bob’s responses are multi-photon pulses, the channel is equivalent to two noiseless lossless channels in series. Then, the amount of information obtained by Eve is as follows:

In other cases, \(I(A;E)=0\).

In the case of \(Q_{0}=0\), Eve has the highest advantage. At this time, the security bit rate of SQKD is as follows:

where *q* is the probability that Alice sends a Z-basis (\(q = 1/2\)), \({\Delta_{B}} = \frac{{{Q_{BS1}}}}{{{Q_{BS}}}}\), \({\Delta_{A}} = \frac {{{Q_{AS1}}}}{{{Q_{AS}}}}\).

It can be observed from Eq. (18) that the parameters we need to estimate are \(Q_{AS1}\), \(e_{AS1}\), \(Q_{BS1}\), and \(e_{BS1}\). The GLLP theory uses two worst-case assumptions to estimate these parameters. The first assumption is that all the multi-photon pulses are detected: \({Q_{BS1}} = {Q_{BS}} - {P_{mA}}\), \({Q_{AS1}} = {Q_{BS}} - {P_{mB}}\), where \(P_{mA}\) and \(P_{mB}\) are the probability that Alice and Bob send multiple photons, respectively. The second assumption is that the multi-photon pulses do not introduce an error rate: \({e_{BS1}}=\frac{{{E_{BS}}}}{{{\Delta_{B}}}}\), \({e_{AS1}}=\frac {{{E_{AS}}}}{{{\Delta_{A}}}}\). We construct the secure bit rate through the whole channel.

Additionally, we can analyze forward and backward channels separately using the GLLP theory. It is important to note that the analysis of forward and backward channels can only estimate the longest SQKD transmission distance. Eq. (19) and Eq. (20) denote the mutual information of the forward and backward channels, respectively:

We need to estimate the theoretical values of \(Q_{\mu}\) and \(E_{\mu}\), so we need to set some parameters. We set \({\eta_{d}} = 0.15\), \(p_{d} = 2\times{10^{ - 6}}\), \(e_{\det} = 0.01\), and \(\eta_{b} = 0.4\). The results are shown in Fig. 3(a). The longest transmission distance estimated using the SQKD secure bit rate can reach 8 km, which is the same as the QKD transmission distance under the same conditions. The maximal distances of the forward and backward channels are 16 km and 2 km, respectively. Since the average number of photons transmitted in the backward channel is smaller than that transmitted in the forward channel, the transmission distance in the forward channel is larger than that in the backward channel when the furthest transmission distance in the forward channel is calculated independently. To ensure the safety of any channel, the actual longest distance is limited to the shortest distance out of the three lengths. Therefore, the longest distance should be 2 km. It is the same as the QKD transmission distance when \(\mu=0.1\). The security bit rate of SQKD depends on the solid blue line.

## 3 Analysis

### 3.1 Decoy state in backward channel

In reality, the photon-number distribution of a strongly attenuated source follows a Poisson distribution with a small average number of photons. In the above analysis, we ignore the average number of photons that Bob resends. The following describes the constraints on Bob when resending photons.

Suppose the average number of photons sent by Alice is \(\mu_{1}\), and the average number of photons sent by Bob is \(\mu_{3}\).

We use *η* to describe the channel loss. After the channel loss, the average number of photons that reaches Bob decreases to \(\mu_{2}\), \(\mu _{2} = \eta\mu_{1}\). Moreover, the Poisson distribution of photons is

If Bob chooses the SIFT operation, the SIFT operation will cause a measurement loss \(\eta_{\det}\). Then, after the channel loss and detection loss are accounted for, the Poisson distribution of Bob’s transmission is

We should first ensure that \(P_{\mathrm{loss}}[n] \ge P_{\det}[n]\). Bob can control the corresponding part of a pulse and separate it to send an empty pulse; therefore, he can ensure \(P_{\mathrm{loss}}[0]=P_{\det }[0]\). However, \({P_{\mathrm{loss}}}[0] = {e^{ - \eta\mu_{1} }} \le{e^{ - {\eta_{\det}}\eta\mu_{1} }} = {P_{\det}}[0]\), \(0 < {\eta_{\det }} \le1\).

Therefore, although Bob can control the photon-number distribution, he cannot transmit a Poisson distribution that is the same as the CTRL average number of photons. Bob can only transmit Poisson distributions with a smaller average number of photons. That is, the number of photons that are resent is \(\mu_{2} < {\eta_{\det}}{\eta\mu_{1} }\).

In the above analysis, we assumed that Bob can control the photon-number distribution. However, such an assumption is meaningless because current technology cannot achieve this condition.

Here, we propose a solution: Bob still emits a Poisson distribution with an average photon number of \(\mu_{2}\) whether or not his detector responds. When there is no response, Bob just attaches polarization information (\(|0\rangle\) or \(|1\rangle \)) to the photon. Thus, Bob can send a Poisson distribution with an average photon number that is fully \(\mu_{2}\). Moreover, it can be significantly greater than \(\eta\mu_{1} \) to increase the signal-to-noise ratio (SNR). In the actual key-distribution process, after confirming basis compatibility, Alice and Bob can conduct error-code detection. If the error code detection is verified, Bob can announce which bits were unresponsive so that secure bits can be formed between Alice and Bob.

In addition, we can make the average number of CTRL photons different from that of SIFT photons so that we can create a decoy state in the backward channel. We add the decoy state to accurately estimate \(Q_{AS1}\) and \(e_{AS1}\). The result is shown in Fig. 3(b). The longest transmission distance estimated using the SQKD secure bit rate can reach 35 km. The maximal distance of the forward channel is 16 km. The maximal distance of the backward channel is 61 km. Although the furthest distance of the backward channel is estimated to be longer, the longest SQKD distance is determined using the shortest of the three distances. Therefore, the longest SQKD transmission distance can be increased to 16 km only by adding decoy states to the backward channel.

### 3.2 Setting decoy states

Based on the previous analysis of PNS attacks, the forward channel is less secure than the backward channel. Adding decoy states to Alice is equivalent to adding decoy states to the whole channel. First, we consider the case where Alice sends the signal state and decoy states with different average photon numbers, that is, \(\mu_{1}\) and \(\nu_{1}\), respectively. This ensures that the forward channel is capable of detecting PNS attacks. Then, Bob resends the signal states with an average photon number of \(\mu_{3}\). We scan \(\mu_{3}\), \(\mu_{1}\), \(\nu_{1}\) from 0.1 to 1.0 in steps of 0.01 to find the maximum bit rate at each distance from 10 km to 130 km. We restrict the scan to the condition \(\mu_{3}>\mu _{1}>\nu_{1}\) [21]. The result is shown in Table 1. We set \(\mu_{1}= 0.36\); \(\nu_{1}= 0.08\); and \(\mu_{3}= 0.68\). In the one decoy state, the estimation of \(Y_{1}\) is:

And the estimation of \(e_{1}\) is:

#### 3.2.1 The average number of photons in a signal state resent by Bob

After the above discussion, Bob resends a Poisson distribution with an average photon number of \(\mu_{3}\) for all photons (with and without responses), where \(\mu_{3}\) can have an arbitrary value.

At the time when the photon sent from Alice reaches Bob, the average number of photons is \(\mu_{2}(\nu_{2})\), \(\mu_{2}(\nu_{2}) = \eta\mu _{1} (\nu_{1} )\).

If \(\mu_{3}=\mu_{2}\), Bob should resend photons that are physically related to the forward channel using the same average photon number. The resent photons in the backward channel have their own losses in the forward channel, but in this way, the backward channel has only one decoy state. Figure 4 shows that the furthest transmission distance reaches 84 km because the decoy state is added.

If \(\mu_{3}>\mu_{2}>\nu_{2}\), the larger average photon number \(\mu_{3}\) of the signal state can result in two decoy states in the backward channel. Moreover, it can increase the SNR and secure bit rate.

The result in Fig. 5(a) shows that adding decoy states to Alice increases the SQKD transmission distance up to 140 km. The maximal distance of the forward channel is 134 km. The maximal distance of the backward channel is 155 km. This shows that adding one decoy state to the forward channel can increase the transmission distance of the forward channel and enable the backward channel to add two decoy states to increase the transmission distance. Although the transmission distance of SQKD still depends on the forward channel, the longest SQKD transmission distance reaches 134 km with the addition of one decoy state. It is 21 km shorter than the farthest transmission of QKD when \(\mu=0.68\) and \(\nu=0.08\).

#### 3.2.2 Adding decoy states to Bob

If Bob also chooses to add one decoy state, Alice sends two pulses with different photon numbers, and Bob also resends two pulses with different photon numbers. Thus, the forward channel has one decoy state, and the backward channel has three decoy states.

If Bob resends a signal state without the decoy state, Alice sends two pulses of different photon numbers, and Bob sends only one pulse with a photon number. Thus, the forward channel has one decoy state, and the backward channel has two decoy states.

The backward channel always has more decoy states than the forward channel. Moreover, the longest transmission distance of the forward channel \(L_{f}\) must be less than that of the backward channel \(L_{b}\). If a decoy state is also added to the backward channel, the vacuum state can be added to obtain a tighter \(Y_{0}\) and increase the transmission distance of the backward channel; however, the final distance is the shortest result because \(L_{f}=L_{b}\) (same physical channel). Therefore, adding a decoy state to the backward channel is unnecessary and makes the experiment more complicated.

#### 3.2.3 Comparing different decoy states

We can add weak+vacuum decoy states to Alice. We set \(\mu_{1}= 0.36\); \(\nu_{1}= 0.08\); and \(\mu_{3}= 0.68\). Although this configuration is not the optimal setting for two decoy states, we can conclude by a simple comparison with one decoy state. Then, we add \(\nu _{2}=0\) to Alice. In the two decoy states, estimation of \(Y_{0}\) is:

The estimation of \(Y_{1}\) is:

And the estimation of \(e_{1}\) is:

In Fig. 5(b), we can observe that the transmission distance of two decoy states is longer than that of one decoy state. The longest transmission distance using the SQKD secure bit rate can reach 149 km. The maximal distance of the forward channel is 152 km. The maximal distance of the backward channel is 155 km. Therefore, the SQKD transmission distance is 149 km. This significantly lengthens the transmission distance of the forward channel, but in general, the SQKD transmission distance increases by 15 km.
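The effect of the GLLP worst-case assumptions in Sec. 2.3 and of the weak+vacuum decoy setting above can be reproduced numerically for a single one-way link. The following is an added example, not code from the paper: it uses the gain, QBER, transmittance and parameter values stated in the text, and it does not reproduce the SQKD rate of Eq. (18). The fibre loss `ALPHA`, the dark-count error rate `E0`, and the use of the standard weak+vacuum bounds of Ma et al. [21] for \(Y_{1}\) and \(e_{1}\) are assumptions.

```python
import math

# Parameters stated in Sec. 2.3 of the text.
ETA_D = 0.15     # detection efficiency
ETA_B = 0.4      # transmittance of Bob
P_D = 2e-6       # dark count rate of one detector
E_DET = 0.01     # bit error rate of the optical path
Q_BASIS = 0.5    # q, probability that Alice sends the Z basis
Y0 = 2 * P_D     # gain of dark counts, Y0 ~ 2 p_d

# Assumptions of this example (not given in the text).
ALPHA = 0.2      # fibre loss in dB/km
E0 = 0.5         # error rate of dark-count clicks (random bits)


def h2(p):
    """Binary Shannon entropy H2(p)."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def transmittance(length_km):
    """eta = 10^(-alpha L / 10) * eta_b * eta_d."""
    return 10 ** (-ALPHA * length_km / 10) * ETA_B * ETA_D


def gain(mu, length_km):
    """Q_mu = Y0 + 1 - exp(-eta mu)."""
    return Y0 + 1 - math.exp(-transmittance(length_km) * mu)


def error_gain(mu, length_km):
    """E_mu * Q_mu = e0 Y0 + e_det (1 - exp(-eta mu))."""
    return E0 * Y0 + E_DET * (1 - math.exp(-transmittance(length_km) * mu))


def key_rate(q_mu, eq_mu, q1, e1):
    """R = I(A;B) - I(A;E) with Q0 = 0, clipped at zero."""
    if q1 <= 0 or e1 >= 0.5:
        return 0.0
    rate = Q_BASIS * (-q_mu * h2(eq_mu / q_mu) + q1 * (1 - h2(e1)))
    return max(0.0, rate)


def gllp_rate(mu, length_km):
    """No decoy: every multi-photon pulse is detected and error-free."""
    q_mu, eq_mu = gain(mu, length_km), error_gain(mu, length_km)
    p_multi = 1 - math.exp(-mu) * (1 + mu)   # Poisson P(n >= 2)
    q1 = q_mu - p_multi                      # worst-case single-photon gain
    if q1 <= 0:
        return 0.0
    return key_rate(q_mu, eq_mu, q1, eq_mu / q1)   # e1 = E_mu / Delta


def y1_lower(mu, nu, length_km):
    """Weak+vacuum lower bound on the single-photon yield (Ma et al.)."""
    q_mu, q_nu = gain(mu, length_km), gain(nu, length_km)
    bracket = (q_nu * math.exp(nu)
               - q_mu * math.exp(mu) * nu ** 2 / mu ** 2
               - (mu ** 2 - nu ** 2) / mu ** 2 * Y0)
    return mu / (mu * nu - nu ** 2) * bracket


def decoy_rate(mu, nu, length_km):
    """Rate with Y1 and e1 bounded from signal, weak and vacuum gains."""
    y1 = y1_lower(mu, nu, length_km)
    if y1 <= 0:
        return 0.0
    e1 = (error_gain(nu, length_km) * math.exp(nu) - E0 * Y0) / (y1 * nu)
    q1 = y1 * mu * math.exp(-mu)
    return key_rate(gain(mu, length_km), error_gain(mu, length_km), q1, e1)


def max_distance(rate_fn, limit_km=400):
    """Largest whole-km distance with positive rate, or None if none."""
    best = None
    for length_km in range(limit_km + 1):
        if rate_fn(length_km) <= 0:
            break
        best = length_km
    return best


if __name__ == "__main__":
    print("no decoy, mu=0.10:", max_distance(lambda L: gllp_rate(0.10, L)))
    print("no decoy, mu=0.36:", max_distance(lambda L: gllp_rate(0.36, L)))
    print("weak+vacuum, mu=0.36, nu=0.08:",
          max_distance(lambda L: decoy_rate(0.36, 0.08, L)))
```

Without decoys the worst-case single-photon gain is positive only for a very weak source and a few kilometres of fibre, whereas bounding \(Y_{1}\) and \(e_{1}\) from the decoy gains keeps the rate positive past 100 km under the assumed loss.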

## 4 Results and discussion

By modeling an SQKD channel and adding decoy states, an SQKD system was able to detect a PNS attack. We estimated the longest transmission distance and secure bit rate using the GLLP theory and decoy states under an asymptotic condition. In this study, we assumed that the two channels were independent and that Eve’s attacks were also independent. Owing to the correlation between Alice and \(Alice'\), it is important to determine the physical model of the channels if they are not independent. Eve will definitely attack the correlation between the two channels; therefore, we will address this issue in future work. Optimizing the strength of different kinds of decoy states to maximize SQKD performance is also our subsequent research work. Moreover, we will also consider the finite-key in practical application.

## 5 Conclusion

We determine that SQKD cannot resist PNS attacks. We first build the SQKD channel model and obtain the secure bit rate formula of SQKD to evaluate the experimental safety of SQKD. Moreover, we add decoy states to SQKD to estimate the longest transmission distance. It is important that SQKD can also use decoy state methods to make experiments more secure using essentially the same hardware.

## Availability of data and materials

The data that support the findings of this study are available from the corresponding author upon reasonable request.

## References

Bennett CH, Brassard G. Quantum cryptography: public key distribution and coin tossing. Theor Comput Sci. 2014;560:7–11.

Muller A, Herzog T, Huttner B, Tittel W, Zbinden H, Gisin N. “Plug and play” systems for quantum cryptography. Appl Phys Lett. 1997;70(7):793–5. https://doi.org/10.1063/1.118224.

Wang J, Qin X, Jiang Y, Wang X, Chen L, Zhao F, Wei Z, Zhang Z. Experimental demonstration of polarization encoding quantum key distribution system based on intrinsically stable polarization-modulated units. Opt Express. 2016;24(8):8302–9. https://doi.org/10.1364/OE.24.008302.

Mo X-F, Zhu B, Han Z-F, Gui Y-Z, Guo G-C. Faraday–Michelson system for quantum cryptography. Opt Lett. 2005;30(19):2632–4. https://doi.org/10.1364/OL.30.002632.

Zhang C-H, Zhou X-Y, Ding H-J, Zhang C-M, Guo G-C, Wang Q. Proof-of-principle demonstration of passive decoy-state quantum digital signatures over 200 km. Phys Rev Appl. 2018;10:034033. https://doi.org/10.1103/PhysRevApplied.10.034033.

Wang J, Qin X, Jiang Y, Wang X, Chen L, Zhao F, Wei Z, Zhang Z. Experimental demonstration of polarization encoding quantum key distribution system based on intrinsically stable polarization-modulated units. Opt Express. 2016;24(8):8302–9. https://doi.org/10.1364/OE.24.008302.

Zhou X-Y, Zhang C-H, Zhang C-M, Wang Q. Asymmetric sending or not sending twin-field quantum key distribution in practice. Phys Rev A. 2019;99:062316. https://doi.org/10.1103/PhysRevA.99.062316.

Liu J-Y, Ding H-J, Zhang C-M, Xie S-P, Wang Q. Practical phase-modulation stabilization in quantum key distribution via machine learning. Phys Rev Appl. 2019;12:014059. https://doi.org/10.1103/PhysRevApplied.12.014059.

Chen Y-P, Liu J-Y, Sun M-S, Zhou X-X, Zhang C-H, Li J, Wang Q. Experimental measurement-device-independent quantum key distribution with the double-scanning method. Opt Lett. 2021;46(15):3729–32. https://doi.org/10.1364/OL.431061.

Yuan Y-P, Du C, Shen Q-Q, Wang J-D, Yu Y-F, Wei Z-J, Chen Z-X, Zhang Z-M. Proof-of-principle demonstration of measurement-device-independent quantum key distribution based on intrinsically stable polarization-modulated units. Opt Express. 2020;28(8):10772–82. https://doi.org/10.1364/OE.387968.

Lutkenhaus N. Security of quantum cryptography with realistic sources. Acta Phys Slovaca. 1999;49.

Kraus B, Gisin N, Renner R. Lower and upper bounds on the secret-key rate for quantum key distribution protocols using one-way classical communication. Phys Rev Lett. 2005;95:080501. https://doi.org/10.1103/PhysRevLett.95.080501.

Hwang WY, Ahn DD, Hwang SW. Eavesdropper’s optimal information in variations of Bennett–Brassard 1984 quantum key distribution in the coherent attacks. Phys Lett A. 2001;279(3):133–8. https://doi.org/10.1016/S0375-9601(00)00825-2.

Dušek M, Haderka O, Hendrych M. Generalized beam-splitting attack in quantum cryptography with dim coherent states. Opt Commun. 1999;169(1):103–8. https://doi.org/10.1016/S0030-4018(99)00419-8.

Brassard G, Lütkenhaus N, Mor T, Sanders BC. Limitations on practical quantum cryptography. Phys Rev Lett. 2000;85:1330–3. https://doi.org/10.1103/PhysRevLett.85.1330.

Bennett CH. Quantum cryptography using any two nonorthogonal states. Phys Rev Lett. 1992;68:3121–4. https://doi.org/10.1103/PhysRevLett.68.3121.

Huttner B, Imoto N, Gisin N, Mor T. Quantum cryptography with coherent states. Phys Rev A. 1995;51:1863–9. https://doi.org/10.1103/PhysRevA.51.1863.

Hwang W-Y. Quantum key distribution with high loss: toward global secure communication. Phys Rev Lett. 2003;91:057901. https://doi.org/10.1103/PhysRevLett.91.057901.

Lo H-K, Ma X, Chen K. Decoy state quantum key distribution. Phys Rev Lett. 2005;94:230504. https://doi.org/10.1103/PhysRevLett.94.230504.

Wang X-B. Beating the photon-number-splitting attack in practical quantum cryptography. Phys Rev Lett. 2005;94:230503. https://doi.org/10.1103/PhysRevLett.94.230503.

Ma X, Qi B, Zhao Y, Lo H-K. Practical decoy state for quantum key distribution. Phys Rev A. 2005;72:012326. https://doi.org/10.1103/PhysRevA.72.012326.

Wang Q, Wang X-B, Guo G-C. Practical decoy-state method in quantum key distribution with a heralded single-photon source. Phys Rev A. 2007;75:012312. https://doi.org/10.1103/PhysRevA.75.012312.

Ma X, Fung C-HF, Dupuis F, Chen K, Tamaki K, Lo H-K. Decoy-state quantum key distribution with two-way classical postprocessing. Phys Rev A. 2006;74:032330. https://doi.org/10.1103/PhysRevA.74.032330.

Scarani V, Acín A, Ribordy G, Gisin N. Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations. Phys Rev Lett. 2004;92:057901. https://doi.org/10.1103/PhysRevLett.92.057901.

Boyer M, Kenigsberg D, Mor T. Quantum key distribution with classical Bob. Phys Rev Lett. 2007;99:140501. https://doi.org/10.1103/PhysRevLett.99.140501.

Boyer M, Gelles R, Kenigsberg D, Mor T. Semiquantum key distribution. Phys Rev A. 2009;79:032341. https://doi.org/10.1103/PhysRevA.79.032341.

Zou X, Qiu D, Li L, Wu L, Li L. Semiquantum-key distribution using less than four quantum states. Phys Rev A. 2009;79:052312. https://doi.org/10.1103/PhysRevA.79.052312.

Boyer M, Katz M, Liss R, Mor T. Experimentally feasible protocol for semiquantum key distribution. Phys Rev A. 2017;96:062335. https://doi.org/10.1103/PhysRevA.96.062335.

Amer O, Krawec WO. Semiquantum key distribution with high quantum noise tolerance. Phys Rev A. 2019;100:022319. https://doi.org/10.1103/PhysRevA.100.022319.

Zhang W, Qiu D, Mateus P. Single-state semi-quantum key distribution protocol and its security proof. Int J Quantum Inf. 2020;18(04):2050013. https://doi.org/10.1142/S0219749920500136.

Krawec WO, Liss R, Mor T. Security proof against collective attacks for an experimentally feasible semi-quantum key distribution protocol. 2020. arXiv preprint. arXiv:2012.02127.

Han S, Huang Y, Mi S, Qin X, Wang J, Yu Y, Wei Z, Zhang Z. Proof-of-principle demonstration of semi-quantum key distribution based on the mirror protocol. EPJ Quantum Technol. 2021;8(1):28. https://doi.org/10.1140/epjqt/s40507-021-00117-8.

Gottesman D, Lo H-K, Lutkenhaus N, Preskill J. Security of quantum key distribution with imperfect devices. In: International symposium on Information theory, 2004. Proceedings. 2004. p. 136. https://doi.org/10.1109/ISIT.2004.1365172.

Lütkenhaus N, Jahma M. Quantum key distribution with realistic states: photon-number statistics in the photon-number splitting attack. New J Phys. 2002;4(1):44.

Csiszár I, Korner J. Broadcast channels with confidential messages. IEEE Trans Inf Theory. 1978;24(3):339–48.

Shor PW, Preskill J. Simple proof of security of the BB84 quantum key distribution protocol. Phys Rev Lett. 2000;85:441–4. https://doi.org/10.1103/PhysRevLett.85.441.

## Acknowledgements

The authors thank the Guangdong Provincial Key Laboratory of Quantum Engineering and Quantum Materials and Bluedon Information Security Technology Co., Ltd.

## Funding

National Science Foundation of China (62071186, 61771205); National Science Foundation of Guangdong Province (2015A030313388); Science and Technology Planning Projects of Guangdong Province (2015B010128012, 2017KZ010101); Guangdong Provincial Key Laboratory (grant no. 2020B1212060066).

## Author information

### Contributions

All authors read and approved the final manuscript.

## Ethics declarations

### Competing interests

The authors declare no competing interests.

## Rights and permissions

**Open Access** This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

## About this article

### Cite this article

Dong, S., Mi, S., Hou, Q. *et al.* Decoy state semi-quantum key distribution.
*EPJ Quantum Technol.* **10**, 18 (2023). https://doi.org/10.1140/epjqt/s40507-023-00175-0
