User-defined quantum key distribution
Quantum key distribution (QKD) provides secure keys resistant to code-breaking quantum computers. As headed towards commercial application, it is crucial to guarantee the practical security of QKD systems. However, the difficulty of security proof limits the flexibility of protocol proposals, which may not fulfill with real application requirements. Here we show a protocol design framework that allows one to securely construct the protocol using arbitrary non-orthogonal states. Multi-mode entangled source is virtually introduced for the security analysis, while coherent measurement is used to provide raw data. This ‘arbitrary’ feature reverses the traditional protocol-decide-the-system working style, such that the protocol design now can follow what the system generates. We show a valuable showcase, which not only solves the security challenge of discrete-modulated coherent states, but also achieves high performance with no more than 256 coherent states. Our findings lower the requirement for system venders with off-the-shell devices, thus will promote the commercialization of QKD.
BB84 protocol BB84_1984 () started the era of quantum cryptography, among which quantum key distribution (QKD) Gisin_RevModPhys_2002 (); Scarani_RevModPhys_2009 (); Lo_NaturePhoton_2014 () is the most applicable technology, providing physical-layer protection of information transmission through secure distribution of private keys. For cost-effective implementation, a practical system usually carries out the prepare-and-measure (PM) scheme of a QKD protocol, in which non-orthogonal states are randomly prepared by Alice (the sender), and transmitted to Bob (the receiver), who will measure the states with either single-photon detection or coherent measurement (homodyne or heterodyne detection) Ralph_PhysRevA_1999 (); Grosshans_PhysRevLett_2002 (); Weedbrook_PhysRevLett_2004 (); Patron_PhysRevLett_2009 (). Systems with coherent detectors are more attractive to commercial companies, due to its room-temperature operation feature and the compatibility with mature product chain of telecommunication. Protocols with coherent measurement usually encode key information on quadratures of a quantum optical state, which are usually called continuous variable (CV) protocols Braunstein_RevModPhys_2005 (); Weedbrook_RevModPhys_2012 (); Diamanti_Entropy_2015 ().
The most influential CV protocol is GG02 protocol using Gaussian modulated coherent states Grosshans_PhysRevLett_2002 (); Grosshans_Nature_2003 (). It later evolves to various Gaussian protocols Weedbrook_PhysRevLett_2004 (); Patron_PhysRevLett_2009 (); Pirandola_NaturePhys_2008 () with theoretical security proof Acin_PhysRevLett_2006 (); Patron_PhysRevLett_2006 (); Furrer_PhysRevLett_2012 (); Leverrier_PhysRevLett_2015 (); Leverrier_PhysRevLett_2017 (), outperforming other CV protocols. To maintain the practical security Scarani_RevModPhys_2009 () of a protocol running in a system, the system should fulfill the theoretical assumptions in security proof. However, even the most state-of-the-art components cannot remove all the theory-experiment mismatches, for instance, the continuous modulation of Gaussian protocols can never be achieved with finite resolution digital-to-analog-convertor (DAC) Paul_PhysRevA_2012 (). These mismatches also are one of the motivations for the exploration of CV protocols using discrete modulation Zhao_PhysRevA_2009 (); Weedbrook_PhysRevA_2018 (); Leverrier_PhysRevLett_2009 (), but their performances are not promising as Gaussian protocols. Therefore, it’s desired for such a protocol that it is adjustable according to practical systems.
Here we move one step forward, proposing a new CV protocol design framework, which allows one to construct the protocol using arbitrary non-orthogonal states with rigorous security analysis. Numerous protocols can be proposed by choosing different non-orthogonal states, which can be discretely or continuously distributed, and can be pure or mixed. This ‘arbitrary’ feature makes the protocol design can be customized by any system vendor according to what they can actually manufacture.
The framework contains two duel schemes, one is the PM scheme, and the other is the entanglement-based (EB) scheme Grosshans_QIC_2003 (), which is the core design of our framework. The main idea is that Alice uses multi-mode entangled state as the source, and conducts positive-operator valued measures (POVMs) and coherent measurements on different modes. The results of POVMs correspond to the key information in Alice’s side, and decide which state is sent out. The results of coherent measurements are used to estimate the correlation between Alice and Bob, through which the lower bound of the secret key rate can be calculated.
Let us explain our framework using schematics in Fig. 1. Due to finite resolution of devices, discrete modulation is always the case in practical applications, therefore we describe our framework in discrete form. The PM scheme of our framework is quite similar as a general QKD protocol. There are different non-orthogonal states that Alice could possibly send to Bob with non-zero probabilities . For each time, which state will be sent is decided by the first random number (a complex number or a vector) generated by a quantum random number generator (QRNG). Bob measures the received state with coherent measurement, and then they do the post-processing Bennett_IEEE_1995 (); Renner_conference_2005 (). The difference is, Alice additionally needs a second sequence for the security analysis (see explanation later).
The equivalence of the EB scheme lies in the design of Alice’s entangled source and measurements. The entangled source is an -mode purification of the mixed state , in which the subscript represents modes , represents modes , and . Alice keeps modes and , while sends mode to Bob. The measurements for modes are POVMs, with the results recorded as ; and the measurements for modes are heterodyne measurements, with the results recorded as . We require that these measurements will project mode onto a state . After sending the state to Bob, the rest are the same as the PM scheme.
To show the validity of our framework for arbitrary non-orthogonal states, we first give a sufficient condition to find such an -mode purification. It is that which state is sent to Bob is only decided by the POVMs results . This means the sub-state of modes and conditioned on the results is a product state, . Then among the purifications of such mixed state , the entangled source and the corresponding POVMs for modes can always be found. This sub-state product feature is also the necessary condition if the non-orthogonal states are coherent states.
Second, we explain how to calculate the secret key rate. Here we restrict to the reverse reconciliation and asymptotic case Grosshans_Nature_2003 (); Devetak_Proc_2005 (), which is the base for other cases. The key part is to evaluate the Holevo information Holevo_Probl_1973 () between Bob’s data and the quantum adversary, whose upper bound can be got through the covariance matrix thanks to the Gaussian state extramelity theorem Wolf_PhysRevLett_2006 (); Patron_PhysRevLett_2006 (). However, the POVMs for modes make incomplete. More specifically, if is expressed in the form of several sub-matrices,
then the covariance term is unknown. For other terms, , and can be theoretically calculated, and can be estimated through the measured data. Now becomes a function of an unknown variable . Nevertheless, the uncertainty principle puts a constraint on the covariance matrix of a physical state Weedbrook_RevModPhys_2012 (), which limits the possible value of to a set . If we denote as the real eavesdropping induced , then . Therefore, by finding the maximum through traversing the set , we can define the secret key rate as
where is the classical mutual information, and is the reconciliation efficiency.
Now we can explain what the second sequence in the PM scheme is. Originally, it should be the measurements results , which can be simulated by a QRNG since all modes are kept in Alice’s side. If further exploiting the product feature of , the estimation of requires only the mean values of quadratures for the sub-state . Then a simpler form of the second sequence is , where , and . This simple form can be realized digitally in the processer, since it’s decided by the first random number, not independently random. Therefore, the PM scheme has no change in hardware comparing to the existing CV-QKD system.
System vendors, as the direct user of protocols, used to build the system following the instruction of a protocol. Now in contrast to this tradition, the protocol can be customized following a practical system. A vendor can start with checking what states their system can generate, then set the probability of sending each state. For the rest, one can follow our framework to find a proper -mode purification, and the secret key rate formula can be got.
Protocols using coherent states are usually the choice of vendors due to the low-cost laser source. The state is generated by modulating the laser with an intensity modulator (IM) and a phase modulator (PM) or a quadrature-phase shift keying (QPSK) modulator, followed by a strong attention. Such modulation using off-the-shell devices usually suffers problems as discretization, non-linearity and noise. To check what the state is actually generated, one can use an additional measurement structure, shown in Fig. 2. The modulated light passes a beamsplitter before entering the attenuator, and a large portion of it goes to a heterodyne detector. Then the modulation result can be read-out with high signal-to-noise ratio (SNR), since the noise figure of classical detectors performs well in the bandwidth of a QKD system (usually less than GHz). This step can be a pre-calibration procedure, or a continuous feedback during the whole running time. Once the map between Alice’s data and its real modulation result is set up, it can also be used to compensate the modulation error. Only small deviation remains.
We found an effective way to build the EB scheme for the case using coherent states. We choose three-mode entangled source for simplicity, and our design principle is to maximize the correlation between modes and , which can limit the eavesdropper. This leads to the choice for each that it’s also a coherent state with the mean value linearly dependent on . Following this way, one only needs to find a two-mode entangled state , then mode passing a beamsplitter will result in the , as shown in Fig. 3.
To achieve the same high performance as ideal Gaussian protocols, our framework can reduce the necessary number of used coherent states to no more than 256. Comparing to generating around 1 million coherent states in Gaussian protocols, requested to suppress the theory-experiment mismatch Paul_PhysRevA_2012 (), this will greatly reduce the complexity of state preparation. Now only 4-bits resolution for each quadrature’s modulation is required, which means the modulation noise is negligible, considering the fact that the equivalent-number-of-bit (ENOB) for an off-the-shell DAC can usually reach higher than 10 bits. Different constellation of will influence the protocol’s performance. We show some performance simulations of standard quadrature-amplitude-modulation (QAM) with different number of states in Fig. 4, which is commonly used constellation in classical telecommunication. One can find that with proper settings, 256-QAM can reach the performance almost the same as ideal Gaussian case. And for the low noise case, the number of coherent states can be further reduced to 64, or even lower as 16 for short range. Small-deviation non-standard QAMs, which may happen due to the uncompensated modulation non-linearity, have the similar performances.
Other constellation maps can also be introduced, and run on the same hardware. The switch among pre-set or freshly user-defined constellation maps can be actively controlled by customers, through software-defined manner. This complies the trend of telecommunication network. Combined with the simple modulation and allowance for using off-the-shell devices, our framework will promote the commercialization of QKD.
We thank C. Su, L. Lu, Y. Zou, Y. Cai and B. Xu for discussions. This work was supported by the National Natural Science Foundation under Grant 61531003.
Appendix A: Secret key rate
Here we explain our derivation of the secret key rate formula. The state-of-the-art security analysis method is deriving the secret key length formula in the finite-size regime under the universal composable framework (UCF) Furrer_PhysRevLett_2012 (); Leverrier_PhysRevLett_2015 (); Leverrier_PhysRevLett_2017 (). First, one needs to reduce the full formula (quantized by the smooth min-entropy) to a lower bound, which usually is the asymptotic secret key rate with modification terms related to the block size. Then derive a lower bound of the asymptotic secret key rate, which should be calculable through only the measured data. The first reduction relies on several theoretical theorems, differing for different entangled states and measurements used in the protocol, and this is an open question for our framework. Therefore, here we focus on the asymptotic secret key rate formula, and discuss the reverse reconciliation case.
A generally used secret key rate for the asymptotic case is the Devetak-Winter formula Devetak_Proc_2005 (),
where is the classical mutual information between Alice and Bob, is the classical reconciliation efficiency, and is the Holevo information between Bob’s data and the adversary Holevo_Probl_1973 (). Usually, can be replaced by any of its upper bounds , among which the Gaussian state extramelity theorem Wolf_PhysRevLett_2006 (); Patron_PhysRevLett_2006 () induced upper bound is the most commonly used case. Because its calculation only relies on the covariance matrix , which can be estimated through the experimental data.
The covariance matrix of a N-mode state is defined as Weedbrook_RevModPhys_2012 (),
where , , and . Suppose is the covariance matrix of the state , which is the state after mode of the entangled source arriving at Bob’s side through the channel. It can be represented using several sub-matrices,
where , and are covariance matrices for modes , and , and , and are covariance terms between different modes.
Among all these sub-matrices, , and can be directly calculated from , since modes and are kept in Alice’s side. and can be estimated after Alice and Bob randomly sharing part of their coherent measurement results. The only unknown sub-matrix is , since the measurements for modes are not coherent measurements now.
Nevertheless, the covariance matrix for a -mode state is constrained by the uncertainty principle Weedbrook_RevModPhys_2012 (), which is
where , and
We denote as the set of all satisfying this constraint for , which is
If is the real eavesdropping induced , then . It can be understood that is a function of now. Then by traversing the set for all possible , we can find the maximum of . Then the secret key rate can be wrote as
Next we briefly introduce the calculation method for each term. For , it can be expressed as , in which is the Shannon entropy of Bob’s measurement results, and represents the information that Bob sends to Alice for the data reconciliation. Both these terms can be got from measured data and the error correction step. The reason that we usually separate into and in theoretical study is this helps numerical simulation, which is used to evaluate the performance of a protocol. Given the channel model (usually required to fit the experimental environment), the probability can be got from the model, which is the probability of getting Bob’s measurement result given Alice sending the state . And the overall probability will be . If is a discrete variable quantized from the measurement result, then
If consider as the continuous variable for some theoretical research, the sum of will be replaced by integration. The reconciliation efficiency can be set according to certain error correction code, for instance, 0.95 is achievable for multi-dimensional reconciliation method in low signal-to-noise regime Jouguet_NaturePhoton_2013 ().
For , we traverse each to calculate its corresponding and find the maximal value of them. can be expressed as , in which means the von Neumann entropy of a Gaussian state which has the same covariance matrix as , and means the von Neumann entropy of a conditional Gaussian state which has the same covariance matrix as , related to Bob’s measurement method. The methods to get the from , to get the symplectic eigenvalues of each covariance matrix, and to calculate the von Neumann entropy are commonly used in CV-QKD, and can be found in reference Patron_PhysRevLett_2006 (); Weedbrook_RevModPhys_2012 ().
Appendix B: The simple form of the second sequence
In the covariance matrix , , and can be theoretically calculated, and is estimated only using Bob’s data. Only the estimation of will use the measurement results of modes C. Naturally, the second sequence should be the measurement results for modes , which can be simulated through a quantum random number generator (QRNG). However, the product feature of sub-state can help to simplify this.
Let’s take the -quadrature of mode as an example. After tracing out the other modes of C, the state of modes and is , where . Then
in which each and can be theoretically calculated. Therefore, if the first random number decides that will be sent, then it’s enough to let the second sequence be for the calculation of . This is much simpler than simulating the heterodyne results using quantum random numbers.
Appendix C: The product feature of sub-state is necessary
The EB scheme plays the key role in our framework, in which we need to find a proper entangled source and the measurements in Alice’s side. Here we explain one detail of our design solution. Consider the case that one wants to use finite discrete-distributed coherent states as the non-orthogonal source, which is the most significant case for practical implementation. In this case, it is necessary to require that the sub-state of modes and conditioned on the POVMs results is a product state.
To explain this necessity, we first prove a lemma which is
Lemma 1. For any two-mode entangled state , if after the heterodyne detection over mode , mode is projected onto a coherent state, then the number of possibly projected coherent states for mode is either one or infinite.
We prove this by contradiction. Suppose satisfies that mode is a coherent state after the heterodyne detection over mode , and the number of the possibly projected coherent state is .
For generality, we assume is a mixed state. There exists a purification of , which can be expressed as . The heterodyne detection can be seen as the projection onto a coherent state . We divide the overall phase space for mode into different sets , among which any two of them has no overlap. This equals to divide the two-dimensional plane into points sets without overlap. The first sets correspond to the different output coherent states of mode . For example, for the heterodyne measurement result , if , then mode will be projected onto . And we assume for each element of the first sets, the probability of getting a corresponding heterodyne result for mode is non-zero. The last set corresponds to the points that will never be the heterodyne result, which means , if .
Suppose , and , then we know
where , and is the probability of getting the measurement result .
First, we can prove that if or , then , which means the only non-zero term is . The intuitive understanding of this is that, there are infinite equations constraining finite variables . The detailed proof can follow these steps:
1) derive , and move the vacuum state term to one side,
2) calculate the inner product between the Fock state and the vacuum state,
If let , , then the first equations can be written in the matrix formula , in which is the transport of a Vandermonde matrix with different non-zero , and is a vector with different . Since the Vandermonde matrix has the feature of full rank, then the above equations have the only solution that each , which means , and .
Second, for any , we can define a corresponding set of coherent states, which is . Then the above discussion will lead to the conclusion that, for each , there exists at least one state orthogonal to it. First look at the case , in which for any . This means , where . Then is orthogonal to the set . Second, for the case , from its definition we know , if . Then is orthogonal to .
However, it can be proved that when is finite, among all these set , at least there is one of them being a complete or over-complete set of the Fock state space Bargmann_RepMathPhys_1971 (), which means no state can be orthogonal to this set. This is contradictory to the previous conclusion. Therefore, for the case , no such a two-mode entangled state can be found.
One can easily generalize this to the -mode entangled state case, which is, for any -mode entangled state , if after the heterodyne detections for each mode of , mode is projected onto a coherent state, then the number of possibly projected coherent states for mode is either one or infinite.
For our EB scheme, after the POVMs for modes , the conditioned sub-state will face the same situation as the above argument. And what we consider is the finite coherent states case, then the number of possibly projected coherent states for mode is only one. This means is a product state that .
The above conclusion shows four facts about our framework: 1) POVM measurements other than heterodyne detection should be introduced; 2) entangled state with more than two modes are necessary; 3) after the POVMs, the conditioned sub-state should be a product state; 4) which coherent state will be sent to Bob is decided by the results of POVMs.
Appendix D: Three-mode protocol for finite discrete-distributed coherent states
For a CV system, generating discrete-distributed coherent states is the most practical case, because of the finite resolution for practical devices. The successful application of our framework to this case improves the practical security of CV systems.
Here we will explain some details of our design principle for the discrete-distributed coherent states case. The three-mode entangled source model we use is not only simple-structure, but also highly effective.
.1 Two-mode entangled source
Suppose the source states are different coherent states , and the three-mode entangled source is . From the discussion of section II. B we know that, the performance of a protocol is mainly decided by the structure of . Therefore, our design principle is to let the correlation between modes and as ‘high’ as possible, which from the covariance matrix pointview we want and to be as large as possible. We note that our design principle is only an example inspired by the experience, and it works well for the quadrature-amplitude modulation (QAM) case. Other design solutions for different modulation cases also worth further investigations.
We take -quadure as the example. Denote the mean and the variance of each sub-state and as
Then the overall mean values of modes and are , and the variances are
Now look at , which is
The inequality is due to the Cauchy-Schwarz inequality, in which the equality holds if and only if , where is non-zero. The uncertainty principle tells that for each sub-state, . If we further assume that and are symmetric for each sub-state, then , and . Thus, to achieve the maximum , we need . One can find that these two conditions can be both satisfied if each is also a coherent state , with the mean value linearly dependent on , which is . This linear relationship can be got from a beamsplitter model, which is a coherent state with passes through a beamsplitter with transmittance . This means Alice only needs to generate a two-mode entangled state , and then let the mode pass through a beamsplitter, shown as Fig. 2 in the main context.
As for the design of , first, we find a set of orthogonal states , which can diagonalize the mixed state , such that
Then is defined as
where is related to in such a way,
.2 Quadrature-amplitude modulation (QAM)
We are especially interested in the QAM case, because it’s a standard modulation format in the classical coherent communication. Systems running such a modulation format is naturally compatible with current industry chain of electro-optical devices.
In -QAM () is positive integer), coherent states are positioned at the cross points of equally-spaced columns and rows in the phase space (or classically called constellation map). Suppose the space between each column (or row) is , then the positions of coherent states are
It can be verified that for this standard QAM format, the covariance matrix for is of the standard form,
where , and . We know that due to the uncertainty principle, and the closer approaches to , the better the protocol performance will be. Thus, for the -QAM, we need to choose the proper sending probabilities and the space parameter to make the as large as possible. Since the different and will result in different , we introduce a dimensionless parameter to evaluate the closeness of to for the small region.
Fully optimization of the probabilities is complicated. Here we let them follow a discrete Gaussian distribution: let (the unit is the square root of the shot noise unit (SNU)), then the probability of sending the state is
This simplifies the probability distribution to only one parameter .
We numerically calculate the for -QAM, -QAM and -QAM, with different and , to find a relatively optimal combination of and . Generally speaking, for the small region, the larger the is, the worse the is. Fig. 5 shows our simulation result. For -QAM (Fig. 5(A)), when , the optimal choice for is , which corresponds to ; when , the optimal choice for is , which corresponds to . For -QAM (Fig. 5(B)), when , the optimal choice for is , which corresponds to ; and when , the optimal choice for is , which corresponds to . For -QAM (Fig. 5(C)), when , the optimal choice for is , which corresponds to ; and when , the optimal choice for is , which corresponds to .
From the -pointview, 256-QAM is almost the ideal Gaussian case, and such a small deviation won’t cause a large performance reduction. This is verified by the secret key rate simulation shown in the Fig. 3 of the main context.
In experiment, the two quadratures can be modulated separately, for instance using the QPSK modulator. Thus, for the -QAM, the resolution of the DAC device for the modulation of one quadrature is . Then for -QAM,