Dual-phase-modulated plug-and-play measurement-device-independent continuous-variable quantum key distribution

Qin Liao; Yijun Wang; Duan Huang; Ying Guo

doi:10.1364/OE.26.019907

1. Introduction

Quantum key distribution (QKD) [1,2] is a branch of quantum cryptography, whose goal is to provide an elegant way to allow two remote legitimate partners (Alice and Bob) to generate a random secure key with unconditional security [3, 4] over insecure quantum and classical channels. There are two approaches to implement QKD, i.e., discrete-variable (DV) QKD [5,6] and continuous-variable (CV) QKD [7–10]. In DVQKD, the polarization states of a single photon are usually exploited to transmit the information of key bits, whereas in CVQKD, the sender, Alice, usually encodes key bits in the quadratures (x̂ and p̂) of the optical field with Gaussian modulation [11], and the receiver, Bob, can restore the secret key bits through high-speed and high-efficiency homodyne or heterodyne detection techniques [12].

Currently, the CVQKD protocol has been implemented through the established standard telecommunication facilities, which is more convenient and practical than its DVQKD counterpart. However, there is usually an assumption that devices are perfect and cannot be eavesdropped by the third untrusted party, and consequently doubts about the immaculate CVQKD system have been raised. An ideal model of CVQKD is not enough for the security analysis of the practical CVQKD system. For example, there is no need to consider the effect of local oscillator (LO) in ideal models but it is necessary to take it into account in the practical CVQKD system, since eavesdroppers may exploit the transmitted LO to launch practical attacks such as wavelength attacks [13,14], saturation attacks [15], calibration attacks [16], and LO fluctuation attacks [17]. Furthermore, the imperfections of detectors can be maliciously exploited, which make the CVQKD system vulnerable to various attacks. To remove all existing and yet-to-be-discovered detector side channels, measurement-device-independent (MDI) QKD was proposed [18–20]. It offers an immense security advantage over standard security proofs and has the power to double the secure distance [19].

So far, much progress has been made in MDI-DVQKD [21–25] and MDI-CVQKD [26–29]. In a MDI-CVQKD protocol, both Alice and Bob are senders while an untrusted third party Charlie is introduced to realize Bell measurements. Such measurement results will be used by Alice and Bob in post-processing to generate the secure keys. MDI-CVQKD has become an important research limelight since it has many practical advantages, especially for a metropolitan QKD network [30]. Subsequently, C. Lupo et al. presented the composable security proof of MDI-CVQKD against coherent attacks [31]. However, the theoretical feasibility does not usually mean its experimental implement although its theoretical security has been proven. In the other words, the implementation of MDI-CVQKD at present may be impractical. For example, a strong light (LO) with weak signal light is required for realizing the practical CVQKD [32]. Because these two lights have to be precisely interfered in homodyne or heterodyne detector, the synchronization of the two beams is crucial to implement CVQKD communication. While this problem magnifies doubly in MDI-CVQKD with two senders Alice and Bob, it renders MDI-CVQKD hard to implement stably. Moreover, the Gaussian-modulated coherent states are prepared for Alice and Bob with symmetrical modulation, which is usually implemented by applying an amplitude modulator (AM) and a phase modulator (PM). Unfortunately, most of the widely used AMs, e.g. LiNbO₃ modulators, are polarization sensitive and features a polarizer, which means the part of light cannot be transmitted if its orientation is not aligned correctly [33]. As a result, the performance of the practical MDI-CVQKD system will be degenerated.

To solve the above-mentioned problems, in this paper, we suggest a plug-and-play (PP) scheme for MDI-CVQKD via the dual-phase modulation (DPM). In particular, the proposed scheme waives the necessity of propagation of the LO through the insecure quantum channels from Alice’s and Bob’s sides. Instead, the real LO is generated from the same laser of quantum signal at Charlie’s side, and thus it avoids the problems of synchronization of different lasers as well as the LO-aimed attacks. Moreover, the reference for the two signals can be guaranteed to be identical and the polarization drifts can be compensated automatically since only one laser is needed for the PP DPM-based MDI-CVQKD. Meanwhile, a polarization-insensitive dual-phase modulation strategy is adopted to Alice’s and Bob’s sides respectively, which shows better experimental feasibility of Gaussian modulation in PP configuration. We derive the security bounds against optimal Gaussian collective attacks, which shows that the proposed scheme works equivalently to symmetrically modulated Gaussian-state MDI-CVQKD protocols. Furthermore, we show that when considering the finite-size effect almost entire raw keys generated by the proposed scheme can be used for final secret key generation, rather than sacrifice part of it for parameter estimation, so that the performance of MDI-CVQKD can be improved. At the end of the paper, we give an experimental concept of the proposed scheme which can be deemed guideline for the final implementation.

This paper is structured as follows. In Sec. II, we describe the traditional MDI-CVQKD protocol, and subsequently propose the PP DPM-based MDI-CVQKD. In Sec. III, we focus on the security analysis with numerical simulation in asymptotic limit and finite-size regime. Finally, conclusions are drawn in Sec. IV.

2. PP DPM-based MDI-CVQKD protocol

To make the derivation of the PP DPM-based MDI-CVQKD protocol self-contained, we illustrate the characteristics of the MDI-CVQKD protocol and then extend it to the PP DPM-based MDI-CVQKD protocol.

2.1. Characteristics of the MDI-CVQKD protocol

In the MDI-CVQKD protocol, the side-channel attacks can be eliminated since one does not need to make any assumption on the measurement device. As shown in Fig. 1(a), two lasers are adopted to Alice’s and Bob’s side respectively, where each side modulates information independently using AM and PM. After that, the two Gaussian-modulated pulses are sent to Charlie who measures the incoming modes with Bell state measurement (BSM). In particular, the prepare-and-measure model of MDI-CVQKD protocol can be described as follows.

Step 1. Alice randomly prepares a coherent state with complex amplitudes α′ = (x′_A + ip′_A)/2 and Bob randomly prepares another coherent state with complex amplitudes β′ = (x′_B + ip′_B)/2, where the local variables X′ = (x′_A, p′_A) and Y′ = (x′_B, p′_B) are Gaussian distributed with variances V_A and V_B, respectively. Then Alice and Bob send their coherent states to Charlie.
Step 2. After receiving the transmitted coherent states, Charlie performs BSM-based detections. The coherent states are interfered and measured by the homodyne detectors, and the measurement results described as variable Z with complex value γ = (x_Z + ip_Z)/2 are announced by Charlie.
Step 3. When Alice and Bob receive Charlie’s measurement results, they can estimate the covariance matrix Γ_XYZ of the tripartite state ρ_XYZ, which can be used for the security analysis [11,34,35].
Step 4. Alice and Bob modify their data as X = (x_A, p_A) and Y = (x_B, p_B), where $\begin{array}{l} x_{A} = x_{A}^{'} - k_{x_{A}^{'}} (γ), p_{A} = p_{A}^{'} - k_{p_{A}^{'}} (γ), \\ x_{B} = x_{B}^{'} - k_{x_{B}^{'}} (γ), p_{B} = p_{B}^{'} - k_{p_{B}^{'}} (γ) . \end{array}$ Here k is the amplification coefficient related to channel loss, and the variables X and Y represent the local raw keys of Alice and Bob, respectively.
Step 5. Alice and Bob use an authenticated public channel to finish the error correction and privacy amplification, and finally generate the identical secret key.

Fig. 1 Schematic diagrams of (a) traditional MDI-CVQKD protocol. Alice and Bob prepare coherent states independently, and send them to Charlie for Bell state measurement. (b) PP MDI-CVQKD protocol. Charlie initially launches pulses to Alice and Bob, and then Alice and Bob reflect back the pulses to Charlie after Gaussian modulation. (c) PP DPM-based MDI-CVQKD protocol. Charlie still initially launches pulses to Alice and Bob, Alice and Bob respectively use dual-phase-modulation strategy to encode the information and subsequently send the pulses back to Charlie. AM, Amplitude modulator; PM, Phase modulator; FM, Faraday mirror; BS, Beam splitter; BSM, Bell state measurement.

Download Full Size | PDF

The prepare-and-measure model is usually easy to apply, while considering its security, the prepare-and-measure model is equivalent to the corresponding entanglement-based model for convenient security analysis [36]. As shown in Fig. 2, Alice and Bob first prepare two-mode squeezed vacuum state [Einstein-Podolsky-Rosen (EPR) state] respectively. Each sender keeps one mode A₁(or B₁) and sends another mode A₂(or B₂) to the third party (Charlie) through the untrusted quantum channel. An eavesdropper, says Eve, may replace the quantum channel between the two senders and Charlie with her own quantum channel to launch the entangling cloner attacks, which has been proven to be one kind of the optimal Gaussian collective attack [37, 38]. The incoming modes A₃ and B₃ are received by Charlie and subsequently interfered at a beam spiltter (BS) with two output modes A₄ and B₄. Then both the x-quadrature of A₄ and the p-quadrature of B₄ are measured by homodyne detectors, and the measurement result γ = (x_Z + ip_Z)/2 are announced by Charlie. After receiving Charlie’s measurement results, Alice and Bob respectively displace their own mode A₁(or B₁) by operations D̂_A(γ) and D̂_B(γ). Finally, the yielded modes A and B are measured by heterodyne detectors to generate the raw key {X, Y}.

Fig. 2 Entanglement-based model of MDI-CVQKD protocol with entangling cloner attacks. Alice and Bob respectively generate EPR pairs and send them to the third party Charlie through the untrusted quantum channel. Charlie measures the incoming modes using BSM and subsequently sends the measurement result back to Alice and Bob. ε is excess noise and η is the transmittance of the quantum channel.

Download Full Size | PDF

2.2. Design of the PP MDI-CVQKD protocol

The plug-and-play (PP) MDI-CVQKD protocol can be designed on the basis of the traditional MDI-CVQKD protocol by putting the laser at Charlie’s side instead of applying two lasers at Alice’s and Bob’s sides. As shown in Fig. 1(b), the data-processing is almost similar, but slightly different from that of the traditional MDI-CVQKD protocol. Firstly, Charlie sends strong coherent light to Alice and Bob through a 50:50 beam splitter. Each splited light is transmitted through an optical fiber, and then reflected by a faraday mirror (FM) of Alice (or Bob). An AM and a PM are adopted at each side to encode information using Gaussian modulation. Then, the light is sent back to Charlie, and then BSM and data post-processing are followed to generate the secret keys.

The PP MDI-CVQKD protocol has several remarkable features. It is similar to the traditional MDI-CVQKD because the signal sent from Charlie to Alice and Bob does not contain any Gaussian-modulated information, and hence the useful information is only available in the trusted parts. In addition, the mode matching issue such as the problem of synchronization can be solved since the lights of Alice and Bob are generated from the same laser so that the spectral modes of the pulses are identical. From the viewpoint of its experimental implementation, the polarization drift during the optical fiber transmission can be automatically compensated.

It is necessary to show the effect of the PP configuration on the security of the realistic MDI-CVQKD. The security against any detector side channel attacks is guaranteed since the PP configuration does not disturb the measurement setup of the MDI-CVQKD. Moreover, one does not need to transmit LO through the untrusted channel, but can generate LO locally at Charlie’s side, which eliminates all LO-aimed attacks in the security analysis.

2.3. Design of the PP DPM-based MDI-CVQKD protocol

So far, the Gaussian-modulated CVQKD protocols, including the Gaussian quantum state, Gaussian operation and Gaussian measurement, are experimentally feasible and simple for the mathematical description [30]. As a result, the traditional CVQKD protocols are usually based on Gaussian modulation except some discretely-modulated CVQKD protocols [39–41]. Theoretically, the Gaussian quantum state can be prepared by using AM and PM. Unfortunately, most of the widely used AMs, e.g. LiNbO₃ modulators, are polarization sensitive and features a polarizer, where the part of light cannot be transmitted if its orientation is not aligned correctly [33], resulting in the degenerated performance in practice. To solve this problem, we suggest the PP DPM-based MDI-CVQKD protocol, aiming to eliminate the negative effect of AMs in the MDI-CVQKD system.

As shown in Fig. 1(c), the PP DPM-based MDI-CVQKD protocol can be designed from the PP MDI-CVQKD protocol by replacing AM to an extra fiber link with a PM and a FM at Alice’s and Bob’s sides. This architecture totally removes AMs so that one does not need to consider its practical problem in the experimental implementation. In what follows, we show that the PP DPM-based MDI-CVQKD protocol is equivalent to the Gaussian-modulated MDI-CVQKD protocol.

Generally, the Jones matrix of a Faraday mirror can be expressed by

J_{FM} = [\begin{array}{l} cos θ & sin θ \\ - sin θ & cos θ \end{array}] [\begin{array}{l} 1 & 0 \\ 0 & - 1 \end{array}] [\begin{array}{l} cos θ & - sin θ \\ sin θ & cos θ \end{array}] = [\begin{array}{l} cos (2 θ) & - sin (2 θ) \\ - sin (2 θ) & - cos (2 θ) \end{array}] .

When the input signal reaches FM and reflects back [42], the complete Jones matrix of the rotated element can be expressed by

R = T (- δ) J_{FM} T (δ) = e^{i (φ_{o} + φ_{e})} J_{FM},

where δ is the rotation angle between the reference basis and the eigenmode basis of the birefringence medium, while φ_o and φ_e are the propagation phases of ordinary and extraordinary rays, respectively. T(±δ) are the Jones matrices of birefringence medium when the signal goes forward and backward of the single-mode delay lines, which can be given by

T (\pm δ) = [\begin{array}{l} cos δ & \mp sin δ \\ \pm sin δ & cos δ \end{array}] [\begin{array}{l} e^{i φ_{o}} & 0 \\ 0 & e^{i φ_{e}} \end{array}] [\begin{array}{l} cos δ & \pm sin δ \\ \mp sin δ & cos δ \end{array}] .

Since the PP DPM-based MDI-CVQKD protocol can be constructively symmetric, we consider Alice’s data-processing for simplicity. The transformation matrices of the dual-phase modulation scheme can be given by [33]

J_{{PM}_{A 1} + {FM}_{A 1}} = T (- δ) J_{{PM}_{A 1 x}} R J_{{PM}_{A 1 y}} T (δ) = ς_{A 1} e^{i (φ_{A 1})} R,

J_{{PM}_{A 2} + {FM}_{A 2}} = T (- δ) J_{{PM}_{A 2 x}} R J_{{PM}_{A 2 y}} T (δ) = ς_{A 2} e^{i (φ_{A 2})} R,

where ς_A1 and ς_A2 are the equivalent attenuation coefficient of PM_A1 and PM_A2, φ_A1 and φ_A2 are electronically modulated phases of PM_A1 and PM_A2. Suppose the input Jones vector is Alice_in, the output of dual-phase modulation Alice_out after a round trip can be expressed as

\begin{array}{l} {Alice}_{out} & = \frac{1}{2} {Alice}_{in} (J_{{PM}_{A 1} + {FM}_{A 1}} + J_{{PM}_{A 2} + {FM}_{A 2}}) \\ = \frac{1}{2} (ς_{A 1} {Alice}_{in} e^{i (φ_{A 1})} + ς_{A 2} {Alice}_{in} e^{i (φ_{A 2})}) R . \end{array}

In an ideal dual-phase modulation system with perfect optical components, one can get the same insertion loss in the two arms. Namely we have ς ≈ ς_A1 ≈ ς_A2, and then the output of dual-phase modulation can be simplify as

{Alice}_{out} = ς {Alice}_{in} exp [\frac{i (φ_{A 1} + φ_{A 2})}{2}] cos (\frac{φ_{A 1} - φ_{A 2}}{2}) R .

Similarly, the output of dual-phase modulation at Bob’s side can be given by

{Bob}_{out} = ς {Bob}_{in} exp [\frac{i (φ_{B 1} + φ_{B 2})}{2}] cos (\frac{φ_{B 1} - φ_{B 2}}{2}) R .

According to Eqs. (8) and (9), we find that the Gaussian modulation can be implemented by both senders using two polarization-independent PMs instead of a polarization-dependent AM and PM. Therefore, the PP DPM-based MDI-CVQKD protocol is equivalent to the Gaussian-modulated MDI-CVQKD protocol, leading to the convenient experimental implementation in efficiency.

3. Security analysis

In this section, we analyze the security of the PP DPM-based MDI-CVQKD protocol in both asymptotic case [43] and finite-size regime [44,45]. We find that almost all raw keys generated by the proposed scheme can be used for the final secret key generation when considering the finite-size effect.

3.1. Asymptotic security of PP DPM-based MDI-CVQKD protocol

As shown in Fig. 3, we depicts the entanglement-based model of the PP DPM-based MDI-CVQKD protocol. Since only one laser is used for preparing coherent states at Charlie’s side instead of adopting two separate lasers at each remote side, the source can be modeled by using two EPR pairs at Charlie’s side. After Alice and Bob respectively displace their incoming modes (A₁ and B₁) according to the BSM results that are publicly announced by Charlie, mode A₂ and mode B₂ have the certain correlation. Providing that mode A₂ and mode B₂ come from the same EPR pair, it is similar to the CVQKD protocol with an entangled source in the middle [46,47].

Fig. 3 Entanglement-based model of PP DPM-based MDI-CVQKD protocol with entangling cloner attacks. Charlie prepares two EPR pairs and sends one mode of each to Alice and Bob through the untrusted quantum channel, respectively. Alice and Bob displace the incoming modes according to the public BSM result and subsequently measure them with respective heterodyne detections.

Download Full Size | PDF

We assume that Eve performs the collective Gaussian attack strategy, which is the best attack under the direct and reverse reconciliation protocols [37, 38]. In particular, Eve prepares her ancillary system in a product state for Alice’s and Bob’s side, and the ancilla mode of each side interacts individually with a single pulse sent to Alice and Bob respectively. The combined state reads

ρ_{A_{2} E_{1} B_{2} E_{2}} = \sum_{a, b} {[P (a) | a 〉 〈 a | \otimes ψ_{A_{2} E_{1}}^{a} \oplus P (b) | b 〉 〈 b | \otimes ψ_{B_{2} E_{2}}^{b}]}^{\otimes n} .

Eve then launches the entangling cloner attack. Specifically, Eve replaces the channel with transmittance T and excess noise referred to the input χ by preparing the ancilla |E_i〉 of variance W_i (i = 1, 2) and a beam splitter of transmittance T. The value W_i can be tuned to match the noise of the real channel χ = (1 − T)/T + ε. Note that for the PP DPM-based MDI-CVQKD protocol, both sides of Alice and Bob are symmetric, i.e., T = T₁ = T₂. After that, Eve keeps one mode E_i1 of |E_i〉 and injects the other mode E_i2 into the unused port of each beam splitter and thus acquires the output mode E_i3. After repeating this process for each pulse, Eve stores her ancilla modes, E_i1 and E_i3, in quantum memories. Finally, Eve measures the exact quadrature on E_i1 and E_i3 after Charlie reveals the BSM results.

According to the above-mentioned situation, the lower bound of the asymptotic secret key rate under the collective attack strategy can be given by

K_{asym} = β I (A : B) - χ_{E},

where β is the reconciliation efficiency, I(A : B) is the Shannon mutual information between Alice and Bob, and χ_E is the Holevo bound of Eve’s information [48]. Assuming that Alice and Bob have perfect heterodyne detectors, the covariance matrix of the Gaussian state

ρ_{A B}^{G}

can be given by

Γ_{A B}^{G} = [\begin{array}{l} a 𝕀 & c σ_{z} \\ c σ_{z} & b 𝕀 \end{array}] = [\begin{array}{l} [T_{1} V + (1 - T_{1}) W_{1}] 𝕀 & \sqrt{T_{1} T_{2} (V^{2} - 1)} σ_{2} \\ \sqrt{T_{1} T_{2} (V^{2} - 1)} σ_{2} & [T_{2} V + (1 - T_{2}) W_{2}] 𝕀 \end{array}],

where 𝕀 and σ_z represent diag(1, 1) and diag(1, −1), respectively, V is the variance of mode A and mode B, W_i = T_iχ_i/(1 − T_i) with the added noise referred to the input χ_i = (1 − T_i)/T_i + ε. Therefore, Alice and Bob’s mutual information can be calculated as

I (A : B) = {log}_{2} [\frac{b + 1}{b + 1 - c^{2} / (a + 1)}] .

As the proposed protocol is symmetric, the orientation of reconciliation would not have effect on the performance of the protocol, and thus we only consider the calculation of asymptotic security key rate in direct reconciliation (the identical result can be obtained in reverse reconciliation). The mutual information between Alice and Eve can be expressed as

χ_{E} = S (E) - S (E | A) .

Due to the fact that Eve can provide a purification of Alice and Bob’s density matrix, we obtain S(E) = S(AB), which is a function of the symplectic eigenvalues λ₁_,₂ of

Γ_{A B}^{G}

given by

S (A B) = G [(λ_{1} - 1) / 2] + G [(λ_{2} - 1) / 2],

where G(x) = (x + 1)log₂(x + 1) − xlog₂x is the Von Neumann entropy and the symplectic eigenvalues λ₁_,₂ are calculated as

λ_{1, 2}^{2} = \frac{1}{2} [Δ \pm \sqrt{Δ^{2} - 4 D^{2}}],

with Δ = a² + b² − 2c² and D = ab − c². After Alice performs heterodyne detection over mode A, the system BE is pure. This gives S(E|A) = S(B|A) = G[(λ₃ − 1)/2], where the symplectic eigenvalue λ₃ = b − c²/(a + 1). See [49] for the detailed derivations.

Figure 4 shows the performance of the PP DPM-based MDI-CVQKD protocol in asymptotic case. As a comparison, we also plot the asymptotic secret key rate of the traditional MDI-CVQKD protocol [27]. We find that the performances of both protocols are similar except for a few minor discrepancies, i.e. the slight differences in maximal secret key rate and maximal transmission distance. It shows that the PP DPM-based MDI-CVQKD protocol features the same security level as the traditional MDI-CVQKD protocol. It is worth noticing that the aim of this scheme is not to improve the performance of the MDI-CVQKD protocol, but to show the feasibility and substitutability of the MDI-CVQKD protocol in experimental implementation. As a result, we only consider the symmetric case of MDI-CVQKD protocol, i.e., L_AC = L_BC, regardless of the asymmetric one, although the latter case can largely improve the transmission distance of the MDI-CVQKD protocol [26,27].

Fig. 4 The performance of MDI-CVQKD protocols. Blue solid line and red dashed line denote the asymptotic secret key rate and the tolerable excess noise of the proposed PP DPM-based MDI-CVQKD protocol as a function of transmission distance from Alice to Bob, respectively. As a comparison, blue dotted line denotes the asymptotic secret key rate of traditional MDI-CVQKD protocol in [27]. The simulation parameters are set as follows: modulation variance is V = 20, reconciliation efficiency is β = 95% and excess noise for blue solid line is ε = 0.001.

Download Full Size | PDF

3.2. Security of the PP DPM-based MDI-CVQKD protocol in finite-size regime

The above asymptotic security proof is based on an assumption that one considers the security of a protocol in asymptotic limit of infinitely many signals that are transmitted between Alice and Bob. However, it is unpractical for implementations. Fortunately, a security framework of finite-size for the CVQKD protocols has been proposed in [50]. In this framework, the raw key is no longer infinite and one needs to use part of it to estimate the parameters of the communication channel. However, it would introduce a tradeoff between the final secret key rate and the accuracy of parameter estimation step in the finite-size regime. Very recently, [51] shows that this problem can be solved in traditional MDI-CVQKD protocol. We, here, extend it to the proposed PP DPM-based MDI-CVQKD protocol and give the detailed security proof in finite-size regime.

An important procedure of data post-processing is parameter estimation, aiming to acquire the information of quantum channel such as transmissivity and excess noise, which are relevant for estimating the security of the CVQKD protocol. In general, local information without classical communication is not sufficient for parameter estimation, and the only way for obtaining the precise result of parameter estimation is to sacrifice part of raw key. However, the more raw key data are used for parameter estimation, the lower is the final secret key rate. In fact, the estimation of the covariance matrix Γ_XYZ of the tripartite state ρ_XYZ could be done locally by Alice or Bob without using part of the raw key. In particular, the covariance matrix Γ_XYZ can be expressed as

Γ_{X Y Z} = [\begin{matrix} X & 0 & c_{X Z} \\ 0 & Y & c_{Y Z} \\ c_{X Z}^{T} & c_{Y Z}^{T} & Z \end{matrix}],

where

X = Y = [\begin{matrix} V & 0 \\ 0 & V \end{matrix}]

, the matrix

Z = [\begin{matrix} 〈 x_{Z}^{2} 〉 & 〈 x_{Z} p_{Z} 〉 \\ 〈 x_{Z} p_{Z} 〉 & 〈 p_{Z}^{2} 〉 \end{matrix}],

is the empirical covariance matrix of (x_Z, p_Z), and

c_{X Z} = [\begin{matrix} 〈 x_{A}^{'} x_{Z} 〉 & 〈 x_{A}^{'} p_{Z} 〉 \\ 〈 p_{A}^{'} x_{Z} 〉 & 〈 p_{A}^{'} x_{Z} 〉 \end{matrix}], c_{Y Z} = [\begin{matrix} 〈 x_{B}^{'} x_{z} 〉 & 〈 x_{B}^{'} p_{Z} 〉 \\ 〈 p_{B}^{'} x_{Z} 〉 & 〈 p_{B A}^{'} x_{Z} 〉 \end{matrix}]

are the correlation items.

Since the proposed protocol is based on the MDI-CVQKD structure, where Alice and Bob modulate coherent states using the DPM scheme and do not perform any measurement at their own side, the variances of x′_A, p′_A, x′_B and p′_B can be known locally by Alice and Bob. After Charlie announces the measurement result γ = (x_Z + ip_Z)/2, Alice computes the empirical correlations of the matrix c_XZ, namely 〈x′_Ax_Z〉, 〈x′_Ap_Z〉, 〈p′_Ax_Z〉 and 〈p′_Ap_Z〉. Similarly, Bob can obtain the empirical correlations of the matrix c_YZ. As a result, all the entries of the covariance matrix Γ_XYZ can be calculated locally by Alice and Bob without any extra communication. Finally, the covariance matrix $Γ_{A B}^{G}$ of the Gaussian state $ρ_{A B}^{G}$ can be achieved by exploiting the relations Eq. (1). Note that the amplification coefficient k has to be well selected to optimalize the conditional displacements in both Alice’s and Bob’s sides [27,51].

Based on the derived covariance matrix $Γ_{A B}^{G}$ , the performance of the PP DPM-based MDI-CVQKD protocol can be estimated by Alice or Bob in finite-size regime. Specifically, the secret key rate calculated by taking finite-size effect into account is expressed as [50]

K_{fini} = \frac{n}{N} [β I (A : B) - S_{∊_{PE}} - Δ (n)],

where β and I(A : B) are as the same as the afore-mentioned definitions, ∊_PE is the failure probability of parameter estimation and the parameter Δ(n) is related to the security of the privacy amplification given by

Δ (n) = (2 dim ℋ + 3) \sqrt{\frac{{log}_{2} (2 / \bar{∊})}{n}} + \frac{2}{n} {log}_{2} (1 / ∊_{P A}),

where ∊̄ is a smoothing parameter, ∊_PA is the failure probability of privacy amplification, and H is the Hilbert space corresponding to the raw key. Since the raw key is usually encoded on binary bits, we have dim ℋ = 2. We denote N the total exchanged signals and n the number of signals that is used for sharing key between Alice and Bob. Note that in the conventional calculation the remained m = N − n signals are used for parameter estimation so that the values are usually set to be

m = n = \frac{1}{2} N

. However, as we pointed above, the remained signals can be neglected since parameter estimation can be locally performed without extra information. Therefore, the signals that are used for estimating can be exploited for transporting more secret keys. That is to say, almost all raw keys can be used for the final secret key generation without parameter estimation using part of them, leading to the increased secret key rate of the MDI-CVQKD protocol. In fact, Alice and Bob still need to share the entries of the estimated covariance matrix, which contain an amount of raw keys. Fortunately, that amount is negligible as the secret key is very long. As a result, the value can be set to n ≈ N.

In the conventional finite-size case (needing to sacrifice part of raw keys), S_{∊_PE} needs to be calculated in parameter estimation procedure where one can find a covariance matrix Γ_{∊_PE} minimizing the secret key rate with a probability of 1− _{∊_PE}. It can be calculated by m couples of correlated variables (x_i, y_i)_i=1···m given by

Γ_{∊_{PE}} = (\begin{matrix} V 𝕀 & t Z σ_{z} \\ t Z σ_{z} & (t^{2} V + σ^{2}) 𝕀 \end{matrix}),

where

t = \sqrt{η}

and σ² = 1 + ηε are compatible with m sampled data except with probability ∊_PE/2. The maximum-likelihood estimators t̂ and σ̂² respectively has the follow distributions

\hat{t} ~ (t, \frac{σ^{2}}{\sum_{i = 1}^{m} x_{i}^{2}}) and \frac{m {\hat{σ}}^{2}}{σ^{2}} ~ χ^{2} (m - 1),

where t and σ² are the authentic values of the parameters. In order to maximize the value of the Holevo information obtained by Eve with the statistics except with probability ∊_PE, the value of t_min (the lower bound of t) and

σ_{\max}^{2}

(the upper bound of σ²) in the limit of m must be computed, namely

\begin{array}{l} t_{\min} = \sqrt{η} - z_{∊_{PE} / 2} \sqrt{\frac{1 + η ε}{m X^{'}}}, \\ σ_{\max}^{2} = 1 + η ε + z_{∊_{PE} / 2} \frac{\sqrt{2} (1 + η ε)}{\sqrt{m}}, \end{array}

where z_{∊_PE/2} is such that

1 - erf (z_{∊_{PE} / 2} / \sqrt{2}) / 2 = ∊_{PE} / 2

and erf is the error function defined as

erf (x) = \frac{2}{π} \int_{0}^{x} e^{- t^{2}} d t .

The above-mentioned error probabilities can be set to ∊̄ = ∊_PE = ∊_PA = 10¹⁰. Finally, one can derive the secret key rate using the derived bounds t_min and

σ_{\max}^{2}

.

Actually, we do not need to estimate the secret key rate of the PP DPM-based MDI-CVQKD protocol like above, but would directly calculate it by the locally obtained covariance matrix Γ_XYZ without complicated estimation process. This is feasible since the correlations between Alice’s and Bob’s raw keys are post-selected by the relay so that the public variable Z contains all the information about the correlations between Alice and Bob [51].

Figure 5 shows the performance of the PP DPM-based MDI-CVQKD protocol with almost all raw keys are used for generating the final secret key (solid lines) comparing with conventional finite-size calculation (dashed lines). We find that for each block, especially for the small-length block, the maximal transmission distance can be extended by directly calculating the locally obtained covariance matrix, since part of raw key data that should be used for parameter estimation now is used for generating more final secret keys, giving birth to the increased secret key rate of the MDI-CVQKD protocol using conventional finite-size calculation.

Fig. 5 Finite-size secret key rate of the proposed PP DPM-based MDI-CVQKD protocol as a function of transmission distance. Solid lines show the secret key rate generated from almost all raw keys (N = n), dashed lines show the secret key rate using conventional finite-size calculation (N = 2n). From left to right, both lines correspond to block lengths of N = 10⁴, 10⁵, 10⁶, 10⁷ and 10⁸. The parameters are set as same as Fig. 4.

Download Full Size | PDF

We note that the CVQKD protocols has been recently proved to be secure against collective attacks in a composable security framework [52], which is the enhancement of security based on uncertainty of the finite-size effect so that one can obtain the tightest secure bound of the protocol by considering each data-processing step in the CVQKD system [53]. We do not give the detailed proof of the composable security for MDI-based CVQKD protocols here, but it is reasonable to believe that the performance of the proposed protocol can be improved either since the conventional proof of composable security also needs to sacrifice part of raw keys for parameter estimation.

4. Discussion and conclusion

So far we have illustrate the characteristics of the PP DPM-based MDI-CVQKD protocol. As for its practical implementations, we demonstrate its setup shown in Fig. 6. Charlie generates a series of strong pulses using continuous-wave (CW) laser. These pulses are splitted into two portions with an intensity ratio of 99:1, a fraction (1%, red line) of which is used to carry signals while another fraction (99%, blue line) is used as a locally generated LO. The signals are divided into two branches by the PBS and then sent to Alice and Bob respectively. For both Alice and Bob, after being reflected by FM₁, the signals are modulated by the DPM scheme and reversely sent back to Charlie. The incoming modulated signals, subsequently, are interfered with respective local LOs, aiming to calibrate the incoming signals and monitor its variance in real time. Finally, the yielded signals from Alice and Bob are used for the BSM.

Fig. 6 Experimental concept of the PP DPM-based MDI-CVQKD protocol. CW, Continuous-wave laser; BS, Beam splitter; PM, Phase modulator; PBS, Polarizing beam splitter; DL, Delay line; FM, Faraday mirror; PD, Photoelectric detector; BSM, Bell state measurement.

Download Full Size | PDF

There are several remarks on the proposed protocol for its implementation. First of all, all LO-aimed attacks e.g. wavelength attacks, saturation attacks, calibration attacks and LO fluctuation attacks, can be well defended due to fact that the LO is locally generated by Charlie. Secondly, the synchronization problem of Alice and Bob is eliminated because both signal and LO come from the same laser. Thirdly, the reference for the two signals can be guaranteed to be identical and the polarization drifts can be compensated automatically since only one laser is required for the proposed scheme. Moreover, there is no need to use the traditional LiNbO₃ modulators by applying DPM scheme, which takes advantage of the polarization-insensitive properties of phase modulators so that the coherent-state preparation would not be affected by the polarization drifts of the fiber channel.

In conclusion, we have suggested the design of the PP DPM-based MDI-CVQKD with no extra performance penalty. The proposed scheme waives the necessity of propagation of LO through the insecure quantum channels. Because a real local LO can be generated from the same laser of quantum signal at Charlie’s side, it avoids the problems of synchronization of different lasers as well as the LO-aimed attacks. Moreover, the reference of two signals can be guaranteed identically and the polarization drifts can be compensated automatically since only one laser is required for the proposed scheme. Meanwhile, a polarization-insensitive dual-phase modulation strategy is adopted to Alice’s and Bob’s sides respectively, which shows better experimental feasibility of Gaussian modulation in PP configuration. We derive the security bounds against optimal Gaussian collective attacks. It shows that the proposed scheme works equivalently to symmetrically modulated Gaussian-state MDI-CVQKD protocols. Since almost entire raw keys generated by the proposed scheme can be used for final secret key generation when considering the finite-size effect, the secret key rates of MDI-CVQKD in finite-size regime can be increased. Moreover, an experimental concept of the proposed scheme, which can be deemed guideline for final implementation, is demonstrated. In terms of possible future research, we will give the concrete experimental implementation of the PP DPM-based MDI-CVQKD protocol.

Funding

National Natural Science Foundation of China (NSFC) (61379153, 61572529).

Acknowledgments

We would like to thank Professor S. Pirandola for his helpful suggestion.

Disclosures

The authors declare that there are no conflicts of interest related to this article.

References and links

1. C. H. Bennett and G. Brassard, “Quantum cryptography: public key distribution and coin tossing,” in Proceedings of the IEEE International Conference on Computers Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175–179.

2. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145 (2002). [CrossRef]

3. W. K. Wootters and W. H. Zurek, “A single quantum cannot be cloned,” Nature (London) 299(5886), 802–803 (1982). [CrossRef]

4. J. Y. Bang and M. S. Berger, ”Quantum mechanics and the generalized uncertainty principle,” Phys. Rev. D 74(12), 125012 (2006). [CrossRef]

5. S. Takeda, M. Fuwa, P. van Loock, and A. Furusawa, “Entanglement swapping between discrete and continuous variables,” Phys. Rev. Lett. 114(10), 100501 (2015). [CrossRef] [PubMed]

6. M. Gessner, L. Pezzé, and A. Smerzi, “Efficient entanglement criteria for discrete, continuous, and hybrid variables,” Phys. Rev. A 94(2), 020101 (2016). [CrossRef]

7. A. M. Lance, T. Symul, V. Sharma, C. Weedbrook, T. C. Ralph, and P. K. Lam, “No-switching quantum key distribution using broadband modulated coherent light,” Phys. Rev. Lett. 95(18), 180503 (2005). [CrossRef] [PubMed]

8. P. Huang, J. Fang, and G. H. Zeng, “State-discrimination attack on discretely modulated continuous-variable quantum key distribution,” Phys. Rev. A 89, 042330 (2014). [CrossRef]

9. X. C. Ma, S. H. Sun, M. S. Jiang, M. Gui, and L. M. Liang, “Gaussian-modulated coherent-state measurement-device-independent quantum key distribution,” Phys. Rev. A 89, 042335 (2014). [CrossRef]

10. Q. Liao, Y. Guo, C. L. Xie, D. Huang, P. Huang, and G. H. Zeng, “Composable security of unidimensional continuous-variable quantum key distribution,” Quantum Inf Process , 17, 113 (2018). [CrossRef]

11. R. García-Patrón and N. J. Cerf, “Unconditional optimality of Gaussian attacks against continuous-variable quantum key distribution,” Phys. Rev. Lett. 97, 190503 (2006). [CrossRef] [PubMed]

12. F. Grosshans and P. Grangier, “Continuous variable quantum cryptography using coherent states,” Phys. Rev. Lett. 88, 057902 (2002). [CrossRef] [PubMed]

13. J. Z. Huang, C. Weedbrook, Z. Q. Yin, S. Wang, H. W. Li, W. Chen, G. C. Guo, and Z. F. Han, “Quantum hacking of a continuous-variable quantum-key-distribution system using a wavelength attack,” Phys. Rev. A 87, 062329 (2013). [CrossRef]

14. X. C. Ma, S. H. Sun, M. S. Jiang, and L. M. Liang, “Wavelength attack on practical continuous-variable quantum-key-distribution system with a heterodyne protocol,” Phys. Rev. A 87, 052309 (2013). [CrossRef]

15. H. Qin, R. Kumar, and R. Alleaume, “Saturation attack on continuous-variable quantum key distribution system,” Proc. SPIE 8899(2), 717–718 (2013).

16. P. Jouguet, S. Kunz-Jacques, and E. Diamanti, “Preventing calibration attacks on the local oscillator in continuous-variable quantum key distribution,” Phys. Rev. A 87, 062313 (2013). [CrossRef]

17. X. C. Ma, S. H. Sun, M. S. Jiang, and L. M. Liang, “Local oscillator fluctuation opens a loophole for Eve in practical continuous-variable quantum-key-distribution systems,” Phys. Rev. A 88, 022339 (2013). [CrossRef]

18. S. L. Braunstein and S. Pirandola, “Side-channel-free quantum key distribution,” Phys. Rev. Lett. 108, 130502 (2012). [CrossRef] [PubMed]

19. H. K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 108, 130503 (2012). [CrossRef] [PubMed]

20. A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, “Device-independent security of quantum cryptography against collective attacks,” Phys. Rev. Lett. 98, 230501 (2007). [CrossRef] [PubMed]

21. Y. Choi, O. Kwon, M. Woo, K. Oh, S. W. Han, Y. S. Kim, and S. Moon, “Plug-and-play measurement-device-independent quantum key distribution,” Phys. Rev. A 93, 032319 (2016). [CrossRef]

22. M. Curty, F. H. Xu, W. Cui, C. C. Lim, K. Tamaki, and H. K. Lo, “Finite-key analysis for measurement-device-independent quantum key distribution,” Nat. Commun. 5(4), 643–648 (2014). [CrossRef]

23. F. H. Xu, M. Curty, B. Qi, L. Qian, and H. K. Lo, “Discrete and continuous variables for measurement-device-independent quantum cryptography,” Nat. Photon. 9(12), 772 (2015). [CrossRef]

24. H. W. Li, Z. Q. Yin, M. Pawlowski, G. C. Guo, and Z. F. Han, “Detection efficiency and noise in a semi-device-independent randomness-extraction protocol,” Phys. Rev. A 91, 032305 (2015). [CrossRef]

25. H. W. Li, Z. Q. Yin, W. Chen, S. Wang, G. C. Guo, and Z. F. Han, “Quantum key distribution based on quantum dimension and independent devices,” Phys. Rev. A 89, 032302 (2014). [CrossRef]

26. S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L. Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen, and U. L. Andersen, “High-rate measurement-device-independent quantum cryptography,” Nat. Photon. 9, 397 (2015). [CrossRef]

27. Z. Y. Li, Y. C. Zhang, F. H. Xu, X. Peng, and H. Guo, “Continuous-variable measurement-device-independent quantum key distribution,” Phys. Rev. A 89, 052301 (2014). [CrossRef]

28. C. Ottaviani, G. Spedalieri, S. L. Braunstein, and S. Pirandola, “Continuous-variable quantum cryptography with an untrusted relay: Detailed security analysis of the symmetric configuration,” Phys. Rev. A 91, 022320 (2015). [CrossRef]

29. Y. Guo, Q. Liao, D. Huang, and G. H. Zeng, “Quantum relay schemes for continuous-variable quantum key distribution,” Phys. Rev. A 95, 042326 (2017). [CrossRef]

30. C. Weedbrook, S. Pirandola, R. García-Patrón, N. J. Cerf, T. C. Ralph, J. H. Shapiro, and S. Lloyd, “Gaussian quantum information,” Rev. Mod. Phys. 84, 621 (2012). [CrossRef]

31. C. Lupo, C. Ottaviani, P. Papanastasiou, and S. Pirandola, “CV MDI QKD: Composable security against coherent attacks,” arXiv:1704.07924 (2017).

32. D. Huang, P. Huang, D. K. Lin, and G. H. Zeng, “Long-distance continuous-variable quantum key distribution by controlling excess noise,” Scientific Reports , 6, 19201 (2016). [CrossRef] [PubMed]

33. D. Huang, P. Huang, T. Wang, H. S. Li, Y. M. Zhou, and G. H. Zeng, “Continuous-variable quantum key distribution based on a plug-and-play dual-phase-modulated coherent-states protocol,” Phys. Rev. A 94, 032305 (2016). [CrossRef]

34. M. Navascués, F. Grosshans, and A. Acín, “Optimality of Gaussian attacks in continuous-variable quantum cryptography,” Phys. Rev. Lett. 97, 190502 (2006). [CrossRef] [PubMed]

35. M. M. Wolf, G. Giedke, and J. I. Cirac, “Extremality of Gaussian Quantum States,” Phys. Rev. Lett. 96, 080502 (2006). [CrossRef] [PubMed]

36. F. Grosshans, N. J. Cerf, J. Wenger, R. Tualle-Brouri, and Ph. Grangier, “Virtual entanglement and reconciliation protocols for quantum cryptography with continuous variables,” Quantum Inf. Comput. 3(7), 535–552 (2003).

37. M. Navascués and A. Acín, “SecurityBounds for continuous variables quantum key distribution,” Phys. Rev. Lett. 94, 020505 (2005). [CrossRef]

38. S. Pirandola, S. L. Braunstein, and S. Lloyd, “Characterization of collective Gaussian attacks and security of coherent-state quantum cryptography,” Phys. Rev. Lett. 101, 200504 (2008). [CrossRef] [PubMed]

39. A. Leverrier and P. Grangier, “Unconditional security proof of long-distance continuous-variable quantum key distribution with discrete modulation,” Phys. Rev. Lett. 102(18), 180504 (2009). [CrossRef] [PubMed]

40. A. Leverrier and P. Grangier, “Erratum: Unconditional security proof of long-distance continuous-variable quantum key distribution with discrete modulation [Phys. Rev. Lett. 102, 180504 (2009)],” Phys. Rev. Lett. 106259902 (2011). [CrossRef]

41. Y. Guo, R. J. Li, Q. Liao, J. Zhou, and D. Huang, “Performance improvement of eight-state continuous-variable quantum key distribution with an optical amplifier,” Phys. Lett. A 382(6), 372–381 (2018). [CrossRef]

42. X. F. Mo, B. Zhu, Z. F. Han, Y. Z. Gui, and G. C. Guo, “Faraday-Michelson system for quantum cryptography,” Opt. Lett. 30(19), 2632–2634 (2005). [CrossRef] [PubMed]

43. R. Renner and J. I. Cirac, “de Finetti representation theorem for infinite-dimensional quantum systems and applications to quantum cryptography,” Phys. Rev. Lett. 102, 110504 (2009). [CrossRef] [PubMed]

44. F. Furrer, T. Franz, M. Berta, A. Leverrier, V. B. Scholz, M. Tomamichel, and R. F. Werner, “Continuous variable quantum key distribution: Finite-key analysis of composable security against coherent attacks,” Phys. Rev. Lett. 109, 100502 (2012). [CrossRef] [PubMed]

45. A. Leverrier, R. García-Patrón, R. Renner, and N. J. Cerf, “Security of continuous-variable quantum key distribution against general attacks,” Phys. Rev. Lett. 110, 030502 (2013). [CrossRef] [PubMed]

46. Y. Guo, Q. Liao, Y. Wang, D. Huang, P. Huang, and G. H. Zeng, “Performance improvement of continuous-variable quantum key distribution with an entangled source in the middle via photon subtraction,” Phys. Rev. A 95, 032304 (2017). [CrossRef]

47. C. Weedbrook, “Continuous-variable quantum key distribution with entanglement in the middle,” Phys. Rev. A 87, 022308 (2013). [CrossRef]

48. M. A. Nielsen and I. L. Chuang, Quantum computation and quantum information, Cambridge University, Cambridge, (2000).

49. R. García-Patrón, Quantum information with optical continuous variables: from Bell tests to key distribution, Universite Libre De Bruxelles, (2007).

50. A. Leverrier, F. Grosshans, and P. Grangier, “Finite-size analysis of a continuous-variable quantum key distribution,” Phys. Rev. A 81(6), 062343 (2010). [CrossRef]

51. C. Lupo, C. Ottaviani, P. Papanastasiou, and S. Pirandola, “Parameter estimation with almost no public communication for continuous-variable quantum key distribution,” arXiv: 1712.00743 (2017).

52. A. Leverrier, “Composable security proof for continuous-variable quantum key distribution with coherent states,” Phys. Rev. Lett. 114, 070501 (2015). [CrossRef] [PubMed]

53. Q. Liao, Y. Guo, D. Huang, P. Huang, and G. H. Zeng, “Long-distance continuous-variable quantum key distribution using non-Gaussian state-discrimination detection,” New J. Phys. 20(2), 023015 (2018). [CrossRef]

Dual-phase-modulated plug-and-play measurement-device-independent continuous-variable quantum key distribution

Abstract

1. Introduction

2. PP DPM-based MDI-CVQKD protocol

2.1. Characteristics of the MDI-CVQKD protocol

2.2. Design of the PP MDI-CVQKD protocol

2.3. Design of the PP DPM-based MDI-CVQKD protocol

3. Security analysis

3.1. Asymptotic security of PP DPM-based MDI-CVQKD protocol

3.2. Security of the PP DPM-based MDI-CVQKD protocol in finite-size regime

4. Discussion and conclusion

Funding

Acknowledgments

Disclosures

References and links

Cited By

Figures (6)

Equations (25)

Optics Express