SARG04 (named after Valerio Scarani, Antonio Acín, Gregoire Ribordy, and Nicolas Gisin) is a 2004 quantum cryptography protocol derived from the first protocol of that kind, BB84.
Researchers built SARG04 when they noticed that by using the four states of BB84 with a different information encoding they could develop a new protocol which would be more robust, especially against the photon-number-splitting attack, when attenuated laser pulses are used instead of single-photon sources.
SARG04 was defined by Scarani et al. in 2004 in Physical Review Letters as a prepare and measure version (in which it is equivalent to BB84 when viewed at the level of quantum processing).
[1] In the SARG04 scheme, Alice wishes to send a private key to Bob.
The qubits are now in states which are not mutually orthogonal, and thus it is impossible to distinguish all of them with certainty without knowing
represents the effects of noise in the channel as well as eavesdropping by a third party we'll call Eve.
, it makes it virtually impossible for either Bob or Eve to distinguish the states of the qubits.
Bob proceeds to generate a string of random bits
, and uses those bits for his choice of basis when measuring the qubits transmitted by Alice.
At this point, Bob announces publicly that he has received Alice's transmission.
Alice will note whether the state is the computational basis state or the Hadamard basis state; that piece of information makes up the secret bit that Alice wishes to communicate to Bob.
To determine the secret bit, Bob must distinguish between the two candidate states.
For each qubit, Bob can check to see whether his measurement is consistent with either possible state.
If, on the other hand, one of the two candidate states was inconsistent with the observed measurement, Bob announces that the bit is valid, since he can deduce the state (and therefore the secret bit).
Thus in the case that Bob measures in the Hadamard basis and observes state
(and only in that case), Bob can deduce which state he was sent and therefore what the secret bit is.
bits where both Bob's measurement was conclusive, Alice randomly chooses
bits and discloses her choices over the public channel.
Both Alice and Bob announce these bits publicly and run a check to see if more than a certain number of them agree.
If this check passes, Alice and Bob proceed to use privacy amplification and information reconciliation techniques to create some number of shared secret keys.
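The sifting step described above, simulated for an ideal noiseless channel with no eavesdropper; this is an added example, not code from the SARG04 paper. It assumes the standard description in which Alice publicly names two candidate states (the one she sent plus one from the other basis). The mapping bit 0 = computational basis, bit 1 = Hadamard basis, and all function names, are chosen here for illustration.

```python
import random

Z, X = 0, 1  # computational and Hadamard bases; a state is (basis, value)

def measure(state, basis, rng):
    """Ideal projective measurement of one BB84 state in the given basis."""
    s_basis, s_value = state
    # Same basis: deterministic result. Conjugate basis: uniformly random.
    return s_value if s_basis == basis else rng.randrange(2)

def bob_deduce(pair, basis, outcome):
    """Return the secret bit if the outcome rules out one candidate, else None.

    Assumed encoding: bit 0 = computational-basis state, 1 = Hadamard-basis state.
    """
    # Only the candidate lying in Bob's measurement basis can be contradicted.
    in_basis = next(c for c in pair if c[0] == basis)
    other = next(c for c in pair if c[0] != basis)
    if in_basis[1] != outcome:      # orthogonal to the result: ruled out
        return other[0]             # so the other candidate was sent
    return None                     # both candidates still possible

def run_sarg04(n, seed=0):
    """Simulate n noiseless rounds; return (alice_bits, bob_bits) after sifting."""
    rng = random.Random(seed)
    alice_bits, bob_bits = [], []
    for _ in range(n):
        sent = (rng.randrange(2), rng.randrange(2))
        decoy = (1 - sent[0], rng.randrange(2))   # candidate from the other basis
        pair = (sent, decoy)                      # announced publicly; Bob ignores order
        basis = rng.randrange(2)                  # Bob's random basis choice
        bit = bob_deduce(pair, basis, measure(sent, basis, rng))
        if bit is not None:                       # Bob announces the bit as valid
            alice_bits.append(sent[0])            # Alice's bit is the basis she used
            bob_bits.append(bit)
    return alice_bits, bob_bits

if __name__ == "__main__":
    a, b = run_sarg04(20000)
    errors = sum(x != y for x, y in zip(a, b))
    print(f"kept {len(a)} of 20000 rounds, mismatches: {errors}")
```

In the noiseless case about a quarter of the rounds are conclusive and every kept bit matches Alice's; the basis itself is never announced, only the candidate pair.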
The advantage of this scheme relative to the simpler BB84 protocol is that Alice never announces the basis of her bit.
As a result, Eve needs to store more copies of the qubit in order to be able to eventually determine the state than she would if the basis were directly announced.
The intended use of SARG04 is in situations where the information originates from a Poissonian source producing weak pulses (that is, a mean number of photons < 1) and is received by an imperfect detector, which is the case when attenuated laser pulses are used instead of single photons.
[1] In the original "prepare and measure" version, SARG04's two conjugated bases are chosen with equal probability.
In SARG04, they are also discarded, "for simplicity", but their occurrence is monitored to prevent eavesdropping.
See the paper for a full quantum analysis of the various cases.
[1] Kiyoshi Tamaki and Hoi-Kwong Lo were successful in proving security for one- and two-photon pulses using SARG04.
[1] It has been confirmed that SARG04 is more robust than BB84 against incoherent PNS attacks.
[1] Unfortunately, an incoherent attack has been identified which performs better than a simple phase-covariant cloning machine, and SARG04 has been found to be particularly vulnerable in single-photon implementations when Q >= 14.9%.
[1] In single-photon implementations, SARG04 was theorised to be equal to BB84, but experiments have shown that it is inferior.