Device-dependent and device-independent quantum key distribution without a shared reference frame

Device-dependent and device-independent quantum key distribution without a shared reference frame

Abstract

Standard quantum key distribution (QKD) protocols typically assume that the distant parties share a common reference frame. In practice, however, establishing and maintaining a good alignment between distant observers is rarely a trivial issue, which may significantly restrain the implementation of long-distance quantum communication protocols. Here we propose simple QKD protocols that do not require the parties to share any reference frame, and study their security and feasibility in both the usual device-dependent case—in which the two parties use well characterized measurement devices—as well as in the device-independent case—in which the measurement devices can be untrusted, and the security relies on the violation of a Bell inequality. To illustrate the practical relevance of these ideas, we present a proof-of-principle demonstration of our protocols using polarization entangled photons distributed over a coiled 10-km-long optical fiber. We consider two situations, in which either the fiber spool freely drifts, or randomly chosen polarization transformations are applied. The correlations obtained from measurements allow, with high probability, to generate positive asymptotic secret key rates in both the device-dependent and device-independent scenarios (under the fair-sampling assumption for the latter case).

I Introduction

Quantum Key Distribution (2) is arguably the most developed area in quantum information processing, and has recently reached the commercial level. Currently the main limitation of QKD is the distance between the parties. State of the art experiments have reported key exchanges up to distances of km (3). It is a great challenge in this area to reach much longer distances, such as intercontinental distances, and tremendous effort is made in this direction. Significant progress has been recently reported, with promising developments in quantum repeaters (4), as well as in satellite-based quantum communications (5); (6).

The main reason for this challenge to practical implementations of QKD protocols, and more generally all long-distance quantum communication tasks, is the effect of noise and loss. Many studies have been devoted to these problems. There is however another key issue, often overseen, which is the alignment of a common reference frame between the parties. While usually being assumed a priori (hence not discussed) in theoretical works, the alignment of a common reference frame is rarely a trivial task in practice. Furthermore, when performing experiments outside of the laboratory, this issue can become highly cumbersome, and may significantly restrain—and even hinder—the implementation of certain quantum protocols. For instance, in fiber-based quantum communications, polarization rotations are induced by unavoidable temperature changes, which makes it challenging to maintain a good alignment. Also, in satellite-based quantum communications, establishing and maintaining a good alignment between the satellite and the ground station is a challenge (6), given the fast movement of the satellite and the limited amount of time for completing the protocol.

It is therefore relevant to consider quantum communication protocols in which the requirement of a common reference frame can be dispensed with. An elegant solution to this problem is to use decoherence-free subspaces (7); (8). However, this generally amounts to using high-dimensional quantum systems, the practical implementation of which is challenging—although progress has been achieved recently (9). It turns out however that one can in fact relax the shared reference frame assumption in certain simple quantum communication protocols that only involve qubits. This approach has received some attention in the context of tests of quantum nonlocality (10): in particular it was recently shown (11); (12), and experimentally illustrated (11); (13), that Bell inequality violations can be guaranteed even if the parties share no common measurement basis. In the context of QDK, Laing and colleagues (14) presented a protocol—dubbed “Reference Frame Independent”, and recently implemented in Ref. (15)—which requires the parties to only have one common measurement basis. While the latter approach is well suited and proposes an interesting solution for certain QKD implementations, it is however not adapted to all systems.

Here we propose QKD protocols that do not assume the existence of any shared reference frame. We analyse their security and feasibility in two scenarios. In the first, “device-independent” (DI) case (16); (17), the two communicating parties Alice and Bob use untrusted measurement devices and do not make any assumption on their functioning; the security of the protocol is ensured by the violation of a Bell inequality (for a recent review, see (18)). In the second, standard “device-dependent” (DD) case, Alice and Bob trust that their devices faithfully implement the prescribed measurements—which further constrains the possible attacks by an eavesdropper, Eve, detectable by Alice and Bob. We show in both cases that if Alice and Bob do not share a common reference frame but measure entangled pairs of quantum systems along randomly orientated measurement bases, they can still expect to generate, with reasonably large probability (which depends on the assumptions for the security analysis), secret keys with positive key rates. We then demonstrate the experimental relevance of these ideas by presenting a proof-of-principle implementation of our protocols using a photonic QKD setup with polarization entangled photons. For all cases under consideration, we could calculate, with non-zero probability, positive (asymptotic) secret key rates as obtained from the preceding security analysis (assuming the fair sampling assumption in the DI case to calculate the violation of a Bell inequality). This suggests that the requirement of a common reference frame can indeed—if need be—be completely dispensed with in experimental QKD, thus opening promising perspectives for long-distance and satellite-based QKD.

Ii Device-independent protocol

In our first protocol, Alice and Bob can each perform one out of 3 possible local measurements, labeled by for Alice and for Bob, on a shared entangled quantum state . All measurements are dichotomic, giving a binary outcome for Alice and for Bob. The protocol is device-independent in the sense that we shall not make any assumption on which measurements are physically implemented by Alice and Bob’s measuring apparatuses, nor of the dimension of the state .

After repeating the above operations sufficiently many times, Alice and Bob can, by communicating a random subset of their measurement choices and results, estimate the correlations they share, i.e. the probability distribution . For now we will focus on the correlators . From these, Alice and Bob can in particular calculate the 36 values (for all and ) of the Clauser-Horne-Shimony-Holt (CHSH) (19) parameters

 Sxx′yy′=|Exy+Exy′+Ex′y−Ex′y′|. (1)

If any of these CHSH values is greater than 2, Alice and Bob can certify that the observed correlations are “nonlocal”, in the sense that they violate Bell’s local causality assumption (20). Observing quantum nonlocality is not only interesting for testing the foundations of quantum theory, it can also have practical applications—in our case of interest it can indeed allow one, for a large enough value of a CHSH parameter together with a large enough value for at least one correlator, to prove the security of QKD protocols in a device-independent way (16); (17); (21); (22); (25).

Interestingly, it was shown in Refs. (11); (12) that if Alice and Bob share a maximally entangled 2-qubit state, say the singlet state , and can each choose among 3 orthogonal measurements, represented for Alice (Bob) by 3 orthogonal vectors () on the Bloch sphere, there is always at least one of the 36 CHSH values that is above the local bound of 2—unless Alice and Bob’s orthogonal measurement triads are perfectly aligned. Moreover, if Alice and Bob do not share any common reference frame and the relative orientation of their measurement triads is random, the largest CHSH value they observe is typically quite large: its average value was empirically found to be for random relative orientations drawn from a uniform distribution on the Bloch sphere (11).

This suggests that it should be possible to extract reasonably large secret key rates from the correlations obtained by Alice and Bob, without the requirement that they share a common reference frame (i.e. their orthogonal measurement triads are not pre-aligned). We study this idea below, following the security analyses of both Pironio et al. (21)—which proves the security against collective attacks—and of Masanes et al. (22)—which considers the security against general (coherent) attacks, only assuming memoryless devices. Note that full security proofs of DI QKD, considering the most general attacks, were recently reported (23); (24). However, these proofs are not robust to noise, hence of limited practical interest, and we do not consider these in this work.

ii.1 Device-independent security analysis along the lines of Pironio et al.(21)

Ref. (21) considered a DI-QKD protocol with 3 inputs for Alice (in our notations, ) and 2 inputs for Bob (). Considering the CHSH parameter and the correlator (see Eq. 1 above), it was shown that (if ) a secret key can be extracted through 1-way classical post-processing (from Bob to Alice) from the data obtained when using the settings and —the “raw key”—at an asymptotic rate (see details in (21))

 R ≥ 1−h[1−E312]−h[1+√(S1212/2)2−12], (2)

where is the binary entropy function. This bound on the secret key-rate ensures the security of the QKD protocol in the DI scenario against collective attacks (2), in the limit of infinite key lengths. The term represents the (minimum) amount of information that Alice and Bob need to classically exchange in order to correct the errors in their raw keys, while the term is a bound on Eve’s Holevo information conditioned on Bob’s measurement result. Both need to be reduced through privacy amplification.

The same protocol as in (21) can be run by following the protocol detailed above, in which Alice and Bob do not share a common reference frame (see start of Sec. II), with 3 settings for both Alice and Bob, by using any four correlators to estimate a CHSH parameter , and any pair of settings to define the raw key—with the important condition that either or . Let us then define

 rDI1=max\lx@stackrelx,x′,y,y′,xraw,yraw,\lx@stackrels.t.%  Sxx′yy′>2,xraw∈{x,x′} or yraw∈{y,y′}[1−h[1−Exrawyraw2]−h[1+√(Sxx′yy′/2)2−12]], (3)

corresponding to the rate (2) for the optimal choice of settings used to define the CHSH parameter and the raw key (by convention, if no violation is found we define . From the analysis of (21), if is found to be non-negative, then Alice and Bob will indeed be able to extract a secret key with an asymptotic rate of (at least) , in the DI scenario, secure against collective attacks1.

In order to study the experimental feasibility of such a protocol the questions we need to address are the following: How likely is to be positive? What are its typical values, and how are they distributed if Alice and Bob’s orthogonal measurement triads are randomly chosen?

To answer these questions, we estimated the distribution of by generating pairs of random orthogonal measurement triads and , independently drawn from a uniform distribution on the Bloch sphere. For each pair of triads, we computed the 9 correlators assuming that Alice and Bob receives pure (noise-free) maximally entangled states (hence, ), and calculated the bound  (3) on the secret key rate that Alice and Bob can extract. The results of our simulation are plotted on Figure 1. We found that of our samples of were positive (i.e., we estimate the probability for Alice and Bob to obtain to be ), with a maximum value for the distribution of observed around . The average value of was found to be ; if we post-select only the cases in which , the average value becomes . The maximum value for is found to be , obtained if two of Alice and Bob’s measurement settings coincide (say, ), while the other two pairs of settings, used to define , are coplanar (with an angle rad from one pair to the other).

It is also important to study the effect of noise on the secret key rates . For that, we similarly estimated the distribution of if the measurements are now performed on noisy singlet states (Werner states (26)) (which gives ), for and 0.95; see Figure 1. As expected, the secret key rates are reduced as decreases. For and , the probabilities that are, however, still and , respectively. Note in this respect that the violations of a CHSH inequality were found in Ref. (11) to be quite robust to noise; for instance, the probability that at least one value of is greater than 2 is still above for .

ii.2 Device-independent security analysis along the lines of Masanes et al.(22)

Ref. (22) provides a different approach to prove the security of a DI-QKD scheme. For the same protocol as in Ref. (21), Masanes et al. proved that (for ) a secret key—now secure against coherent attacks, but under the assumption that their measurement devices are causally independent (or memoryless)—can be extracted at an asymptotic rate (22)

 R ≥ − h[1−E312]−log2[1+√2−(S1212/2)22]. (4)

Again, the term is due to the necessary error correction, while the term is now a bound on the min-entropy of Alice’s raw key conditioned on Eve’s information. The information of both must be removed through privacy amplification to extract a secret key.

Let us then now define, for our experimental procedure with 3 settings for Alice and Bob,

 rDI2=max\lx@stackrelx,x′,y,y′,xraw,yraw,\lx@stackrels.t.%  Sxx′yy′>2,xraw∈{x,x′} or yraw∈{y,y′}[−h[1−Exrawyraw2]−log2[1+√2−(Sxx′yy′/2)22]]. (5)

As before, if is found to be non-negative, then Alice and Bob will indeed be able to extract a secret key with a rate (at least) .

Again, we wish to determine how likely it is that is positive, and how its typical values and distribution look like when Alice and Bob’s orthogonal measurement triads are randomly chosen from a uniform distribution on the Bloch sphere. For that, we estimated the distribution of in a similar way as for . The results of our simulation are plotted in Figure 2. We found that of our samples of were positive, and observed a peak in the distribution of for values around . The average value of was found to be ; if we post-select only the cases in which , the average value becomes . The maximum value for is obtained if two of Alice and Bob’s measurement settings coincide, while the other two pairs of settings, used to define , are coplanar, at from one another—i.e. they correspond to the optimal choice of settings for testing the CHSH inequality (which was not the case for the optimal settings for ). In that case, one gets .

We also, as before, considered the effect of depolarizing noise on the secret key rates (see Figure 2). For , we found the probability that to be ; for , however, no positive secret key rate is obtained any more.

Note that is always smaller than . This comes from the different techniques used in the proofs: Ref. (22) is based on the calculation of min-entropies to estimate Eve’s information, while Ref. (21) is based on the calculation of Eve’s Holevo information (which involves von Neumann entropies). The security analysis of Ref. (22) is more stringent in that it considers more general attacks. It is an open question whether any of the two analyses can be improved to account for more general attacks or to lead to higher bounds on the secret key rates (e.g. whether the higher bound of Ref. (21) also holds for the same class of attacks as considered in Ref. (22)).

Iii Device-dependent protocol

We now turn to the more standard device-dependent (DD) scenario, in which Alice and Bob trust their measurement apparatuses. We assume that the apparatuses implement dichotomic qubit measurements, that is a 2-qubit state, and that the 3 measurement settings they can each choose from, as before, trustfully correspond to orthogonal projective measurements, represented by 3 orthogonal Bloch vectors for Alice, and by 3 orthogonal Bloch vectors for Bob.

It is convenient here to think of Alice’s and Bob’s measurements along the orthogonal directions and as the application of an adequate local unitary operation on their respective qubit, followed by a measurement along the axes of their Bloch spheres2. Choosing random orientations for the orthogonal measurement triads and is equivalent to choosing random local unitary transformations to apply to the 2-qubit state .

In this view, the QKD protocol we are considering, with a choice of measurement among three orthogonal directions, is nothing but the entanglement-based version of the well-known 6-state protocol (27); (28). Its standard security analysis can thus directly be applied. The only difference in our case here will concern its typical implementation: we shall not assume that Alice and Bob can (in the ideal case) share an entangled state with any particular symmetries adapted to their measurement bases, but instead, that their qubits undergo some uncontrolled rotations before being measured.

Note already that in the device-dependent scenario, entanglement-based protocols can readily be translated into prepare-and-measure ones (2) (whose practical implementations are typically simpler), and the following analysis would still apply.

iii.1 Device-dependent security analysis à la 6-state protocol

Following the analysis presented in Appendix A of Ref. (2), one can show that the asymptotic secret key rate one can extract in the 6-state protocol from the data measured (say) with the settings (corresponding to a measurement, with the convention that and correspond to and measurements, resp.), under 1-way classical post-processing, and secure against the most general coherent attacks (in the device-dependent scenario) is bounded by

 R ≥ 1− H[{1+E11+E22−E334,1+E11−E22+E334, (6) 1−E11+E22+E334,1−E11−E22−E334}],

where is the Shannon entropy (and is a length 4 vector of probabilities).

In our case, the association between each of Alice’s 3 measurement settings and one of Bob’s settings is not defined a priori, but can be optimized so as to end up with the largest possible secret key rate—that is, we can choose the optimal permutation of Bob’s settings to be associated to Alice’s settings . Taking into account the fact that Eq. (6) assumes a given handedness for the orientation of Alice and Bob’s settings (that of ), we define

 rDD(6−state) =max\lx@stackrel{y1,y2,y3}=π({1,2,3})[1− H[{1+σπ(E1y1+E2y2−E3y3)4,1+σπ(E1y1−E2y2+E3y3)4, 1+σπ(−E1y1+E2y2+E3y3)4,1−σπ(E1y1+E2y2+E3y3)4}]], (7)

where is the signature of the permutation . is thus a lower bound on the asymptotic extractable secret key rate of our device-dependent protocol, secure against coherent attacks in the limit of infinitely long keys, obtained from the standard analysis of the 6-state protocol3.

We again estimated the distribution of the bound in a similar manner as before, i.e. if Alice and Bob share (noisy) singlet states and their measurement orientations (or their local unitaries, equivalently—cf above) are chosen at random, uniformly on the Bloch sphere. The results are shown in Figure 3. In the noiseless case () we found that of our samples led to positive secret key rates . The average value of was found to be ; if post-selected to the cases in which , it becomes . The maximum value of is 1, obtained e.g. when is a pure singlet state and Alice and Bob’s measurement axes are perfectly aligned (as in the standard case of the 6-state protocol). For and 0.95, as the key rates decrease, we still found that and of our samples, respectively, led to positive secret key rates .

We note that the key rates obtained from (7), in the DD scenario, are typically larger than those found in the DI scenario considered in the previous section. This was expected, as the assumptions on Eve’s possible attacks are more restrictive in the DD scenario. For instance, Eve cannot act on Alice and Bob’s measurement apparatuses—which, in the DI scenario, indeed allows her to perform more powerful attacks (21). An interesting difference between the DD and DI scenarios is the optimal orientations of settings. In the DD scenario, one only aims at maximizing three of the correlators , and the optimal arrangement does not allow the violation of any Bell inequality; on the other hand, in the DI scenario a trade-off must be found between a large enough violation of a Bell inequality and a large enough correlator (cf above).

iii.2 Improved device-dependent security analysis

In the security analysis of the 6-state protocol that leads to the closed form (6), one uses the fact that an upper bound on Eve’s information can be obtained, through a “depolarization process”, by restricting oneself to Bell-diagonal states (cf Appendix A of (2)). While this use of the symmetries of the protocol may be well adapted for standard implementations in which Alice and Bob share a common reference frame and indeed expect their state to be (close to) a Bell-diagonal state, the upper bound thus obtained may in general be over-pessimistic, and it may be possible to actually derive larger bounds on the secret key rates—as we now show.

In the experimental situation we consider, Alice and Bob each repeatedly perform one out of three orthogonal qubit measurements. Their full statistics—i.e. their correlators , together with the marginal probabilities and (which are expected to be uniformly 1/2 for maximally entangled 2-qubit states, possibly including white noise)—then actually allow them to fully reconstruct the state , up to local unitary rotations, through quantum state tomography (32). This can be used to estimate Eve’s information more tightly—e.g., in the ideal case in which the state would be found to be a pure state (such as a maximally entangled state), then one can be assured that Eve is not correlated to it.

More precisely, to study the security against collective attacks, the information potentially available to an eavesdropper can be represented by a quantum system that is correlated to Alice and Bob’s system in such a way that it “purifies” the reconstructed state —i.e., one can define a purification of (a pure 3-partite state such that ), and give the quantum system to Eve.

Let us denote by Eve’s partial state and by her conditional state corresponding to Alice’s measurement result for the choice of setting , and let us define Eve’s Holevo information conditioned on Alice’s outcome as

 χ(Ax:E) = S(ρE)−∑ap(Ax=a)S(ρE|Ax=a), (8)

where denotes the von Neumann entropy []. We similarly define to be Eve’s Holevo information conditioned on Bob’s measurement result for the choice of setting . A lower bound on the asymptotic secret key rate one can extract through 1-way post-processing from the data , obtained from the measurement of the settings and is then given by the Devetak-Winter bound (33)

 R ≥ I(Axraw:Byraw)−min[χ(Ax% raw:E),χ(Byraw:E)], (9)

where is the mutual information between Alice’s and Bob’s measurement results and which, after randomization of Alice and Bob’s marginals (through a simultaneous random flipping of their results), is equal to . The bound (9) ensures the security of the secret key against collective attacks (in the limit of infinitely long keys); using a de Finetti type of argument, one can show that the same secret key rate is also secure against coherent attacks (34).

In our case, Alice and Bob still have the possibility to choose the settings from which they will attempt to extract a secret key. Let us accordingly define

 rDD = maxxraw,yraw [1− H[1−Exrawyraw2]−min[χ(Axraw:E),χ(Byraw:E)]], (10)

If is found to be non-negative, then Alice and Bob will actually be able to extract a secret key with a rate (at least) —which is larger than the previous bound  (7).

In the ideal case in which Alice and Bob find that they share noiseless singlet states, the state is pure. This implies in particular that Eve’s Holevo information is null: . The bound  (10) on the secret key rate then just depends on the largest correlator (in absolute value) observed by Alice and Bob. One can show in that case that if Alice’s and Bob’s 3 measurements settings are orthogonal, this largest correlator is necessarily greater than (obtained if all scalar products are either or ), and hence ; on the other hand, the maximum value 1 of is attained if any two of Alice and Bob’s settings are aligned. As in the previous cases, we estimated the distribution of for randomly chosen orientations for Alice and Bob’s measurement triads; see Figure 4. Its average value was found to be .

If Alice and Bob determine that they find a noisy Werner state with , they calculate Eve’s Holevo information to be (for all ) . The distribution of , estimated as before, is also shown on Figure 4 for and . In both cases we always find positive bounds on the secret key rates (in fact, is always positive for ).

Iv Proof-of-principle experiments

To demonstrate the practical relevance of our theoretical discussions, we performed a proof-of-principle demonstration of QKD using the four security analyses discussed above. In our experiment Alice generated a sequence of pairs of polarization entangled photons and sent one photon of each pair to Bob via a channel with an unknown polarization transformation. Both parties projectively measured the polarization state of their photon in one of three mutually unbiased bases. Neither Alice nor Bob attempted to align their measurement devices, as we do not want to assume that they share a common reference frame. After collecting sufficient data on each pair of projectors—giving the 9 correlators as described above and allowing for the tomography of the quantum state shared by Alice and Bob (for the calculation of )—asymptotic secret key rates from each of the above analyses were calculated. Note that our demonstration is proof-of-principle only as we do not randomly select bases nor perform the required error correction or privacy amplification, which is required to generate actual secret keys (and which would require a rigorous finite-key analysis, which would go beyond the scope of this paper). Nor do we close the detection loophole as necessary to generate key for device-independent QKD.

iv.1 Experimental setup

Fig. 5 shows a schematic of our experiments. Alice holds a source of polarization-entangled qubits and a qubit analyzer (details below). Her entanglement source is based on two spontaneous parametric downconversion (SPDC) crystals in a polarizing Sagnac interferometer, described and characterized previously in (35); (36). Diagonally polarized pump light from a pulsed  nm wavelength laser is placed in a superposition of traveling clockwise (CW) and counter-clockwise (CCW) around the Sagnac interferometer. In the CCW path, vertically polarized pump light passes unaffected through the first SPDC crystal, which is oriented to down-convert horizontally polarized pump light, and then produces pairs of vertically polarized photons in the second SPDC crystal. Similarly, the CW path produces pairs of horizontally polarized photons. Each pair consists of one photon at around  nm wavelength and one photon at around  nm. By recombining the two paths at the output of the interferometer, and keeping pump powers sufficiently low, Alice generates a two-qubit state close to the Bell state4. Performing quantum state tomography based on a maximum likelihood optimization (32) with the source revealed an average tangle of (note that implies a maximally entangled state and that we observed the tangle to oscillate between and over the course of the experiment); this value of the tangle corresponds, for an ideal Werner state, to an average visibility of about .

During experiments, Alice separates the two entangled photons with a dichroic mirror and measures the  nm photon directly with her qubit analyzer, which consists of waveplates, a polarizing beam splitter (PBS) and a free-running silicon avalanche photo-diode (APD). Alice also sends the  nm photon to Bob via a 10 km fiber spool with approx.  dB loss, which serves as the quantum channel with unknown and varying polarization transformation, and, in parallel, generates an electronic signal to inform Bob of the incoming photon. Bob then projectively measures the photon with his own qubit analyzer, also consisting of waveplates, a PBS and a gated InGaAs APD. Measurement results from both Alice and Bob are recorded on the same PC for analysis.

iv.2 Experimental results

To demonstrate the feasibility of QKD without a shared reference frame with our setup, we performed two experiments. In both experiments Alice and Bob collected statistics on one of the nine correlators for two minutes and then either Alice or Bob would change measurement settings. Hence,  minutes were required to collect statistics on all nine correlators. In the first experiment, Alice and Bob cycled through the measurement settings for nearly three hours while the polarization transformation of the fiber spool was allowed to freely drift, which generated nine complete iterations through the measurements of the correlators. For our second experiment, we inserted three waveplates into the channel connecting Alice and Bob to randomly vary the polarization transformation and measured the nine correlators for each transformation.

In the first (free-drifting) experiment we analyzed the nearly three hours of data with a sliding  minute window: We first analyzed the nine correlators and performed state tomography with the data within a window beginning at time and going to  min. We then repeatedly stepped the window forward by  minutes, yielding a total of sets of data (e.g. the second data set is between  min and  min, etc.), and analyzed each set independently. For each data set we calculated the asymptotic secret key rates , , and one could extract in each of the 4 scenarios, according to Eqs. (3), (5), (7) and (10), respectively. In order to illustrate the role of the CHSH violation in the DI scenario and the importance of having large correlators, we also calculated the maximal CHSH value5 , and the largest sum of 3 correlators defined as .

These results are presented in Fig. 6. Initially, and by chance, the channel transformation turned out to be such that a reasonably high parameter was found, favoring device-independent QKD, but over the course of the experiment, the channel transformation slowly drifted close to a point where Alice’s and Bob’s measurement bases were aligned. At this point we observed 3 high correlators (i.e. a large value for ) and a low parameter , which favours device-dependent QKD. Indeed, when one examines the key rates as a function of time (i.e. window position) one observes steadily decreasing device-independent key rates (in fact, quickly falls to zero, whereas remains positive for longer) and steadily increasing device-dependent key rates.

These observations align with our discussion at the end of Sec. III.1 in that the alignment of bases optimal for device-dependent and device-independent QKD are different. All our protocols require a source with a high degree of entanglement (characterized, for instance, by a high visibility or high tangle). However, device-dependent QKD is optimal when Alice’s and Bob’s measurement bases are well aligned such that one finds three large-valued correlators with which to generate key, which minimizes key reduction due to error correction. On the other hand, in device-independent QKD one requires a set of four correlators that generate a high -parameter (to minimize the bound on Eve’s information and thus key reduction during privacy amplification) with one correlator being large so that error correction is minimal, which are conflicting requirements. This conflicting nature is indeed illustrated in Fig. 6, where one observes that decreases in time while increases—just as and decrease as and increase.

Furthermore, the difference between secret key rates granted by the two device-dependent analyses, and , are apparent in Fig. 6(c). The difference between these techniques, as discussed in Sec. III.2, is how one bounds an eavesdropper’s information: uses the Holevo information based on a reconstruction of the density matrix while uses three correlators. If the quantum state that Alice and Bob share contains a high tangle, then Eve’s Holevo information will be low and thus mainly depends on the strength of the correlator used to generate key. On the other hand, the privacy bound for does depend on alignment as three high correlators are needed for key generation. We see that in our results: first, always outperforms  (as mentioned in Sec. III.2) and, second, the difference between the two key rates is largest initially (when bases are the most misaligned) and slowly decreases as Alice’s and Bob’s bases begin to align.

As mentioned above, for our second experiment, we inserted three waveplates into the channel connecting Alice and Bob to randomly vary the polarization transformation. All nine correlators were measured times, and state tomography was performed independently each time. Before each iteration the waveplates were re-positioned based on randomly generated numbers, thus generating a random channel transformation (note that the fiber’s own transformation continued to drift as above). In Fig. 7 we present the results. We again plot the figures of merit and for each of the measurements, as well as the derived asymptotic secret key rates , , and . For device-independent QKD, we found positive secret key rates for in out of measurements (i.e. with probability of %) and out of measurements (i.e. %) for . For device-dependent QKD, we found positive secret key rates for in of measurements (i.e. %) and in of measurements (i.e. %) for . Although the size of our experimental sample is too small to really be statistically significant, our observations appear to agree reasonably well with the predictions from the numerical simulations above, assuming a source of entangled Werner states of visibility slightly larger than 0.95, i.e. a tangle of —in agreement with the measured tangle of the state, which was found to oscillate from to .

Lastly, we again point out that a consistently high tangle, which our experiment maintained (up to the oscillations), is required but not sufficient to generate positive secret key rates. A high-quality source does not guarantee the high -parameter needed for device-independent QKD, nor the high correlators needed for device-dependent QKD. An appropriate channel transformation is also required.

V Discussion

We have presented a practical QKD setup in which the requirement of a common reference frame can be completely dispensed with. A proof-of-principle demonstration of our protocols, which covers both the usual device-dependent case and the device-independent case, was performed over  km of spooled fiber. Specifically, we have shown that a secret key can in principle be established, considering both a freely drifting spool and randomly chosen transformations, even in the device-independent case (assuming fair sampling, and infinitely long keys).

We believe that the present ideas have potential to find applications in future long-distance quantum communication protocols, in particular in situations where the amount time available to perform the protocol is severely constrained, e.g. in satelite based quantum communications. The present results should be considered as a proof-of-principle experiment, and several technical improvements are required, such as implementing random choices of measurement settings, and a finite-key security analysis (37). For the device-independent approach, an essential step is to close the detection loophole, which has recently been achieved in fully optical systems (38); (39). Finally, another challenge consists in devising efficient error-correction protocols for high error rates, as our protocols typically lead to higher error rates compared to the standard approach in which the parties share a common reference frame.

Acknowledgements. This work was supported by a UQ Postdoctoral Research Fellowship, the Swiss National Science Foundation (grant PP00P2_138917), the EU project DIQIP, the National Sciences and Engineering Research Council of Canada (NSERC), Alberta Innovates Technology Futures (AITF), the Canadian Foundation for Innovation (CFI), Alberta Advanced Education and Technology (AAET) and by the Killam Trusts.

Footnotes

1. Note that instead of throwing some raw data away, Alice and Bob could additionally try to extract some secret key from their measurement results obtained by using other settings than the optimal , if any other choice also leads to a positive bound on the key rate through (2). For simplicity we do not consider this possibility in this paper, and only focus on as defined in (3).
2. Alternatively, one can use the orthogonal directions and to redefine the axes of Alice and Bob’s Bloch spheres, and hence their computational bases, and rewrite in these new bases (which indeed amounts to applying local unitaries to ).
3. Note that by considering only 2 of the 3 settings of both Alice and Bob, one can follow the security analysis for the BB84 protocol (29) (cf e.g. the Appendix A of (2)), and derive a simpler bound on the asymptotic secret key rate, secure against coherent attacks (and actually proven to give one-sided device independent security (30); (31), under the memoryless assumption), given by . Numerical simulations suggest that this bound is in general only slightly lower than  (7), and gives comparable distributions to those of Figure 3.
4. Note that all maximally entangled 2-qubit states (such as ) are equivalent, up to a local unitary transformation, to the singlet state considered in the previous sections.
5. Note that we do not claim that this maximal value is necessarily the one that grants the maximum secret key rate (as the latter also depends on the correlator ; cf Eqs (3) and (5)). However, as having a large value of is a necessary condition for positive DI secret key rates, we will use the value as an indicator of the ability to generate key in the DI scenario.

References

1. V. Scarani, H. Bechmann-Pasquinucci, N.J. Cerf, M. Dusek, N. Lütkenhaus, and M. Peev, Rev. Mod. Phys. 81, 1301 (2009).
2. D. Stucki, N. Walenta, F. Vannel, R. T. Thew, N. Gisin, H. Zbinden, S. Gray, C. R. Towery, and S. Ten, New J. Phys. 11, 075003 (2009).
3. N. Sangouard, C. Simon, H. de Riedmatten, and N. Gisin, Rev. Mod. Phys. 83, 33 (2011).
4. T. Jennewein, Physics World 2013.
5. J.-P. Bourgoin, E. Meyer-Scott, B. L. Higgins, B. Helou, C. Erven, H. Hübel, B. Kumar, D. Hudson, I. D’Souza, R. Girard, R. Laflamme and T. Jennewein, New J. Phys. 15, 023006 (2013).
6. A. Cabello, Phys. Rev. Lett. 91, 230403 (2003).
7. S. D. Bartlett, T. Rudolph, and R. W. Spekkens, Phys. Rev. Lett. 91, 027901 (2003).
8. V. D’Ambrosio, E. Nagali, S. P. Walborn, L. Aolita, S. Slussarenko, L. Marrucci, and F. Sciarrino, Nat. Commun. 3, 961 (2012).
9. Y.-C. Liang, N. Harrigan, S. D. Bartlett, and T. G. Rudolph, Phys. Rev. Lett. 104, 050401 (2010).
10. P. Shadbolt, T. Vertesi, Y.-C. Liang, C. Branciard, N. Brunner, and J. L. O’Brien, Sci. Rep. 2, 470 (2012).
11. J. J. Wallman and S. D. Bartlett, Phys. Rev. A 85, 024101 (2012).
12. M. S. Palsson, J. J. Wallman, A. J. Bennet, and G. J. Pryde, Phys. Rev. A 86, 032322 (2012).
13. A. Laing, V. Scarani, J. G. Rarity, and J. L. O’Brien, Phys. Rev. A 82, 012304 (2010)
14. J. Wabnig, D. Bitauld, H. W. Li, A. Laing, J. L. O’Brien, and A. O. Niskanen, New J. Phys. 15, 073001 (2013).
15. D. Mayers and A. Yao, Proc. of the 39th IEEE Conf. on Foundations of Computer Science (IEEE, Los Alamitos, 1998), p. 503.
16. A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, Phys. Rev. Lett. 98, 230501 (2007).
17. N. Brunner, D. Cavalcanti, S. Pironio, V. Scarani, S. Wehner, preprint arXiv:1303.2849 (2013).
18. J. F. Clauser, M. A. Horne, A. Shimony, and R. A. Holt, Phys. Rev. Lett. 23, 880–884 (1969).
19. J. S. Bell, Speakable and unspeakable in quantum mechanics, 2nd ed. (Cambridge Univ. Press, 2004).
20. S. Pironio, A. Acín, N. Brunner, N. Gisin, S. Massar, and V. Scarani, New J. Phys. 11, 045021 (2009).
21. Ll. Masanes, S. Pironio, and A. Acín, Nat. Commun. 2, 238 (2011).
22. B. W. Reichardt, F. Unger and U. Vazirani, Nature 496, 456–460 (2013).
23. U. Vazirani and T. Vidick, preprint arXiv:1201.1810 (2012).
24. E. Hänggi and R. Renner, preprint arXiv:1009.1833 (2010).
25. R. F. Werner , Phys. Rev. A 40, 4277–4281 (1989).
26. D. Bruß, Phys. Rev. Lett. 81, 3018–3021 (1998)
27. H. Bechmann-Pasquinucci and N. Gisin, Phys. Rev. A 59, 4238–4248 (1999).
28. C. H. Bennett and G. Brassard, Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India (IEEE, New York, 1984), pp. 175–179.
29. M. Tomamichel and R. Renner, Phys. Rev. Lett. 106, 110506 (2011).
30. C. Branciard, E. G. Cavalcanti, S. P. Walborn, V. Scarani, and H. M. Wiseman, Phys. Rev. A 85, 010301(R) (2012).
31. J. B. Altepeter, E. R. Jeffrey, P. J. Kwiat, Adv. Atom. Mol. Opt. Phy. 52, 105–159 (2005).
32. I. Devetak and A. Winter, Proc. Roy. Soc. A 461, 207 (2005).
33. R. Renner, Nat. Phys. 3, 645 (2007).
34. T. E. Stuart, J. A. Slater, R. Colbeck, R. Renner, and W. Tittel, Phys. Rev. Lett. 109, 020402 (2012).
35. T. E. Stuart, J. A. Slater, F. Bussières, and W. Tittel, Phys. Rev. A 88, 012301 (2013).
36. V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008).
37. M. Giustina, A. Mech, S. Ramelow, B. Wittmann, J. Kofler, J. Beyer, A. Lita, B. Calkins, T. Gerrits, S. W. Nam, R. Ursin and A. Zeilinger, Nature 497, 227–230 (2013).
38. B. G. Christensen, K. T. McCusker, J. B. Altepeter, B. Calkins, T. Gerrits, A. E. Lita, A. Miller, L. K. Shalm, Y. Zhang, S. W. Nam, N. Brunner, C. C. W. Lim, N. Gisin and P. G. Kwiat, Phys. Rev. Lett 111, 130406 (2013).
You are adding the first comment!
How to quickly get a good reply:
• Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
• Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
• Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minumum 40 characters