Almost-tight and versatile security analysis of
measurement-device-independent quantum key distribution
Measurement-device-independent quantum key distribution (MDI-QKD) is the only known QKD scheme that can completely overcome the problem of detection side-channel attacks. Yet, despite its practical importance, there is no standard approach towards computing the security of MDI-QKD. Here, we present a simple numerical method that can efficiently compute almost-tight security bounds for any discretely modulated MDI-QKD protocol. To demonstrate the broad utility of our method, we use it to analyze the security of coherent-state MDI-QKD, decoy-state MDI-QKD with leaky sources, and a variant of twin-field QKD called phase-matching QKD. In all of the numerical simulations (using realistic detection models) we find that our method gives significantly higher secret key rates than those obtained with current security proof techniques. Interestingly, we also find that phase-matching QKD using only two coherent test states is enough to overcome the fundamental rate-distance limit of QKD. Taken together, these findings suggest that our security proof method enables a versatile, fast, and possibly optimal approach towards the security validation of practical MDI-QKD systems.
Quantum key distribution (QKD) is an emerging quantum technology that enables the exchange of cryptographic keys in an untrusted network Bennett and Brassard (1984); Ekert (1991). The key feature of the technology is that it is provably secure. More specificially, its security is based solely on the laws of quantum mechanics and not on how powerful the adversary could be. For this reason, secret keys generated by QKD systems can be safely used in any cryptographic applications which require long-term security assurance.
A hugely popular QKD configuration is the prepare-and-measure (P&M) scheme. As its name suggest, P&M-QKD involves the preparation of a quantum state that is randomly drawn from a pre-agreed set of states by the protagonist, whom we call Alice. Then, she will send the prepared state to her distant associate, whom we call Bob, to be measured in a basis that is randomly drawn from a pre-agreed set. Since Eve could not perfectly discriminate the traversing signals, any attempt to learn its identity will inevitably modify the quantum state itself. Thus, the secrecy of the secret key is guaranteed by quantum theory and such is the main appeal of QKD.
Despite the rigorous mathematical validation of QKD, present physical implementations of QKD are vulnerable to numerous side-channel attacks. In particular, it was demonstrated that the adversary could exploit the imperfections of single-photon detectors to steal some information about the secret key without introducing noise into the quantum channel Fung et al. (2007); Qi et al. (2007); Zhao et al. (2008); Xu et al. (2010); Lydersen et al. (2010); Gerhardt et al. (2011). Consequently, these demonstrations necessitate the search for a QKD protocol that is robust against detection side-channel attacks: the measurement-device-independent QKD (MDI-QKD) Lo et al. (2012); Braunstein and Pirandola (2012).
The MDI-QKD scheme (see Fig. 1) requires both Alice and Bob to each prepare a quantum state, which, like the P&M scheme, is randomly drawn from a pre-agreed set of states, to be sent to a potentially untrusted node connecting them. Ideally, the node will perform a Bell-state measurement jointly on the prepared states, whose outcome will determine if both Alice and Bob will keep the indices of the prepared quantum states for key distillation. This process is equivalent to a protocol where Alice and Bob each prepares a bipartite entangled state and measuring a part of it Bennett et al. (1992) while sending the other to the node for entanglement swapping. Hence, it is as though Alice and Bob are making local measurements on a shared entangled state. Subsequently, Alice and Bob would sample their bit strings to evaluate their security against any potential adversary. Such security analysis is made assuming that Eve has full access and control of the node, and hence, any attack based on imperfect detectors is part of the untrusted quantum channel.
An innovation is only as good as its feasibility and the same applies to QKD protocols. With practicality in mind, MDI-QKD was designed to be implementable with existing hardware. Although the security of MDI-QKD relies mainly on instances when single-photon states are transmitted from Alice and Bob to the node, employing the decoy-state method Lo et al. (2005) gives good security performances using phase-randomized coherent states as signals. Due to its merits, efforts to progress MDI-QKD were made on both theoretical Curty et al. (2014); Tamaki et al. (2012); Coles et al. (2016); Winick et al. (2018); Tamaki et al. (2014); Ma et al. (2012); Xu et al. (2014) and experimental Rubenok et al. (2013); Liu et al. (2013); Da Silva et al. (2013); Tang et al. (2014a, b); Pirandola et al. (2015); Wang et al. (2015); Comandar et al. (2016); Tang et al. (2016); Yin et al. (2016) fronts.
Evolving from the original protocol, MDI-QKD could also be performed with coherent states without phase randomization and hence the decoy-state method. In this case, Alice and Bob encode the key information in the phases of the coherent states. The modified protocol can be proven secure using the so-called quantum coin method Tamaki et al. (2012), which was based on earlier research in P&M-QKD with imperfect devices Gottesman et al. (2004). However, it is not known if this approach would lead to optimal secret key rates.
Here, we introduce a versatile, fast and almost optimal framework to compute the security of discretely modulated MDI-QKD. This technique is based on the observation that the Gram matrix of Eve’s quantum side information translates to the characterization of Eve’s attack in a compact way. We apply this characterization technique to three different types of MDI-QKD protocols: (1) the original polarization (or time-phase) encoding decoy-state MDI-QKD Lo et al. (2012), (2) phase-encoding MDI-QKD using non-phase-randomized coherent states Tamaki et al. (2012), and (3) a variant of twin-field QKD Lucamarini et al. (2018) called phase-matching MDI-QKD Lin and Lütkenhaus (2018). The proposed proof technique demonstrates significant advantages over the known bounds on secret key rates for all of the considered MDI-QKD protocols.
In this section, we outline a general security framework that works for any MDI-QKD protocol, provided the encoded states are pure and their inner-products are known. In practice, one can characterize the encoded states by performing state tomography and thus their inner-products can be easily obtained. Suppose the states that Alice prepares are and those prepared by Bob are where and are the bit values while and are the basis choices of Alice and Bob respectively. We denote the inner-product of the code states by . Note that could be complex.
Since the joint input states are pure, we can describe the quantum channel and the untrusted measurement by the central node as a quantum-to-classical map. Such maps can be described by an isometry acting on the input states giving
where is the classical announcement made by the central node. For concreteness, we consider the case where , which indicates whether the Bell state measurement is successful or not. The vectors are sub-normalized states corresponding to the quantum side information that Eve holds. Now, one can construct a Gram matrix for the adversary’s quantum side information and it is clear that such matrix is positive semi-definite, i.e., .
Moreover, since the channel is described by an isometric transformation, the inner-product information is preserved at the output states as well. More specifically, we have the following constraint on the Gram matrix :
Furthermore, other observable constraints such as the bit-error rate and the probability of successful Bell state measurement can be expressed in terms of linear constraints on the Gram matrix. For example, the probability of successful Bell state measurement when Alice and Bob both choose the basis , denoted by , is given by
where is the probability of Alice and Bob both choosing the basis and is the joint probability that Alice chooses and Bob chooses . Similarly, the bit-error rate in the basis, denoted by , can be expressed as
Now, to prove the security of the protocol, we consider a virtual protocol illustrated in Fig. 1. For concreteness, we suppose that Alice and Bob extract secret key from the basis and they use the basis (which is mutually-unbias to ) to estimate Eve’s information. In this virtual protocol, to generate secret key, Alice and Bob first prepare the entangled states
where the systems and are qubits. From the point of view of Eve, this is equivalent to the actual protocol since after tracing out systems and , the marginal states are the same as if Alice and Bob prepare the states and randomly based on the random bit and given by their random number generator. Furthermore, Alice and Bob can obtain the random bit and , simply by measuring systems and in the basis.
After the central node successfully perform a Bell state projection, the qubit-qubit system are now entangled due to the entanglement swapping operation. Depending on the outcome of the Bell state measurement , Bob will need to perform a local unitary to rotate the state into the target state. Then, to estimate the side information that Eve has, Alice and Bob can measure the systems and respectively in the basis. This will give Alice and Bob the so-called phase-error rate in their virtual qubit-qubit system. Shor and Preskill Shor and Preskill (2000) proved that, for this type of QKD protocol, the lower bound on the asymptotic secret key rate is given by
where is the binary entropy function.
At this point, a few remarks are in order. Firstly, the measurement in the basis when Alice and Bob prepare the entangled states and are counter-factual measurements that are not performed in the actual protocol. The actual test states that Alice and Bob send are and whose virtual analogue is measuring the qubit systems of some other entangled states and in the basis. As such, the phase-error rate is not accessible in the actual protocol. However, Alice and Bob can employ the knowledge of the test states (i.e., the inner-product information), the observed error rate, and the success probability to constrain the virtual protocol phase-error rate, , as we will show later.
Secondly, like the bit-error rate , the phase-error rate is also a linear function of the Gram matrix . The explicit expression of , in general depends on the choice of entangled state that Alice and Bob prepares, the virtual measurements that steer the states, as well as the target state of the qubit pairs shared between Alice and Bob.
With all these in mind, here is the crucial observation. The Gram matrix depends on the isometry performed by Eve. Secondly, the constraints on the Gram matrix , imposed by the inner-product information and the observed statistics, are linear. Moreover, one can obtain a lower bound on the secret key rate by obtaining an upper bound on the phase-error rate , which is a linear objective function, allowing us to use semi-definite programming (SDP) techniques to completely characterize Eve’s strategies. This will be explained in more details in section III.
Lastly, to show that our method gives a tighter lower bound on the key rate as compared to the quantum coin approach, we will analyze MDI-QKD protocols based on coherent states and Trojan horse attacks. These are the scenarios in which the quantum coin approach was used in the literature. The outcomes of the simulation are presented in section IV.
Iii Characterizing Eve’s strategy using semi-definite programming
SDP is a class of convex optimization problem with a linear objective function over a cone of positive semi-definite matrices Boyd and Vandenberghe (2004). One can think of such optimization problem as linear programming with linear matrix inequalities as constraints. Just like any other optimization problems, we can define the primal problem and the dual problem of an SDP. If the primal problem is a minimization problem, then its dual would be a maximization problem and vice versa. Furthermore, if the primal problem is a maximization problem, then the weak duality theorem states that the optimal primal value and the optimal dual value satisfy the following relationship
and the opposite is true if the primal problem is a minimization problem. When , we say that strong duality holds and it implies that is the optimal solution to the SDP.
Previously, there have been some proof techniques of QKD that are based on SDP Wang et al. (2018); Coles et al. (2016); Winick et al. (2018). One of the appeals of such numerical approaches is that they are highly versatile and can be used to analyze a wide range of QKD protocols without relying on the specific structure of the underlying design. Here we propose another SDP-based technique of analyzing the security of MDI-QKD that is versatile, simple and almost-tight. Importantly, we highlight that our method does not rely on any semi-definite relaxation (such as the one proposed in Ref. Wang et al. (2018)).
Our method exploits the fact that the Gram matrix is both positive semi-definite and linearly constrained. As such, obtaining an upper bound to the phase-error rate is equivalent to solving the dual problem of an SDP. In other words, the solution of the SDP characterizes the optimal attack that Eve can perform on the quantum channel and with the untrusted central node. Thus, the security analysis of any MDI-QKD protocol is equivalent to solving the following SDP
where is the basis choice of Alice and Bob and is a linear function of the Gram matrix , which is protocol dependent. In order to obtain a reliable upper bound on , one has to optimize the dual problem of optimization (8).
Furthermore, due to the weak duality theorem, any feasible solution of the dual problem gives a reliable upper bound on the phase-error rate. Moreover, when the strong duality condition holds, our upper bound on the phase-error rate is tight. Remarkably, in practice, the duality gap (the difference between the primal and dual value) is usually very small. Hence, our upper bound on the phase-error rate is almost tight, even when the strong duality condition is not met.
Drawing the connection to the isometry performed by the eavesdropper, since the Gram matrix characterizes , solving the SDP (8) is equivalent to finding the isometry that gives Eve the maximum knowledge about the bits that Alice and Bob possess, considering the statistics that Alice and Bob observe. Lastly, we remark that SDPs can be efficiently solved with standard solvers that are readily accessible. Therefore, our method can be implemented easily even with personal computers (which is the case for the simulations presented in this work).
In this section, we apply our technique to coherent state based protocols, namely the phase-encoding coherent state MDI-QKD Tamaki et al. (2012) and a variant of the recently proposed twin-field QKD (TF-QKD) protocol Lucamarini et al. (2018), as well as the decoy-state protocols Lo et al. (2012) with Trojan horse attacks. We also analyze these protocols with the quantum coin method and show that our technique achieves significantly higher secret key rate. For simplicity, we assume that the central node is equidistant to Alice and Bob. Consequently, we can also assume that the set of states that Alice prepares is the same to that of Bob. Although these assumptions are not necessary for our method to work, they will simplify the calculations greatly.
For the simulations of phase-encoding coherent state MDI-QKD as well as the decoy-state MDI-QKD, the parameters that we use are listed in Table 1. Parameter 2 will also be used for the simulation of TF-QKD.
iv.1 Phase-encoding coherent state MDI-QKD
We first analyze the phase-encoding coherent state MDI-QKD protocols. With a simpler architecture and fewer components and their related flaws, this class of MDI-QKD protocols can, in principle, provide economic and high-speed QKD systems. However, they have not been implemented experimentally due to other technical challenges such as phase-locking two independent lasers at a distance. Furthermore, based on the quantum coin approach, the secret key rate achieved by these protocols is not favorable. However, the interest in coherent state MDI-QKD protocols has been revived recently due to the introduction of twin-field-QKD (TF-QKD) protocols, also known as phase-matching MDI-QKD Lucamarini et al. (2018); Ma et al. (2018a); Tamaki et al. (2018); Cui et al. (2018); Curty et al. (2018); Lin and Lütkenhaus (2018). Remarkably, TF-QKD enables the distribution of secret key with rate that overcomes the so-called repeaterless bound Takeoka et al. (2014); Pirandola et al. (2017) due to single-photon interference. As such, we foresee that there will be endeavours in implementing phase-locking techniques in QKD systems in the near future. Furthermore, as we shall see, we can prove that the secret key rate of coherent state protocols can be significantly improved using our method. Interestingly, as we demonstrate later, the secret key rate phase-encoding coherent state protocols can even be higher than that of standard decoy-state MDI-QKD protocols at short distances. Therefore, it will be interesting to study this class of protocols.
In Ref. Tamaki et al. (2012), Alice and Bob prepare the states where is the mean photon number of the coherent states. They use the basis to generate key and the basis for parameter estimation. On the other hand, the untrusted central node will announce depending on whether the outcome of Bell state measurement is , or unsuccessful respectively. Furthermore, to improve the efficiency of the protocol, whenever the central node announces , Bob will flip the value of his bit.
We note that in Bell state measurements of coherent states, the outcome cannot be distinguished from the outcome and similarly, the outcome cannot be distinguished from the outcome as mentioned in Ref. Tamaki et al. (2012). Consequently, there will be intrinsic phase-error rate even if the bit-error rate is zero. However, the probability of obtaining and is higher than the probability of obtaining and respectively when the intensity of the coherent states is small (which is typically the case for QKD). Hence, we choose to label the conclusive outcomes as and .
Here, we generalize the protocol to allow Alice and Bob to choose from possible bases. Thus, the protocol proposed in Ref. Tamaki et al. (2012) corresponds to the case where . The case where is known in the literature as the MDI-B92 protocol and was studied in Ref. Ferenczi (2013). In this section, we will also study the case where .
For the generalized protocol, Alice and Bob independently prepare one of the states of the form
where is her (his) bit value, and with as her (his) choice of basis.
In the following simulations, for each given distance, we choose the value of the mean photon number that maximize the lower bound on the secret key rate. The result of the simulation is shown in Fig. 2
Surprisingly, the three-basis protocol does not give noticeable improvement from the two-basis protocol in terms of the lower bound on the secret key rate. The intuition behind this is that one can estimate the statistics of the 4 test states in the three-basis protocol with the 2 test states in the two-basis protocol when we require all the intensities of the code states to be the same. Interestingly, when we remove that constraint, increasing the number of test states can give significant improvement in the secret key rate, as we shall see when we discuss about TF-QKD later.
To compare our method with the quantum coin method, we consider the two-basis protocol. Additionally, we will also evaluate the performance of the two techniques when Eve performs Trojan horse attack on the sources of Alice and Bob. For the model of the Trojan horse attack, we extend the model proposed by Ref. Lucamarini et al. (2015). The authors of Ref. Lucamarini et al. (2015) consider Trojan horse attack on prepare-and-measure QKD but it is rather straightforward to extend the model to MDI-QKD where Eve attacks both Alice’s and Bob’s sources. In the presence of Trojan horse attack, the output of Alice’s source can be written as
where is the intensity of the leaked light. Here, for simplicity of notation, we replace the pair with a single index. We assume that the Trojan horse system is only accessible to Eve and the probability of successful Bell state measurement is not affected by the Trojan horse attack. The output of Bob’s source is modeled similarly. The results of the simulations are shown in Fig. 3.
As we can see from the figure, our method gives a tighter bound on the secret key rate than the quantum coin method. This is because the inequality that was used in the quantum coin approach is, in general, not tight. On the contrary, our SDP gives an almost tight approximation of the phase-error rate, owing to the small duality gap. Furthermore, our method is also more robust against the Trojan horse attack. This is because for a given distance, our method predicts higher optimal intensity than the one predicted by the quantum coin method. As a result, the ratio of the intensity of the signal states to the intensity of the leaked light is higher when computed with our method. Remarkably, even in the absence of Trojan horse attack (when ), our method gives a significantly higher lower bound on the secret key rate.
iv.2 Decoy-state MDI-QKD with Trojan horse attacks
We now consider the decoy-state MDI-QKD protocol Lo et al. (2012). For concreteness, we consider the time-phase encoding but our results can be transferred to other encoding scheme such as the polarization encoding. Combined with the measurement-device-independent architecture which protects us against any detector side-channel attacks, the decoy-state method prevents a certain side-channel attack on the sources of Alice and Bob, namely the photon-number-splitting attack Lütkenhaus and Jahma (2002). Nevertheless, decoy-state MDI-QKD is still vulnerable to other attacks on the sources. One possible attack that Eve can perform with current technology is the Trojan horse attack. As such, it would be interesting to study how decoy-state MDI-QKD protocols fare when subjected to practical Trojan horse attacks.
For simplicity, we follow Ref. Lucamarini et al. (2015)’s assumption that the Trojan horse attack does not affect the decoy-state implementation but only leaks the information about which of the signal states are being prepared by Alice and Bob. However, we note that our method can also be applied when the Trojan horse leaks the information of the decoy setting as discussed in Ref. Tamaki et al. (2016). Such technical extension is out of the scope of this paper and will be left for future work.
To apply our technique to decoy-state MDI-QKD, we first estimate the single-photon yield as well as the single-photon quantum bit-error rate (QBER) where denotes the basis choice of Alice and Bob. Then, we can apply our method to estimate the single-photon phase-error rate and hence, the secret key rate. In the absence of Trojan horse attack, the single-photon phase-error rate is simply the single-photon QBER in the basis, . Nevertheless, when Eve performs Trojan horse attack, the single-photon phase-error rate is no longer measured by Alice and Bob and can only be estimated using techniques like the quantum coin method or our proposed method. Here, we show that our method gives a tighter estimation of the single-photon phase-error rate than the quantum coin method.
Following the model of Ref. Lucamarini et al. (2015), Alice’s single-photon signals when affected by the Trojan horse attack can be written as
where is the canonical basis and , and is the vacuum state. Bob’s single-photon signals can be written down in similar fashion.
For the simulation, suppose that two decoy-states are used alongside the signal state. At the end of the protocol, Alice and Bob will have an estimate of the total gain and the total QBER where are the intensity setting of Alice and Bob respectively. To simulate the statistics observed in the experiment, we follow Ref. Ma and Razavi (2012)’s model for the total gain and total QBER. Then, we use the Gaussian elimination method to estimate the single-photon yield and QBER. Assuming that , the lower bound on the single-photon yield and the upper bound on the single-photon QBER is given in Ref. Xu et al. (2014). Other methods such as linear programming will yield similar results.
After we obtain and , it is straightforward to apply our method or the quantum coin argument to lower bound the single-photon phase-error rate . For decoy-state protocols, the lower bound on the asymptotic secret key rate is given by
where is the single-photon gain in the basis.
Furthermore, we assume that Alice’s and Bob’s intensity modulators that choose the decoy settings have finite extinction ratio such that the intensity of the second decoy-state cannot be set to zero. In this case, we assume that the intensity of the second decoy-state is 1000 times smaller than that of the signal, i.e. . Thus, for each point, the remaining free parameters in the optimization are the signal intensity and the first decoy-state intensity . The result of the simulation is given in Fig. 4.
Referring to Fig. 4, we again see an improvement in the lower bound on the secret key rate compared to the secret key rate obtained from the quantum coin technique. This confirms that our technique is able to give tighter secret key rate as compared to the quantum coin approach.
Although it is not an entirely fair comparison, one might be interested to compare the two protocols that we have analyzed. Fig. 5 gives the superimposed plot of the key rate of the two protocols. When there are no leakages, as one would probably guess, the decoy-state protocol has a longer range than the coherent state protocol. However, rather surprisingly, we find that at short distances, the coherent state protocol gives a higher lower bound on the secret key rate than the decoy-state protocol.
A closer inspection reveals that for short distances, the coherent state protocol has significantly higher probability for successful Bell state measurement as compared to the single-photon gain of the decoy-state protocol. This is possible because the coherent state protocols rely on single-photon interference whereas decoy-state protocols are based on two-photon interference. Therefore, despite having higher phase-error rate, the coherent state protocol can give higher secret key rate than the decoy-state protocol at short distances. Nevertheless, at long distances, the fact that coherent state protocols have higher phase-error rate dominates and decoy-state protocols yield higher secret key rate in that regime. Drawing another connection to TF-QKD, single-photon interference is also an important feature of TF-QKD.
Interestingly, the coherent state protocols are more robust against Trojan horse attacks in the sense that the range of coherent state protocols suffers less penalty from Trojan horse attacks as compared to the range of decoy-state protocols. We also note that since we neglect the effect of leakages on the decoy-state implementation in the security analysis, the performance of the decoy-state protocol would suffer even more when we consider leakages in the intensity settings .
iv.3 Phase-matching MDI-QKD with finite number of test states
To demonstrate the versatility of our method, we will analyze a variant of the recently proposed twin-field QKD (TF-QKD) protocol called the phase-matching MDI-QKD Lin and Lütkenhaus (2018). As mentioned previously, there is a growing interest in TF-QKD. Indeed, after the original proposal of TF-QKD protocol Lucamarini et al. (2018), other variants of the protocol have been proposed alongside with their respective security analyses Ma et al. (2018a); Lin and Lütkenhaus (2018); Tamaki et al. (2018); Curty et al. (2018); Cui et al. (2018). Remarkably, TF-QKD protocols are able to overcome the repeaterless bounds Takeoka et al. (2014); Pirandola et al. (2017). However, many variants of the TF-QKD protocols (including the original proposal Lucamarini et al. (2018)) require phase-randomization of two independent phase-locked lasers with the notable exception of Ref. Lin and Lütkenhaus (2018). There, the protocol uses non-phase-randomized coherent states which form phase-matching pairs. However, the results presented in Ref. Lin and Lütkenhaus (2018) require Alice and Bob to send infinitely many coherent states, leaving the practical case where a finite number of test states is used as an open problem. Here, we show that a finite number of test states is indeed enough to overcome the repeaterless bound.
Remarkably, one can see phase-matching MDI-QKD as a generalization of the phase-encoding MDI-QKD that we have considered earlier in Section IV.1. There, we assumed that the signal and test states share the same intensity. Here, we vary the intensity of different phase-matching pairs. More explicitly, in this protocol, Alice prepares states of the form
where are defined in similar way as in the phase-encoding MDI-QKD protocol and now the intensity of the coherent state depends on which basis Alice and Bob choose. By optimizing the intensity of each phase-matching pair, we show that we can overcome the repeaterless bound.
For comparison with the Ref. Lin and Lütkenhaus (2018)’s result as well as the repeaterless bound, we will show the ideal performance of our protocol, i.e. when there are no dark counts or misalignment errors. For the repeaterless bound, we choose the secret key capacity given in Ref. Pirandola et al. (2017), also known as the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound
where is the total transmittivity of the quantum channel. On the other hand, Ref. Lin and Lütkenhaus (2018) proved that the secret key rate obtained when infinitely many test states are used in the loss only scenario, denoted by , is given by
Lastly, it will also be interesting to see how the protocol fare in the presence of imperfections such as dark counts and misalignment errors. To that end, we will also use Parameter 2 of Table 1 in our simulation. Furthermore, for fair comparison with PLOB bound, we plot the key rate against total loss (in dB), which includes the loss in the detector, instead of treating the loss in the fiber and in the detector separately. The plots of the key rate for the ideal and imperfect scenario as well as the PLOB and the key rate for the ideal infinite test states scenario are given in Fig. 6. Remarkably, two test states are sufficient to overcome the PLOB bound in the ideal scenario whereas in the noisy scenario, four test states are sufficient to overcome the PLOB bound. Furthermore, we emphasize that in our simulation, we use the states with the structure given by equation (13) and optimize (using a coarse-grained exhaustive search) the intensity of each test state. We leave the question of whether optimizing the global phases can significantly increase the secret key rate as an open problem.
To conclude, we have developed a new numerical technique to analyze the security of MDI-QKD protocols. This is done by employing SDP to obtain an almost-tight upper bound on the phase-error rate, hence the significant improvement in the distilled secret key rate compared to the quantum coin method. Additionally, our method also reveals that phase-encoding coherent state MDI-QKD might outperform decoy-state MDI-QKD at short distances. Furthermore, our method is highly efficient and can be applied to any protocols with discretely modulated, pure, input states including continuous-variable MDI-QKD protocols with discrete modulation Ma et al. (2018b). Due to the versatility of our technique, it can also be applied to MDI-QKD protocols which lack symmetry. For example, by applying our method to phase-matching MDI-QKD protocol, we also showed that the repeaterless bound can be overcome with only a few test states. It is also interesting to extend the results presented in this paper to allow mixed input states and to MDI-QKD networks where we have multiple transmitters as well as to include finite-key analysis.
This research is supported by the National Research Foundation (Singapore), the Ministry of Education (Singapore), the National University of Singapore, and the Asian Office of Aerospace Research and Development.
- Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proc. of IEEE Int. Conf. on Comp., Syst. and Signal Proc., Bangalore, India, Dec. 10-12, 1984 (1984).
- Ekert (1991) A. K. Ekert, Physical Review Letters 67, 661 (1991).
- Fung et al. (2007) C.-H. F. Fung, B. Qi, K. Tamaki, and H.-K. Lo, Physical Review A 75, 032314 (2007).
- Qi et al. (2007) B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, Quantum Information and Computation 7, 073 (2007).
- Zhao et al. (2008) Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, Physical Review A 78, 042333 (2008).
- Xu et al. (2010) F. Xu, B. Qi, and H.-K. Lo, New Journal of Physics 12, 113026 (2010).
- Lydersen et al. (2010) L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, Nature Photonics 4, 686 (2010).
- Gerhardt et al. (2011) I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, Nature Communications 2, 349 (2011).
- Lo et al. (2012) H.-K. Lo, M. Curty, and B. Qi, Physical Review Letters 108, 130503 (2012).
- Braunstein and Pirandola (2012) S. L. Braunstein and S. Pirandola, Physical Review Letters 108, 130502 (2012).
- Bennett et al. (1992) C. H. Bennett, G. Brassard, and N. D. Mermin, Physical Review Letters 68, 557 (1992).
- Lo et al. (2005) H.-K. Lo, X. Ma, and K. Chen, Physical Review Letters 94, 230504 (2005).
- Curty et al. (2014) M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and H.-K. Lo, Nature Communications 5, 3732 (2014).
- Tamaki et al. (2012) K. Tamaki, H.-K. Lo, C.-H. F. Fung, and B. Qi, Physical Review A 85, 042307 (2012).
- Coles et al. (2016) P. J. Coles, E. M. Metodiev, and N. Lütkenhaus, Nature Communications 7, 11712 (2016).
- Winick et al. (2018) A. Winick, N. Lütkenhaus, and P. J. Coles, Quantum 2, 77 (2018).
- Tamaki et al. (2014) K. Tamaki, M. Curty, G. Kato, H.-K. Lo, and K. Azuma, Physical Review A 90, 052314 (2014).
- Ma et al. (2012) X. Ma, C.-H. F. Fung, and M. Razavi, Physical Review A 86, 052305 (2012).
- Xu et al. (2014) F. Xu, H. Xu, and H.-K. Lo, Physical Review A 89, 052333 (2014).
- Rubenok et al. (2013) A. Rubenok, J. A. Slater, P. Chan, I. Lucio-Martinez, and W. Tittel, Physical Review Letters 111, 130501 (2013).
- Liu et al. (2013) Y. Liu, T.-Y. Chen, L.-J. Wang, H. Liang, G.-L. Shentu, J. Wang, K. Cui, H.-L. Yin, N.-L. Liu, L. Li, X. Ma, J. S. Pelc, M. M. Fejer, C.-Z. Peng, Q. Zhang, and J.-W. Pan, Physical Review Letters 111, 130502 (2013).
- Da Silva et al. (2013) T. F. Da Silva, D. Vitoreti, G. Xavier, G. Do Amaral, G. Temporao, and J. Von Der Weid, Physical Review A 88, 052303 (2013).
- Tang et al. (2014a) Y.-L. Tang, H.-L. Yin, S.-J. Chen, Y. Liu, W.-J. Zhang, X. Jiang, L. Zhang, J. Wang, L.-X. You, J.-Y. Guan, D.-X. Yang, Z. Wang, H. Liang, Z. Zhang, N. Zhou, X. Ma, T.-T. Chen, Q. Zhang, and J.-W. Pan, Physical Review Letters 113, 190501 (2014a).
- Tang et al. (2014b) Z. Tang, Z. Liao, F. Xu, B. Qi, L. Qian, and H.-K. Lo, Physical Review Letters 112, 190503 (2014b).
- Pirandola et al. (2015) S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L. Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen, and U. L. Andersen, Nature Photonics 9, 397 (2015).
- Wang et al. (2015) C. Wang, X.-T. Song, Z.-Q. Yin, S. Wang, W. Chen, C.-M. Zhang, G.-C. Guo, and Z.-F. Han, Physical Review Letters 115, 160502 (2015).
- Comandar et al. (2016) L. Comandar, M. Lucamarini, B. Fröhlich, J. Dynes, A. Sharpe, S.-B. Tam, Z. Yuan, R. V. Penty, and A. Shields, Nature Photonics 10, 312 (2016).
- Tang et al. (2016) Y.-L. Tang, H.-L. Yin, Q. Zhao, H. Liu, X.-X. Sun, M.-Q. Huang, W.-J. Zhang, S.-J. Chen, L. Zhang, L.-X. You, Z. Wang, Y. Liu, C.-Y. Lu, M. X. Jiang, Xiao, Q. Zhang, T.-Y. Chen, and J.-W. Pan, Physical Review X 6, 011024 (2016).
- Yin et al. (2016) H.-L. Yin, T.-Y. Chen, Z.-W. Yu, H. Liu, L.-X. You, Y.-H. Zhou, S.-J. Chen, Y. Mao, M.-Q. Huang, H. Zhang, Wei-Jun Chen, M. J. Li, D. Nolan, F. Zhou, X. Jiang, Z. Wang, Q. Zhang, X.-B. Wang, and J.-W. Pan, Physical Review Letters 117, 190501 (2016).
- Gottesman et al. (2004) D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, Quantum Information & Computation 4, 325 (2004).
- Lucamarini et al. (2018) M. Lucamarini, Z. Yuan, J. Dynes, and A. Shields, Nature 557, 400 (2018).
- Lin and Lütkenhaus (2018) J. Lin and N. Lütkenhaus, Physical Review A 98, 042332 (2018).
- Shor and Preskill (2000) P. W. Shor and J. Preskill, Physical Review Letters 85, 441 (2000).
- Boyd and Vandenberghe (2004) S. Boyd and L. Vandenberghe, Convex Optimization (Cambridge university press, 2004).
- Wang et al. (2018) Y. Wang, I. W. Primaatmaja, A. Varvitsiotis, and C. C. W. Lim, arXiv preprint arXiv:1803.04796 (2018).
- Ma et al. (2018a) X. Ma, P. Zeng, and H. Zhou, Physical Review X 8, 031043 (2018a).
- Tamaki et al. (2018) K. Tamaki, H.-K. Lo, W. Wang, and M. Lucamarini, arXiv preprint arXiv:1805.05511 (2018).
- Cui et al. (2018) C. Cui, Z.-Q. Yin, R. Wang, W. Chen, S. Wang, G.-C. Guo, and Z.-F. Han, arXiv preprint arXiv:1807.02334 (2018).
- Curty et al. (2018) M. Curty, K. Azuma, and H.-K. Lo, arXiv preprint arXiv:1807.07667 (2018).
- Takeoka et al. (2014) M. Takeoka, S. Guha, and M. M. Wilde, Nature Communications 5, 5235 (2014).
- Pirandola et al. (2017) S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, Nature Communications 8, 15043 (2017).
- Ferenczi (2013) A. Ferenczi, Security proof methods for quantum key distribution protocols, Ph.D. thesis, University of Waterloo (2013).
- Lucamarini et al. (2015) M. Lucamarini, I. Choi, M. B. Ward, J. F. Dynes, Z. Yuan, and A. J. Shields, Physical Review X 5, 031030 (2015).
- Lütkenhaus and Jahma (2002) N. Lütkenhaus and M. Jahma, New Journal of Physics 4, 44 (2002).
- Tamaki et al. (2016) K. Tamaki, M. Curty, and M. Lucamarini, New Journal of Physics 18, 065008 (2016).
- Ma and Razavi (2012) X. Ma and M. Razavi, Physical Review A 86, 062319 (2012).
- Ma et al. (2018b) H.-X. Ma, P. Huang, D.-Y. Bai, T. Wang, S.-Y. Wang, W.-S. Bao, and G.-H. Zeng, arXiv preprint arXiv:1812.05254 (2018b).
Appendix A The phase-error rate of phase-encoding coherent state MDI-QKD
In the main text, we give a general framework to obtain the expression for the phase-error rate for any MDI-QKD protocol. Here, we illustrate how this can be done. As a concrete example, we consider the phase-encoding coherent state MDI-QKD. In the virtual protocol, let the entangled states that Alice and Bob prepare for the key basis be denoted by
It is easy to see that measuring the qubit systems in the -basis is equivalent to sending the states randomly. Now, the quantum channel is an isometry that maps the system to where the register stores Eve’s quantum side information and the classical register stores the result of the Bell state measurement. The states are associated to the respective Bell states, whereas the state is associated to the case where the Bell state measurement fails to give a conclusive outcome. After the isometry, the global state is given by
Post-selecting on the successful Bell state measurements,
Let the target state be . Conditioned on the outcome of the Bell state measurement, Bob applies the following correction on his qubit:
where is the identity operator and are the usual Pauli operators. After the corrections, the global state becomes
Since the target state is the state and key is extracted by Alice and Bob by performing -measurement on each of their qubits, the phase-error rate can be computed by using
where is simply
and therefore, we have
Thus, we obtain the phase-error rate of the phase-encoding coherent state MDI-QKD protocol. The phase-error rate of other protocols can be obtained through a similar procedure.