Large-alphabet Quantum Key Distribution using spatially encoded light
Most Quantum Key Distribution protocols use a two-dimensional basis such as HV polarization as first proposed by Bennett and Brassard in 1984. These protocols are consequently limited to a key generation density of 1 bit per photon. We increase this key density by encoding information in the transverse spatial displacement of the used photons. Employing this higher-dimensional Hilbert space together with modern single-photon-detecting cameras, we demonstrate experimentally large-alphabet Quantum Key Distribution with symbols and a shared information between sender and receiver of bit per photon.
pacs:Valid PACS appear here
We rely increasingly on the availability of affordable and high speed communication, which fosters the need of high key-rate generating cryptography. Recent progress in the development of quantum computers Barends et al. (2016); Brecht et al. (2016); Aasen et al. (2016); Saffman (2016); Wang et al. (2018) threatens the widely used cryptographic methods, which rely on computational assumptions Shor (1994); Menezes et al. (1996). A possible solution is Quantum Key Distribution (QKD) of which the security is only based on quantum physics and not on any computational assumption. The first QKD protocol BB84 Bennet (1984) uses the two-dimensional polarization basis to encode information in photons. Therefore, the alphabet is limited to two symbols, ”0” and ”1”, with a maximum information content of 1 bit per photon. Since the generated key is used as a one-time pad, this is a bottleneck especially for encrypted video communication Liao et al. (2017).
There are two approaches to increase the key generation rate. One is to increase the repetition rates of photon generation Yuan et al. (2016) and detection Patel et al. (2014), which is inherently limited by dead times and jitter of the detectors Brougham et al. (2016). The other approach is to exploit properties of photons besides the polarization to increase the dimensionality of the Hilbert space Bechmann-Pasquinucci and Tittel (2000); Bechmann-Pasquinucci and Peres (2000). A higher dimensional Hilbert space leads to a higher information content of the photons and finally increases the key generation rate. Moreover, the error rates introduced by eavesdropping are larger, resulting in an increased security Cerf et al. (2002).
Several methods of high-dimensional QKD have been demonstrated, including time-bin encoding Ali-Khan et al. (2007); Nunn et al. (2013); Zhong et al. (2015); Islam et al. (2017), orbital angular-momentum states Mafu et al. (2013); Mirhosseini et al. (2015); Krenn et al. (2014); Sit et al. (2017) and transversal momentum states Walborn et al. (2006); Etcheverry et al. (2013). Comparing the last two spatial encoding schemes, transversal momentum states have the following advantages. Assuming a realistic sender-receiver configuration with finite-size apertures, a diffraction-limited spot translated in an x,y-plane has a higher capacity limit than the pure OAM states, since they form a subset of Laguerre-Gauss modes Zhao et al. (2015); Kahn et al. (2016). Together with the ease of generating a Fourier-transformed mutually unbiased basis with lens optics, spatial translation states of single photons is a promising candidate for very-high-dimensional QKD.
In principle a scan mirror could be used to spatially translate single photons. However, to correct for disturbances a Spatial Light Modulator (SLM) is more flexible and also allows to use wavefront-shaping methods Vellekoop and Mosk (2007). The SLM allows to change the phase and amplitude of a wavefront by use of holographic methods.
In this paper we experimentally demonstrate very-high-dimensional QKD with distinguishable symbols in two mutually unbiased bases with a shared information of bit per sifted photon. This value is higher than previously reported values of bit for OAM states Mirhosseini et al. (2015) and comparable to the values demonstrated in time-energy QKD Zhong et al. (2015). We give finite-key security arguments for claiming an error-corrected and privacy-amplified secret key rate of the final key of more than bit per photon.
We implement a high-dimensional version of the BB84 protocol using the x,y spatial translation of single photons to encode information Walborn et al. (2006); Tentrup et al. (2017). A detailed description of our setup is given in the supplementary information. The working principle of the protocol is illustrated in Fig. 1. We define detection areas on the two-dimensional plane representing the symbols of our alphabet. The detection areas span pixels on our single-photon sensitive detector. All the areas are arranged in a two-dimensional grid of symbols. In this way, we are able to encode symbols in total, which allows a theoretical maximum of bit encoded in a single photon. The protocol requires a second, mutually unbiased, basis to guarantee that a measurement in the wrong basis yields no information. In general it is always possible to use a Fourier transform to form this second basis. In optics, a single lens performs this task.Therefore, Alice and Bob both switch between an imaging path and a Fourier path. Only two of the four possible combinations will reveal all the information that Alice encoded to Bob. From the remaining two, no information can be extracted by Bob.
First, we characterize the information content of the transmission from Alice to Bob. For this purpose, we analyze the two compatible bases choices of Alice and Bob (II and FF). Alice sends each symbol out of her alphabet individually, while Bob receives the symbol out of the alphabet . Per symbol images are recorded on Bob’s side. This step is performed for both compatible bases. In Fig. 2 the number of photons detected per symbol is shown in a log-log plot. In this figure, the joint probability function is sampled, where is an element of the sent alphabet and from the received alphabet . We quantify the shared information between Alice and Bob by the mutual information Nielsen and Chuang (2002)
where is the probability to measure symbol and the probability of a sent symbol . The maximum information Alice can send per symbol is bit. Due to noise in the channel and in the detection and imperfections in the information encoding, the shared information between Alice and Bob is smaller. For the II and FF basis configuration, we calculated the sampled mutual information to be bit and bit, respectively. The two main contributions to the noise are the cross talk to the neighboring detection areas, which was and the dark counts of the detector which was .
Despite considerable experimental efforts, the probabilities used in the calculation of the mutual information are under-sampled with an average of detection events per symbol. This means that neighboring pixel cross-talk events are not accurately sampled, a problem that gets increasingly severe for larger alphabets. If Eve uses an optimal cloner Bruß and Macchiavello (1999), the minimum fidelity for cloning-based individual attacks is Cerf et al. (2002). Introducing the average symbol hit probability , the mutual information in equation (1) can be simplified to
where is the dimensionality of the basis. In our experiment, . Since a large portion of the photons hits the neighboring areas, equation (2) is an underestimate and can be refined by adding the hit probabilities , , and defined in the top left corner of Fig. 2. We assume the values , , and are equal for each symbol and derive
The resulting mutual information is bit in the II configuration and bit in the FF configuration.
One important criterion for the security of QKD is that the basis choice of Alice remains hidden from Eve. We use Gaussian optics in our setup. As a result, we have Gaussian foci with finite width in the focus plane. The Fourier transform of a Gaussian function is another Gaussian function, as seen in Fig. 3. In the Fourier basis, the probability to detect a photon is higher in the center than at the edges. If Alice sends all symbols of her alphabet with the same probability, Eve could therefore make a reasonable guess which basis is used. A photon detection at the edge of the detector is more likely to have been sent in the imaging basis, while a detection in the center is more likely in the Fourier basis. We measured the photon hit distribution for the two incompatible bases choices IF and FI with the same parameters as in the compatible case. In Fig. 3, the distribution is shown with a Gaussian fit. The width in the columns is pixel and pixel in the rows together with pixel and pixel in the FI configuration. To close the leak, Alice can adjust her send probability to this Gaussian distribution. As a result, the information sent by Alice reduces from bit to bit and bit. Consequently, the sampled mutual information with the hidden basis drops to Walborn et al. (2006)
In a postprocessing step via the public channel, Alice and Bob reveal their basis choice. They only keep the measurement results if they measured in two compatible bases, which bisects the key length. To check for eavesdropping, the quantum bit error rate of this sifted key needs to be calculated. We used the Gray code Gray (1953) to encode the x and y position of the symbol in a bit string. In this way we reduce the bit error rate, since of the error is due to crosstalk to neighboring symbols. In the Gray code, neighboring symbols have a Hamming distance of only . We calculated the averaged quantum bit error rate over all symbols to be for the II configuration and for the FF configuration. We calculated the secret fraction of the key in case of intercept-resend attacks and infinite key length in the supplementary information.
For security arguments against collective attacks, we used finite key considerations given in Sheridan and Scarani (2010); Scarani and Renner (2008); Cai and Scarani (2009). In the case of a finite key length, , failure probabilities in each step of postprocessing need to be considered. After sifting the key and removing the incompatible basis choices of Alice and Bob, the key length bisects. From this key length, half the symbols are used to check for the presence of an eavesdropper. The next step is error correction to achieve an error-free key. Due to the finite key length the error correction has a finite failure probability and not all errors can be removed. Assuming a two-way cascade code Brassard and Salvail (1994), this failure probability is Martinez-Mateo et al. (2015); Tomamichel et al. (2014) in case of a bit error rate. To limit the maximum information of Eve, a privacy amplification step needs to be performed. With average bound privacy amplification Bennett et al. (1995); Gilbert et al. (2001), the information of Eve can be bound to bit with a failure probability of . In this case, the lower bound for the secret key rate per photon of a secure key is given by Sheridan and Scarani (2010); Scarani and Renner (2008); Cai and Scarani (2009)
We neglect the failure probability introduced by smoothening the entropies. If both bases are used with the same probability, symbols can be used to create a key. is defined in equation (3) and is the mutual information between Alice and Bob and
is Eve’s information assuming all channel errors are attributed to the presence of an eavesdropper Cerf et al. (2002). We assume the worst case values in parameter estimation and replace the fidelity by to take the statistical fluctuations of the measured fidelity into account. The remaining terms in equation (5) are the influence of the failure probabilities on the secret key rate.
Figure 4 shows the minimum secret key rate as a function of the number of symbols. With increasing key length, the secret key rate approaches its asymptotic limit, which is the difference between the shared information between Alice and Bob and the information of Eve. As seen in the figure, we can establish a non-zero secret key rate starting from a key length symbols. Assuming an SLM with a maximum frame rate of fps, such a key can be generated in minutes.
In this paper, we experimentally demonstrate high-dimensional QKD using spatially encoded photons. We encode an alphabet of symbols and achieve a channel capacity of bit per detected photon. We discuss a solution to hide Alice’s basis choice from Eve. Taking error correction and privacy amplification into account for finite key length, we show a secret key fraction of bit per photon. For longer-distance communication, the combination of this work with multimode fibers Amitonova et al. (2018) appears attractive.
We would like to thank the Nederlandse Organisatie voor Wetenschappelijk Onderzoek (NWO) for funding this research. We thank Lyuba Amitonova, Jelmer Renema, Ravitej Uppu and Willem Vos for support and discussions. We also like to thank Valerio Scarani for giving us useful input for the finite-key formalism.
- Barends et al. (2016) R. Barends, A. Shabani, L. Lamata, J. Kelly, A. Mezzacapo, U. Las Heras, R. Babbush, A. G. Fowler, B. Campbell, Y. Chen, et al., Nature 534, 222 (2016).
- Brecht et al. (2016) T. Brecht, W. Pfaff, C. Wang, Y. Chu, L. Frunzio, M. H. Devoret, and R. J. Schoelkopf, npj Quantum Inf. 2, 16002 (2016).
- Aasen et al. (2016) D. Aasen, M. Hell, R. V. Mishmash, A. Higginbotham, J. Danon, M. Leijnse, T. S. Jespersen, J. A. Folk, C. M. Marcus, K. Flensberg, et al., Phys. Rev. X 6, 031016 (2016).
- Saffman (2016) M. Saffman, J. Phys. B 49, 202001 (2016).
- Wang et al. (2018) Y. Wang, Y. Li, Z.-q. Yin, and B. Zeng, arXiv preprint arXiv:1801.03782 (2018).
- Shor (1994) P. W. Shor, in Foundations of Computer Science, 1994 Proceedings., 35th Annual Symposium on (Ieee, 1994) pp. 124–134.
- Menezes et al. (1996) A. J. Menezes, P. C. Van Oorschot, and S. A. Vanstone, Handbook of applied cryptography (CRC press, 1996).
- Bennet (1984) C. H. Bennet, in Proc. of IEEE Int. Conf. on Comp., Syst. and Signal Proc., Bangalore, India, Dec. 10-12, 1984 (1984).
- Liao et al. (2017) S.-K. Liao, W.-Q. Cai, W.-Y. Liu, L. Zhang, Y. Li, J.-G. Ren, J. Yin, Q. Shen, Y. Cao, Z.-P. Li, et al., Nature 549, 43 (2017).
- Yuan et al. (2016) Z. L. Yuan, B. Fröhlich, M. Lucamarini, G. L. Roberts, J. F. Dynes, and A. J. Shields, Phys. Rev. X 6, 031044 (2016).
- Patel et al. (2014) K. A. Patel, J. F. Dynes, M. Lucamarini, I. Choi, A. W. Sharpe, Z. L. Yuan, R. V. Penty, and A. J. Shields, Appl. Phys. Lett. 104, 051123 (2014).
- Brougham et al. (2016) T. Brougham, C. F. Wildfeuer, S. M. Barnett, and D. J. Gauthier, The European Physical Journal D 70, 214 (2016).
- Bechmann-Pasquinucci and Tittel (2000) H. Bechmann-Pasquinucci and W. Tittel, Phys. Rev. A 61, 062308 (2000).
- Bechmann-Pasquinucci and Peres (2000) H. Bechmann-Pasquinucci and A. Peres, Phys. Rev. Lett. 85, 3313 (2000).
- Cerf et al. (2002) N. J. Cerf, M. Bourennane, A. Karlsson, and N. Gisin, Phys. Rev. Lett. 88, 127902 (2002).
- Ali-Khan et al. (2007) I. Ali-Khan, C. J. Broadbent, and J. C. Howell, Phys. Rev. Lett. 98, 060503 (2007).
- Nunn et al. (2013) J. Nunn, L. J. Wright, C. Söller, L. Zhang, I. A. Walmsley, and B. J. Smith, Optics express 21, 15959 (2013).
- Zhong et al. (2015) T. Zhong, H. Zhou, R. D. Horansky, C. Lee, V. B. Verma, A. E. Lita, A. Restelli, J. C. Bienfang, R. P. Mirin, T. Gerrits, et al., New J. Phys. 17, 022002 (2015).
- Islam et al. (2017) N. T. Islam, C. C. W. Lim, C. Cahall, J. Kim, and D. J. Gauthier, Sci. Adv. 3, e1701491 (2017).
- Mafu et al. (2013) M. Mafu, A. Dudley, S. Goyal, D. Giovannini, M. McLaren, M. J. Padgett, T. Konrad, F. Petruccione, N. Lütkenhaus, and A. Forbes, Phys. Rev. A 88, 032305 (2013).
- Mirhosseini et al. (2015) M. Mirhosseini, O. S. Magaña-Loaiza, M. N. OâSullivan, B. Rodenburg, M. Malik, M. P. J. Lavery, M. J. Padgett, D. J. Gauthier, and R. W. Boyd, New J. Phys. 17, 033033 (2015).
- Krenn et al. (2014) M. Krenn, M. Huber, R. Fickler, R. Lapkiewicz, S. Ramelow, and A. Zeilinger, Proc. Natl. Acad. Sci. U.S.A. 111, 6243 (2014).
- Sit et al. (2017) A. Sit, F. Bouchard, R. Fickler, J. Gagnon-Bischoff, H. Larocque, K. Heshami, D. Elser, C. Peuntinger, K. Günthner, B. Heim, et al., Optica 4, 1006 (2017).
- Walborn et al. (2006) S. P. Walborn, D. S. Lemelle, M. P. Almeida, and P. H. SoutoRibeiro, Phys. Rev. Lett. 96, 090501 (2006).
- Etcheverry et al. (2013) S. Etcheverry, G. Cañas, E. S. Gómez, W. A. T. Nogueira, C. Saavedra, G. B. Xavier, and G. Lima, Sci. Rep. 3, 2316 (2013).
- Zhao et al. (2015) N. Zhao, X. Li, G. Li, and J. M. Kahn, Nat. Photon. 9, 822 (2015).
- Kahn et al. (2016) J. M. Kahn, G. Li, X. Li, and N. Zhao, in Signal Processing in Photonic Communications (Optical Society of America, 2016) pp. SpM4E–1.
- Vellekoop and Mosk (2007) I. M. Vellekoop and A. P. Mosk, Opt. Lett. 32, 2309 (2007).
- Tentrup et al. (2017) T. B. H. Tentrup, T. Hummel, T. A. W. Wolterink, R. Uppu, A. P. Mosk, and P. W. H. Pinkse, Opt. Express 25, 2826 (2017).
- Nielsen and Chuang (2002) M. A. Nielsen and I. Chuang, ‘‘Quantum computation and quantum information,” (2002).
- Bruß and Macchiavello (1999) D. Bruß and C. Macchiavello, Phys. Lett. A 253, 249 (1999).
- Gray (1953) F. Gray, “Pulse code communication, us patent 2,632,058,” (1953).
- Sheridan and Scarani (2010) L. Sheridan and V. Scarani, Phys. Rev. A 82, 030301 (2010).
- Scarani and Renner (2008) V. Scarani and R. Renner, Phys. Rev. Lett. 100, 200501 (2008).
- Cai and Scarani (2009) R. Y. Q. Cai and V. Scarani, New J. Phys. 11, 045024 (2009).
- Brassard and Salvail (1994) G. Brassard and L. Salvail, in Advances in Cryptology EUROCRYPTâ93, Vol. 765 (1994) pp. 410–23.
- Martinez-Mateo et al. (2015) J. Martinez-Mateo, C. Pacher, M. Peev, A. Ciurana, and V. Martin, Quantum Inf. Comput. 15, 453 (2015).
- Tomamichel et al. (2014) M. Tomamichel, J. Martinez-Mateo, C. Pacher, and D. Elkouss, in Information Theory (ISIT), 2014 IEEE International Symposium on (IEEE, 2014) pp. 1469–1473.
- Bennett et al. (1995) C. H. Bennett, G. Brassard, C. Crépeau, and U. M. Maurer, IEEE T. Inform. Theory 41, 1915 (1995).
- Gilbert et al. (2001) G. Gilbert, M. Hamrick, and F. J. Thayer, arXiv preprint quant-ph/0108013 (2001).
- Amitonova et al. (2018) L. V. Amitonova, T. B. H. Tentrup, I. M. Vellekoop, and P. W. H. Pinkse, arXiv preprint arXiv:1801.07180 (2018).
- Gisin et al. (2006) N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, Phys. Rev. A 73, 022320 (2006).
Appendix A Supplementary material
Our setup consists of a single-photon source, a spatial encoder, optics, the free-space quantum channel between Alice and Bob and finally a decoder together with a single-photon-sensitive position-reading detector on Bob’s side.
The setup is schematically shown in Fig. 5. We use spontaneous parametric down-conversion (SPDC) as a source of photon pairs, here called signal and herald. The wavelength of the generated photons is nm with a heralded single-photon count rate of kHz and a coincidence probability of measured with two avalanche photodiods (APDs). The photon in the herald arm is detected by one of the APDs and signals a successful photon pair creation. The signal photon is sent through a m single-mode fiber (SMF) to add an optical delay. The fiber output coupler (Thorlabs F220FC-780) and a mm lens together with a mm lens expand the light to a collimated beam of mm FWHM to match the size of the spatial light modulator (SLM). We use a phase-only liquid-crystal SLM to write a blazed grating in the phase of the wavefront. A mm lens focuses the light to distinct x,y positions in its focal plane. With a half-wave plate and a polarizing beam splitter (PBS), Alice can switch between the two mutually unbiased bases. One basis is designed for imaging the light in a 4f configuration with two mm lenses. The other one performs a Fourier transform with a single lens with twice the focal length. In case the basis choice needs to be hidden from an eavesdropper, a second half-wave plate can be put after Alice’s last PBS to counteract the polarization rotation of the first half-wave plate. After being transmitted via the quantum channel with two lenses ( mm), the photons are randomly split by a beam splitter (BS) and are again guided through an imaging or a Fourier transform path for decoding. The half-wave plate in the Fourier path ensures that all the light is reflected to the intensified charged-coupled detector (ICCD). The ICCD is triggered via a m BNC cable to match the detection window of the camera to the arrival of the signal photon.
To detect the photons in a two-dimensional grid, we use an ICCD (Lambert HICAM 500S). It consists of an intensifier stage fiber-coupled to a CMOS camera of pixels. The photocathode of the ICCD acts as a gate and is triggered by the herald photons at kHz. The delay between the trigger signal and the signal photon was measured to be ns. The gate width of the intensifier is ns. The CMOS camera is read out with frames per second. The variance of the read-out noise of the CMOS is 0.4 counts and a threshold of counts is set to filter the readout noise from the data. Moreover, a threshold on the size and intensity of detection events is set to between and pixels and between and counts, respectively, to remove unwanted spurious ion events.
a.3 Trojan-horse attacks
The quantum channel connecting Alice and Bob, could be used as a door by an eavesdropper to read out the state of Alice’s and Bob’s devices making the setup vulnerable against Trojan-horse attacks Gisin et al. (2006). To counteract this attack, the optical devices should only be active when the photons are sent. In our setup that could be realized by replacing the mechanical switch of the half-wave plate with a fast electro-optic modulator and the liquid-crystal SLM by a faster digital micromirror device. They could be synchronized to the photon arrival. Another countermeasure is to use bandpass filters and optical isolators at the entrance of Alice’s device. Alice should also use auxiliary detectors to detect any light entering her device to detect attacks.
a.4 Intercept-resend attack
For the security of the protocol, we need to ensure that the information Eve can gain from intercepting the communication is lower than the mutual information between sender and receiver. Assuming an intercept-resend attack, the information Eve can learn is with the fraction of intercepted photons and the sent information of Alice. Averaged over the compatible bases, we find bit. An eavesdropper can extract a maximum of bit. Therefore, just as in the case of the original BB84, information gain is only possible at the expense of disturbing the signal Nielsen and Chuang (2002). An eavesdropper will be recognized by increasing the error rate of the key generated by Alice and Bob. Alice and Bob will have to compare a random part of their key to decide if they have been eavesdropped. Intercepting a fraction of photons, an attacker introduces an error of
where is the number of symbols. To calculate the quantum bit error rate of the sifted key, we used the Gray code Gray (1953) to encode the x and y position of the symbol in a bit string. In this way, we reduce the bit error rate, since of the error is due to crosstalk to neighboring symbols. In the Gray code, neighboring symbols have a minimum hamming distance of . We calculated the averaged quantum bit error rate over all symbols to be with a standard deviation of for II configuration and and for FF configuration. Assuming Alice and Bob set their threshold to detect eavesdropping to a bit error rate of , where is the averaged quantum bit error rate. In this case Eve could only intercept a fraction of of the photons.
a.5 Basis guess fidelity
In practical QKD, Alice’s basis choice could leak to an eavesdropper via side channels or imperfect encoding. To include this into the model, we added a guess fidelity of . Eve can not guess the basis if , while means that Eve knows Alice’s basis choice. In our experiment, we measured by a correlation measurement performed with classical light. Eve can then extract
from the information Alice sends. Thereby she adds an additional error of
To detect eavesdropping, Alice and Bob must set an error threshold . The error rate introduced by Eve’s perturbation of the quantum channel has to be lower than this threshold to stay unnoticed. The quantum bit error rate including an eavesdropper is
From the relation
the maximum fraction of intercepted photons is
which depends on the fidelity to guess the correct basis and the threshold . The minimum fidelity of Bob reduces to
Now it is possible to calculate the distance of information between Bob and Eve, which is a measure for the secure key rate. The information distance is defined as
The amount of information Bob receives depends on the amount of information Alice transmits and on the channel noise. Therefore
By substituting from equation (13) in this expression, the minimum information distance can be plotted as a function of and in figure 6. Compared to equation (5) the prefactor does not appear, since already a small fraction of the key is enough for parameter estimation. Moreover, the error correction and parameter estimation as well as the uncertainties about Eve’s entropies lower the secret fraction.
The information distance becomes monotonically larger with decreasing threshold , but becomes smaller with increasing , as visible in Fig. 6. If Eve knows Alice’s basis choice (), her measurements will no longer add noise, which allows here to intercept the quantum communication without being detected. In comparison to the finite-key-length secret fraction in the case of collective attacks, the values the minimum secret information is larger.