Detector-device-independent quantum key distribution
Recently, a quantum key distribution (QKD) scheme based on entanglement swapping, called measurement-device-independent QKD (mdiQKD), was proposed to bypass all detector side-channel attacks. While mdiQKD is conceptually elegant and offers a supreme level of security, the experimental complexity is challenging for practical systems. For instance, it requires interference between two widely separated independent single-photon sources, and the rates are dependent on detecting two photons - one from each source. Here we experimentally demonstrate a QKD scheme that removes the need for a two-photon system and instead uses the idea of a two-qubit single-photon (TQSP) to significantly simplify the implementation and improve the efficiency of mdiQKD in several aspects.
Quantum key distribution (QKD) enables the exchange of cryptographic keys between two separated users, Alice and Bob, who are connected by a potentially insecure quantum channel Bennett and Brassard (1984); Gisin et al. (2002); Scarani et al. (2009); Lo et al. (2014). Unlike conventional key distribution schemes, the security of QKD depends only on the principles of quantum physics and can be proven information-theoretically secure. However, despite the potential of QKD, one still has to be prudent about potential side-channel attacks that may lead to security failures. For example, it has been shown that with detector blinding techniques, it is possible to remotely hack the measurement unit of some QKD systems Lydersen et al. (2010). Although it is possible to implement appropriate countermeasures for specific attacks, one may be wary that the adversary, Eve, could devise new detector control strategies, unforeseen by the users.
To prevent all known and yet-to-be-discovered detector side-channel attacks, a measurement-device-independent QKD (mdiQKD) protocol was proposed Lo et al. (2012). In this scheme, Alice and Bob each randomly prepare one of the four Bennett Brassard (BB84) states Bennett and Brassard (1984) and send it to a third party, Charlie, whose role is to introduce entanglement between Alice and Bob via a Bell-state measurement (BSM) Biham et al. (1996); H. Inamori (2008). Obviously, Alice and Bob do not have to trust Charlie since any other non-entangling measurement would necessarily introduce some noise between them. In practice, mdiQKD can be implemented with phase-randomized weak coherent (BB84) states (WCSs), using either time-bin encoded qubits Rubenok et al. (2013); Liu et al. (2013) or polarization-encoded qubits Ferreira da Silva et al. (2013); Tang et al. (2014). To meet the assumption that Alice and Bob send single photons, as required by mdiQKD, they randomly vary the intensity of their laser pulses and use the decoy-state method Hwang (2003); Lo et al. (2005); Wang (2005) to estimate the fraction of single-photon states sent to and detected by Charlie.
Unfortunately, mdiQKD possesses many drawbacks. Firstly, the achievable secure key rates (SKR) are significantly lower compared to conventional prepare and measure (P&M) QKD systems Dixon et al. (2010); Tanaka et al. (2012); Walenta et al. (2014); Korzh et al. (2014a). This is mainly because a two-photon BSM relies on coincidence detections, meaning that the SKR scales with , where is the single photon detector (SPD) efficiency and is the probability of the source emitting a single-photon
Here we report on the implementation of a QKD scheme that overcomes the aforementioned limitations but is still secure against all detector side-channel attacks. This bridges the gap between the superior performance and practicality of P&M QKD schemes and the enhanced security offered by mdiQKD. Note that a similar scheme, following the same basic idea, has been proposed elsewhere Gonzalez et al. (2014). Our scheme, henceforth referred to as detector-device-independent QKD (ddiQKD), essentially follows the idea of mdiQKD, however, instead of encoding separate qubits into two independent photons, we exploit the concept of a two-qubit single-photon (TQSP). This scheme has the following advantages: (1) it requires only single-photon interference, (2) the linear-optical BSM is 100% efficient Boschi et al. (1998), (3) the secret key rate scales linearly with the SPD detection efficiency and (4) it is expected that in the finite-key scenario the minimum classical post-processing size is similar to that of P&M QKD schemes. In the following we outline the main concepts and demostrate a proof-of-principle experiment.
The protocol works as follows; see Fig. 1. Alice first prepares a single photon in the qubit state chosen at random from the following set of BB84 states:
where the subscript indicates this is a qubit in the polarization DOF of the photon. Alice sends to Bob via an untrusted quantum channel. Upon reception of the photon, Bob encodes his random qubit state in the spatial DOF (hence the subscript “”). To achieve this, Bob sends the photon to a 50/50 beam splitter (BS). We denote and the states of the basis defined by the “upper” and “lower”arms after the BS, respectively. He then applies a phase chosen at random in the set on the lower arm to prepare the state , yielding BB84 states in the spatial modes. Both DOFs have so far been created and manipulated independently of each other, and thus the two-qubit state can be written as .
We then define the following Bell states:
A complete and deterministic BSM of these states is realized by first applying the unitary transformation and on the upper arm using a half-wave plate (HWP), followed by recombination of the arms on a 50/50 BS, and finally by a projection in the basis using two PBSs on the two output arms followed by four SPDs. In this way, a click on each SPD corresponds to a projection on one of the four Bell states; see Fig. 1.
To show how the raw key establishment functions, let us first define the mutually unbiased bases and . The bit to be established is encoded in Alice’s state, i.e. and encode bit 0, and and encode bit 1. After the measurement phase, Bob uses an authenticated channel to announce the success of the BSM and reveals the basis he used to encode his qubit. Subsequently, Alice announces whether Bob’s basis choice was compatible with hers. Bob can then determine Alice’s bit value according to Table 1, which shows all of the possible combinations. For example, if , the bit is 0 if he detected or , and 1 otherwise. If more than one detector clicked, Bob announces a successful BSM and assigns a random bit value. Importantly, the knowledge of the bases used by Alice and Bob, along with which of the Bell states Bob obtained, does not reveal Alice’s bit. Hence, Eve does not gain information on the key by controlling Bob’s detectors.
From a security point of view, it is important to consider carefully the operation of Bob’s device. Strictly speaking, the mathematical description of his qubit, outlined previously, holds only if the light state entering the first BS is a single-photon excitation of a single optical-temporal mode. As with any other QKD scheme, it is not possible to guarantee this. Indeed, Eve may send multi-photon states through the quantum channel and break the qubit description. However, such an attack is only detrimental if she can interact with Bob’s prepared states, for instance, by making unambiguous state discrimination measurements on them Scarani et al. (2004). This is not possible since the adversary can only interact with Alice’s qubits. Additionally, if the input is a multi-photon state, with very high probability, more than one detector clicks, in which case Bob would pick a random bit value, increasing the errors in the raw bit string. This is due to the fact that the optical linear circuit of the BSM randomizes the encoded state.
The security of our scheme requires that the final light state (just before the SPDs), taken over all possible encoding choices, is independent of the input light state. In particular, for any input state with a given -photon excitation, the average final state after passing through the linear optical circuit is a fixed state. This requirement is in fact similar to the one used in the security analysis of BB84, where the average of the BB84 states has to be independent of the basis choice Gottesman et al. (2004). Once this requirement is met, the security of the scheme can be obtained following proof techniques for the BB84 QKD scheme. A common method to prove the security of P&M QKD schemes is to consider an equivalent entanglement-based version, where Alice and Bob make random measurements on bipartite quantum states distributed by the adversary. To this end, we point to a formalism that allows us to see Bob’s linear optical circuit as random measurements made on some entangled bipartite state.
First, let us relate the two different DOFs, i.e. , denoting the polarization states of Alice and Bob respectively, while denotes Bob’s spatial state. Since Alice is able to prepare the four polarization BB84 states correctly, it is equivalent to consider the entanglement based version, where Alice first prepares a two-qubit maximally entangled state, , and then performs a projective measurement on one half of the state to prepare the other half for Bob. Mathematically, we have, , where is the positive-operator valued measure (POVM) element corresponding to preparation and is an auxiliary state related to the spatial DOF.
Second, Alice sends the quantum systems and using a single photon through the quantum channel to Bob. At this point, the resulting state is not necessarily a single photon state; it may be a multi-photon state. In this case, the state, after tracing out system , is described by a bipartite density operator, , whose dimension is unknown but fixed, i.e. it could be any -photon light state. Note that we changed the subscript to to reflect the action of the quantum channel. To proceed, we use a result from Ref. (Beaudry et al., 2013, Lemma. 1), which says that if, for any input state, the linear optical circuit (parameterized by ) outputs a state that is fixed on the average, then the encoding can be seen as a purified measurement acting on the same input state and one half of a bipartite pure state, where the other half of the bipartite is the same output state. More formally, let the linear optical circuit be described by a set of completely positive trace-preserving maps, , taking the input quantum system to an output quantum system , such that for any input quantum state , the output quantum state is fixed over all possible encoding choices, i.e. for any . Then, the linear optical circuit is equivalent to making a joint measurement on the same input state, , and one half of a bipartite pure state, , living in a joint quantum system , where the other half gives the fixed state . Therefore, the purification provides a method to analyze the security of our scheme in an entanglement-based picture, where Alice makes random BB84 measurements on one half of a bipartite quantum state, and Bob makes random purified measurements on the other half.
Finally, the security of ddiQKD follows directly from that of the BB84 QKD scheme, with the additional benefit that detectors are excluded from the security analysis. In particular, the security can be obtained by using the entropic uncertainty relation proof technique Tomamichel et al. (2012); Lim et al. (2014): in the asymptotic limit, and under the approximation that the BB84 polarization states are prepared correctly, the secret key fraction is , where is the binary entropy function and is the error rate of the sifted key. In fact, the finite-key security performance of ddiQKD is expected to be similar to the one of the single-photon BB84 Tomamichel et al. (2012) since only single-photon detections are required on Bob’s side. Likewise, for a more practical implementation using the decoy-state method for WCS, we expect the security performance to be similar to the one in Ref. Lim et al. (2014).
We implemented a proof-of-principle experiment as illustrated in Fig. 2. We started with the generation of a pair of correlated photons by type-0 SPDC in a fiber-pigtailed periodically-poled lithium-niobate waveguide (PPLN-WG) Tanzilli et al. (2012). The waveguide was pumped with a continuous wave diode laser (Toptica DL100) at 780 nm and the signal and idler photons were deterministically separated by dense wavelength division multiplexers at 1563.9 nm (200 GHz) and 1556.6 nm (100 GHz), respectively. The idler photon was detected by a free-running InGaAs single-photon detector (ID Quantique ID220). The polarization of the heralded signal photon was set to before passing through a Soleil-Babinet, which allowed us to rotate the state around the equator of the Bloch sphere and prepare Alice’s single-photon state. Bob’s device consisted of a balanced interferometer, with a polarization controller in the upper arm acting as a HWP and a piezo phase modulator in the lower arm. The outputs of the BSM corresponding to and were delayed by 2.5 ns before being combined using two PBSs (see Fig. 2) with the other two outputs, which allowed the use of two detectors for all four outcomes. Bob’s free-running InGaAs SPDs were cooled with a Stirling cooler to and had a dark count rate of less than 50 cps at 25% efficiency Korzh et al. (2014b). The detection events were recorded by a time-to-digital converter (TDC). The of the single photons at Alice was about in a 1 ns coincidence window. Due to the extremely low dark count probability of the InGaAs detectors, the probability of having a double detection at Bob was .
To analyze the detection outcomes for all combinations of Alice and Bob’s settings, we fixed the state prepared by Alice and scanned the phase of Bob’s interferometer. Figure 3 shows four curves, one for each of the polarization states chosen by Alice, representing the normalized probability of each Bell-state being announced at any given phase setting in Bob’s interferometer. The measurement points were fitted in order to calculate the visibility, with the highest average value obtained being for the input state at Bob and the lowest value of for the state. Table 1 shows the theoretical Bell-state announcement probability for every combination of Alice and Bob’s settings. We complete this correlation table with the experimental results by selecting points from Fig. 3 closest to the desired settings for Bob. One can see that the experimental values coincide with the prediction and the overall quantum bit error rate, , was . The total detection rate was around 60 cps.
While the concept of ddiQKD is fundamentally the same as mdiQKD, some subtleties need to be pointed out. For instance, in mdiQKD, Eve can interact with Alice’s and Bob’s qubits, but in our scheme only with Alice’s qubit. Furthermore, we extend the trusted device boundary in Bob’s laboratory to include the linear optical elements of the BSM, leaving only the single-photon detectors as untrusted devices. This means that Eve can have full control over their functionalities, e.g. she can control the response functions of the detectors Liu et al. (2014). But Bob can ensure that no additional information, other than the outcome of the BSM, leaks out of his lab. Indeed, if Eve had access to the output ports of Bob’s PBSs she could carry out a Trojan-horse attack Gisin et al. (2006) in order to gain information about the phase setting of Bob’s interferometer. Note that attacks targeting the state preparation devices are also applicable to mdiQKD, but can be resolved (see Refs. Gonzalez et al. (2014); Xu et al. (2014) for further discussion).
In practice, an implementation of ddiQKD using WCSs together with the decoy-state method could yield SKRs comparable with existing GHz clocked systems Dixon et al. (2010); Tanaka et al. (2012); Walenta et al. (2014); Korzh et al. (2014a). In particular, ultra-fast generation of polarization states could be achieved using a birefringence modulator scheme as used in Ref. Lunghi et al. (2014). We would like to highlight that the concept of TQSP entanglement employed in the ddiQKD scheme can be achieved by using any two DOFs of the single-photon. For example, Alice could encode a time-bin qubit Korzh et al. (2013) followed by Bob’s addition of a polarization qubit to the same photon.
In summary we implemented a ddiQKD protocol that overcomes the main disadvantages of the mdiQKD protocol whilst offering the same level of security. Future theoretical work should focus on deriving a bound on the extractable key length in a finite key scenario. This work paves the way to practical, high-performance and detector-side-channel free QKD.
We would like to acknowledge Gustavo Lima, Guilherme Xavier and Marcos Curty for stimulating discussions regarding the basic idea. We thank ID Quantique and Battelle for the PPLN-WG and the Swiss NCCR QSIT for financial support.
- For a WCS , where is the average photon number per pulse. Typical values of are for practical InGaAs SPDs.
- C. H. Bennett and G. Brassard, in Proc. IEEE Int. Conf. Comp. Sys. Sig. Process. (Bangalore, 1984) pp. 175–179.
- N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002).
- V. Scarani, H. Bechmann-Pasquinucci, N. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, Reviews of Modern Physics 81, 1301 (2009).
- H.-K. Lo, M. Curty, and K. Tamaki, Nat. Photon. 8, 595 (2014).
- L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, Nat. Photonics 4, 686 (2010).
- H.-K. Lo, M. Curty, and B. Qi, Phys. Rev. Lett. 108, 130503 (2012).
- E. Biham, B. Huttner, and T. Mor, Phys. Rev. A 54, 2651 (1996).
- H. Inamori, Algorithmica 34, 340 (2008).
- A. Rubenok, J. A. Slater, P. Chan, I. Lucio-Martinez, and W. Tittel, Phys. Rev. Lett. 111, 130501 (2013).
- Y. Liu, T.-Y. Chen, L.-J. Wang, H. Liang, G.-L. Shentu, J. Wang, K. Cui, H.-L. Yin, N.-L. Liu, L. Li, X. Ma, J. S. Pelc, M. M. Fejer, C.-Z. Peng, Q. Zhang, and J.-W. Pan, Phys. Rev. Lett. 111, 130502 (2013).
- T. Ferreira da Silva, D. Vitoreti, G. B. Xavier, G. C. do Amaral, G. P. Temporão, and J. P. von der Weid, Phys. Rev. A 88, 052303 (2013).
- Z. Tang, Z. Liao, F. Xu, B. Qi, L. Qian, and H.-K. Lo, Phys. Rev. Lett. 112, 190503 (2014).
- W.-Y. Hwang, Phys. Rev. Lett. 91, 57901 (2003).
- H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 230504 (2005).
- X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005).
- A. R. Dixon, Z. L. Yuan, J. F. Dynes, A. W. Sharpe, and A. J. Shields, Appl. Phys. Lett. 96, 161102 (2010).
- A. Tanaka, M. Fujiwara, K.-i. Yoshino, S. Takahashi, Y. Nambu, A. Tomita, S. Miki, T. Yamashita, Z. Wang, M. Sasaki, and A. Tajima, IEEE J. Quantum Electron. 48, 542 (2012).
- N. Walenta, A. Burg, D. Caselunghe, J. Constantin, N. Gisin, O. Guinnard, R. Houlmann, P. Junod, B. Korzh, N. Kulesza, M. Legré, C. C. W. Lim, T. Lunghi, L. Monat, C. Portmann, M. Soucarros, R. T. Thew, P. Trinkler, G. Trolliet, F. Vannel, and H. Zbinden, New J. Phys. 16, 013047 (2014), 1309.2583 .
- B. Korzh, C. C. W. Lim, R. Houlmann, N. Gisin, M. J. Li, D. Nolan, B. Sanguinetti, R. Thew, and H. Zbinden, (2014a), arXiv:1407.7427 .
- For a WCS , where is the average photon number per pulse. Typical values of are for practical InGaAs SPDs.
- L. Vaidman and N. Yoran, Phys. Rev. A 59, 116 (1999).
- N. Lütkenhaus, J. Calsamiglia, and K.-A. Suominen, Phys. Rev. A 59, 3295 (1999).
- R. Valivarthi, I. Lucio-Martinez, A. Rubenok, P. Chan, F. Marsili, V. B. Verma, M. D. Shaw, J. A. Stern, J. A. Slater, D. Oblak, S. W. Nam, and W. Tittel, Opt. Express 22, 24497 (2014).
- M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and H.-K. Lo, Nat. Commun. 5 (2014).
- C. C. W. Lim, M. Curty, N. Walenta, F. Xu, and H. Zbinden, Phys. Rev. A 89, 022307 (2014).
- P. Gonzalez, L. Rebon, T. F. da Silva, M. Figueroa, C. Saavedra, M. Curty, G. Lima, G. B. Xavier, and W. A. T. Nogueira, (2014), arXiv:1410.1422 .
- D. Boschi, S. Branca, F. De Martini, L. Hardy, and S. Popescu, Phys. Rev. Lett. 80, 1121 (1998).
- V. Scarani, A. Acín, G. Ribordy, and N. Gisin, Phys. Rev. Lett. 92, 057901 (2004).
- D. Gottesman, H.-K. Lo, N. Lutkenhaus, and J. Preskill, Quant. Inf. Comput. 5, 325 (2004).
- N. J. Beaudry, M. Lucamarini, S. Mancini, and R. Renner, Phys. Rev. A 88, 62302 (2013).
- M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, Nat. Commun. 3, 634 (2012).
- S. Tanzilli, A. Martin, F. Kaiser, M. De Micheli, O. Alibart, and D. Ostrowsky, Las. Photon. Rev. 6, 115 (2012).
- B. Korzh, N. Walenta, T. Lunghi, N. Gisin, and H. Zbinden, Appl. Phys. Lett. 104, 081108 (2014b).
- Q. Liu, A. Lamas-Linares, C. Kurtsiefer, J. Skaar, V. Makarov, and I. Gerhardt, Rev. Sci. Instrum. 85 (2014).
- N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, Phys. Rev. A 73, 22320 (2006).
- F. Xu, M. Curty, B. Qi, and H.-K. Lo, (2014), arXiv:1409.5157 .
- T. Lunghi, J. B. Brask, C. C. W. Lim, Q. Lavigne, J. Bowles, A. Martin, H. Zbinden, and N. Brunner, (2014), arXiv:1410.2790 .
- B. Korzh, N. Walenta, R. Houlmann, and H. Zbinden, Opt. Express 21, 19579 (2013).