Decoy-State QKD — padho.wiki

In short

Weak-coherent lasers — the sources used in every real QKD deployment — emit a Poisson-distributed number of photons per pulse. Some pulses contain zero photons, most contain one, and a non-zero fraction contain two or more. The multi-photon pulses open a devastating loophole called the photon-number-splitting (PNS) attack: Eve intercepts only the multi-photon pulses, keeps one photon in quantum memory, forwards the rest to Bob, and waits for Alice to announce her basis before measuring. She learns Alice's bit with zero disturbance — the single-photon pulses pass through untouched, so Bob sees no QBER. Without protection, practical BB84 would be broken past a few tens of kilometres. Decoy-state QKD (Hwang, Lo-Ma-Chen, Wang, 2003–2005) solves this without changing the hardware. Alice randomly interleaves her signal pulses (mean photon number \mu) with decoy pulses of different intensities (\nu_1, \nu_2, \ldots). After transmission she announces which was which. By comparing the detection rates at different intensities, Alice and Bob solve a small system of linear equations to extract the single-photon yield Y_1 and single-photon error rate e_1 — the only quantities that matter for PNS-safe key extraction. The resulting secure key rate is high enough to push fibre QKD past 200\,\text{km} and makes satellite QKD practical. ISRO's 2022 Bengaluru–Mount Abu demonstration, and every modern deployed QKD system, runs decoy-state BB84.

BB84's security proof assumes Alice sends one photon per pulse. Real Alice sends light from a laser that has been attenuated down to "about one photon on average." That phrase hides a statistical truth: the number of photons in each pulse is random, following a Poisson distribution. Some pulses carry zero photons (Bob never hears from them, no harm done). Most carry one. A small but non-zero fraction carry two or more — and those multi-photon pulses are an open door for an eavesdropper.

This chapter is about that open door and how decoy states nail it shut. You will see why the PNS attack works, why naïve BB84 cannot detect it, what a decoy state actually is, and the key-rate formula that has been in the security proof of every deployed QKD product for the past twenty years. By the end, you should be able to explain why the 2022 ISRO demonstration between Bengaluru and Mount Abu — and every other production QKD link on Earth — uses decoy states as a matter of course.

Why real photon sources are not single-photon sources

A true single-photon source — a device that emits exactly one photon, on demand, with perfect timing and indistinguishability — is extraordinarily difficult to build. Prototypes exist (quantum dots, NV centres in diamond, heralded parametric down-conversion), but none of them deliver the clock rate, wavelength, and ruggedness a telecom QKD system needs. What every deployed QKD system actually uses is a weak coherent pulse (WCP) source: an ordinary semiconductor laser, attenuated with optical filters until the average photon number per pulse is below one.

A coherent laser pulse has a well-defined amplitude but not a well-defined photon number. The number of photons n detected in a pulse is a random variable. For a coherent state of mean photon number \mu, the probability of detecting exactly n photons follows the Poisson distribution:

P(n; \mu) = \frac{\mu^n e^{-\mu}}{n!}.

Why Poisson: a coherent state |\alpha\rangle with |\alpha|^2 = \mu is a superposition of photon-number states |n\rangle with amplitudes e^{-\mu/2}\,\alpha^n/\sqrt{n!}. Squaring gives P(n) = e^{-\mu}\mu^n/n!. This is the fingerprint of classical light: photon-number fluctuations you cannot remove by any filtering, because they are built into the laser's quantum state.

Typical QKD sources run at \mu \approx 0.1 to 0.5 photons per pulse. At \mu = 0.5, the distribution reads:

P(0) = e^{-0.5} \approx 0.607 — about 61% of pulses are empty.
P(1) = 0.5\,e^{-0.5} \approx 0.303 — about 30% are genuine singles.
P(2) = 0.25\,e^{-0.5}/2 \approx 0.0758 — about 7.6% are doubles.
P(\ge 2) \approx 1 - P(0) - P(1) \approx 0.090 — about 9% are multi-photon.

Poisson photon-number distributions at three source intensities. At $\mu = 0.5$, about 7.6% of non-empty pulses contain two or more photons. These multi-photon pulses are the attack surface the PNS eavesdropper will exploit.

The multi-photon fraction matters because a pulse with two photons carries two copies of the same quantum state. Alice, preparing a |+\rangle state in a weak coherent pulse that happens to contain two photons, has accidentally sent |+\rangle \otimes |+\rangle. No-cloning is not violated — Alice did not clone an unknown state, she prepared two copies of a state she chose. But from Eve's perspective, one of those copies is a free gift.

The photon-number-splitting attack

The PNS attack (first studied in detail by Brassard, Lütkenhaus, Mor, and Sanders around 2000) works as follows. Eve sits on the quantum channel with a quantum non-demolition measurement device that can count the number of photons in a pulse without disturbing the polarisation. For each pulse she counts photons and reacts:

0 photons. Block the pulse — it would not have reached Bob anyway because of fibre loss.
1 photon. Block the pulse. (This is conservative: single-photon pulses are the ones Eve cannot gain information from without introducing QBER, so she drops them entirely.)
2+ photons. Split off one photon, store it in quantum memory, forward the remaining photon(s) to Bob.

After Bob has received everything, Alice announces the basis for each pulse (step 4 of BB84). Eve now measures her stored photon in the correct basis — zero disturbance, perfect information. Eve has learned the bit; Bob has received a single photon in the correct state; neither Alice nor Bob sees any QBER.

Eve sits on the line with a photon counter and a quantum memory. She lets only multi-photon pulses through (the ones she can split), stores one photon from each, and after Alice announces the basis, measures her stored photons in the right basis. From Bob's side, everything looks like ordinary channel loss. The key Eve obtains is exactly the fraction of the sifted key that came from multi-photon pulses.

The devastating part is that fibre loss masks the attack. Over 100\,\text{km} of telecom fibre, single-photon transmission is about 10^{-2}. Bob already expects to receive only one pulse in a hundred. If Eve blocks all single-photon pulses and forwards only multi-photon ones, Bob's detection rate drops to the multi-photon fraction — roughly the same order of magnitude as what fibre loss would produce at the same distance. Bob cannot tell from his count rate that anything is wrong.

The fraction of Bob's sifted key that Eve has captured is the fraction that came from multi-photon pulses. At \mu = 0.5 over 100\,\text{km} of fibre with no decoy protection, this fraction approaches 100% — Eve has effectively the whole key while Bob and Alice see no error rate increase.

Hype check. Popular articles sometimes claim BB84 is "unconditionally secure." The protocol is, against an adversary bound only by quantum mechanics. The devices are not. PNS is not a break of the BB84 security theorem — it is a break of the idealisation that Alice's pulses contain one photon each. Decoy states fix the idealisation without replacing the source.

The decoy-state idea

In 2003, Won-Young Hwang published a short paper with a startling proposal: make Alice's source lie about its intensity. Specifically, Alice randomly chooses the intensity of each pulse from a small menu. A "signal" pulse has intensity \mu; one or more "decoy" pulses have different intensities \nu_1, \nu_2, \ldots, with \nu_1 < \mu typically. Alice records which was which; she does not tell Bob until after transmission.

The key observation: Eve cannot tell a signal from a decoy. Both are weak coherent pulses. Both are Poisson-distributed in photon number. Eve's PNS attack depends on photon count, not intensity label — she will treat a decoy pulse exactly as she treats a signal pulse of the same photon count.

So Eve's behaviour at each photon number n is the same for signal and decoy pulses. This means the probability that a pulse with n photons reaches Bob and produces a click — call it Y_n, the yield at photon number n — is the same whether the pulse was labelled signal or decoy. Eve cannot make Y_1 different for signals than for decoys; she does not know which is which.

But the overall detection rate at each intensity depends on which yields Y_n dominate. At low intensity, most pulses with detections came from n = 1; at higher intensity, the contribution of n = 2, 3, \ldots grows. By comparing the detection rates at different intensities, Alice and Bob can disentangle the yields Y_n.

Decoy states in cartoon form. Alice randomly interleaves three intensities — signal $\mu$, decoy $\nu_1$, vacuum $\nu_2 \approx 0$ — and announces the labels after transmission. Eve sees only photons, not labels, so her attack behaves identically at each label. The three observed gains $Q_\mu, Q_{\nu_1}, Q_{\nu_2}$ are linear combinations of the same photon-number yields $Y_n$; solving for $Y_1$ exposes any PNS behaviour.

What Bob actually measures: gain and error rate

Let's nail down the observable quantities. After transmission and basis sifting, for each intensity \lambda \in \{\mu, \nu_1, \nu_2, \ldots\}:

Gain Q_\lambda: the probability that Bob records a detection (a click in his detector), per pulse Alice sent at intensity \lambda, on positions where bases matched. This is just a fraction of total sifted pulses.
Error rate E_\lambda: the QBER — fraction of clicks where Bob's recorded bit disagrees with Alice's — conditional on Bob having clicked.

Now each pulse at intensity \lambda contains n photons with probability P(n;\lambda) = e^{-\lambda}\lambda^n/n!. Given n photons, let Y_n be the yield — the probability Bob registers a click — and let e_n be the error rate given a click. These Y_n and e_n depend on the channel (loss, Bob's detector efficiency, Eve's behaviour), but not on \lambda — because Eve cannot tell \lambda from the photon count alone.

Summing over all photon numbers:

Q_\lambda = \sum_{n=0}^\infty P(n;\lambda)\,Y_n = e^{-\lambda} \sum_{n=0}^\infty \frac{\lambda^n}{n!}\,Y_n.

Q_\lambda E_\lambda = \sum_{n=0}^\infty P(n;\lambda)\,Y_n\,e_n.

Why Y_n and e_n are intensity-independent: Eve's strategy can depend on the photon count she measures (she does QND counting), but it cannot depend on the label \lambda because Alice has not yet announced the labels. Whatever probability of detection she grants a 2-photon pulse, she grants it the same regardless of whether Alice wrote "signal" or "decoy" on the back of the pulse.

With three intensities — one signal, one weak decoy, and one vacuum decoy (\nu_2 = 0) — Alice and Bob have three equations in the infinitely many unknowns Y_0, Y_1, Y_2, \ldots That looks hopeless, but for security we only need a lower bound on Y_1 (the single-photon yield) and an upper bound on e_1 (the single-photon error). Both bounds can be extracted from the three equations using a handful of algebraic inequalities. The exact bounds were derived by Lo, Ma, and Chen in their 2005 paper and are what every deployed system uses.

The Lo-Ma-Chen bounds

For the two-decoy protocol with intensities \mu > \nu_1 > \nu_2 = 0, the estimates are:

Vacuum yield. Y_0 \approx Q_{\nu_2}. Because at \nu_2 = 0, every pulse has zero photons, so the only source of clicks is detector dark counts and stray light: Q_0 = Y_0.

Single-photon yield lower bound.

Y_1 \ge \frac{\mu}{\mu \nu_1 - \nu_1^2}\left(Q_{\nu_1} e^{\nu_1} - Q_\mu e^\mu \frac{\nu_1^2}{\mu^2} - \frac{\mu^2 - \nu_1^2}{\mu^2}\,Y_0\right).

Single-photon error upper bound.

e_1 \le \frac{E_{\nu_1} Q_{\nu_1} e^{\nu_1} - e_0 Y_0}{Y_1 \nu_1}.

These expressions are intimidating but mechanical: feed in the four observed quantities (Q_\mu, Q_{\nu_1}, E_\mu, E_{\nu_1}) plus the pre-set intensities (\mu, \nu_1), out come numerical bounds on (Y_1, e_1). The security proof then uses only those bounds.

The secure key rate

With Y_1 and e_1 in hand, the secure key rate per pulse transmitted is (the GLLP–decoy formula):

R \ge q\Bigl\{-Q_\mu\,f(E_\mu)\,H_2(E_\mu) + Q_1\bigl[1 - H_2(e_1)\bigr]\Bigr\},

where q is the sifting fraction (typically 1/2), Q_1 = \mu e^{-\mu} Y_1 is the single-photon gain, H_2(x) = -x\log_2 x - (1-x)\log_2(1-x) is the binary entropy function, and f(E) \ge 1 is the efficiency of the classical error-correction code (typically 1.1–1.2).

The structure of the formula tells a clear story:

The negative term -Q_\mu f(E_\mu) H_2(E_\mu) is the cost of error correction: Alice must leak H_2(E_\mu) bits per signal click to reconcile Bob's errors, times a code-overhead factor f.
The positive term Q_1 [1 - H_2(e_1)] is the raw secrecy from single-photon pulses: of every bit Bob received from a single-photon pulse, 1 - H_2(e_1) bits are demonstrably unknown to Eve.
Multi-photon bits contribute nothing to the positive term. They are correctable (so they enter the negative term) but not secret (Eve has them).

Why only single-photon pulses count as secret: a single-photon pulse carries one quantum of the key state; no-cloning forbids Eve from copying it without disturbance. A multi-photon pulse carries multiple identical copies; Eve can take one and leave the rest undisturbed — she gets the bit for free. Decoy states let us count the single-photon pulses even though we cannot mark them individually.

Without decoy states, Q_1 would have to be bounded pessimistically by assuming Eve did the worst thing possible with every pulse — which at \mu = 0.5 leaves Q_1 negligible beyond a few tens of kilometres and kills the key rate. With decoy states, Q_1 is measured (well, bounded), not guessed, and the key rate stays healthy out to 200\,\text{km} of fibre and beyond.

Secure key rate versus fibre distance. Without decoy states, pessimistic bounds on $Y_1$ crash the secure rate past about $40\,\text{km}$. With decoy states, $Y_1$ is tightly bounded from the observed statistics, and the rate decays only as fast as the single-photon channel loss allows — around $200$–$250\,\text{km}$ of telecom fibre with current hardware.

Worked example 1 — decoding Y_1 from two intensities

Example 1 — two-intensity decoy with $\mu = 0.5$ and $\nu_1 = 0.1$

Setup. Alice runs a BB84 session at 850\,\text{nm} with a weak coherent source. Each pulse is randomly labelled signal or decoy with equal probability; the signal intensity is \mu = 0.5 photons/pulse, the decoy intensity is \nu_1 = 0.1 photons/pulse. Bob also runs a vacuum decoy at \nu_2 = 0 for background calibration. After the run, Alice announces intensities over the classical channel and they tabulate sifted-key statistics per intensity.

Observed quantities. Suppose the measurements give:

Q_\mu = 1.4 \times 10^{-2} (signal gain).
Q_{\nu_1} = 3.1 \times 10^{-3} (decoy gain).
Q_{\nu_2} = 1.0 \times 10^{-5} (vacuum gain — detector dark counts).
E_\mu = 2.5\%, E_{\nu_1} = 3.0\%.

Step 1 — estimate vacuum yield. Y_0 \approx Q_{\nu_2} = 1.0 \times 10^{-5}. These are the clicks produced by detector noise alone, unrelated to any photon Alice sent.

Step 2 — bound Y_1 from below using the Lo-Ma-Chen formula.

Y_1 \ge \frac{\mu}{\mu\nu_1 - \nu_1^2}\left(Q_{\nu_1}\,e^{\nu_1} - Q_\mu\,e^\mu\,\frac{\nu_1^2}{\mu^2} - \frac{\mu^2 - \nu_1^2}{\mu^2}\,Y_0\right).

Plug in \mu = 0.5, \nu_1 = 0.1:

Prefactor: \mu / (\mu\nu_1 - \nu_1^2) = 0.5 / (0.05 - 0.01) = 0.5/0.04 = 12.5.
First term: Q_{\nu_1} e^{\nu_1} = 3.1 \times 10^{-3} \times 1.105 \approx 3.43 \times 10^{-3}.
Second term: Q_\mu e^\mu (\nu_1/\mu)^2 = 1.4 \times 10^{-2} \times 1.649 \times 0.04 \approx 9.23 \times 10^{-4}.
Third term: ((0.25 - 0.01)/0.25) \times 10^{-5} = 0.96 \times 10^{-5} \approx 1.0 \times 10^{-5}.

Combine: Y_1 \ge 12.5 \times (3.43 \times 10^{-3} - 9.23 \times 10^{-4} - 1.0 \times 10^{-5}) = 12.5 \times 2.50 \times 10^{-3} \approx 3.12 \times 10^{-2}.

So the single-photon yield is at least about 3\%. Why the number matters: without the decoy analysis, a conservative security proof would bound Y_1 \ge Q_\mu - \Delta_{\ge 2}, where \Delta_{\ge 2} is the maximum multi-photon contribution Eve could control — often giving Y_1 \ge 0 at this distance. The decoy bound turns "Y_1 \ge 0" into "Y_1 \ge 3\%," unlocking a usable key rate.

Step 3 — compute single-photon gain. Q_1 = \mu\,e^{-\mu}\,Y_1 \ge 0.5 \times 0.607 \times 0.0312 \approx 9.5 \times 10^{-3}. About 68\% of Bob's signal clicks come from genuinely single-photon pulses.

Step 4 — bound e_1.

e_1 \le \frac{E_{\nu_1} Q_{\nu_1} e^{\nu_1} - e_0 Y_0}{Y_1 \nu_1},

with e_0 = 1/2 (dark count clicks are random — equal chance of matching Alice or not).

Numerator: 0.030 \times 3.1 \times 10^{-3} \times 1.105 - 0.5 \times 10^{-5} = 1.028 \times 10^{-4} - 0.5 \times 10^{-5} \approx 9.78 \times 10^{-5}.
Denominator: Y_1 \nu_1 \ge 0.0312 \times 0.1 = 3.12 \times 10^{-3}.
Ratio: 9.78 \times 10^{-5} / 3.12 \times 10^{-3} \approx 3.1\%.

So the single-photon error rate is at most e_1 \le 3.1\% — well below the BB84 security threshold of about 11\%.

Step 5 — secure rate per sifted bit. Using the key-rate formula with f = 1.16:

R/q \ge -Q_\mu \cdot 1.16 \cdot H_2(0.025) + Q_1 \cdot [1 - H_2(0.031)].

H_2(0.025) \approx 0.168, H_2(0.031) \approx 0.198.
-Q_\mu \cdot 1.16 \cdot 0.168 \approx -1.4 \times 10^{-2} \times 0.195 \approx -2.7 \times 10^{-3}.
Q_1 \cdot (1 - 0.198) \approx 9.5 \times 10^{-3} \times 0.802 \approx 7.6 \times 10^{-3}.
Net: R/q \ge 4.9 \times 10^{-3} bits per sifted click — healthy.

The decoy-state analysis pipeline for this example. Four observed quantities yield two PNS-safe bounds, which yield a secure rate. Every step is elementary algebra once you accept the Lo-Ma-Chen formulae.

What this shows. Decoy-state analysis is arithmetic: plug observed gains and errors into a closed-form formula, get numerical bounds on the PNS-safe yield and error, extract a secure rate. No new hardware, no new measurement — just a disciplined labelling of Alice's pulses and a small amount of post-processing.

Worked example 2 — with and without decoy, 100 km

Example 2 — same hardware, $100\,\text{km}$ fibre, two security models

Setup. A 1550\,\text{nm} fibre at 0.2\,\text{dB/km} over 100\,\text{km} gives a one-way transmission of \eta = 10^{-100 \times 0.02} = 10^{-2} = 1\%. Bob's detector efficiency is \eta_B = 20\%, his dark-count rate gives Y_0 = 10^{-6}, and the intrinsic QBER from polarisation drift and detector noise is \sim 1\%. Alice uses \mu = 0.5 for the signal intensity; decoy intensities are \nu_1 = 0.1 and \nu_2 = 0.

Channel yields. The yield for an n-photon pulse, if Eve is passive, is approximately Y_n \approx 1 - (1 - \eta\eta_B)^n \approx n\eta\eta_B for small \eta\eta_B.

Y_1 \approx 1 \times 10^{-2} \times 0.2 = 2 \times 10^{-3}.
Y_2 \approx 2 \times Y_1 = 4 \times 10^{-3}.

So single-photon pulses click at rate \sim 0.2\% and 2-photon pulses at \sim 0.4\%.

Case A — no decoy (naïve GLLP). Without the decoy analysis, the security proof must assume Eve has done the worst possible PNS attack: she blocks every single-photon pulse and passes only multi-photon pulses (where she has a copy). In that model the single-photon contribution to the click rate is bounded below by

Q_1^{\text{naïve}} \ge Q_\mu - P_{\ge 2}(\mu),

where P_{\ge 2}(\mu) = 1 - e^{-\mu}(1 + \mu) \approx 0.090 for \mu = 0.5. Meanwhile Q_\mu \approx \mu \eta \eta_B = 0.5 \times 0.01 \times 0.2 = 10^{-3}.

Q_\mu = 10^{-3} < P_{\ge 2} \approx 0.09. The naïve bound gives Q_1 \ge 10^{-3} - 0.09, which is negative — useless. The proof fails: no positive secure rate can be established. In practice, one would set \mu much lower (say \mu \approx 0.01) to shrink P_{\ge 2}, but then Q_\mu shrinks even faster and the key rate crashes.

Case B — decoy-state. With two decoy intensities Alice and Bob measure Q_\mu, Q_{\nu_1}, Q_{\nu_2} and solve for Y_1. In a realistic 100\,\text{km} run the decoy bound gives Y_1 \ge \sim 2 \times 10^{-3} (almost the true value, because at this loss, multi-photon pulses contribute a small fraction of clicks).

Single-photon gain: Q_1 = \mu e^{-\mu} Y_1 \approx 0.5 \times 0.607 \times 2 \times 10^{-3} = 6.1 \times 10^{-4}.

Substituting into the key-rate formula with E_\mu \approx 1.5\%, e_1 \approx 1.5\%:

R \ge 0.5 \times \bigl[-10^{-3} \times 1.16 \times H_2(0.015) + 6.1 \times 10^{-4} \times (1 - H_2(0.015))\bigr].

H_2(0.015) \approx 0.112.
-10^{-3} \times 1.16 \times 0.112 \approx -1.3 \times 10^{-4}.
6.1 \times 10^{-4} \times 0.888 \approx 5.4 \times 10^{-4}.
Net: R \ge 0.5 \times 4.1 \times 10^{-4} = 2.1 \times 10^{-4} bits per pulse sent.

At a pulse rate of 1\,\text{GHz}, that is about \mathbf{2 \times 10^5} bits per second of secure key — a comfortable rate for refreshing AES keys on a one-second cadence.

Compare. Without decoy: zero secure rate at 100\,\text{km}. With decoy: \sim 200\,\text{kbit/s}. The decoy-state modification has added nothing to the hardware — Alice's attenuator just cycles between two voltage levels instead of one — but has converted a broken protocol into a deployable one.

The same hardware, the same fibre, the same $100\,\text{km}$ distance — the only difference is whether Alice randomised her pulse intensity and applied the Lo-Ma-Chen bounds. Decoy states are free, in the sense that they cost nothing but firmware.

What this shows. Decoy states are the paradigmatic example of a protocol-level fix for a hardware-level limitation. The weak-coherent source is unchanged; Eve's attack is unchanged; what changes is the discipline with which Alice varies pulse intensity and the math with which Alice and Bob post-process the statistics. The deployed QKD industry exists because of this one move.

Deployments today

Decoy-state BB84 is the engine of every major QKD deployment:

ID Quantique (Switzerland, founded 2001) shipped decoy-state BB84 in its Cerberis product line from the late 2000s onward, initially protecting bank-to-bank links in Geneva and now deployed at dozens of enterprise sites.
Toshiba's Cambridge Research Lab (UK) has run decoy-state BB84 over installed fibre for the BT and NICT collaborations, with a London metro network demo in 2019 at rates above 10\,\text{Mbit/s} over 50\,\text{km}.
China's Micius satellite (launched 2016) executed decoy-state BB84 between orbit and ground stations in Xinglong and Graz, the first satellite-to-ground QKD.
India's ISRO–RRI satellite QKD demonstration (March 2022) used decoy-state BB84 at 850\,\text{nm} over a \sim 300\,\text{km} free-space Bengaluru-to-Mount-Abu link via a Low Earth Orbit platform. The protocol used \mu = 0.5, \nu_1 = 0.1, \nu_2 \approx 0. Achieved QBER on clear-sky passes was < 6\%, well under threshold.
QNu Labs (Bengaluru) — India's first commercial QKD vendor — ships decoy-state BB84 in its Armos product. Deployments include inter-branch links for Indian banks and the Indian Navy.
China's Beijing–Shanghai backbone (\sim 2000\,\text{km}, 32 trusted nodes) uses decoy-state BB84 on every hop.

You will not find a deployed QKD system that does not use decoy states. The 2003–2005 invention replaced the textbook-idealisation assumption about the source with a protocol-level workaround that is simpler, cheaper, and more robust than building a true single-photon source. It is one of the quietly successful pieces of cryptographic engineering of the twenty-first century.

Common confusions

"Decoy pulses are sent to fool Eve into attacking them." Not quite. Decoy pulses are not fake; they are real, they carry real photons (possibly zero in the \nu_2 case), and Bob really measures them. The "decoy" naming is misleading — these are statistical calibration pulses, not honeypots. They fool Eve because Eve cannot tell them apart from signal pulses, but they are not themselves deceptive — they simply have a different intensity.
"Only Alice's source needs decoys — Bob is fine." Correct — decoy states address the source-side PNS attack. Detector-side attacks (blinding, time-shift) need different countermeasures like MDI-QKD. Decoy states are a source-side fix, and modern systems often combine them with detector-side countermeasures.
"With decoy states, single-photon sources are obsolete." Not quite. Decoy states achieve PNS-safe rates comparable to a true single-photon source at practical distances. But true single-photon sources still have advantages — no e^{-\mu} vacuum penalty, cleaner security proofs, higher Q_1 per pulse. Research on single-photon sources (quantum dots, NV centres) continues alongside decoy-state-in-production deployments.
"Any number of decoys is fine." Two decoys (one vacuum, one weak) gives tight bounds; three or more gives marginal improvement. Most production systems use the two-decoy (or even one-decoy) protocol for simplicity. Asymptotic analysis favours three; finite-key analysis often favours two, because statistical fluctuations in the third intensity can loosen the bounds.
"Decoy states add latency." Decoy states are interleaved at the pulse level (hundreds of megahertz). Alice's intensity randomisation is done with an electro-optic modulator in front of the laser. Labels are announced in the same classical-channel message that carries basis announcements. No extra round trips; latency is identical to plain BB84.

Going deeper

If you understand that weak-coherent laser pulses have Poisson-distributed photon numbers, that multi-photon pulses let Eve split off a copy (PNS attack), that decoy-state BB84 varies intensity randomly and uses the observed gains to lower-bound Y_1 and upper-bound e_1 via the Lo-Ma-Chen formula, and that every deployed QKD system (ID Quantique, Toshiba, Micius, ISRO's 2022 demonstration) uses this technique — you have chapter 155. The material below is for readers who want the sharper version: the formal PNS attack analysis, the Lo-Ma-Chen proof sketch, finite-key effects, and a comparison to twin-field QKD.

The formal PNS attack

The PNS attack was formalised by Brassard, Lütkenhaus, Mor, and Sanders in 2000. Eve's optimal strategy has three stages.

Stage 1 — photon counting. Eve uses a quantum non-demolition (QND) measurement to determine the photon number n of each pulse without touching the polarisation. QND photon counters exist in principle (photonic crystal cavities, cross-Kerr interactions) though they are not yet practical at telecom wavelengths; Eve's capability is assumed but not experimentally demonstrated.

Stage 2 — selective forwarding. For n \ge 2, Eve extracts one photon and stores it in quantum memory. She forwards the other n-1 photons on a lossless bypass channel (Eve is assumed to have a better fibre than Alice). For n = 0, 1, Eve either blocks the pulse or forwards it without touching it, depending on the variant.

Stage 3 — delayed measurement. After Alice announces the basis (step 4 of BB84), Eve measures her stored photon in the correct basis and learns the bit perfectly.

The classic naïve-bound attack (stage-two "block all n=1") gives Eve perfect information on a fraction P_{\ge 2}(\mu) / [P_{\ge 2}(\mu) + \text{losses}] of Bob's key. At high loss, this fraction approaches 1. Decoy states defeat the attack because Eve cannot selectively attack signal pulses — she would attack decoy pulses the same way, changing the observed Q_{\nu_1} in ways that decoy analysis catches.

Lo-Ma-Chen proof sketch

The Lo-Ma-Chen 2005 paper [2] proves the inequality chain as follows. Starting from

Q_\lambda e^\lambda = \sum_n \frac{\lambda^n}{n!} Y_n,

consider the weighted difference

\mu^2\,Q_{\nu_1}\,e^{\nu_1} - \nu_1^2\,Q_\mu\,e^\mu = \mu^2 \sum_n \frac{\nu_1^n}{n!} Y_n - \nu_1^2 \sum_n \frac{\mu^n}{n!} Y_n.

For n = 0, 1, the coefficient of Y_n is \mu^2\,\nu_1^n/n! - \nu_1^2\,\mu^n/n!, which evaluates to \mu^2 - \nu_1^2 at n = 0 and \mu^2 \nu_1 - \nu_1^2 \mu = \mu\nu_1(\mu - \nu_1) at n = 1. For n \ge 2, the coefficient is positive, so dropping those terms only strengthens the inequality:

\mu^2\,Q_{\nu_1}\,e^{\nu_1} - \nu_1^2\,Q_\mu\,e^\mu \ge (\mu^2 - \nu_1^2)\,Y_0 + \mu\nu_1(\mu - \nu_1)\,Y_1.

Rearranging for Y_1 gives the lower-bound formula. The proof is a clever use of the Poisson-moment inequality: \sum_n (\nu_1^n/n!) Y_n \le \sum_n (\mu^n/n!) Y_n \cdot (\nu_1/\mu)^n for monotone Y_n, which is always true because all Y_n \ge 0.

Finite-key effects

The asymptotic formula assumes infinitely many pulses. In practice, finite-key security analysis (Tomamichel, Lim, Gisin, Renner 2012) corrects the bounds using concentration inequalities. For N signal pulses at \mu = 0.5 over 100\,\text{km}, finite-key security requires N \gtrsim 10^8 to reach most of the asymptotic rate; below that, statistical penalties from small sample sizes in each intensity class eat into the secure key. Production systems run for hours or days to accumulate 10^9–10^{12} signal pulses and saturate the asymptotic bounds.

Asymptotic vs. one-decoy and two-decoy

Three-intensity decoy (signal + two decoys + vacuum) gives the tightest asymptotic bounds. Two-intensity decoy (one decoy + vacuum) is slightly looser but simpler to implement and often finite-key-optimal because the vacuum is so easy to measure that dark-count calibration is near-perfect. One-decoy protocols (signal + vacuum, no middle intensity) are the simplest but require \mu tuning to be competitive.

Comparison to twin-field QKD

Twin-field QKD (Lucamarini et al. 2018) changes the distance-rate scaling from O(\eta) (standard decoy-state) to O(\sqrt\eta) — a square-root improvement in key rate per fibre kilometre. TF-QKD uses an interferometric measurement at the midpoint, similar in spirit to MDI-QKD. It still needs decoy states to handle the weak-coherent sources at Alice and Bob; decoy-state analysis is compositional with the MDI/TF structure. TF-QKD demonstrations have pushed point-to-point QKD past 500\,\text{km} of fibre — all with decoy states on top.

Where this leads next

BB84 Protocol — the base protocol that decoy states upgrade. Every section here assumes you have that chapter's seven steps and no-cloning argument at hand.
B92 and Variants — the broader family of prepare-and-measure QKD protocols including MDI-QKD and twin-field QKD.
Device-Independent QKD — the next level of paranoia: remove trust in the devices themselves, using Bell-inequality violation as the security certificate.
Quantum Crypto Threat Model — why QKD exists at all, and how decoy-state BB84 fits into the post-quantum cryptography landscape.

References

Won-Young Hwang, Quantum key distribution with high loss: toward global secure communication (2003) — arXiv:quant-ph/0211153.
Hoi-Kwong Lo, Xiongfeng Ma and Kai Chen, Decoy state quantum key distribution (2005) — arXiv:quant-ph/0411004.
Xiang-Bin Wang, Beating the photon-number-splitting attack in practical quantum cryptography (2005) — arXiv:quant-ph/0410075.
Wikipedia, Decoy-state quantum key distribution.
John Preskill, Lecture Notes on Quantum Computation, Chapter 8 — theory.caltech.edu/~preskill/ph229.
ISRO Space Applications Centre, Satellite-based Quantum Communication demonstration (March 2022) — ISRO press release.