# Twin-field Quantum Key Distribution without Phase Post-Selection

###### Abstract

The twin-field quantum key distribution (TF-QKD) protocol and its variants, e.g. phase-matching (PM) QKD and TF-QKD based on sending or not sending, are highly attractive since they are able to overcome the well-known rate-loss limit for QKD protocols without repeaters: with standing for the channel transmittance. However, all these protocols require active phase randomization and post-selection, which together play an essential role in their security proofs. Counterintuitively, we find that in TF-QKD, beating the rate-loss limit is still possible even if phase randomization and post-selection in the coding mode are both removed, which means our final secure key rate . Furthermore, our protocol is more feasible in practice and more promising, given its higher final key rate in the valid distance.

## I Introduction

With the help of quantum key distribution (QKD), two distant agents (Alice and Bob) are able to share secret key bits in the sense of information-theoretical security Bennett and Brassard (1984); Shor and Preskill (2000); Gottesman et al. (2004); Renner (2008); Scarani et al. (2009); Braunstein and Pirandola (2012); Lo et al. (2012). Although impressive progress has been made on QKD experiments Stucki et al. (2009); Wang et al. (2012); Shibata et al. (2014); Pirandola et al. (2015); Korzh et al. (2015); Yin et al. (2016, 2017), there is a fundamental limit on secret key rate versus channel transmittance . This limit is sufficiently discussed by researchers Takeoka et al. (2014); Pirandola et al. (2017) and finally revealed as the linear key rate bound Pirandola et al. (2017). For a long distance, the transmittance is much smaller, then . Surprisingly, this limit was overcome by the twin-field (TF) QKD protocol proposed early this year Lucamarini et al. (2018). One may note that the security proof of TF-QKD has been rebuilt in Ref. Tamaki et al. (2018), although its original security analysis in Ref. Lucamarini et al. (2018) is not strict. The physics behind TF-QKD is that Alice and Bob prepare photon-number superposition remotely via coherent states and post-selection.

Inspired by TF-QKD, the phase-matching (PM) QKD protocol is introduced in Ref. Ma et al. (2018). In the PM-QKD protocol, Alice (Bob) prepares weak coherent states randomly and adds a random phase () to each of her (his) weak coherent states, then sends them to an untrusted party Charlie located in the middle of the channel. Depending on the measurement results declared by Charlie, Alice and Bob are able to generate raw key bits after post-selection of the cases satisfying . Another variant of TF-QKD is based on sending or not sending a weak coherent pulse, which can be very robust under large optical misalignment error Wang et al. (2018), but the final key rate is not satisfactory. In its decoy mode, phase randomization and post-selection are still necessary. Consequently, in TF-QKD and its variants, active phase randomization and post-selection seem indispensable to the security of sifted key bits.

However, the phase post-selection may impair its secret key rate in practice. It is still an open question whether the active phase randomization and phase post-selection can be removed. Here, we first introduce a simplified TF-QKD protocol, in which the key bit is encoded in phase 0 or , but unlike PM-QKD, the coding mode does not employ active phase randomization and thus phase post-selection is also circumvented. Therefore, its coding mode is simple and the security proof is totally different from previous protocols. In Section III, the security proof of the proposed protocol is given by estimating the upper bound for latent information leakage. In Sections IV and V, the numerical simulations with practical imperfections show that the performance of the proposed protocol without active phase randomization is satisfactory and even better, i.e., it can beat the linear key rate bound at even shorter distance than other protocols. A conclusion is given in the last section.

## II Simplified TF-QKD

Our simplified TF-QKD protocol removes the post-selection part of the original TF-QKD. First, let us introduce the flow of this simplified protocol as follows.

Step 1. Alice and Bob randomly choose code mode or decoy mode Hwang (2003); Wang (2005); Lo et al. (2005) in each trial.

Step 2.a. If code mode is selected, Alice (Bob) prepares a weak coherent state () according to her (his) random classical key bit or , and sends the prepared state to the untrusted measurement device controlled by Eve.

Step 2.b. If decoy mode is selected, Alice (Bob) emits a phase-randomized weak coherent state with mean photon-number (), where () is randomly chosen from a pre-decided set. Note that the phase of the weak coherent state in decoy mode will never be publicly announced. Thus, in decoy mode, Alice (Bob) actually prepares a mixed state in Fock space.

Step 3. For each trial, the middle receiver Eve must publicly announce a successful message or a failure message to Alice and Bob. If she announces she has to simultaneously declare which message she obtained, or .

Step 4. After repeating steps 1 to 3 a sufficient number of times, Alice and Bob publicly announce which trials are code modes and which trials are decoy modes. For the trials in which Alice and Bob both select the code mode and Eve announces or , the raw key bits are generated. Here, Bob should flip his bit if Eve announces . For the trials in which Alice and Bob both select decoy mode, Alice and Bob can estimate the yield , which means the probability of Eve announcing provided Alice emits -photon state and Bob emits -photon state in a decoy mode. With these parameters, information leakage is bounded so that secret key bits can be generated from raw key bits by error correction and privacy amplification.
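The bookkeeping of Steps 1 to 4, as an added simulation that is not code from the paper. It assumes an honest relay with a 50:50 beam splitter and two threshold detectors whose announcements are labelled "L" and "R" here, success announced only on a single click, a symmetric channel, and constructed decoy intensities; all function names are hypothetical.

```python
import math
import random

DECOY_SET = (0.0, 0.01, 0.05, 0.2)  # constructed decoy intensities (assumption)

def ideal_code_gain(mu, eta):
    """Single-click probability in code mode under the assumed model, no dark counts."""
    return 1 - math.exp(-2 * mu * math.sqrt(eta))

def click(rng, intensity, dark):
    """Threshold detector: fires on a dark count or on at least one photon."""
    return rng.random() < 1 - (1 - dark) * math.exp(-intensity)

def run_protocol(n_trials, mu, eta, p_code=0.5, dark=0.0, seed=7):
    """Run Steps 1-4; returns (alice_key, bob_key, n_code_trials, decoy_gain)."""
    rng = random.Random(seed)
    arm = math.sqrt(eta)  # relay sits midway, so each arm transmits sqrt(eta)
    alice_key, bob_key, n_code = [], [], 0
    decoy_stats = {}      # (mu_a, mu_b) -> [successes, trials]
    for _ in range(n_trials):
        # Step 1: each side picks its mode independently.
        a_code, b_code = rng.random() < p_code, rng.random() < p_code
        # Step 2.a: code mode uses intensity mu and phase 0 or pi set by the key bit.
        # Step 2.b: decoy mode uses a random intensity and a random, unannounced phase.
        a_bit, b_bit = rng.getrandbits(1), rng.getrandbits(1)
        mu_a = mu if a_code else rng.choice(DECOY_SET)
        mu_b = mu if b_code else rng.choice(DECOY_SET)
        th_a = math.pi * a_bit if a_code else rng.uniform(0, 2 * math.pi)
        th_b = math.pi * b_bit if b_code else rng.uniform(0, 2 * math.pi)
        # Interference at the relay: port L sees |a+b|^2/2, port R sees |a-b|^2/2.
        cross = 2 * math.sqrt(mu_a * mu_b) * math.cos(th_a - th_b)
        i_l = max(0.0, arm * (mu_a + mu_b + cross) / 2)
        i_r = max(0.0, arm * (mu_a + mu_b - cross) / 2)
        # Step 3: the relay announces success on a single click and says which one.
        c_l, c_r = click(rng, i_l, dark), click(rng, i_r, dark)
        msg = "L" if c_l and not c_r else "R" if c_r and not c_l else None
        # Step 4: sifting once the modes have been announced.
        if a_code and b_code:
            n_code += 1
            if msg is not None:
                alice_key.append(a_bit)
                bob_key.append(b_bit ^ (msg == "R"))  # Bob flips on the "R" message
        elif not a_code and not b_code:
            stats = decoy_stats.setdefault((mu_a, mu_b), [0, 0])
            stats[0] += msg is not None
            stats[1] += 1
        # Trials with mismatched modes are discarded.
    decoy_gain = {k: s / t for k, (s, t) in decoy_stats.items()}
    return alice_key, bob_key, n_code, decoy_gain

if __name__ == "__main__":
    a_key, b_key, n_code, gains = run_protocol(200000, mu=0.1, eta=0.01)
    errors = sum(x != y for x, y in zip(a_key, b_key))
    print("raw key bits:", len(a_key), "bit errors:", errors)
    print("code-mode gain:", len(a_key) / n_code, "model:", ideal_code_gain(0.1, 0.01))
    print("decoy gain at (0.2, 0.2):", gains.get((0.2, 0.2)))
```

With zero dark counts the two raw keys agree exactly after Bob's flip, and under this model the code-mode gain falls off as the square root of the total transmittance.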

In the rest of the paper, we will focus on the upper bound for the information leakage through the whole protocol.

## III Main Results of Security Proof

For readability, we sketch the security proof and its main results here. One may refer to Appendix A for detailed derivations. We make no more assumptions about Eve than those applied in measurement-device-independent (MDI) QKD Lo et al. (2012); Braunstein and Pirandola (2012). Accordingly, Eve’s general collective attack on the above simplified TF-QKD protocol can be defined as an arbitrary measurement after an arbitrary unitary operation operating on the whole system with her prepared ancilla Renner (2008); Scarani et al. (2009). Under photon-number representation, this collective attack is given by

(1) |

where state is the ancilla of Eve, and are some arbitrary quantum states composed by Eve’s ancilla, A-out and B-out. For simplicity, let’s denote Eve’s message and as the same one , since we are only concerned with Alice’s key bit here, but not Bob’s bit and his flipping operation. We aim to bound Eve’s information on Alice’s key bit when Eve announces message . Through derivations given in Appendix A, it is proved that this upper bound can be solved by the following optimization problem given by

(2) | ||||

with the definition of binary Von Neumann entropy . Here, is the probability of coherent state containing -photons, and is the probability of Alice obtaining a raw key bit in code mode, which is directly observed experimentally. In practice, agents can observe the parameters , , , and . Then, the information leakage bound can be estimated by the above optimization problem. According to Devetak-Winter’s bound Devetak and Winter (2005), the secret key rate per trial in a code mode is then given by

(3) |

in which, is the error rate of raw key bits. This security proof assumes that Eve only launches a collective attack; however, this restriction can be removed by following the results in Refs. Caves et al. (2002); Christandl et al. (2009). Hence, our proof can guarantee the security against coherent attacks. This ends our security proof rigorously.

Before proceeding, let’s roughly estimate the performance of the protocol in the ideal case, in which only channel transmission efficiency is considered, while all other imperfections, e.g. dark counts of single photon detectors, are absent. Then, it is expected that , since the main contribution of and comes from the yield when the total photon number from Alice and Bob is two. With a similar argument, we have . Thus, from Eq.(2) we can see for any provided a proper value of is assumed. Besides, it is obvious that and in the ideal case. Accordingly, from the above formulae, we have . This does reconfirm the expectation that TF-QKD can overcome the linear bound even if phase randomization and post-selection are both removed. In the next two sections, through numerical simulations with practical imperfections, we will show the performance of our protocol with both infinite and finite decoy-state techniques compared with the state of the art.

## IV Estimation and Simulation with Infinite Decoy States

In a practical system, Alice and Bob can emit phase-randomized decoy states Hwang (2003) to estimate . The gain of the decoy states in which Alice emits a pulse with mean photon-number and Bob emits a pulse with mean photon-number shall satisfy

(4) |

where is known by both agents. Considering the ideal case with infinite decoy states and , we can list infinite linear equations like Eq.(4) to calculate accurately. Therefore, the secure key rate can be easily calculated by Eq.(12) with given by Eq.(2). Here we simulate the maximum secure key rates at different losses for multiple protocols, with the infinite-decoy-state implementation and practical experimental parameters. Details can be found in Appendix B. The results are shown in Fig.1.

| Parameters | Values |
| --- | --- |
| Dark count rate | |
| Error correction efficiency | 1.15 |
| Detector efficiency | 14.5% |
| Misalignment error | 0.375% |

We can see that with infinite decoy states, our protocol has a higher key rate than the original PM-QKD because our protocol is phase post-selection free and independent of extra error estimations. Note that the slope of the key rate in our protocol is the same as the linear bound with a single repeater Pirandola (2016) when the fiber loss is less than 60 dB, which reconfirms the advantage of beating the well-known linear bound from 30 dB to 60 dB of fiber loss. In other words, . It is also remarkable that our protocol can outperform BB84 at lower channel loss compared to the original PM-QKD.

## V Estimation and Simulation with Finite Decoy States

Finite decoy states can also help to estimate the lower bound for yields Wang (2005); Lo et al. (2005); Zhou et al. (2016). In a practical system, this implementation is much more feasible than the infinite one. Here we apply decoy states with four different intensities as , , and . After announcement of decoy modes and each applied intensity, we have gains as , , , , , , , , and .

Then we show how those statistics can give good approximations to , , , , and , where means the yield from decoy trials in which Alice and Bob share photons in total. From , , and , we can obtain lower bounds and upper bounds of , , by linear programming on Eq.(4). Similarly, lower bounds and upper bounds of and can be estimated from , , and . Upper bound and lower bound of could also be bounded by the linear programming on four linear equations of , , and . In the following text, we use superscript or to label the upper or lower bound for obtained here. To estimate , through the relation , could be bounded by

(5) |

The remaining task is to constrain , , and with these lower bounds and upper bounds generated from decoy statistics.

Let’s take as an example. From Eq.(2), we have a general bound that limits the as

(6) | ||||

The details of the derivation are included in the appendix. Now we obtain the bounds of these four values based on all the observables in our protocol. The final step is an optimization to find the best information-theoretically secure key rate with Eq.(12) limited by these bounds.

So far, we show how Alice and Bob can estimate the lower bound for the key rates under different losses with four decoy states . We simulate a practical case for multiple protocols. The results are shown in Fig.2. Even in the case of finite decoy states, our protocol’s key rate holds the relation with transmittance as . Consequently, it can still beat the linear bound in the loss range from 40 dB to 60 dB.

| Parameters | Values |
| --- | --- |
| Dark count rate | |
| Error correction efficiency | 1.15 |
| Detector efficiency | 14.5% |
| Misalignment error | 0.375% |

## VI Conclusion

Inspired by the TF-QKD protocol and its variants such as PM-QKD, we proposed a simplified protocol with higher final key rate, in which the raw key bits are generated without active phase randomization and phase post-selection. A meticulous security proof is presented by estimating the information leakage in our protocol. Counterintuitively, our bound for latent information leakage doesn’t rely on the error rate. Meanwhile, its advantage of beating the linear rate-loss limit is still available here, showing that the final key rate over transmittance . Besides, thanks to the removal of phase post-selection, our scheme can outperform the well-known BB84 at a shorter channel distance compared to the original PM-QKD protocol, which means the proposed protocol could be very competitive when channel loss is around dB to dB.

## VII Acknowledgement

This work has been supported by the National Key Research And Development Program of China (Grant Nos.2016YFA0302600, 2016YFA0301702), the National Natural Science Foundation of China (Grant Nos. 61475148, 61627820, 61622506, 61575183, 61675189), and the “Strategic Priority Research Program(B)” of the Chinese Academy of Sciences (Grant No. XDB01030100).

## References

- Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing (IEEE, 1984), pp. 175–179.
- Shor and Preskill (2000) P. W. Shor and J. Preskill, Phys. Rev. Lett. 85, 441 (2000).
- Gottesman et al. (2004) D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, Quantum Inf. Comput. 4, 325 (2004).
- Renner (2008) R. Renner, Int. J. Quantum Inf. 6, 1 (2008).
- Scarani et al. (2009) V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, Rev. Mod. Phys. 81, 1301 (2009).
- Braunstein and Pirandola (2012) S. L. Braunstein and S. Pirandola, Phys. Rev. Lett. 108, 130502 (2012).
- Lo et al. (2012) H.-K. Lo, M. Curty, and B. Qi, Phys. Rev. Lett. 108, 130503 (2012).
- Stucki et al. (2009) D. Stucki, N. Walenta, F. Vannel, R. T. Thew, N. Gisin, H. Zbinden, S. Gray, C. Towery, and S. Ten, New J. Phys. 11, 075003 (2009).
- Wang et al. (2012) S. Wang, W. Chen, J.-F. Guo, Z.-Q. Yin, H.-W. Li, Z. Zhou, G.-C. Guo, and Z.-F. Han, Opt. Lett. 37, 1008 (2012).
- Shibata et al. (2014) H. Shibata, T. Honjo, and K. Shimizu, Opt. Lett. 39, 5078 (2014).
- Pirandola et al. (2015) S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L. Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen, and U. L. Andersen, Nature Photon. 9, 397 (2015).
- Korzh et al. (2015) B. Korzh, C. C. W. Lim, R. Houlmann, N. Gisin, M. J. Li, D. Nolan, B. Sanguinetti, R. Thew, and H. Zbinden, Nature Photon. 9, 163 (2015).
- Yin et al. (2016) H.-L. Yin, T.-Y. Chen, Z.-W. Yu, H. Liu, L.-X. You, Y.-H. Zhou, S.-J. Chen, Y. Mao, M.-Q. Huang, W.-J. Zhang, et al., Phys. Rev. Lett. 117, 190501 (2016).
- Yin et al. (2017) J. Yin, Y. Cao, Y.-H. Li, S.-K. Liao, L. Zhang, J.-G. Ren, W.-Q. Cai, W.-Y. Liu, B. Li, H. Dai, et al., Science 356, 1140 (2017).
- Takeoka et al. (2014) M. Takeoka, S. Guha, and M. M. Wilde, Nat. Commun. 5, 5235 (2014).
- Pirandola et al. (2017) S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, Nat. Commun. 8, 15043 (2017).
- Lucamarini et al. (2018) M. Lucamarini, Z. Yuan, J. Dynes, and A. Shields, Nature 557, 400 (2018).
- Tamaki et al. (2018) K. Tamaki, H.-K. Lo, W. Wang, and M. Lucamarini, arXiv preprint arXiv:1805.05511 (2018).
- Ma et al. (2018) X. Ma, P. Zeng, and H. Zhou, arXiv preprint arXiv:1805.05538 (2018).
- Wang et al. (2018) X.-B. Wang, Z.-W. Yu, and X.-L. Hu, arXiv preprint arXiv:1805.09222 (2018).
- Hwang (2003) W.-Y. Hwang, Phys. Rev. Lett. 91, 057901 (2003).
- Wang (2005) X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005).
- Lo et al. (2005) H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 230504 (2005).
- Devetak and Winter (2005) I. Devetak and A. Winter, in Proceedings of the Royal Society of London A: Mathematical, Physical and Engineering Sciences (The Royal Society, 2005), vol. 461, pp. 207–235.
- Caves et al. (2002) C. M. Caves, C. A. Fuchs, and R. Schack, J. Math. Phys. 43, 4537 (2002).
- Christandl et al. (2009) M. Christandl, R. König, and R. Renner, Phys. Rev. Lett. 102, 020504 (2009).
- Pirandola (2016) S. Pirandola, arXiv preprint arXiv:1601.00966 (2016).
- Zhou et al. (2016) Y.-H. Zhou, Z.-W. Yu, and X.-B. Wang, Phys. Rev. A 93, 042324 (2016).
- Boyd and Vandenberghe (2004) S. Boyd and L. Vandenberghe, Convex optimization (Cambridge university press, 2004).


## Appendix A: Security proof

We make no more assumptions about Eve than those applied in measurement-device-independent (MDI) QKD Lo et al. (2012); Braunstein and Pirandola (2012). In order to bound the information leakage to Eve, we have to describe the ultimate power of Eve under the assumptions. Also, Eve’s strategy must obey the timeline of this protocol. Therefore, Eve’s general collective attack on the above simplified TF-QKD protocol can be defined as an arbitrary measurement after an arbitrary unitary operation operating on the whole system with her prepared ancilla Renner (2008); Scarani et al. (2009). Furthermore, the message Eve announces should also be obtained from the measurement results.

(7) |

where state is the ancilla of Eve, and are some arbitrary quantum states composed by Eve’s ancilla, A-out and B-out. is a probability-like value that shows the portion in which they receive the message from Eve. For simplicity, let’s denote Eve’s message and as the same one , since we are only concerned with Alice’s key bit here, but not Bob’s bit and his flipping operation. Note that this expression does give the most general collective attack, including possible attacks trying to distinguish decoy mode and code mode and treat them differently, since Eve’s ancilla is arbitrary. Indeed, any measurement and following transformation depending on the output of the measurement can be described as a "giant" unitary operator applied to a larger Hilbert space.

Suppose Alice and Bob each have an ancillary qubit to store their classical key bit in code mode. For simplicity, here we assume that Alice and Bob’s random binary bits come from measurements of their qubits in bases. So they set their initial qubits to and prepare a weak coherent state light pulse with average photon-number . Then the initial prepared state is

(8) |

Then Alice and Bob apply a C- gate to upload their information on the output coherent state and measure their private qubits. Recall Eve’s attack given by Eq.(7). For the ease of representation, we define four intermediate unnormalized states labeled by the photon-number’s parity of A-out and B-out.

(9) | ||||

It should be taken into account that Eq.(7) never implies whether are orthogonal to each other or not. It’s obvious that Alice and Bob cannot obtain any direct knowledge of them because they are measured by Eve. After tracing Bob’s qubit out and measuring Alice’s qubit in basis, the unnormalized density matrix of Eve’s ancilla and mode A conditioned that is announced becomes

(10) | ||||

where, . Then the Holevo bound of is upper-bounded by

(11) |

with the definition of binary Von Neumann entropy . The probability of Alice obtaining a raw key bit in a code mode can be presented by . Now, we have clearly shown that Eve’s information on Alice’s classical key bit is bounded by Eq.(11) as , even when the active phase randomization is removed. According to Devetak-Winter’s bound Devetak and Winter (2005), the secret key rate per trial in code mode is

(12) |

in which, is the error rate of raw key bits. To calculate , these four values , , and must be estimated. Obviously, Alice and Bob can relate these values to the direct observables and statistics, i.e.

(13) | ||||

With these constraints, one can estimate the upper bound of . By defining , , , and , we reach Eq.(2) in the main text.

## Appendix B: Details of mathematics in simulation

We derive a simulation scheme for our protocol and give numerical results. Suppose the dark count of each detector is per trial. With zero misalignment of devices and no attack, the gain of code mode should be

(14) |

where is the mean photon-number of pulse from Alice (Bob) in code mode, and stands for the total efficiency. The error rate should be

(15) |

The above formulas accord with the results in Ref. Ma et al. (2018). The misalignment can also be included in both the gain and the error rate, but in our phase-randomization-free protocol we suppose the best performance, in which the misalignment is zero.

If we apply infinite decoy states, the approximation of can be calculated as

(16) |

Here, without compromising security, we treat double clicks as an effective event to simplify the bound of . With the above inequality, Eq.(13) is bounded by parameters in real experiments.

If we apply finite decoy states, we can only obtain good bounds for several with small and . For the case considered in the main text, linear programming on statistics and Eq.(5) helps to bound , , , , and . The upper bound for the right-hand values in Eq.(13) could be calculated as an optimization problem with constraints. Recall the example in the main text.

(17) | ||||

is untouchable by statistics from only four decoy states. But the constraints of total gain give an upper bound for this term. The optimization problem can be described as

(18) | ||||

which could be easily solved numerically. On the other hand, we can use an analytical approach for the upper bound of the aimed function in Eq.(18). By the well-known Karush-Kuhn-Tucker Boyd and Vandenberghe (2004) conditions for solving optimization problems, the maximum is located at the boundary where any with reaches its upper bound and satisfies the conditions. Then the problem is simplified to finding an integer that reaches the maximum value of the aimed function in Eq.(18), say

(19) |

Here at the right-hand side, is an integer waiting for optimization. This inequality is based on the inequality between arithmetic mean and quadratic mean. Then, the optimization problem Eq.(18) becomes

(20) | ||||

(21) | ||||

where the Cauchy-Schwarz inequality is also used. So the optimization problem Eq.(18) becomes finding that can maximize the right-hand side of Eq.(21). So far we get the last line of Eq.(22) in the main text.

(22) | ||||

This method is also effective for estimating upper bounds of , and . We just post the results below.

(23) | ||||

(24) | ||||

(25) | ||||