Almost-tight and versatile security analysis of measurement-device-independent quantum key distribution

Ignatius William Primaatmaja (ign.william@gmail.com): Centre for Quantum Technologies, National University of Singapore, Singapore
Emilien Lavie: Centre for Quantum Technologies, National University of Singapore, Singapore; Télécom ParisTech, LTCI, Paris, France; Department of Electrical & Computer Engineering, National University of Singapore, Singapore
Koon Tong Goh: Department of Electrical & Computer Engineering, National University of Singapore, Singapore
Chao Wang: Department of Electrical & Computer Engineering, National University of Singapore, Singapore
Charles Ci Wen Lim: Centre for Quantum Technologies, National University of Singapore, Singapore; Department of Electrical & Computer Engineering, National University of Singapore, Singapore

Abstract

Measurement-device-independent quantum key distribution (MDI-QKD) is the only known QKD scheme that can completely overcome the problem of detection side-channel attacks. Yet, despite its practical importance, there is no standard approach towards computing the security of MDI-QKD. Here, we present a simple numerical method that can efficiently compute almost-tight security bounds for any discretely modulated MDI-QKD protocol. To demonstrate the broad utility of our method, we use it to analyze the security of coherent-state MDI-QKD, decoy-state MDI-QKD with leaky sources, and a variant of twin-field QKD called phase-matching QKD. In all of the numerical simulations (using realistic detection models) we find that our method gives significantly higher secret key rates than those obtained with current security proof techniques. Interestingly, we also find that phase-matching QKD using only two coherent test states is enough to overcome the fundamental rate-distance limit of QKD. Taken together, these findings suggest that our security proof method enables a versatile, fast, and possibly optimal approach towards the security validation of practical MDI-QKD systems.

I Introduction

Quantum key distribution (QKD) is an emerging quantum technology that enables the exchange of cryptographic keys in an untrusted network Bennett and Brassard (1984); Ekert (1991). The key feature of the technology is that it is provably secure. More specifically, its security is based solely on the laws of quantum mechanics and not on how powerful the adversary could be. For this reason, secret keys generated by QKD systems can be safely used in any cryptographic application that requires long-term security assurance.

A hugely popular QKD configuration is the prepare-and-measure (P&M) scheme. As its name suggests, P&M-QKD involves the preparation of a quantum state that is randomly drawn from a pre-agreed set of states by the protagonist, whom we call Alice. Then, she will send the prepared state to her distant associate, whom we call Bob, to be measured in a basis that is randomly drawn from a pre-agreed set. Since Eve could not perfectly discriminate the traversing signals, any attempt to learn their identity will inevitably modify the quantum state itself. Thus, the secrecy of the secret key is guaranteed by quantum theory and such is the main appeal of QKD.

Despite the rigorous mathematical validation of QKD, present physical implementations of QKD are vulnerable to numerous side-channel attacks. In particular, it was demonstrated that the adversary could exploit the imperfections of single-photon detectors to steal some information about the secret key without introducing noise into the quantum channel Fung et al. (2007); Qi et al. (2007); Zhao et al. (2008); Xu et al. (2010); Lydersen et al. (2010); Gerhardt et al. (2011). Consequently, these demonstrations necessitate the search for a QKD protocol that is robust against detection side-channel attacks: the measurement-device-independent QKD (MDI-QKD) Lo et al. (2012); Braunstein and Pirandola (2012).

The MDI-QKD scheme (see Fig. 1) requires both Alice and Bob to each prepare a quantum state, which, like the P&M scheme, is randomly drawn from a pre-agreed set of states, to be sent to a potentially untrusted node connecting them. Ideally, the node will perform a Bell-state measurement jointly on the prepared states, whose outcome will determine if both Alice and Bob will keep the indices of the prepared quantum states for key distillation. This process is equivalent to a protocol where Alice and Bob each prepare a bipartite entangled state and measure a part of it Bennett et al. (1992) while sending the other to the node for entanglement swapping. Hence, it is as though Alice and Bob are making local measurements on a shared entangled state. Subsequently, Alice and Bob would sample their bit strings to evaluate their security against any potential adversary. Such security analysis is made assuming that Eve has full access and control of the node, and hence, any attack based on imperfect detectors is part of the untrusted quantum channel.

An innovation is only as good as its feasibility and the same applies to QKD protocols. With practicality in mind, MDI-QKD was designed to be implementable with existing hardware. Although the security of MDI-QKD relies mainly on instances when single-photon states are transmitted from Alice and Bob to the node, employing the decoy-state method Lo et al. (2005) gives good security performances using phase-randomized coherent states as signals. Due to its merits, efforts to progress MDI-QKD were made on both theoretical Curty et al. (2014); Tamaki et al. (2012); Coles et al. (2016); Winick et al. (2018); Tamaki et al. (2014); Ma et al. (2012); Xu et al. (2014) and experimental Rubenok et al. (2013); Liu et al. (2013); Da Silva et al. (2013); Tang et al. (2014a, b); Pirandola et al. (2015); Wang et al. (2015); Comandar et al. (2016); Tang et al. (2016); Yin et al. (2016) fronts.

Figure 1: Virtual protocol for arbitrary MDI-QKD protocols. To prove the security of an MDI-QKD protocol, we consider a virtual protocol, which from the point of view of the adversary is equivalent to the actual protocol. In this virtual protocol, (i’) Alice and Bob each prepare an entangled state which can be steered into the signal states of the real protocol. Furthermore, we can choose the entangled state such that one part of the entangled state is a qubit which is kept in each party’s quantum memory. (ii’) Then, the other part of the entangled states, namely system and , are sent through the quantum channel to the central node. (iii’) When the central node performs a successful Bell state projection, Alice’s qubit is now entangled with that of Bob due to entanglement swapping. As such, one can see the virtual protocol as a procedure of distributing entangled qubit pairs to Alice and Bob. Then, one can use the techniques for entanglement-based QKD to prove the security of MDI-QKD.

Evolving from the original protocol, MDI-QKD could also be performed with coherent states without phase randomization and hence the decoy-state method. In this case, Alice and Bob encode the key information in the phases of the coherent states. The modified protocol can be proven secure using the so-called quantum coin method Tamaki et al. (2012), which was based on earlier research in P&M-QKD with imperfect devices Gottesman et al. (2004). However, it is not known if this approach would lead to optimal secret key rates.

Here, we introduce a versatile, fast and almost optimal framework to compute the security of discretely modulated MDI-QKD. This technique is based on the observation that the Gram matrix of Eve’s quantum side information translates to the characterization of Eve’s attack in a compact way. We apply this characterization technique to three different types of MDI-QKD protocols: (1) the original polarization (or time-phase) encoding decoy-state MDI-QKD Lo et al. (2012), (2) phase-encoding MDI-QKD using non-phase-randomized coherent states Tamaki et al. (2012), and (3) a variant of twin-field QKD Lucamarini et al. (2018) called phase-matching MDI-QKD Lin and Lütkenhaus (2018). The proposed proof technique demonstrates significant advantages over the known bounds on secret key rates for all of the considered MDI-QKD protocols.

II Method

In this section, we outline a general security framework that works for any MDI-QKD protocol, provided the encoded states are pure and their inner-products are known. In practice, one can characterize the encoded states by performing state tomography and thus their inner-products can be easily obtained. Suppose the states that Alice prepares are and those prepared by Bob are where and are the bit values while and are the basis choices of Alice and Bob respectively. We denote the inner-product of the code states by . Note that could be complex.

Since the joint input states are pure, we can describe the quantum channel and the untrusted measurement by the central node as a quantum-to-classical map. Such maps can be described by an isometry acting on the input states giving

(1)

where is the classical announcement made by the central node. For concreteness, we consider the case where , which indicates whether the Bell state measurement is successful or not. The vectors are sub-normalized states corresponding to the quantum side information that Eve holds. Now, one can construct a Gram matrix for the adversary’s quantum side information and it is clear that such matrix is positive semi-definite, i.e., .

Moreover, since the channel is described by an isometric transformation, the inner-product information is preserved at the output states as well. More specifically, we have the following constraint on the Gram matrix :

(2)

Furthermore, other observable constraints such as the bit-error rate and the probability of successful Bell state measurement can be expressed in terms of linear constraints on the Gram matrix. For example, the probability of successful Bell state measurement when Alice and Bob both choose the basis , denoted by , is given by

(3)

where is the probability of Alice and Bob both choosing the basis and is the joint probability that Alice chooses and Bob chooses . Similarly, the bit-error rate in the basis, denoted by , can be expressed as

(4)

Now, to prove the security of the protocol, we consider a virtual protocol illustrated in Fig. 1. For concreteness, we suppose that Alice and Bob extract secret key from the basis and they use the basis (which is mutually unbiased to ) to estimate Eve’s information. In this virtual protocol, to generate secret key, Alice and Bob first prepare the entangled states

(5)

where the systems and are qubits. From the point of view of Eve, this is equivalent to the actual protocol since after tracing out systems and , the marginal states are the same as if Alice and Bob prepare the states and randomly based on the random bit and given by their random number generator. Furthermore, Alice and Bob can obtain the random bit and , simply by measuring systems and in the basis.

After the central node successfully performs a Bell state projection, the qubit-qubit system is now entangled due to the entanglement swapping operation. Depending on the outcome of the Bell state measurement , Bob will need to perform a local unitary to rotate the state into the target state. Then, to estimate the side information that Eve has, Alice and Bob can measure the systems and respectively in the basis. This will give Alice and Bob the so-called phase-error rate in their virtual qubit-qubit system. Shor and Preskill Shor and Preskill (2000) proved that, for this type of QKD protocol, the lower bound on the asymptotic secret key rate is given by

(6)

where is the binary entropy function.

At this point, a few remarks are in order. Firstly, the measurement in the basis when Alice and Bob prepare the entangled states and are counter-factual measurements that are not performed in the actual protocol. The actual test states that Alice and Bob send are and whose virtual analogue is measuring the qubit systems of some other entangled states and in the basis. As such, the phase-error rate is not accessible in the actual protocol. However, Alice and Bob can employ the knowledge of the test states (i.e., the inner-product information), the observed error rate, and the success probability to constrain the virtual protocol phase-error rate, , as we will show later.

Secondly, like the bit-error rate , the phase-error rate is also a linear function of the Gram matrix . The explicit expression of , in general depends on the choice of entangled state that Alice and Bob prepare, the virtual measurements that steer the states, as well as the target state of the qubit pairs shared between Alice and Bob.

With all these in mind, here is the crucial observation. Firstly, the Gram matrix depends on the isometry performed by Eve. Secondly, the constraints on the Gram matrix , imposed by the inner-product information and the observed statistics, are linear. Moreover, one can obtain a lower bound on the secret key rate by obtaining an upper bound on the phase-error rate , which is a linear objective function, allowing us to use semi-definite programming (SDP) techniques to completely characterize Eve’s strategies. This will be explained in more detail in Section III.

Lastly, to show that our method gives a tighter lower bound on the key rate as compared to the quantum coin approach, we will analyze MDI-QKD protocols based on coherent states and Trojan horse attacks. These are the scenarios in which the quantum coin approach was used in the literature. The outcomes of the simulation are presented in section IV.

III Characterizing Eve’s strategy using semi-definite programming

SDP is a class of convex optimization problems with a linear objective function over a cone of positive semi-definite matrices Boyd and Vandenberghe (2004). One can think of such an optimization problem as linear programming with linear matrix inequalities as constraints. Just like any other optimization problem, we can define the primal problem and the dual problem of an SDP. If the primal problem is a minimization problem, then its dual would be a maximization problem and vice versa. Furthermore, if the primal problem is a maximization problem, then the weak duality theorem states that the optimal primal value and the optimal dual value satisfy the following relationship

(7)

and the opposite is true if the primal problem is a minimization problem. When , we say that strong duality holds and it implies that is the optimal solution to the SDP.

Previously, there have been some proof techniques of QKD that are based on SDP Wang et al. (2018); Coles et al. (2016); Winick et al. (2018). One of the appeals of such numerical approaches is that they are highly versatile and can be used to analyze a wide range of QKD protocols without relying on the specific structure of the underlying design. Here we propose another SDP-based technique of analyzing the security of MDI-QKD that is versatile, simple and almost-tight. Importantly, we highlight that our method does not rely on any semi-definite relaxation (such as the one proposed in Ref. Wang et al. (2018)).

Our method exploits the fact that the Gram matrix is both positive semi-definite and linearly constrained. As such, obtaining an upper bound to the phase-error rate is equivalent to solving the dual problem of an SDP. In other words, the solution of the SDP characterizes the optimal attack that Eve can perform on the quantum channel and with the untrusted central node. Thus, the security analysis of any MDI-QKD protocol is equivalent to solving the following SDP

(8)

where is the basis choice of Alice and Bob and is a linear function of the Gram matrix , which is protocol dependent. In order to obtain a reliable upper bound on , one has to optimize the dual problem of optimization (8).

Furthermore, due to the weak duality theorem, any feasible solution of the dual problem gives a reliable upper bound on the phase-error rate. Moreover, when the strong duality condition holds, our upper bound on the phase-error rate is tight. Remarkably, in practice, the duality gap (the difference between the primal and dual value) is usually very small. Hence, our upper bound on the phase-error rate is almost tight, even when the strong duality condition is not met.

Drawing the connection to the isometry performed by the eavesdropper, since the Gram matrix characterizes , solving the SDP (8) is equivalent to finding the isometry that gives Eve the maximum knowledge about the bits that Alice and Bob possess, considering the statistics that Alice and Bob observe. Lastly, we remark that SDPs can be efficiently solved with standard solvers that are readily accessible. Therefore, our method can be implemented easily even with personal computers (which is the case for the simulations presented in this work).

IV Examples

In this section, we apply our technique to coherent state based protocols, namely the phase-encoding coherent state MDI-QKD Tamaki et al. (2012) and a variant of the recently proposed twin-field QKD (TF-QKD) protocol Lucamarini et al. (2018), as well as the decoy-state protocols Lo et al. (2012) with Trojan horse attacks. We also analyze these protocols with the quantum coin method and show that our technique achieves a significantly higher secret key rate. For simplicity, we assume that the central node is equidistant to Alice and Bob. Consequently, we can also assume that the set of states that Alice prepares is the same as that of Bob. Although these assumptions are not necessary for our method to work, they will simplify the calculations greatly.

For the simulations of phase-encoding coherent state MDI-QKD as well as the decoy-state MDI-QKD, the parameters that we use are listed in Table 1. Parameter 2 will also be used for the simulation of TF-QKD.

              Detector efficiency   Loss coefficient (dB/km)   Misalignment error
Parameter 1   14.5%                 0.20                       1.5%
Parameter 2   85%                   0.20                       1.5%

Table 1: List of parameters for numerical simulations. The different parameters correspond to different types of detectors commonly used in QKD experiments. Parameter 1 corresponds to the case when avalanche photodiode (APD) detectors are used. Typically, APD detectors have relatively high dark count rate and low detector efficiency . On the other hand, Parameter 2 corresponds to the case where superconducting nanowire single-photon-detectors (SNSPD) are used. SNSPDs typically have lower dark count rate and higher detector efficiency. For all the simulations presented in this paper, we assume that the single mode fiber has loss coefficient dB/km and the overall misalignment error in the channel . Furthermore, we assume that error corrections can be done at Shannon’s limit. Then, for each given distance, we optimize the intensity of the signals to get the highest lower bound on the secret key rate.

Figure 2: Key rate simulation for generalized phase-encoding coherent state MDI-QKD. We use our method to compute the lower bound on the secret key rate for the one-basis (blue-dotted curves), two-basis (red-solid curves) and three-basis protocols (black-dashed curves). As one can see, the curves corresponding to the three-basis protocol almost coincide with the curves corresponding to the two-basis protocol.

IV.1 Phase-encoding coherent state MDI-QKD

We first analyze the phase-encoding coherent state MDI-QKD protocols. With a simpler architecture and fewer components and their related flaws, this class of MDI-QKD protocols can, in principle, provide economic and high-speed QKD systems. However, they have not been implemented experimentally due to other technical challenges such as phase-locking two independent lasers at a distance. Furthermore, based on the quantum coin approach, the secret key rate achieved by these protocols is not favorable. However, the interest in coherent state MDI-QKD protocols has been revived recently due to the introduction of twin-field-QKD (TF-QKD) protocols, also known as phase-matching MDI-QKD Lucamarini et al. (2018); Ma et al. (2018a); Tamaki et al. (2018); Cui et al. (2018); Curty et al. (2018); Lin and Lütkenhaus (2018). Remarkably, TF-QKD enables the distribution of secret key with a rate that overcomes the so-called repeaterless bound Takeoka et al. (2014); Pirandola et al. (2017) due to single-photon interference. As such, we foresee that there will be endeavours in implementing phase-locking techniques in QKD systems in the near future. Furthermore, as we shall see, we can prove that the secret key rate of coherent state protocols can be significantly improved using our method. Interestingly, as we demonstrate later, the secret key rate of phase-encoding coherent state protocols can even be higher than that of standard decoy-state MDI-QKD protocols at short distances. Therefore, it will be interesting to study this class of protocols.

In Ref. Tamaki et al. (2012), Alice and Bob prepare the states where is the mean photon number of the coherent states. They use the basis to generate key and the basis for parameter estimation. On the other hand, the untrusted central node will announce depending on whether the outcome of Bell state measurement is , or unsuccessful respectively. Furthermore, to improve the efficiency of the protocol, whenever the central node announces , Bob will flip the value of his bit.

We note that in Bell state measurements of coherent states, the outcome cannot be distinguished from the outcome and similarly, the outcome cannot be distinguished from the outcome as mentioned in Ref. Tamaki et al. (2012). Consequently, there will be intrinsic phase-error rate even if the bit-error rate is zero. However, the probability of obtaining and is higher than the probability of obtaining and respectively when the intensity of the coherent states is small (which is typically the case for QKD). Hence, we choose to label the conclusive outcomes as and .
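As an added illustration (not code from the paper), the following Python builds the Gram matrices of Section II for one feasible point of the SDP: an honest, lossy 50:50 beam-splitter relay with threshold detectors and no dark counts, and then evaluates the pass probability, bit-error rate and phase-error rate as linear functions of the Gram entries. The signal states |±√μ⟩ (key basis) and |±i√μ⟩ (test basis), the target Bell state (|00⟩ − |11⟩)/√2, and the rate form p_pass[1 − h(e_bit) − h(e_ph)] are assumptions of this example. The phase error it returns is the honest-relay value, which shows the intrinsic phase error at zero bit error; it is not the upper bound the SDP would return.

```python
import cmath
import math
from itertools import product

PHASES = (1, -1, 1j, -1j)  # assumed states: 0,1 = key-basis bits; 2,3 = test-basis bits
KEY = (0, 1)

def amp(s, mu):
    """Complex amplitude of assumed signal state s with mean photon number mu."""
    return complex(PHASES[s]) * math.sqrt(mu)

def overlap(a, b):
    """<a|b> for coherent states with amplitudes a and b."""
    return cmath.exp(-abs(a) ** 2 / 2 - abs(b) ** 2 / 2 + a.conjugate() * b)

def vacuum(a, b):
    """<a|0><0|b>: the threshold detector stays silent."""
    return math.exp(-abs(a) ** 2 / 2 - abs(b) ** 2 / 2)

def click(a, b):
    """<a|(I - |0><0|)|b>: the threshold detector clicks."""
    return overlap(a, b) - vacuum(a, b)

def relay_modes(s, t, mu, eta):
    """Amplitudes (loss_A, loss_B, det_c, det_d) for Alice state s and Bob state t.
    eta lumps channel and detector transmittance per arm (constructed model)."""
    a, b = amp(s, mu), amp(t, mu)
    lost, kept = math.sqrt(1 - eta), math.sqrt(eta / 2)
    return lost * a, lost * b, kept * (a + b), kept * (a - b)

def gram(mu, eta):
    """G[z][i,j,k,l] = <e^z_ij|e^z_kl>; z=0: only c clicks, z=1: only d clicks."""
    G = {0: {}, 1: {}, "fail": {}}
    for i, j, k, l in product(range(4), repeat=4):
        la, lb, c, d = relay_modes(i, j, mu, eta)
        la2, lb2, c2, d2 = relay_modes(k, l, mu, eta)
        env = overlap(la, la2) * overlap(lb, lb2)  # loss modes, all held by Eve
        G[0][i, j, k, l] = env * click(c, c2) * vacuum(d, d2)
        G[1][i, j, k, l] = env * vacuum(c, c2) * click(d, d2)
        G["fail"][i, j, k, l] = env * (vacuum(c, c2) * vacuum(d, d2)
                                       + click(c, c2) * click(d, d2))
    return G

def isometry_violation(G, mu):
    """Largest deviation from: sum over z of G^z = Gram matrix of the inputs."""
    worst = 0.0
    for (i, j, k, l) in G[0]:
        target = overlap(amp(i, mu), amp(k, mu)) * overlap(amp(j, mu), amp(l, mu))
        total = G[0][i, j, k, l] + G[1][i, j, k, l] + G["fail"][i, j, k, l]
        worst = max(worst, abs(total - target))
    return worst

def observables(G):
    """(p_pass, e_bit, e_ph) in the key basis, each linear in the Gram entries."""
    p_pass = err = ph = 0.0
    for z in (0, 1):
        for a, b in product(KEY, repeat=2):
            p = G[z][a, b, a, b].real / 4       # uniform bits for Alice and Bob
            p_pass += p
            if (a ^ b) != z:                    # Bob flips his bit when z = 1
                err += p
            # Phase error: equal X-basis outcomes, wrong for the assumed target
            # (|00> - |11>)/sqrt(2); only same-parity blocks contribute.
            for a2, b2 in product(KEY, repeat=2):
                if (a + b) % 2 == (a2 + b2) % 2:
                    ph += G[z][a, b, a2, b2].real / 8
    return p_pass, err / p_pass, ph / p_pass

def h2(p):
    """Binary entropy in bits."""
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def key_rate(p_pass, e_bit, e_ph):
    """Assumed Shor-Preskill form of the asymptotic rate per key-basis round."""
    return p_pass * (1 - h2(e_bit) - h2(e_ph))

if __name__ == "__main__":
    mu, eta = 0.05, 0.1                         # constructed sample values
    G = gram(mu, eta)
    p, eb, eph = observables(G)
    print("isometry violation:", isometry_violation(G, mu))
    print("p_pass=%.5f e_bit=%.3g e_ph=%.4f rate=%.3e" % (p, eb, eph, key_rate(p, eb, eph)))
```

For this honest relay the phase error works out to (1 − exp(−(4 − 2η)μ))/2, so it grows with the intensity even though the bit error is zero.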

Figure 3: Key rate simulation for phase-encoding coherent state MDI-QKD under Trojan horse attack. We compare the secret key rate obtained using our method (shown by solid curves) with the one obtained using the quantum coin technique (shown by dashed curves). For the simulation, we assume different intensities of the leakage light (From top to bottom: (blue), (red) and (black)). Comparing the two methods, we can see that for a given intensity of leakage, the secret key rate computed using our method is consistently higher than the secret key rate obtained by the quantum coin approach. Furthermore, one can see that the key rate obtained by our method is more robust against Trojan horse attacks.

Here, we generalize the protocol to allow Alice and Bob to choose from possible bases. Thus, the protocol proposed in Ref. Tamaki et al. (2012) corresponds to the case where . The case where is known in the literature as the MDI-B92 protocol and was studied in Ref. Ferenczi (2013). In this section, we will also study the case where .

For the generalized protocol, Alice and Bob independently prepare one of the states of the form

(9)

where is her (his) bit value, and with as her (his) choice of basis.

In the following simulations, for each given distance, we choose the value of the mean photon number that maximizes the lower bound on the secret key rate. The result of the simulation is shown in Fig. 2.

Surprisingly, the three-basis protocol does not give a noticeable improvement over the two-basis protocol in terms of the lower bound on the secret key rate. The intuition behind this is that one can estimate the statistics of the 4 test states in the three-basis protocol with the 2 test states in the two-basis protocol when we require all the intensities of the code states to be the same. Interestingly, when we remove that constraint, increasing the number of test states can give significant improvement in the secret key rate, as we shall see when we discuss TF-QKD later.

To compare our method with the quantum coin method, we consider the two-basis protocol. Additionally, we will also evaluate the performance of the two techniques when Eve performs a Trojan horse attack on the sources of Alice and Bob. For the model of the Trojan horse attack, we extend the model proposed by Ref. Lucamarini et al. (2015). The authors of Ref. Lucamarini et al. (2015) consider a Trojan horse attack on prepare-and-measure QKD but it is rather straightforward to extend the model to MDI-QKD where Eve attacks both Alice’s and Bob’s sources. In the presence of a Trojan horse attack, the output of Alice’s source can be written as

(10)

where is the intensity of the leaked light. Here, for simplicity of notation, we replace the pair with a single index. We assume that the Trojan horse system is only accessible to Eve and the probability of successful Bell state measurement is not affected by the Trojan horse attack. The output of Bob’s source is modeled similarly. The results of the simulations are shown in Fig. 3.

Figure 4: Key rate simulation for time-phase-encoding decoy-state MDI-QKD under Trojan horse attack. We compare the secret key rate obtained using our method (shown by solid curves) with the one obtained using the quantum coin technique (shown by dashed curves). For the simulation, we assume different intensities for the Trojan horse light. (From top to bottom: (blue), (red) and (black)). Comparing the two methods, we can see that the secret key rate computed using our method is consistently higher than the secret key rate obtained by the quantum coin approach. We note that for the simulation with APD, when , the quantum coin method fails to obtain any positive key rate.

As we can see from the figure, our method gives a tighter bound on the secret key rate than the quantum coin method. This is because the inequality that was used in the quantum coin approach is, in general, not tight. On the contrary, our SDP gives an almost tight approximation of the phase-error rate, owing to the small duality gap. Furthermore, our method is also more robust against the Trojan horse attack. This is because for a given distance, our method predicts higher optimal intensity than the one predicted by the quantum coin method. As a result, the ratio of the intensity of the signal states to the intensity of the leaked light is higher when computed with our method. Remarkably, even in the absence of Trojan horse attack (when ), our method gives a significantly higher lower bound on the secret key rate.

IV.2 Decoy-state MDI-QKD with Trojan horse attacks

We now consider the decoy-state MDI-QKD protocol Lo et al. (2012). For concreteness, we consider the time-phase encoding but our results can be transferred to other encoding schemes such as the polarization encoding. Combined with the measurement-device-independent architecture which protects us against any detector side-channel attacks, the decoy-state method prevents a certain side-channel attack on the sources of Alice and Bob, namely the photon-number-splitting attack Lütkenhaus and Jahma (2002). Nevertheless, decoy-state MDI-QKD is still vulnerable to other attacks on the sources. One possible attack that Eve can perform with current technology is the Trojan horse attack. As such, it would be interesting to study how decoy-state MDI-QKD protocols fare when subjected to practical Trojan horse attacks.

For simplicity, we follow Ref. Lucamarini et al. (2015)’s assumption that the Trojan horse attack does not affect the decoy-state implementation but only leaks the information about which of the signal states are being prepared by Alice and Bob. However, we note that our method can also be applied when the Trojan horse leaks the information of the decoy setting as discussed in Ref. Tamaki et al. (2016). Such technical extension is out of the scope of this paper and will be left for future work.

To apply our technique to decoy-state MDI-QKD, we first estimate the single-photon yield as well as the single-photon quantum bit-error rate (QBER) where denotes the basis choice of Alice and Bob. Then, we can apply our method to estimate the single-photon phase-error rate and hence, the secret key rate. In the absence of a Trojan horse attack, the single-photon phase-error rate is simply the single-photon QBER in the basis, . Nevertheless, when Eve performs a Trojan horse attack, the single-photon phase-error rate is no longer measured by Alice and Bob and can only be estimated using techniques like the quantum coin method or our proposed method. Here, we show that our method gives a tighter estimation of the single-photon phase-error rate than the quantum coin method.

Figure 5: Comparison of the secret key that can be distilled per channel use in decoy-state versus coherent state MDI-QKD. We compare the secret key rate of time-phase encoding decoy-state and phase-encoding coherent state MDI-QKD protocols both with and without Trojan horse attack. When there is no Trojan horse leakages, we can see that the coherent state protocol (shown by red-dash-dotted curves) has higher secret key rate than the decoy-state protocol (shown by blue-solid curves) at low loss regime (up to around 65 km with APD or around 230 km with SNSPD). Furthermore, when there is a Trojan horse leakage with intensity , we see that the decoy-state protocol (shown by black-dotted curves), suffers a more significant reduction in range as compared to the coherent state protocol (shown by green-dashed curves). This suggests that the coherent state protocol is more robust against Trojan horse attacks. We reiterate that in simulating the Trojan horse attack on decoy-state protocols, we assume that the Trojan horse attack does not affect the decoy-state implementation. Once we take into account the effect of Trojan horse attack on the decoy-state implementation, the key rate of the decoy-state protocol will suffer from an additional reduction due to the leakages.

Following the model of Ref. Lucamarini et al. (2015), Alice’s single-photon signals when affected by the Trojan horse attack can be written as

(11)

where is the canonical basis and , and is the vacuum state. Bob’s single-photon signals can be written down in similar fashion.

For the simulation, suppose that two decoy-states are used alongside the signal state. At the end of the protocol, Alice and Bob will have an estimate of the total gain and the total QBER where are the intensity settings of Alice and Bob respectively. To simulate the statistics observed in the experiment, we follow Ref. Ma and Razavi (2012)’s model for the total gain and total QBER. Then, we use the Gaussian elimination method to estimate the single-photon yield and QBER. Assuming that , the lower bound on the single-photon yield and the upper bound on the single-photon QBER are given in Ref. Xu et al. (2014). Other methods such as linear programming will yield similar results.

After we obtain and , it is straightforward to apply our method or the quantum coin argument to lower bound the single-photon phase-error rate . For decoy-state protocols, the lower bound on the asymptotic secret key rate is given by

(12)

where is the single-photon gain in the basis.

Furthermore, we assume that Alice’s and Bob’s intensity modulators that choose the decoy settings have finite extinction ratio such that the intensity of the second decoy-state cannot be set to zero. In this case, we assume that the intensity of the second decoy-state is 1000 times smaller than that of the signal, i.e. . Thus, for each point, the remaining free parameters in the optimization are the signal intensity and the first decoy-state intensity . The result of the simulation is given in Fig. 4.

Referring to Fig. 4, we again see an improvement in the lower bound on the secret key rate compared to the secret key rate obtained from the quantum coin technique. This confirms that our technique is able to give tighter secret key rate as compared to the quantum coin approach.

Although it is not an entirely fair comparison, one might be interested to compare the two protocols that we have analyzed. Fig. 5 gives the superimposed plot of the key rate of the two protocols. When there are no leakages, as one would probably guess, the decoy-state protocol has a longer range than the coherent state protocol. However, rather surprisingly, we find that at short distances, the coherent state protocol gives a higher lower bound on the secret key rate than the decoy-state protocol.

Figure 6: Key rate simulation for phase-matching MDI-QKD with finite test states. We compare the secret key rate obtained in phase-matching MDI-QKD with finite number of test states (represented by solid curves: from top to bottom, green curves for six test states, orange curves for four test states and blue curves for two test states) against the PLOB bound Pirandola et al. (2017) (represented by red-dashed curves). For completeness, we also plot the secret key rate when infinite test states are used Lin and Lütkenhaus (2018) (represented by black-dotted curve) in the noiseless scenario (, ). Remarkably, in the noiseless scenario, two test states are sufficient to overcome the PLOB bound. Furthermore, when considering the lossless scenario, two test states give almost the same performance as infinite test states.

A closer inspection reveals that for short distances, the coherent state protocol has a significantly higher probability of a successful Bell state measurement than the single-photon gain of the decoy-state protocol. This is possible because the coherent state protocols rely on single-photon interference whereas decoy-state protocols are based on two-photon interference. Therefore, despite having a higher phase-error rate, the coherent state protocol can give a higher secret key rate than the decoy-state protocol at short distances. Nevertheless, at long distances, the fact that coherent state protocols have a higher phase-error rate dominates and decoy-state protocols yield a higher secret key rate in that regime. Drawing another connection to TF-QKD, single-photon interference is also an important feature of TF-QKD.

Interestingly, the coherent state protocols are more robust against Trojan horse attacks in the sense that the range of coherent state protocols suffers less penalty from Trojan horse attacks as compared to the range of decoy-state protocols. We also note that since we neglect the effect of leakages on the decoy-state implementation in the security analysis, the performance of the decoy-state protocol would suffer even more when we consider leakages in the intensity settings .

IV.3 Phase-matching MDI-QKD with finite number of test states

To demonstrate the versatility of our method, we will analyze a variant of the recently proposed twin-field QKD (TF-QKD) protocol called the phase-matching MDI-QKD Lin and Lütkenhaus (2018). As mentioned previously, there is a growing interest in TF-QKD. Indeed, after the original proposal of the TF-QKD protocol Lucamarini et al. (2018), other variants of the protocol have been proposed along with their respective security analyses Ma et al. (2018a); Lin and Lütkenhaus (2018); Tamaki et al. (2018); Curty et al. (2018); Cui et al. (2018). Remarkably, TF-QKD protocols are able to overcome the repeaterless bounds Takeoka et al. (2014); Pirandola et al. (2017). However, many variants of the TF-QKD protocols (including the original proposal Lucamarini et al. (2018)) require phase-randomization of two independent phase-locked lasers, with the notable exception of Ref. Lin and Lütkenhaus (2018). There, the protocol uses non-phase-randomized coherent states which form phase-matching pairs. However, the results presented in Ref. Lin and Lütkenhaus (2018) require Alice and Bob to send infinitely many coherent states, leaving the practical case where a finite number of test states is used as an open problem. Here, we show that a finite number of test states is indeed enough to overcome the repeaterless bound.

Remarkably, one can see phase-matching MDI-QKD as a generalization of the phase-encoding MDI-QKD that we have considered earlier in Section IV.1. There, we assumed that the signal and test states share the same intensity. Here, we vary the intensity of different phase-matching pairs. More explicitly, in this protocol, Alice prepares states of the form

(13)

where are defined in similar way as in the phase-encoding MDI-QKD protocol and now the intensity of the coherent state depends on which basis Alice and Bob choose. By optimizing the intensity of each phase-matching pair, we show that we can overcome the repeaterless bound.

For comparison with the result of Ref. Lin and Lütkenhaus (2018) as well as the repeaterless bound, we will show the ideal performance of our protocol, i.e. when there are no dark counts or misalignment errors. For the repeaterless bound, we choose the secret key capacity given in Ref. Pirandola et al. (2017), also known as the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound

(14)

where is the total transmittivity of the quantum channel. On the other hand, Ref. Lin and Lütkenhaus (2018) proved that the secret key rate obtained when infinitely many test states are used in the loss only scenario, denoted by , is given by

(15)

Lastly, it will also be interesting to see how the protocol fares in the presence of imperfections such as dark counts and misalignment errors. To that end, we will also use Parameter 2 of Table 1 in our simulation. Furthermore, for a fair comparison with the PLOB bound, we plot the key rate against total loss (in dB), which includes the loss in the detector, instead of treating the loss in the fiber and in the detector separately. The plots of the key rate for the ideal and imperfect scenarios, as well as the PLOB bound and the key rate for the ideal infinite test states scenario, are given in Fig. 6. Remarkably, two test states are sufficient to overcome the PLOB bound in the ideal scenario whereas in the noisy scenario, four test states are sufficient to overcome the PLOB bound. Furthermore, we emphasize that in our simulation, we use the states with the structure given by equation (13) and optimize (using a coarse-grained exhaustive search) the intensity of each test state. We leave the question of whether optimizing the global phases can significantly increase the secret key rate as an open problem.
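The comparison against the repeaterless bound on a total-loss axis, as an added Python example that is not code from the paper: it folds detector efficiency into the total loss, evaluates the PLOB bound in its standard pure-loss form −log2(1 − η) (assumed here to be the form of equation (14)), and locates the loss at which a key-rate curve first exceeds it. The rate model `toy_rate` and its prefactor are constructed placeholders, not the paper's simulated key rates.

```python
import math

def total_loss_db(fiber_loss_db, detector_efficiency):
    """Total loss in dB: fiber loss plus the loss in the detector."""
    if not 0.0 < detector_efficiency <= 1.0:
        raise ValueError("detector efficiency must be in (0, 1]")
    return fiber_loss_db - 10.0 * math.log10(detector_efficiency)

def transmittance(loss_db):
    """Total transmittivity eta corresponding to a total loss in dB."""
    return 10.0 ** (-loss_db / 10.0)

def plob_bound(eta):
    """PLOB bound -log2(1 - eta) for a pure-loss channel (bits per use)."""
    if eta >= 1.0:
        return math.inf
    # log1p keeps precision when eta is tiny (high loss).
    return -math.log1p(-eta) / math.log(2.0)

def beats_plob(loss_db, key_rate):
    """True if key_rate exceeds the repeaterless bound at this total loss."""
    return key_rate > plob_bound(transmittance(loss_db))

def crossover_loss_db(rate_fn, lo=0.0, hi=100.0, tol=1e-6):
    """Smallest total loss in [lo, hi] at which rate_fn(loss_db) beats PLOB.

    Bisection; assumes the two curves cross at most once in the interval.
    Returns None if rate_fn never exceeds the bound by `hi`.
    """
    def gap(loss_db):
        return rate_fn(loss_db) - plob_bound(transmittance(loss_db))
    if gap(lo) > 0:
        return lo
    if gap(hi) <= 0:
        return None
    while hi - lo > tol:
        mid = 0.5 * (lo + hi)
        if gap(mid) > 0:
            hi = mid
        else:
            lo = mid
    return hi

def toy_rate(loss_db, prefactor=0.05):
    """Constructed placeholder: a rate scaling as sqrt(eta); not from the paper."""
    return prefactor * math.sqrt(transmittance(loss_db))

if __name__ == "__main__":
    loss = total_loss_db(fiber_loss_db=20.0, detector_efficiency=0.1)
    print(f"total loss: {loss:.1f} dB, PLOB: {plob_bound(transmittance(loss)):.3e}")
    print(f"toy curve beats PLOB from {crossover_loss_db(toy_rate):.2f} dB")
```

Replace `toy_rate` with an interpolant of simulated or measured key rates to run the same check on real data.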

V Conclusion

To conclude, we have developed a new numerical technique to analyze the security of MDI-QKD protocols. This is done by employing SDP to obtain an almost-tight upper bound on the phase-error rate, hence the significant improvement in the distilled secret key rate compared to the quantum coin method. Additionally, our method also reveals that phase-encoding coherent state MDI-QKD might outperform decoy-state MDI-QKD at short distances. Furthermore, our method is highly efficient and can be applied to any protocol with discretely modulated, pure input states, including continuous-variable MDI-QKD protocols with discrete modulation Ma et al. (2018b). Due to the versatility of our technique, it can also be applied to MDI-QKD protocols which lack symmetry. For example, by applying our method to the phase-matching MDI-QKD protocol, we also showed that the repeaterless bound can be overcome with only a few test states. It would also be interesting to extend the results presented in this paper to allow mixed input states, to cover MDI-QKD networks with multiple transmitters, and to include finite-key analysis.

Acknowledgements

This research is supported by the National Research Foundation (Singapore), the Ministry of Education (Singapore), the National University of Singapore, and the Asian Office of Aerospace Research and Development.

References

  • Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proc. of IEEE Int. Conf. on Comp., Syst. and Signal Proc., Bangalore, India, Dec. 10-12, 1984 (1984).
  • Ekert (1991) A. K. Ekert, Physical Review Letters 67, 661 (1991).
  • Fung et al. (2007) C.-H. F. Fung, B. Qi, K. Tamaki,  and H.-K. Lo, Physical Review A 75, 032314 (2007).
  • Qi et al. (2007) B. Qi, C.-H. F. Fung, H.-K. Lo,  and X. Ma, Quantum Information and Computation 7, 073 (2007).
  • Zhao et al. (2008) Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen,  and H.-K. Lo, Physical Review A 78, 042333 (2008).
  • Xu et al. (2010) F. Xu, B. Qi,  and H.-K. Lo, New Journal of Physics 12, 113026 (2010).
  • Lydersen et al. (2010) L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar,  and V. Makarov, Nature Photonics 4, 686 (2010).
  • Gerhardt et al. (2011) I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer,  and V. Makarov, Nature Communications 2, 349 (2011).
  • Lo et al. (2012) H.-K. Lo, M. Curty,  and B. Qi, Physical Review Letters 108, 130503 (2012).
  • Braunstein and Pirandola (2012) S. L. Braunstein and S. Pirandola, Physical Review Letters 108, 130502 (2012).
  • Bennett et al. (1992) C. H. Bennett, G. Brassard,  and N. D. Mermin, Physical Review Letters 68, 557 (1992).
  • Lo et al. (2005) H.-K. Lo, X. Ma,  and K. Chen, Physical Review Letters 94, 230504 (2005).
  • Curty et al. (2014) M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki,  and H.-K. Lo, Nature Communications 5, 3732 (2014).
  • Tamaki et al. (2012) K. Tamaki, H.-K. Lo, C.-H. F. Fung,  and B. Qi, Physical Review A 85, 042307 (2012).
  • Coles et al. (2016) P. J. Coles, E. M. Metodiev,  and N. Lütkenhaus, Nature Communications 7, 11712 (2016).
  • Winick et al. (2018) A. Winick, N. Lütkenhaus,  and P. J. Coles, Quantum 2, 77 (2018).
  • Tamaki et al. (2014) K. Tamaki, M. Curty, G. Kato, H.-K. Lo,  and K. Azuma, Physical Review A 90, 052314 (2014).
  • Ma et al. (2012) X. Ma, C.-H. F. Fung,  and M. Razavi, Physical Review A 86, 052305 (2012).
  • Xu et al. (2014) F. Xu, H. Xu,  and H.-K. Lo, Physical Review A 89, 052333 (2014).
  • Rubenok et al. (2013) A. Rubenok, J. A. Slater, P. Chan, I. Lucio-Martinez,  and W. Tittel, Physical Review Letters 111, 130501 (2013).
  • Liu et al. (2013) Y. Liu, T.-Y. Chen, L.-J. Wang, H. Liang, G.-L. Shentu, J. Wang, K. Cui, H.-L. Yin, N.-L. Liu, L. Li, X. Ma, J. S. Pelc, M. M. Fejer, C.-Z. Peng, Q. Zhang,  and J.-W. Pan, Physical Review Letters 111, 130502 (2013).
  • Da Silva et al. (2013) T. F. Da Silva, D. Vitoreti, G. Xavier, G. Do Amaral, G. Temporao,  and J. Von Der Weid, Physical Review A 88, 052303 (2013).
  • Tang et al. (2014a) Y.-L. Tang, H.-L. Yin, S.-J. Chen, Y. Liu, W.-J. Zhang, X. Jiang, L. Zhang, J. Wang, L.-X. You, J.-Y. Guan, D.-X. Yang, Z. Wang, H. Liang, Z. Zhang, N. Zhou, X. Ma, T.-T. Chen, Q. Zhang,  and J.-W. Pan, Physical Review Letters 113, 190501 (2014a).
  • Tang et al. (2014b) Z. Tang, Z. Liao, F. Xu, B. Qi, L. Qian,  and H.-K. Lo, Physical Review Letters 112, 190503 (2014b).
  • Pirandola et al. (2015) S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L. Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen,  and U. L. Andersen, Nature Photonics 9, 397 (2015).
  • Wang et al. (2015) C. Wang, X.-T. Song, Z.-Q. Yin, S. Wang, W. Chen, C.-M. Zhang, G.-C. Guo,  and Z.-F. Han, Physical Review Letters 115, 160502 (2015).
  • Comandar et al. (2016) L. Comandar, M. Lucamarini, B. Fröhlich, J. Dynes, A. Sharpe, S.-B. Tam, Z. Yuan, R. V. Penty,  and A. Shields, Nature Photonics 10, 312 (2016).
  • Tang et al. (2016) Y.-L. Tang, H.-L. Yin, Q. Zhao, H. Liu, X.-X. Sun, M.-Q. Huang, W.-J. Zhang, S.-J. Chen, L. Zhang, L.-X. You, Z. Wang, Y. Liu, C.-Y. Lu, M. X. Jiang, Xiao, Q. Zhang, T.-Y. Chen,  and J.-W. Pan, Physical Review X 6, 011024 (2016).
  • Yin et al. (2016) H.-L. Yin, T.-Y. Chen, Z.-W. Yu, H. Liu, L.-X. You, Y.-H. Zhou, S.-J. Chen, Y. Mao, M.-Q. Huang, H. Zhang, Wei-Jun Chen, M. J. Li, D. Nolan, F. Zhou, X. Jiang, Z. Wang, Q. Zhang, X.-B. Wang,  and J.-W. Pan, Physical Review Letters 117, 190501 (2016).
  • Gottesman et al. (2004) D. Gottesman, H.-K. Lo, N. Lütkenhaus,  and J. Preskill, Quantum Information & Computation 4, 325 (2004).
  • Lucamarini et al. (2018) M. Lucamarini, Z. Yuan, J. Dynes,  and A. Shields, Nature 557, 400 (2018).
  • Lin and Lütkenhaus (2018) J. Lin and N. Lütkenhaus, Physical Review A 98, 042332 (2018).
  • Shor and Preskill (2000) P. W. Shor and J. Preskill, Physical Review Letters 85, 441 (2000).
  • Boyd and Vandenberghe (2004) S. Boyd and L. Vandenberghe, Convex Optimization (Cambridge university press, 2004).
  • Wang et al. (2018) Y. Wang, I. W. Primaatmaja, A. Varvitsiotis,  and C. C. W. Lim, arXiv preprint arXiv:1803.04796  (2018).
  • Ma et al. (2018a) X. Ma, P. Zeng,  and H. Zhou, Physical Review X 8, 031043 (2018a).
  • Tamaki et al. (2018) K. Tamaki, H.-K. Lo, W. Wang,  and M. Lucamarini, arXiv preprint arXiv:1805.05511  (2018).
  • Cui et al. (2018) C. Cui, Z.-Q. Yin, R. Wang, W. Chen, S. Wang, G.-C. Guo,  and Z.-F. Han, arXiv preprint arXiv:1807.02334  (2018).
  • Curty et al. (2018) M. Curty, K. Azuma,  and H.-K. Lo, arXiv preprint arXiv:1807.07667  (2018).
  • Takeoka et al. (2014) M. Takeoka, S. Guha,  and M. M. Wilde, Nature Communications 5, 5235 (2014).
  • Pirandola et al. (2017) S. Pirandola, R. Laurenza, C. Ottaviani,  and L. Banchi, Nature Communications 8, 15043 (2017).
  • Ferenczi (2013) A. Ferenczi, Security proof methods for quantum key distribution protocols, Ph.D. thesis, University of Waterloo (2013).
  • Lucamarini et al. (2015) M. Lucamarini, I. Choi, M. B. Ward, J. F. Dynes, Z. Yuan,  and A. J. Shields, Physical Review X 5, 031030 (2015).
  • Lütkenhaus and Jahma (2002) N. Lütkenhaus and M. Jahma, New Journal of Physics 4, 44 (2002).
  • Tamaki et al. (2016) K. Tamaki, M. Curty,  and M. Lucamarini, New Journal of Physics 18, 065008 (2016).
  • Ma and Razavi (2012) X. Ma and M. Razavi, Physical Review A 86, 062319 (2012).
  • Ma et al. (2018b) H.-X. Ma, P. Huang, D.-Y. Bai, T. Wang, S.-Y. Wang, W.-S. Bao,  and G.-H. Zeng, arXiv preprint arXiv:1812.05254  (2018b).


Appendix A The phase-error rate of phase-encoding coherent state MDI-QKD

In the main text, we give a general framework to obtain the expression for the phase-error rate for any MDI-QKD protocol. Here, we illustrate how this can be done. As a concrete example, we consider the phase-encoding coherent state MDI-QKD. In the virtual protocol, let the entangled states that Alice and Bob prepare for the key basis be denoted by

(16)

It is easy to see that measuring the qubit systems in the -basis is equivalent to sending the states randomly. Now, the quantum channel is an isometry that maps the system to where the register stores Eve’s quantum side information and the classical register stores the result of the Bell state measurement. The states are associated to the respective Bell states, whereas the state is associated to the case where the Bell state measurement fails to give a conclusive outcome. After the isometry, the global state is given by

(17)

Post-selecting on the successful Bell state measurements,

(18)

Let the target state be . Conditioned on the outcome of the Bell state measurement, Bob applies the following correction on his qubit:

  • : apply

  • : apply

where is the identity operator and are the usual Pauli operators. After the corrections, the global state becomes

(19)

Since the target state is the state and the key is extracted by Alice and Bob by performing -measurement on each of their qubits, the phase-error rate can be computed by using

(20)

where is simply

(21)

and therefore, we have

(22)

Thus, we obtain the phase-error rate of the phase-encoding coherent state MDI-QKD protocol. The phase-error rate of other protocols can be obtained through a similar procedure.
