Multiplexing scheme for simplified entanglement-based large-alphabet quantum key distribution

Multiplexing scheme for simplified entanglement-based large-alphabet quantum key distribution

Adetunmise Dada SUPA, Institute for Photonics and Quantum Sciences, School of Engineering and Physical Sciences, Heriot-Watt University, Edinburgh EH14 1AS, United Kingdom

We propose a practical quantum cryptographic scheme which combines high information capacity, such as provided by high-dimensional quantum entanglement, with the simplicity of a two-dimensional Clauser-Horne-Shimony-Holt (CHSH) Bell test for security verification. By applying a state combining entanglement in a two-dimensional degree of freedom, such as photon polarization, with high-dimensional correlations in another degree of freedom, such as photon orbital angular momentum (OAM) or path, the scheme provides a considerably simplified route towards security verification in quantum key distribution (QKD) aimed at exploiting high-dimensional quantum systems for increased secure key rates. It also benefits from security against collective attacks and is feasible using currently available technologies.

I Introduction

Cryptography is one of the most promising applications of quantum science Ekert (1991). With the recent demonstrations of high-dimensional two-photon entanglement using time bins Stucki et al. (2005); Ali-Khan and Howell (2006) and OAM Dada et al. (2011); Krenn et al. (2014), large-alphabet entanglement-based quantum key distribution (QKD) systems become closer to their real-world implementations and applications. The traditional approach to large-alphabet QKD based on Bell’s theorem involves encoding a key in a high dimensional degree of freedom, such as photon OAM, and verifying the security of the generated key using a test of a Bell inequality which requires projective measurements in high-dimensional mutually unbiased bases Klimov et al. (2009). This is a straighforward generalization of the original protocol introduced by Ekert in 1991 (E91) Ekert (1991); Kaszlikowski et al. (2003) and its modifications, such as proposed in Ref. Acin et al. (2006).

E91-based protocols have been demonstrated for qubits using polarisation Ling et al. (2008) and using time-energy entanglement Tittel et al. (2000). A Bell-type test of energy-time entangled qutrits has also been realised Thew et al. (2004). Reported Bell-test-based QKD experiments using OAM qutrits Gröblacher et al. (2006) have implemented a randomized selection of dichotomous measurements instead of full projective measurements in a 3-dimensional state space. Although projective measurement for detection of high-dimensional OAM states of light with up to 11 different outcomes is now within reach Berkhout et al. (2010); Lavery et al. (2011), it still remains an experimental challenge to perform them in arbitrary qudit bases. In the case of high-dimensional time-bin states, such unitary operations would require multi-path interferometric setups which become too cumbersome to implement for a high number of dimensions. Although a scheme for large-alphabet QKD has been proposed and realized using energy-time entanglement Ali-Khan et al. (2007), the applicability of this scheme is specific to this kind of entanglement and the security verification is highly device dependent as it places stringent conditions on timing resolutions of the detectors, which limits key generation rates.

Security verification of quantum key distribution schemes is a complicated problem in general. Security proofs have been provided for Bell-test-based QKD against the so-called collective attacks Biham and Mor (1997a) as well as the most general coherent attacks in the standard security scenarios Acín et al. (2007). However, proofs of device-independent security against these sophisticated attacks are not yet available in the case of entangled qudits requiring Bell tests generalised to high-dimensions Pironio et al. (2009).

Here, we propose an approach to large-alphabet entanglement-based QKD which circumvents these problems by avoiding the need to perform high-dimensional unitary rotations required for measurements in different mutually unbiased bases, resulting in a much simplified measurement setup. The scheme presented here also benefits from security proofs for QKD based on entangled qubits against collective attacks. Our approach is in principle applicable to any system in which it is possible to create bipartite two-dimensional entanglement in one degree of freedom and high-dimensional correlations in another. Although we will use an example with photon polarization and OAM to illustrate the protocol, the principle can be applied to other systems using other degrees of freedom to encode large secret keys.

The very essence of large-alphabet QKD is the possibility of a large rate of key generation. In practice, for a given entanglement-based QKD system, the minimum applicable coincidence detection time window is an important factor limiting the maximum rate at which it is possible to generate secure keys per run, i.e., a single transmission and detection of the source state. The higher the number of dimensions offered by the source state, the higher the maximum possible key rate per run for a given . The development of OAM sorters makes genuine large-alphabet key generation using up to 11-dimensional OAM entanglement feasible. This will also allow for a higher data rate per photon pair, as the detection of the photonic qudits would not need to be implemented as (probabilistic) dichotomous measurements as has been the case in previous experiments Gröblacher et al. (2006); Dada et al. (2011). It is also straightforward to implement projective measurements in computational (unrotated) time-bin bases. In what follows, we will first describe the existing generalizations of the E91 protocol. We will then describe the source state, measurement setup, and security considerations for our proposed scheme. Finally, we will conclude with a few remarks on the realizability of the proposed experimental implementations.

Ii Generalized E91 protocol

To establish our scheme, let us first review the basic entanglement-based large-alphabet QKD resulting from a direct generalization of the E91 protocol and its variants. Assume a source producing photon pairs in the state


Here we use the notation , where denotes tensor product. In terms of OAM eigenstates for example, this may be written as the maximally entangled state


where for all when is odd, and , when is even.

In a Bell inequality test experiment, each of the communicating parties ‘Alice’ (A) and ‘Bob’ (B) will have a photon OAM detector with outcomes per setting and two settings/measurements: and respectively, which maximize Bell inequality violation. For the QKD scheme, there is an additional setting for each detector, i.e., for Alice and for Bob, chosen to produce perfect correlations. In a variant of Ekert’s scheme modified for increased key generation efficiency Acin et al. (2006); Acín et al. (2007); Pironio et al. (2009), only Alice’s detector uses an additional setting, i.e., , which is chosen to produce perfect correlations when Bob measures with setting for the purpose of key generation. Although our scheme is directly applicable to this higher-efficiency version, we mainly illustrate here using Ekert’s scheme for clarity.

Figure 1: (Color online) Schematic diagram for a suggested implementation of the proposed simplified large-alphabet entanglement-based quantum key distribution using OAM and polarization. (a) Preparation of the two-photon state [Eq. (III.1)] or [Eq. (8)] using spontaneous parametric down conversion (SPDC) in a -barium borate (BBO) nonlinear crystal cut for type-I spontaneous parametric down conversion. The preparation uses an OAM parity sorter Leach et al. (2002), a polarizing beam splitter (PBS) and a non-polarising 1:1 beam splitter (BS). (b) Measurement setup for Alice (Bob). Measurements 1, 2, and 3 i.e., and () are respectively selected randomly (e.g., using beam splitters) on Alice’s and Bob’s side. For the Bell test, Alice (Bob) adds (subtracts) of OAM for vertically polarised photons using PBS1, SLM1 (OAM) and PBS2. Then Alice (Bob) sets the half-wave plate (HWP2) orientation angle to implement the randomly chosen measurement (/ or /). HWP2 and PBS3 are used for polarization analysis in the Bell-test, after which Alice (Bob) may then choose to reverse the first operation by using SLM2 (OAM) and PBS4. OAM sorting Berkhout et al. (2010) is used to resolve the qubit subspaces and/or establish the key (measurement 3).

Alice and Bob independently choose their settings at random and also note their detection results independently. After sufficiently many measurement runs, Alice and Bob perform basis reconciliation through one-way classical post processing Kraus et al. (2005), followed by privacy amplification on the raw key.

When the combination (or ) is selected by Alice and Bob, the measurement results are used for the secret key as they are perfectly correlated on both sides. To determine the security of this key, the correlation in the rest of the data will be checked for eavesdropping through a Bell inequality test, for example using Bell inequalities generalised to -outcomes per measurement proposed by Collins et al. Collins et al. (2002), equivalent to the CHSH-Bell inequality Clauser et al. (1969) when . Only cases in which the combination of measurement settings involve and are used for this test, while the remaining results are discarded. After basis reconciliation, Bob announces his data for the Bell inequality check, and Alice computes the value of the Bell parameter . If , then the key is secure and the eavesdropper, Eve, will not have gained any useful information on the key. The secret key can then be used in any cryptographic communication between Alice and Bob.

Implementing the above requires full projective measurements in the OAM state basis in a -dimensional subspace, corresponding to . This may be realized, e.g. for up to using OAM mode sorters as mentioned above. However, full projective measurements whose operators have eigenstates which are OAM superpositions are also required. It is nontrivial to realize such measurements because it requires a unitary operation within the high-dimensional OAM subspace being considered before the OAM detection. The implementations of such operations are difficult to derive in general, and have not yet been realized experimentally.

Iii Proposed scheme

iii.1 State preparation

We propose a state which replaces the need for measurements in high-dimensional rotated bases with the simplicity of a two-dimensional CHSH Bell test for the verification of the security of generated key. To appreciate how our source state relates to hybrid entangled states, consider the state expressed in terms of the composite OAM and polarisation basis states (where denotes the OAM, ; and denotes the prolarization ) as


with for even . Note that this state combines -dimensional orbital angular momentum entanglement and polarization entanglement in a way similar but quite different from the cases of the so-called hyper-entangled Barreiro et al. (2005), hypoentangled 111N. K. Langford, Ph.D. thesis, Univ. of Queensland (2007) or entangled entangled Walther et al. (2006) states. In hyper-entanglement, a measurement of OAM will not destroy polarization entanglement and vice versa. In hypoentanglement, measuring either polarization or OAM destroys entanglement in the other degree of freedom. Here measuring OAM completely destroys polarization entanglement, but the converse is not true. We note that the division of the subspaces (e.g. into odd and even OAM parities in this example) can also be done in other ways, depending on the specific realization and experimental convenience. State (III.1) can be rewritten, as


Here is an entangled state within the th OAM subspace. Although this state is (hypo)entangled in both polarization and OAM, only the classical correlation in OAM is strictly necessary for our scheme.

Source state: Our source state is of the form


Where is an entangled state in polarisation within an OAM subspace specified by . The source state could be obtained either by post-selection or deterministically (denoted by superscripts P and D respectively) as outlined below.

iii.1.1 State preparation: Post-selective case

Suppose we define


Note that this state is a combination of photon pairs, with each pair hypoentangled in both polarisation and OAM in unique OAM subspaces.

A source state for our scheme [of the form Eq. (5)] could be obtained by post-selection from


which is a product state of pairs of OAM-entangled photons where is the two-photon state expressed in Eq. (III.1). A proposed scheme to obtain from common spontaneous parametric down conversion (SPDC) sources is illustrated in Fig. 1(a). This involves generating OAM entanglement by type-I collinear parametric downconversion with a defined polarization, say horizontal (). The co-propagating photon pairs entangled in OAM are passed through an OAM parity (even/odd) sorter Leach et al. (2002). A half-wave plate is then inserted after one of the output arms which rotates to vertical polarization , coupling OAM parity to polarization. The state represented in Eq. (8) could then be generated by choosing parameters of the SPDC source to create more than one entangled photon pair simultaneously. It is well known that a desired probability of multiple pair generation per pump pulse can be achieved according to the theoretical -pair creation probability Kok and Braunstein (2000)


where is a real-valued coupling coefficient which is proportional to the product of the pump amplitude and the coupling constant between the electromagnetic field and the nonlinear crystal. The source state for our scheme can then be obtained by final postselection on state represented by Eq. (III.1). This can be done by registering only the values of for which both Alice and Bob have a single detection each per OAM subspace in one run. To achieve this, it suffices to use detectors which distinguish between zero, one, and more than one photon. Such detectors have been experimentally demonstrated Kwiat et al. (1994); Takeuchi et al. (1999). Also, actual photon-number-resolving detectors have been realised (e.g., see Kardynał et al. (2008); Dauler et al. (2009)) with increased detection efficiencies Calkins et al. (2013).

iii.1.2 State preparation: Deterministic case

A more suitable approach, however, is to prepare the source state in a deterministic way by, e.g., using an array of polarization-entangled-photon sources (EPS) generating exactly one photon pair at a time. Existing semiconductor quantum dot (QD) systems provide a suitable platform for single photon generation Akopian et al. (2006); Stevenson et al. (2006), as well as generation of entangled photon pairs on demand with high efficiency MullerM. et al. (2014). Rapid experimental progress is also being made towards implementing arrays consisting of several QD high-fidelity-entangled-photon-pair emitters on the same chip Juska et al. (2013). Here, we propose a setup utilising EPS (see Fig. 2). OAM of , for example, is then individually imprinted on photons emitted by the source to yield state , resulting in basis states that are assigned as shown below. The photons in an entangled pair are usually generated using the biexciton-exciton-vacuum cascade, and are separable based on their wavelength. Individual photons from different pairs may then be combined into one beam using an OAM combiner (i.e., a coherent OAM sorter operated in reverse) to obtain the source state [Eq. (5)]. For this case, the entangled state within the th subspace defined as


We note that the source state[Eq. 5] is essentially the same for both the probabilistic and deterministic preparations except for a change in the basis state assignment of the OAM measurement. This basis selection is simply for the convenience of experimental implementation specific to each method of state preparation.

Figure 2: (Color online) Schematic diagram for a deterministic implementation of the proposed QKD scheme (a) Suggested preparation of the source state using an array of single-entangled-photon-pair sources (EPS), spatial light modulators (SLMs), splitters, and OAM combiners. (b) Suggested measurement setup for Alice (Bob). Measurements 1, 2, and 3, i.e., and () are respectively selected randomly (e.g., using beam splitters) on Alice’s and Bob’s side. For the Bell test, Alice (Bob) sets the half-wave plate (HWP3) orientation angle to implement the randomly chosen measurement. HWP3 and PBS6 are used for polarization analysis in the Bell-test. As in Fig. 1, OAM sorting is used to resolve the qubit subspaces and/or establish the key.

iii.2 Measurement settings

As in the standard case for the generalised E91 protocol described in Section II, our scheme using the state (5) also involves three measurement settings randomly and independently chosen by Alice and Bob. However, the settings and are now achieved using polarization measurements for maximal CHSH-Bell inequality violation. These measurement settings each have two outcomes “+” and “-”. For key generation, and , (or and ) are the same as described above. An important aspect of our scheme is to perform both key generation and Bell tests individually in each th subspace (or channel), and simultaneously for all , using the same Bell-test setup.

iii.2.1 Measurement: Post-selective case

To achieve the simultaneous measurements for the case of the non-deterministic state preparation outlined in Section III.1.1 above, Alice and Bob need to first perform local operations which make the respective OAM states degenerate for orthogonal polarisations of Alice’s and Bob’s photons within each th subspace, i.e., to disentangle the polarisation and OAM degrees of freedom. This can be achieved if, e.g., Alice (Bob) subtracts (adds) of OAM for the vertically polarised photons [using the combination of PBS1, SLM1 and PBS2 in Fig. 1 (b)]. This operation by Alice and Bob can be described by the transformations and where


Note that this only causes a transformation of the basis states defined in Eq. (III.1.1) as follows,


A combination of a HWP and a PBS can now carry out the Bell-test polarisation measurements ( or ) for each value of .

We can write the CHSH inequality in the th subspace as


where the correlation coefficients of the measurement performed by Alice and by Bob are defined as


and are probabilities for equal and unequal outcomes respectively, determined experimentally using the coincidence rates within each th subspace. The detector settings for the CHSH Bell inequality violation could be specified as measurements in the bases , where


In the sign above, ‘’ applies to Alice and ‘’ applies to Bob. A half-wave plate oriented at an angle rotates the measurement basis of a polarizing beam splitter (PBS) i.e., to . If we set


as values of for and respectively so that Alice and Bob always measure in bases which are mutually unbiased with respect to each other, then we will ensure the commutativity of Alice’s and Bob’s measurement outcomes and get the maximal violation of for each th subspace of state (5). Using the basis notation defined above [Eq. (III.2.1)], the corresponding Bell operator Braunstein and Mann (1995); Braunstein et al. (1992); Acín et al. (2002) can be written as


Obtaining the statistical data for the Bell test requires either carrying out a detection which resolves both polarisation and OAM or, as illustrated in Figure 1 (b), reversing operation to re-establish OAM-polarisation entanglement (using SLM2 and PBS4), and then carrying out OAM detection. We define the operations to reverse as


Since the state within the th subspace [Eq. (6)] is maximally entangled, it gives a maximal violation of the CHSH inequality based on operator (III.2.1)


iii.2.2 Measurement: Deterministic case

When the state is prepared deterministically as described in Section III.1.2, operators and [Eqs. (12) and (19)] are not necessary for the measurements. As in the non-deterministic case, the Bell test is carried out using a combination of a HWP and PBS [see Fig. 2 (b)], but photon number resolution and final postselection are not required. Due to the difference in basis assignment in this case, we redefine the detector settings for the CHSH Bell inequality violation as measurements in the bases , where


The optimum settings (specified by ) for the HWP are the same as in Eq. (17) above, and the resulting Bell operator for this case [see Eq. (III.1.2)] is


The state represented by Eq. (10) is also maximally entangled within the th subspace for this case, and it gives a maximal violation of the CHSH inequality based on operator (III.2.2) when the key has not been eavesdropped.

iii.3 Security against collective attacks

Any eavesdropping of the key is essentially a measurement strategy that will destroy polarisation entanglement which is used to establish the key. This in turn degrades the CHSH Bell inequality violation Ekert (1991) in any respective OAM subspaces. A collective attack is one in which the eavesdropper (Eve) applies the same operation on each of Alice’s and Bob’s particles, but has no other limitations. In particular, she is allowed to have access to a string of qubits from Alice/Bob at one time, and to other dimensions of their particle states, even possibly unknown to Alice/Bob. Since Eq. (5) is a product state of entangled qubits pairs, our scheme is essentially a multiplexing of multiple polarisation-entangled qubit pairs by means of a higher-dimensional degree of freedom, followed by independently testing the CHSH Bell inequality simultaneously—Eve’s access to one or more source states in our scheme is equivalent to her access to a string of qubits on which she can perform joint (coherent) measurements. Therefore, the security of our scheme is completely guaranteed by the security of the individual qubit-based schemes against collective attacks Biham and Mor (1997a). This, in turn, implies security against the most general, so-called coherent attacks Biham and Mor (1997a, b) if an application of the exponential quantum de Finetti theorem can be made Renner (2007). This is indeed the case in our scheme (under the assumption of finite-dimensional subsystems) because our source state is invariant under permutation of Alice and Bob, and their measurement outcomes are commutative, as mentioned above [Eq. (17)]. These results apply fully to our large-alphabet protocol since it is equivalent to simultaneous but independent 2-qubit secure protocols. The total bit rate generated securely against collective attacks as a function of Bell parameters can therefore be written as Acín et al. (2007)


where is the binary entropy and is the quantum bit error rate for channel . As shown in Fig. 3, the larger the measured Bell violation, the higher the secure key rate per run. Our scheme gives a -fold enhancement over the traditional 2-qubit schemes as a large-alphabet scheme, but uses a much simplified Bell-test measurement setup compared to traditional large-alphabet schemes.

Figure 3: (Color online) Comparison of the minimum secure key rate as a function of the Bell parameter and the quantum bit-error rate (QBER) , in a single run, for our scheme with a qubit-based E91-type protocol Acín et al. (2007); Pironio et al. (2009). We assume that the quantum bit error rate and Bell parameter for each channel is the same, i.e., , and respectively for all . Our scheme shows a -fold enhancement in secure key rate.

The implications of loopholes for QKD based on Bell’s theorem is worthy of some mention here. Closing the locality loophole in general requires enforcing a space-like separation between Alice and Bob as required for testing non-locality Aspect et al. (1982), but in the context of our QKD scheme, it would be sufficient to guarantee that no quantum signals can travel from Alice to Bob by ensuring proper isolation of Alice’s and Bob’s locations Pironio et al. (2009). Also, a proper closure of the detection loophole is required for completely guaranteed security. This seems promising as it has already been achieved in a photon-based Bell-test experiment Giustina et al. (2013).

Iv Conclusion

Our scheme offers significant advantages over current generalised E91 schemes. It results in a greatly simplified security verification and key generation setup which does not get more complicated with increasing , except for an increase in the number of output ports of the OAM sorting device. It thereby provides a route to boosting the secure key rates in entanglement-based QKD without the usual increased complexity of Bell tests in high dimensions. It also benefits from the relative tolerance two-dimensional Bell tests to measurement error. Although it is known that the amount of violation for an actual -dimensional Bell test increases with , these increments are marginal even in the ideal case, and level off as increases Collins et al. (2002); Dada and Andersson (2011). Also, the high sensitivity of the complicated measurement setup to errors will usually overwhelm these increments even for modest values of , resulting in smaller violations than in the qubit case. Another advantage of our scheme where an SPDC source is used is that non-maximal high-dimensional entanglement will not generally degrade the the verification of security. For example, the spiral bandwidth Torres et al. (2003) of the SPDC source will not generally degrade Bell violation, but will only limit the effective number of OAM channels in the non-deterministic case. Whereas, if generalised OAM-based Bell tests are used without procrustrean filtering, then a small spiral bandwidth might cause a failure of the Bell test for an entangled state Dada et al. (2011).

In summary, this paper has described a practical scheme in which a single CHSH-Bell test setup combined with a full projective measurement is sufficient for security verification even for a large-alphabet scheme capable of arbitrarily large key rates per run. The scheme is simpler to implement than existing generalizations of E91 protocol to high-dimensions because it circumvents measurements in mutually unbiased bases in high dimensions, while maintaining capacity for large key-rate and security against collective attacks. A second significant advantage is that non-maximal high-dimensional entanglement will not necessarily degrade the verification of security. We point out that the scheme is realisable using current technology by mentioning two examples for generating applicable source states, namely, spontaneous parametric downconversion and, more suitably, source of single pairs of entangled photons, such as semiconductor quantum dots. From the point of view of real-world applications of high-dimensional QKD based on photon OAM in free space, judicious selection of basis states Pors et al. (2011); Malik et al. (2012) will increase resilience against decoherence induced by atmospheric turbulence in a free space implementation. Although this can be applied within the framework of this scheme, implementations with time bins Tittel et al. (2000); Marcikic et al. (2004) or path appear especially promising for long distance applications. The complexity of security verification in large-alphabet entanglement-based QKD makes it apparent that the simplified scheme presented here will likely enable otherwise infeasible secure key rates in QKD, enabling more practical implementations of entanglement-based technologies.

V Acknowledgements

The author acknowledges the Engineering and Physical Sciences Research Council [EPSRC (grant numbers: EP/I023186/1, EP/K015338/1)] and the Scottish Universities Physics Alliance (SUPA) for funding, Prof. Brian Gerardot and Prof. Gerald Buller for support, and Dr. Ryan Warburton, Dr. Jonathan Leach and Prof. Miles Padgett for stimulating discussions.


Comments 0
Request Comment
You are adding the first comment!
How to quickly get a good reply:
  • Give credit where it’s due by listing out the positive aspects of a paper before getting into which changes should be made.
  • Be specific in your critique, and provide supporting evidence with appropriate references to substantiate general statements.
  • Your comment should inspire ideas to flow and help the author improves the paper.

The better we are at sharing our knowledge with each other, the faster we move forward.
The feedback must be of minimum 40 characters and the title a minimum of 5 characters
Add comment
Loading ...
This is a comment super asjknd jkasnjk adsnkj
The feedback must be of minumum 40 characters
The feedback must be of minumum 40 characters

You are asking your first question!
How to quickly get a good answer:
  • Keep your question short and to the point
  • Check for grammar or spelling errors.
  • Phrase it like a question
Test description