A simple security analysis of phase-matching measurement-device independent quantum key distribution

A simple security analysis of phase-matching measurement-device independent quantum key distribution

Jie Lin Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1    Norbert Lütkenhaus Institute for Quantum Computing and Department of Physics and Astronomy, University of Waterloo, Waterloo, Ontario, Canada N2L 3G1
July 16, 2019

Variations of phase-matching measurement-device independent quantum key distribution (PM-MDI QKD) protocols have been investigated before, but it was recently discovered that this type of protocol (under the name of twin-field QKD) can beat the linear scaling of the repeaterless bound on secret key rate capacity. We propose a variation of PM-MDI QKD protocol, which reduces the sifting cost and uses non-phase-randomized coherent states as test states. We provide a security proof in the infinite key limit. Our proof is conceptually simple and gives tight key rates. We obtain an analytical key rate formula for the loss-only scenario, confirming the square root scaling and also showing the loss limit. We simulate the key rate for realistic imperfections and show that PM-MDI QKD can overcome the repeaterless bound with currently available technology.


I Introduction

Quantum key distribution (QKD) Bennett and Brassard (1984); Ekert (1991) protocols enable two distant parties (Alice and Bob) to establish information-theoretically secure private keys using a quantum channel and an authenticated classical channel. There is a wealth of QKD protocols around (see Scarani et al. (2009) for a review). A bottleneck for QKD applications, be it as individual link or as part of a network, is the scaling of the generated secret key rate with the loss in the channel represented by the single-photon transmissivity . The best known QKD protocols have a scaling of their key rate in the limit of infinite channel uses (infinite key limit) as , and by now we have bounds on repeaterless optical channels which show that this is the optimal rate scaling that can be achieved Takeoka et al. (2014); Pirandola et al. (2017). The tight bound on the performance of QKD in terms of secret key rate per employed optical mode is given by Pirandola et al. (2017), which can be saturated by continuous variable QKD protocols with Gaussian modulated coherent states Grosshans and Grangier (2002); Grosshans et al. (2003); Weedbrook et al. (2004). In principle, inserting intermediate stations performing some operations can improve the performance, and quantum repeaters Briegel et al. (1998) aim at this. The field of quantum repeater research is very active and made conceptual and practical advances over the recent years, but as of today, no quantum repeater has been demonstrated yet that would outperform the direct use of optical channels, and thus breaking the repeaterless bounds.

While proposals have been made for simplest possible devices that allow a demonstration of quantum repeater action by beating repeaterless bounds using a simple single node layout Luong et al. (2016), the corresponding quantum advantage has not been experimentally demonstrated yet. In a pleasant surprise to the field, the phase-matching measurement-device independent protocols (PM-MDI) Tamaki et al. (2012); Ferenczi (2013) were recently shown to beat the repeaterless bound when using suitable test states Lucamarini et al. (2018). This important observation justifiably creates quite an interest in the community. In the original paper Lucamarini et al. (2018), it has been argued that the secret key rate in the infinite key limit indeed scales as , where we keep as the single-photon transmissivity of the total distance, rather than that of a segment. It is interesting to see that an MDI protocol can achieve that performance without the use of any quantum memory or similar advanced components. Remarkably, the only difference to previous MDI QKD protocols that show a scaling of is the change from single-photon signals (or mixture of photon number states) with two-photon interference events at the beamsplitter, to coherent states as signal states and single-photon interference events at the beamsplitter.

So far, the security analyses Ma et al. (2018); Tamaki et al. (2018) of the PM-MDI QKD protocols have been done in a framework based on the quantum error correction inspired approach by Shor-Preskill Shor and Preskill (2000), which is improved by Koashi Koashi (2009). The goal of the present paper is two-fold: we propose a variation of the PM-MDI QKD protocol that clearly distinguishes between test states, meant to probe potential eavesdropping activities, and signal states, which are meant to establish secret keys. For this modified protocol we then execute a security analysis which is expected to be tight as it uses the framework by Renner Renner (2005). This framework is known to be flexible in terms of error correction and privacy amplification methods, and is general to be adaptable to any generic QKD protocol.

We will first analyze the security of the protocol in a setting with infinitely many different test states, similar to the initial discussion of decoy states in weak coherent pulse BB84 protocols Lo et al. (2005). In this setting, we can derive an analytical key rate formula for the scenario where Alice and Bob observe correlations coming from a loss-only scenario. We derive the general framework that includes also the noisy case, for which we then resort to numerical evaluations to demonstrate the stability of the proposed protocol.

This paper is organized as follows. Section II.1 describes our version of the PM-MDI protocol. Section II.2 compares different variations of the PM-MDI protocol. Section III describes the framework for our security proof and procedures for key rate calculation. Section IV simulates the key rates with the loss-only scenario and with realistic experimental imperfections. Section V summarizes our results and provides insights for future work. Some technical details relevant for the key rate calculation are presented in appendices.

Figure 1: (a). Schematic setup of the PM-MDI QKD protocol. Alice and Bob send coherent states to the untrusted third party Charlie in the middle, who performs measurements and broadcasts outcomes. BS: 50-50 beamsplitter. , : single-photon detectors. (b). Equivalent view of the protocol. Eve is assumed to perform the measurements in the middle. Effectively, Eve performs a 4-element POVM, denoted as , corresponding to four possible announcements clicks, clicks, no detectors click, both detectors click which are abbreviated as

Ii PM-MDI QKD protocols

In this section, we first present an idealized version of PM-MDI QKD in the sense that Alice and Bob use infinitely many coherent states as test states in the protocol, similar to the initial discussion of decoy states in weak coherent pulse BB84 protocols Lo et al. (2005). We will prove its security in this paper. Then, we will compare different variations of PM-MDI QKD protocols. In the next section, when we prove the security of the idealized version of our protocol, we will also provide insights for the security analysis of a practical version of this protocol with a small number of choices of test states.

ii.1 Description of our protocol

  1. Test/key-generation mode selection. Alice (Bob) chooses a random bit () according to a priori probability distribution (). If , Alice then labels this round as in the key-generation mode. If , Alice labels this round as in the test mode. Similarly for Bob.

  2. State preparation. If the test mode is chosen, Alice (Bob) then randomly chooses a phase () and randomly chooses an intensity (). Then she (he) prepares a coherent state ( ) and sends it to the untrusted third party Charlie through the quantum channel.

    If the key-generation mode is chosen, Alice (Bob) randomly generates a bit value ( ) with a uniform probability distribution. Alice (Bob) chooses the pre-agreed intensity and sends a coherent state () to Charlie.

  3. Measurements. For each round, Charlie performs a joint measurement on the signals received from Alice and Bob, and then makes an announcement about the measurement outcome. If Charlie is honest, he is supposed to perform the measurement as shown in Fig. LABEL:sub@fig:scheme_a and announces one of the following outcomes “Only detector clicks”, “Only detector clicks”, “No detectors click”, “Both detectors click”, which, for the later convenience of notation, we abbreviate as , respectively. We denote Charlie’s announcement as throughout this paper.

    After steps 1-3 are repeated for many times, and after Charlie has made all the announcements, Alice and Bob then proceed with the following steps.

  4. Sifting. Alice and Bob use an authenticated classical channel to communicate and sort all rounds into two disjoint sets, where one set is used for the key generation and the other is for the parameter estimation. To do so, they disclose the choices of and for each round and also use the announcement . If , that is, they both selected the key-generation mode for a given round, and Charlie announced , they save their data corresponding to this round for the key generation. All remaining rounds are used for parameter estimation.

  5. Parameter estimation. To perform parameter estimation, Alice and Bob disclose the choices of (also if they have chosen one for that round) for the rounds in the set labeled for parameter estimation and also use the announcement result for each of these rounds to estimate how Eve has interacted with the signals during their exchange in the protocol. If, from their analysis, they find out that Eve has learned too much about the signals and no secret keys can be generated, then they abort the protocol. Otherwise, they continue.

  6. Key map. Alice forms a raw key using her bit value from each of the rounds saved for the key generation. (In principle, Bob does not need to do anything in this step since he can correctly determine Alice’s key by the error correction. In practice, depending on the choice of error correction code, it might be convenient for Bob to flip his bit value when the announcement is .)

  7. Error correction and privacy amplification. Alice and Bob then apply the procedures of error correction and privacy amplification as in a typical QKD protocol to generate a secret key.

We remark that since this protocol uses an MDI setup, it is inherently immune to all side channels in the measurement devices once its security is proven. However, Alice and Bob’s sources have to be trusted and protected. In our security analysis, we assume that Alice and Bob’s devices are fully characterized and Eve has no access. This assumption needs to be justified in the experimental implementations of the protocol. In particular, we want to remark that the choices of and (also and ) should not be leaked to Eve by side channels before the announcement is made. In the implementation of the protocol, Alice and Bob need to make sure that Eve cannot distinguish the key-generation mode from test mode by any classical side information leaked from their devices before Charlie’s announcement. Just like other MDI QKD protocols, this protocol can be vulnerable to side-channel attacks on the sources.

We also comment on the the choices of parameters , . While values of , need to be optimized in the finite-key regime, in the infinite key limit, we can choose and arbitrarily close to 1 so that the sifting factor is asymptotically 1, like the efficient BB84 protocol Lo et al. (2004).

Finally, we remark on the choices of and and their corresponding probability distributions. Since states in the test mode essentially are used to perform a tomography on Eve’s attacks on the subspace of signal states used in the key-generation mode, for the purpose of this paper, we initially use coherent states whose complex amplitudes cover the entire complex space. In the infinite key limit, the probability distribution (with no zeros) does not matter. We will remark on how a finite number of choices of test states can approximately accomplish the same task and the choices of and will then be closely related to the value of .

ii.2 Comparison of different variations of PM-MDI QKD protocols

Many variations of the PM-MDI QKD protocol have been proposed and investigated. Different names have been assigned to different variations, such as, phase-encoding scheme for MDI Tamaki et al. (2012), MDI-B92 Ferenczi (2013), twin-field QKD (TF-QKD) Lucamarini et al. (2018) and phase-matching QKD (PM-QKD) Ma et al. (2018). However, they all have the essential components needed to achieve the rate scaling of , namely, they all use coherent states as signal states and rely on single-photon interference events at the beamsplitter of an untrusted intermediate node, even though not all variations can indeed achieve this scaling.

We first describe the common features of all those protocols and then discuss how each variation differs in the following two aspects: choices of signal states used for establishing secret keys and choices of test states used to probe Eve’s attacks.

In an ideal PM-MDI QKD protocol, Alice and Bob will only establish keys from the rounds where each of them has selected a state from the set , where can be an arbitrary complex number. In other words, Alice and Bob will only establish keys from the rounds that satisfies the phase-matching condition, that is, they have chosen the same global phase and same intensity for their states. We call two coherent states with only a phase difference as a phase-matching pair. In addition, Alice and Bob may decide to send some states as test states to probe eavesdropping activities for randomly selected rounds and those rounds will be used in the parameter estimation step only. Alice and Bob will send their states to an untrusted party Charlie at the intermediate node for measurements. An honest Charlie will use the single-photon interference events at the beamsplitter for his announcement.

Since this type of protocol is measurement-device independent and generates keys when Alice and Bob use the same phase-matching pair of coherent states, phase-matching measurement-device independent QKD is in our view a more descriptive name that captures important features of this type of protocol.

Now, we compare some variations of PM-MDI QKD. Different variations may use different number of phase-matching pairs as signal states and may use different types of states as test states, such as a mixture of photon number states (phase-randomized coherent states), partially phase-randomized coherent states, or coherent states without phase randomization. Some variations may use the same number of phase-matching pairs as signal states, but differ in how to handle them. We present those variations just for the comparison purpose and we do not neither claim this is an exhausted list nor verify the security analysis of each work.

  1. The variation proposed in Tamaki et al. (2012) is called phase encoding scheme I for MDI. This protocol essentially uses two phase-matching pairs of coherent states. In the original description of the protocol, these two pairs are labeled as two bases, similar to a BB84-type protocol, due to the proof technique adopted. In an abstract description, we can view this protocol as essentially using one phase-matching pair of coherent states as signal states and an additional pair as test states. Due to the proof technique and a limited number of test states, the scaling was not found.

  2. The variation studied in Ferenczi (2013) is called MDI-B92 protocol. Ref. Ferenczi (2013) analyzes different types of measurements for the intermediate node. Under the investigation of unambiguous state discrimination attacks, it basically proposes a variation of PM-MDI protocol with exactly one phase-matching pair of coherent states as the signal states and no test states. Because there are no test states, this protocol is not expected to have the scaling .

  3. The variation proposed in Lucamarini et al. (2018) has the name of TF-QKD protocol. This protocol uses infinitely many phase-matching pairs of coherent states (phase-randomized coherent states) as signal states. In addition, for the purpose of security analysis, each round is assigned to one of two bases to mimic a BB84-type protocol. Instead of achieving the perfect phase-matching conditions, this protocol allows some small errors in identifying whether Alice and Bob have chosen the same phase-matching pair. To distill keys, Alice and Bob disclose some partial information about the global phases. If their global phases only differ by a small amount, they assume they have used the same phase-matching pair. Due to the phase-matching condition, the sifting cost of this protocol can be large, which affects the prefactor of key rate. In this protocol, states used as test states are effectively the same as states used for signal states. These test states are partially phase-randomized coherent states as Eve knows some partial information about the global phase. Ref. Lucamarini et al. (2018) argued that this type of protocol can have the rate scaling.

  4. The variation investigated in Ma et al. (2018) uses the name PM-QKD protocol. Similar to TF-QKD Lucamarini et al. (2018), it also uses infinitely many phase-matching pairs of coherent states as signal states and adopts a similar procedure as Lucamarini et al. (2018) in identifying whether Alice and Bob have chosen the same phase-matching pair for each round. It also uses partially phase-randomized coherent states as test states. The difference from TF-QKD is that there is no assignment of basis choice for each round. The security analysis does not use the standard decoy state methods.

  5. The variation studied in Tamaki et al. (2018) is called TF-QKD protocol. This protocol, similar to the original TF-QKD protocol, uses infinitely many phase-matching pairs as signal states and later post-selects on rounds where the global phases are different by less than a small amount. Effectively, by allowing some errors, Alice and Bob assume that they have chosen the same phase-matching pair when the difference in their global phases is small. This protocol also has an assignment of basis choice for each round in order to apply a BB84-type security argument. Different from the original TF-QKD protocol, this protocol uses a mixture of photon number states as test states. The security analysis applies the standard decoy state methods.

  6. The variation proposed in Cui et al. (2018) is also called PM-QKD protocol. It uses exactly one phase-matching pair as signal states and uses a mixture of photon number states as test states.

  7. The variation studied in Curty et al. (2018) is referred as a TF-QKD type protocol. This variation essentially is the same as in Cui et al. (2018). It uses exactly one phase-matching pair as signal states and uses a mixture of photon number states as test states. These two works differ by the security proof methods.

  8. In this paper, we propose a modified PM-MDI protocol. Our protocol uses exactly one phase-matching pair as signal states and infinitely many different coherent states (without phase randomization) as test states. Our security analysis does not use the standard decoy state method since our test states are not mixtures of photon number states. We rely on the tomographic reconstruction of POVM elements using the coherent states as test states to prove the security.

In the end, we remark that the advantages of different types of test states. Using a mixture of photon number states as test states allows the standard decoy state analysis, which has been investigated and well understood. In addition, using a small number of decoy states as test states has been investigated in many other protocols and might be readily adapted to some variations of PM-MDI QKD protocol. On the other hand, using coherent states as test states has the potential to give tighter key rates, as we will demonstrate in this paper when using infinitely many coherent states. Also, it does not require the phase randomization in the experimental implementations.

Iii Security proof

To prove the security of a QKD protocol, the ultimate goal is to provide a full security proof following the -security definition of QKD Renner (2005); Müller-Quade and Renner (2009) in the framework of universal composability. Currently, there are well-developed techniques to simplify the problem, such as, the quantum de Finetti theorem Renner (2005), so-called post-selection technique Christandl et al. (2009), or the entropy accumulation theorem Dupuis et al. (2016); Dupuis and Fawzi (2018). These techniques allow us to prove the security in a two-step procedure. In the first step we prove the security against collective attacks in the infinite key scenario, and in the second step we apply one of the mentioned techniques to extend the analysis to a full security proof against general attacks, including finite size effects. The scope of this paper is to prove the first step, namely the analysis of the collective attack in the infinite key limit. We leave technical details of the extension to the full security for the future work.

To prove the security of this protocol against collective attacks, we first apply the source-replacement scheme Curty et al. (2004); Ferenczi and Lütkenhaus (2012) to both Alice and Bob’s sources and convert this protocol to its equivalent entanglement-based protocol. Then we proceed to prove the security of the entanglement-based version by evaluating the secret key generation rate.

iii.1 Source-replacement scheme

For the purpose of clarifying notations, let us start with a more abstract view of the protocol. In each round, Alice chooses a state from the set of possible signal states according to a priori probability distribution and similarly, Bob chooses a state from the same set with a priori probability distribution . Then in the source-replacement scheme, Alice and Bob’s sources effectively prepare the following state


where the register records the choices of states prepared in the register and similarly the register records the choices of states in the register . We introduce an orthonormal basis for the register system corresponding to states , and an orthonormal basis for the register system corresponding to states . It is crucial that Eve has no access to the registers and . Then, Alice keeps the register and sends the system to Charlie, and similarly, Bob keeps and sends . To learn their choices of states sent to Charlie for each round, Alice performs a local measurement described by a positive-operator valued measure (POVM) on her register and likewise, Bob applies his POVM to his register .

Importantly, we only apply the source-replacement scheme for the signal states in the key-generation mode since the test states in the test mode are only used to put constraints on how Eve acts in the subspace spanned by signal states. We denote the set of signal states in the key-generation mode as , that is,


where each state is a two-mode coherent state coming from both Alice and Bob, and we dropped the subscript for the ease of writing. Since finitely many coherent states are linearly independent, we want to point out that is indeed a basis of .

iii.2 Description of Eve’s attack

As an MDI QKD protocol, Eve has a full control of both the quantum channels connecting Alice, Bob and the intermediate node Charlie, and the measurement devices at the intermediate node. Since measurement devices are neither characterized nor trusted, Eve is assumed to play the role of Charlie to perform the measurement. Therefore, in the PM-MDI QKD protocol, we can view the protocol in an alternative and equivalent picture, as shown in the Fig. LABEL:sub@fig:scheme_b. In order to make an announcement strategy, Eve performs some measurement, which can be described by a POVM , directly on the states from Alice and Bob in the registers and . Moreover, without loss of generality, we can assume that only has four elements since only outcomes are meaningful for Alice and Bob, and all other outcomes are simply discarded in the protocol. (Even though Alice and Bob may only keep outcomes to distill keys, we are allowed to include outcomes for parameter estimation.) We write this POVM as , or abbreviate it as for . The probability of announcing the outcome is for an input state .

From Alice and Bob’s point of view, they can only know the probability of each announcement, not the post-measurement states in Eve’s hand. They can infer what POVM that Eve applied from their observed correlations. However, Eve can perform a nondestructive measurement and keep her post-measurement states for further analysis. That is, Eve applies a completely positive trace-preserving (CPTP) map on the input quantum states in the registers and . Her announcement about the measurement outcome is stored in the classical register and she keeps the post-measurement state in the register . Here, we introduce an orthonormal basis for the register , each of which corresponds to every possible announcement outcome. In general, we can write as follows:


where each is a completely positive trace non-increasing map and is an arbitrary linear operator on the systems .

In the Choi-Kraus representation, each can be written as


with and the summation going over some index set that depends on . Without loss of generality we can use maps with a single Kraus operator . The reason for this is that the general case of Eqs. (3) and (4) can be represented as a concatenation of two maps, the first one using the case of , followed by a second channel operation that is conditioned on the classical register and uses Kraus operators . To see this we need only to verify two things: (a) the concatenation of both operations gives the general form, and (b) the Kraus operators for each value of define a valid CPTP map. The proof of (a) is trivial, and for (b) we need only to verify that , where is the projector onto the support of and is the corresponding pseudoinverse of . We insert the definition to find


Clearly, since the general case can thus be considered as a two-step procedure, where the first step gives rise to the announcement and the second step acts only on Eve’s conditional states, it can only strengthen Eve’s position by not forcing her to do this second step. Without loss of generality, we can thus assume that Eve’s optimal strategy performs only the first step.

Since we assume the sources are protected, Eve cannot have the access to the registers and and cannot modify the states in those registers. Therefore, when Eve directly acts on the state shown in the Eq. (1) from the source-replacement scheme, the joint state shared by Alice, Bob and Eve along with the classical register for announcements is as follows:


iii.3 Key rate evaluation with Devetak-Winter formula

To distill keys from , Alice and Bob perform measurements using POVMs on the register and on the register , respectively. Upon measurements, Alice stores her measurement outcomes in a classical register and Bob stores his in a classical register . Alice then applies a key map that maps her measurement result in the register to a raw key bit in the register . We want to point out that the key map step is necessary, but the key map can be trivial, as it is in this PM-MDI QKD protocol. The key map here is an identity map from the register to the register . Let denote the effective CPTP map that transforms to . In the end, we generate keys from the state , which has the form


where is Eve’s conditional state conditioned on Alice holding in the register , Bob having in the register and the central node announcing . Here, is a marginal probability of the joint probability distribution and is a conditional probability.

Under collective attacks, we can evaluate the secret key generation rate using Devetak-Winter formula Devetak and Winter (2005), which is expressed in terms of a single-copy state shared by Alice, Bob and Eve.

As is typical in the MDI protocols, we can choose to generate keys from each announcement outcome independently as the announcement is available to all parties. We rewrite by defining conditional states of Alice, Bob and Eve conditioned on the announcement outcome as



We adapt the Devetak-Winter formula to a general case where the error correction is not necessarily performed at the Shannon limit. In that case the number of secret bits that we can distill from the state is , which is defined as


where Leak is the amount of information leakage per signal during the error correction step for the rounds corresponding to the announcement outcome , and


is the Holevo information, where is the von Neumann entropy. The states and are defined as:


In the Shannon limit, we have and thus we recover the original Devetak-Winter formula in the Eq. (9). Another important observation is that Leak is directly determined from the experimentally observed correlations.

The total number of secret bits that we can distill from the state , denoted by , is defined as


From the Eq. (6), we can calculate Eve’s conditional states as


where we define


Then, by substituting Eq. (13) into Eq. (11), we can calculate the conditional states and , and evaluate in Eq. (10) to obtain in Eq. (9).

From the relation between and shown in Eq. (6), we notice that a full knowledge of gives us a full knowledge of and thus we can determine the key rate using Eq. (12). However, if we cannot uniquely determine , then we cannot uniquely determine . In that case, we have a set of compatible density operators , that is, . Thus, we need to consider the worst-case scenario by taking the minimum of over the set , or equivalently, over the set = .

In this situation, the asymptotic key rate should be expressed as


The essential part of the optimization is to optimize the Holevo information by finding the all possible Eve’s conditional states, which are needed to evaluate the Eq. (10).

We remark that most of the discussion so far is general to a generic MDI QKD protocol. In the next section, we will adapt this procedure to our specific PM-MDI QKD protocol.

iii.4 Determination of Eve’s POVM for PM-MDI QKD

As discussed in the previous sections, knowing Eve’s POVM elements allows us to calculate the key rate, since the minimization in the Eq. (15) is now over a set containing only one element. We will now explain how our choice of test states (coherent states with a continuum of complex amplitudes) allows in principle to determine Eve’s POVM elements.

For simplicity, let us concentrate on the case of testing a measurement device acting on a single mode (rather than the two-mode case of our protocol). Knowing some POVM element is equivalent to being able to predict the probability of the associated outcome for any input state as . We can now use the phase-space formalism of quantum mechanics (see for example Cahill and Glauber (1969a, b)) where we use the P-function representation of so that we have


As we see from this equation, knowledge of the function allows the prediction of for all input states for which the P-function of the density matrix exists. So testing the measurement device with all possible coherent states and observing the corresponding probabilities is equivalent to knowing .

Actually, using results from Cahill and Glauber (1969a, b) one can reconstruct the operator explicitly also in cases where the P-function of may not exist. Let us go through the arguments directly for the POVM elements for the outcome in the two-mode case. We adapt the equations (3.4)-(3.6) from Cahill and Glauber (1969b) to our scenario.

By substituting the Eq. (3.4) and the Eq. (3.6) into the Eq. (3.5) from Cahill and Glauber (1969b), we obtain a power series for each as:


where and their complex conjugated counterparts are treated as independent variables, and , are the annihilation and creation operators of the two modes. Since is a POVM element and thus has bounded eigenvalues, such series exist and converge Cahill and Glauber (1969a). Using the two-mode test states and the associated observed probabilities thus uniquely determines .

Note that a full description of as shown above is more than what we actually need since we are only interested in how acts on the subspace , which is only a four-dimensional space.

For this, we need to be able to calculate off-diagonal elements of the form . It is an interesting question whether we can estimate these elements well enough with just a few number of coherent states. (The diagonal elements are directly accessible.) We present now the handle to attack this question.

We first notice that characterizing on is equivalent to the question whether the operator can be approximated to arbitrary precision in the Hilbert-Schmidt norm by the discrete diagonal coherent state representation Mukunda and Sudarshan (1978); Sharma et al. (1981):


where we use sets of tensor products of coherent states and complex numbers .

Then, we can write as a sum of observed values as


By appropriate choices of , we will be able to get a good approximation by terminating the summation at . From the approximation, we will then determine a set of POVMs compatible with experimental correlations, which is a neighborhood of the POVM that Eve actually performed. When we calculate the key rate in this case, we need to perform the minimization in the Eq. (15). In that case, we may apply numerical methods Coles et al. (2016); Winick et al. (accepted, in press, 2018) to perform the desired optimization. If such an approximation makes this set of compatible POVMs small enough, then the key rate with several choices of test states would be close to the key rate with infinite choices of test states. We leave the detailed analysis of finite choices of test states scenario to the future work.

In Appendix A, we will discuss how to represent in the four-dimensional subspace after knowing for .

Iv Simulation

We perform simulations to study the loss scaling of this PM-MDI QKD protocol and also the stability of the protocol.

iv.1 Loss-only scenario

To show that the key rate of this protocol has a scaling of with the single photon transmissivity between Alice and Bob, we first study the loss-only scenario. We simulate the quantum channel as a lossy channel and we consider the normal situation where Charlie (Eve) performs the measurements so that the observed statistics during the parameter estimation step is compatible with Charlie performing the measurement shown in Fig. LABEL:sub@fig:scheme_a. That is, we calculate the POVM corresponding to the real setup. Our protocol can verify via test states in the test mode that this is the actual POVM performed by Eve in the loss-only scenario. For the purpose of our presentation, we consider a symmetric setup, that is, Charlie is at an equal distance from Alice and Bob, and the loss in each path is the same. For a total transmissivity between Alice and Bob, each path has a transmissivity .

In this situation, when Alice sends a coherent state and Bob sends a coherent state in the same optical mode, the state becomes after the lossy channel. When Charlie performs the measurement on this state, the probability for each announcement outcome can be calculated as follows:


Specifically, the conditional probability of each announcement outcome for each state in the set is summarized in the Table 1. From this table, we can directly evaluate the classical mutual information as

0 0
0 0
0 0 0 0
Table 1: Conditional probability distribution of announcement outcomes given the states from in the loss-only scenario. is the single photon transmissivity between Alice and Bob and is the intensity of coherent states in the key-generation mode.

Clearly, we cannot distill keys from and announcements. Also, we find since no error correction is needed in this loss-only scenario. Now, we only need to evaluate for and . We first find conditional states and defined in the Eq. (13).

As we can notice from Table 1, in the loss-only scenario, whenever Alice and Bob prepare coherent states with a phase difference, Charlie will never announce and whenever they prepare coherent states with the same phase, Charlie will never announce . Because and , each of the states and is a pure state so that .

Therefore, we only need to evaluate and . In this loss-only case,


The eigenvalues of are and thus , where is the binary entropy function. Similarly, the eigenvalues of are and thus . Using the definition of in Eq. (14), we obtain


Thus, we have . We provide explicit expressions of for this loss-only scenario in the section B.1 of Appendix B, using which the reader can check the result directly.

Finally, we obtain the expression of secret key generation rate as a function of and the intensity in this loss-only scenario as


For small values of , . When we take the optimal value of , which is , then we find , thus confirming the rate scaling of .

In Fig. 2, the blue dashed line is the asymptotic key rate of this loss-only scenario as a function of the transmission distance , where we take and is optimized for each distance . The red solid line is the fundamental repeaterless bound Pirandola et al. (2017). This calculation gives an intuitive understanding on how the PM-MDI QKD can beat the repeaterless key rate bound. We see that this PM-MDI QKD protocol beats the repeaterless bound at around km. Our key rate expression in the Eq. (24) is tight for the loss-only scenario. Therefore, we expect this is the loss limit for PM-MDI QKD.

iv.2 Realistic Imperfections

It is of practical interests to study how stable this protocol is in noisy scenarios. In particular, we simulate the scenario with realistic imperfections in experimental devices, including the dark counts of detectors, mode mismatch and phase mismatch, detector inefficiency, and error correction inefficiency. In this section, we briefly introduce sources of imperfections and corresponding simulation parameters, then explain the correlations that Alice and Bob would observe in our simulation model, and finally present the results of our key rate calculation. In the section B.2 of the Appendix B, we provide more detailed explanations for the physical model of each imperfection.

For the purpose of presentation, we assume that both detectors have the same detector efficiency and the same dark count probability . We remark that the simulation method described in the section B.2 is also applicable to more general situations.

In the ideal implementation of this protocol, Alice and Bob should prepare coherent states in the same optical mode, that is, with the same spectral, temporal profiles and the same polarization, in order to have single-photon interference at the beamsplitter. In reality, since their states may come from different lasers and pass through different optical components before reaching the central node, the modes of their states are not necessarily perfectly matched. Thus, we consider the relative mode mismatch between their states with a simulation parameter . In our simulation, if without any mode mismatch, the state arriving at the central node from Alice and Bob is supposed to be , then with the mode mismatch, the state becomes in the original mode and in a second mode. Both modes enter Charlie’s devices independently.

Another source of imperfection considered in our simulation model is the phase mismatch. In the key-generation mode, Alice and Bob are supposed to prepare states in the set , which are coherent states with the same global phase and with the encoding information in the relative phases. In reality, the global phase is not guaranteed to be the same when states reach the detectors. Therefore, we consider the situation where there is a relative phase mismatch between Alice’s signal state and Bob’s signal state. If without any phase mismatch, the state is supposed to be , then due to the phase mismatch, the state is changed to with a simulation parameter .

Table 2 lists the choice of parameters in our simulation. In particular, We choose the same values for the efficiency of a detector and the dark count probability of a detector as those used in the Ref. Ma et al. (2018) for comparison purpose. We also select pessimistic values for the mode mismatch and phase mismatch to demonstrate the feasibility of beating the repeaterless bound with currently available devices.

Detector efficiency 14.5%
Detector dark count probability
Mode mismatch () 5%
Phase mismatch
Error correction efficiency 1.15
Table 2: Values for simulation parameters. They are experimentally feasible and might be pessimistic values. See main text for more explanations.

We give the expressions for the probability of each announcement outcome given each choice of the input state in terms of the simulation parameters , , , and . We define the total transmissivity as , where is the channel transmission probability between Alice and Bob.


where for the simplicity of writing, we have made the following definitions


From the Eq. (25), it is straightforward to derive the conditional probability of each announcement outcome given the state in . Similar to the loss-only scenario, we also discover that the mutual information is zero for and since the probability of making those announcements is independent from the signal states sent by Alice and Bob in our simulation. Thus, we only generate keys from and outcomes.

We define error rates and given the announcement outcome and , respectively.


where we define and .

To take the inefficiency of error correction into consideration, we take the following values for Leak and Leak:


where is the efficiency of error correction.

The rest of the task is to find each of and