Kento Maeda1,2, Toshihiko Sasaki1, Masato Koashi3,4. 1. Photon Science Center, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo, 113-8656, Japan. 2. Department of Applied Physics, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo, 113-8656, Japan. 3. Photon Science Center, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo, 113-8656, Japan. koashi@qi.t.u-tokyo.ac.jp. 4. Department of Applied Physics, Graduate School of Engineering, The University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo, 113-8656, Japan. koashi@qi.t.u-tokyo.ac.jp.
Abstract
Quantum key distribution (QKD) over a point-to-point link enables us to benefit from a genuine quantum effect even with conventional optics tools such as lasers and photon detectors, but its capacity is limited to a linear scaling of the repeaterless bound. Recently, twin-field (TF) QKD was conjectured to beat the limit by using an untrusted central station conducting a single-photon interference detection. So far, the effort to prove the conjecture was confined to the infinite key limit which neglected the time and cost for monitoring an adversary's act. Here we propose a variant of TF-type QKD protocol equipped with a simple methodology of monitoring to reduce its cost and provide an information-theoretic security proof applicable to finite communication time. We simulate the key rate to show that the protocol beats the linear bound in a reasonable running time of sending 10^12 pulses, which positively solves the conjecture.
Quantum key distribution (QKD)[1,2] provides a secret key shared between two remote legitimate parties with information-theoretic security, enabling private communication regardless of an adversary’s computational power and advanced hardware technology. It also has a welcome feature that, for a simple prepare-and-measure type of QKD protocols, the sender’s and the receiver’s device can be implemented with current technology such as lasers, linear optics components, and photon detectors. A drawback is a limitation on the key generation rate stemming from the loss in the channel. For a direct link from the sender to the receiver, the key rate cannot surpass the loss bounds[3,4] of , where is the single-photon transmissivity of the link. Although quantum repeaters[5] are known to beat this limitation by placing untrusted intermediate stations to segment the link, the required technology to manipulate quantum states is demanding. Early proposals to mitigate this demand to beat the scaling still require quantum memories[6] or quantum non-demolition (QND) measurements[7], which are currently in the developing stage.
Surprisingly, the possibility of achieving an scaling with current technology was recently proposed[8] as a protocol called twin-field (TF) QKD, a variant of the measurement-device independent (MDI) protocols[9]. In this protocol, an untrusted station Charlie sitting midway between Alice and Bob simply conducts an interference measurement to learn the relative phase between the pulse pair sent from Alice and Bob. On the surface, the scaling may be understood from the interpretation that a photon detected by Charlie has traveled either the Alice-Charlie segment or the Bob-Charlie segment with transmissivity . But a similar phase encoding scheme was already adopted in an earlier MDI-QKD protocol[10], which did not achieve the scaling. The essential point lies elsewhere, in how Alice and Bob can monitor the adversary’s attack on the link and on Charlie’s apparatus. For this purpose, the TF QKD was specifically designed so as to attain the compatibility to the standard decoy-state method[11-13], which has been successfully used in other QKD protocols.
As the original proposal[8] lacked a rigorous security proof, many intensive studies[14-21] have been devoted to achieving information-theoretic proofs of variants of TF QKD[15-17] and a family of similar protocols called phase-matching (PM) QKD[14,18-21]. As was the case for other QKD protocols, these first proofs mainly consider the asymptotic regime. All the key rates shown to beat the loss bounds so far are achievable only in the limit of infinitely large number of pulses being sent. Explicit formulation in the finite-size regime is found only in the work of Tamaki et al.[15], but this early proposal barely surpasses the loss bounds even in the asymptotic limit, and no numerical values were given for finite-size effect. Hence, at this point, we have totally no clue on how long one must run a QKD protocol on end to beat the loss bounds. It could be hours, days, or even longer.
We should also be aware that the finite-size regime is not a mere appendage to the asymptotic regime. In the latter regime, the fraction of the communication time devoted to the monitoring of the adversary is assumed to be negligible. This implies that one is allowed to invest an infinite resource to the monitoring with no penalty, despite the fact that the monitoring is the main obstacle in the TF-type protocols. In fact, the protocol by Lin and Lütkenhaus[20], which attains both the simplest of the proofs and the highest of the asymptotic key rates, adopts a newly proposed generalization of the decoy-state method for a complete characterization of the adversary’s act, by using the set of test states composed of coherent states with every complex amplitude. Although it gives a lucid view on the problem, it is probably not the shortest route to answer the ultimate question of whether one can find a protocol with information-theoretic security to beat the loss bounds with current technology.
Here we answer the above question positively by proposing a variant of PM-QKD protocol equipped with a simple security proof in the finite-size regime. Our protocol also involves a kind of extension of the standard decoy-state method, but interestingly, its direction is the opposite of the generalization by Lin and Lütkenhaus: we try to learn about the adversary’s act as little as possible except the parameter crucial for the security. For this purpose, we construct a minimal set of test states to satisfy an operator inequality, which we call an operator dominance condition. Our method drastically simplifies the analysis of the finite-size effect to just a double use of classical Bernoulli sampling.
Results
Proposed protocol
The setup for our proposed protocol is illustrated in Fig. 1. In order to distribute a secure key, Alice and Bob both send optical pulses to Charlie, the central untrusted station. Each of the senders randomly switches between the signal mode and the test mode. They use the signal mode for accumulating raw key bits and the test mode for monitoring the amount of leak.
Fig. 1
Illustration of the proposed quantum key distribution protocol. In the signal mode, Alice and Bob each encode their random bits on phase-locked pulses with intensity (mean photon number) μ through phase modulators (PMODs). In the test mode, they independently randomize the optical phase θ and switch among three intensities 0, μ1, and μ2. The central station Charlie, who may be in control of an adversary, announces whether his detection has succeeded and if it has, he further announces whether he has found the pulse pair to be in-phase or anti-phase. Bob flips his bit when anti-phase was announced.
The signal mode is based on the PM-QKD protocol[14], which is common to previous proposals[18-21]. We assume Alice and Bob have phase-locked pulse sources to generate in-phase pulses. Each party encodes a random bit by applying 0 or π phase shift to the pulse with a fixed intensity μ (defined in terms of its mean photon number) and sends it to Charlie. He measures and announces whether the two pulses are in-phase or anti-phase, by using a 50:50 beam-splitter and a pair of photon detectors. Successful detection at Charlie allows Alice and Bob to learn whether their bits have the same or different values. Thus, by appropriately flipping Bob’s bits, Alice and Bob can accumulate shared random bits by repetition, which we call sifted keys.
As in refs. [19,21], we associate the amount of leak to the phase errors in an equivalent protocol in which Alice and Bob use auxiliary qubits A and B. Let us call the Z basis of a qubit, and the X basis. Alice and Bob’s procedure in the signal mode can be equivalently executed by preparing the qubits AB and the optical pulses CACB in a joint quantum state
Suppose that Charlie has declared K0 detected rounds after the repetition. This leaves the corresponding K0 pairs of qubits at Alice and Bob. If they measure the qubits in the Z basis, they obtain K0-bit sifted keys in the actual protocol. To assess the amount of leak in the sifted keys, we consider a virtual protocol in which they measure the qubits in the X basis instead and count the number of phase errors (X errors) among the K0 pairs. Here an X error is defined to be an event where the pair was found in either state or . We denote the number of X errors as for the reason we clarify later. If there is a promise that the phase error rate is low, it implies that the leak on the sifted keys is small. Hence, the aim of the test mode is to gather data to compute a good upper bound eph on . In the asymptotic limit, shortening by fraction h(eph) via privacy amplification achieves the security[22,23], where for /2 and for /2.
To obtain a good intuition on the meaning of the observable in the virtual protocol, consider a scenario in which Alice and Bob make the X basis measurements before sending out the optical pulses. Notice that the state (Eq. 1) is rewritten as
where and . The state consists of even photon numbers, whereas the state consists of odd photon numbers. Then, we may interpret that an X error occurs with probability and the optical pulses are sent in state , which is given by
For probability , the optical pulses are sent in state , where
We see that for state , the total number of photons in the pulse pair is always even. Hence, the number can be interpreted as the frequency of detection when the total emitted photon number of the pulse pair was even.
The main question is how we should design the test mode to estimate the number in the signal mode. An obvious choice is to prepare actually the state as was proposed recently[21], but generation of such a non-classical optical state with a good fidelity will be hard to realize in current technology. For the use of laser pulses, previous approaches[18,19] for the asymptotic regime use the standard decoy-state method in which various detection rates labeled by emitted photon numbers are estimated. A bound on the phase error rate is then computed from those rates through a set of inequalities. Lin and Lütkenhaus[20] generalized the decoy-state method to a kind of tomography, in which case tight estimation of phase error rate / should be possible. In order to simplify the security argument for the finite-size regime, here we take a more direct approach of constructing a state approximating . Of course, is a highly non-classical optical state and thus it is impossible to approximate it by a mixture of coherent states. As the second-best plan, we propose to find a linear combination of test states to approximate . The crux is that we allow coefficients to include negative values as long as the combination satisfies an operator inequality,
which we call an operator dominance condition.
Based on the above design policy, we found the following protocol (see Fig. 1).
where the parameter and the function will be specified below.
1. Alice chooses a label from {“0”, “10”, “11”, “2”} with probabilities p0, p10, p11, and p2, respectively. According to the label, Alice performs one of the following procedures.
   “0”: She generates a random bit a and sends a pulse with amplitude .
   “10”: She sends the vacuum.
   “11”: She sends a phase-randomized pulse with intensity μ1.
   “2”: She sends a phase-randomized pulse with intensity μ2.
2. Bob independently carries out the same procedure as Alice in Step 1.
3. Alice and Bob repeat Steps 1 and 2 a total of Ntot times.
4. For every pair of pulses received from Alice and Bob, Charlie announces whether the phase difference was successfully detected. When it was detected, he further announces whether it was in-phase or anti-phase.
5. Alice and Bob disclose their label choices. Let K0 be the number of detected rounds for which both Alice and Bob chose “0”. Alice concatenates the random bits for the K0 rounds to define her sifted key. Bob defines his sifted key in the same way except that he flips all the bits for the rounds declared to be anti-phase.
6. Let K10, K11, and K2 be the number of detected rounds for which both Alice and Bob chose the same label “10”, “11”, and “2”, respectively. Let .
7. For error correction, Alice announces HEC bits of syndrome of a linear code for her sifted key. Bob reconciles his sifted key accordingly. Alice and Bob verify the correction by comparing bits via universal2 hashing[24].
8. They apply the privacy amplification to obtain final keys of length
Security proof
In order to prove the security of the above protocol, we need to construct an upper bound on the phase error rate / in the virtual protocol. To cover the finite-size cases as well, our objective is to construct which satisfies
for any attack in the virtual protocol. It is known that it immediately implies that the actual protocol is -secure with a small security parameter . See the Methods section for the detailed definition of security.
Let be the phase-randomized coherent state with mean photon number μ,
Our proof method is based on an operator dominance condition which reads
where and are positive constants. Our security argument below holds for any set of parameters (p10, p11, μ, μ1, μ2, , ) satisfying Eq. (9). A simple method of computing and from (p10, p11, μ, μ1, μ2) is given in the Methods section.
We first clarify the meaning of numbers K1 and K2 collected in the test mode. By definition of the protocol, K1 is the frequency of detection when the pulse pair CACB was initially prepared in state , where
Similarly, K2 is the frequency of detection for state
Also recall that is the frequency of detection for state defined in Eq. (3).
When Eq. (9) holds, there exists a normalized state , which satisfies
for . Therefore, we can reinterpret the state as a mixture of the three states , , and . Let us consider a modified scenario in which the state of the pulse pair is directly prepared in various states with the probabilities specified in Fig. 2. In this scenario, the frequencies and shown in Fig. 2 are also well-defined. Suppose that the adversary’s attack (which may include taking over Charlie’s announcement) is the same as that for the actual/virtual protocols. As the breakdown of the mixed state in the actual protocol is revealed only after Charlie has announced all the detections, we see that the following property naturally holds.
Fig. 2
Relation between the actual/virtual protocol and the modified scenario. Each row is chosen with the initial probability and the pulse pair is prepared in the corresponding quantum state. The detection frequency is the number of times Charlie has declared success. The cases when Alice’s and Bob’s label differ are irrelevant and not shown. In the actual protocol, three detection frequencies, K0, K1, and K2 are determined. In the virtual protocol, K0 is decomposed into a sum of two frequencies, and . The security of the actual protocol is quantitatively assured if a good upper bound on is found. To find such a bound, we consider a modified scenario in which the variables follow the same statistics as in the virtual protocol. In the modified scenario, K1 is interpreted as a sum of three frequencies corresponding to three different initial quantum states of the pulse pair, , , and . We notice that the first two rows are chosen with probabilities and and classified to the Test2 mode and to the Test1 mode accordingly, but the pulse pairs are initially prepared in the same state . Charlie’s success/failure declaration and the Test2/Test1 mode choice should thus be statistically independent. It follows that the conditional statistics of variable K2 obeys a Binomial distribution given that the sum is a constant. This leads to a lower bound on in terms of K2. A similar argument holds for variables and , leading to an upper bound on in terms of . Combining these, we obtain an upper bound on in terms of K1 and K2, which should be applicable to the virtual protocol.
The marginal joint probability of the three variables in the modified scenario is the same as that in the virtual protocol.
This means that if Eq. (7) is true in the modified scenario, it is also true in the virtual protocol.
From comparison between the first and the second rows in Fig. 2, we notice that K2 and in the modified scenario are detection frequencies of the same initial state . As the adversary has no clue about whether a pulse pair in state belongs to Test1 mode or to Test2 mode, they cannot force Charlie to detect one of the cases preferentially over the others. Hence, the ratio of K2 to is expected to be close to the initial ratio of the two cases, . More precisely, K2 is a Bernoulli sampling from a population with elements. This is also the case with and . It leads to the following property of conditional probabilities stated in terms of binomial distribution .
and similarly,
In the modified scenario, it holds that
The properties (i) and (ii) reduce the security proof to an elementary problem of classical random sampling. In an asymptotic limit of K1, , a bound on is immediately obtained from the relations , , and . A finite-size bound satisfying Eq. (7) can be constructed by the use of the Chernoff bound[25]. As explained in the Methods section, we can compute general bounds that satisfy
when holds for all . Then, we can construct the function as
with
which obviously satisfies Eq. (7) and hence completes the security proof.
For an intuitive understanding of the amount of the finite-size effect, an approximate expression of the bound may be helpful. The general bounds M± are approximated as
when . Then, we can approximate as
with
Numerical simulation
We simulated the key rate G/Ntot as a function of distance L between Alice and Bob when they are fiber-linked to Charlie with a loss of 0.2 dB/km. We assumed a detection efficiency of for Charlie’s apparatus. The parameters are optimized for each distance. The detail of the model for determining K0, K1, and K2 is given in the Methods section.
Figure 3 shows the key rates of our protocol in the asymptotic limit and in the finite-size cases with and 10^12. We have also plotted the PLOB bound[4], −, for the direct link from Alice to Bob with transmissivity , assuming the same detection efficiency. The asymptotic key rate shows an scaling. As expected, the asymptotic rate is lower than those of the protocols[18-20] investing more resources for the monitoring. The main feature of our protocol lies in the provably secure key rate in the finite-size regime. We see that at it barely surpasses the PLOB bound, and at it clearly beats the bound at ~ 300 km. The dotted line below the PLOB bound is the asymptotic rate for the ideal decoy-state BB84 protocol[2,4,13], /, which is surpassed by our protocol beyond 200 km even with .
Fig. 3
The key rate per pulse as a function of distance L between Alice and Bob. We assumed a fiber loss of 0.2 dB/km, a loss-independent misalignment error of em = 0.03, a detector dark counting probability of pd = 10^-8, and a detection efficiency of . The rate in the asymptotic limit and those in the finite-size cases with transmission of , 10^12 pulse pairs are shown. For comparison, we also show the PLOB bound[4] and the asymptotic key rate of ideal decoy-BB84 protocol[2,4] for the direct link transmissivity
As an example, we present explicit values of the optimized parameters for at 340 km. The intensities are and the probabilities are . The operator dominance condition (Eq. 9) is satisfied with and . The observed values expected from the model are .
Discussion
We proposed a variation of TF-type QKD protocol by using the signal mode of the PM-QKD protocol and the test mode specifically designed to simplify the estimation process of the amount of information leak. The simulated key rate shows that it beats the PLOB bound when the total number of pulse pairs emitted from Alice and Bob is 10^11 to 10^12, which corresponds to several to twenty minutes for a system of 1 GHz pulse repetition. It amounts to settling the conjecture with a comprehensive information-theoretic security proof covering the finite-size key regime.
In the protocol, the events where Alice and Bob have chosen different local labels are simply discarded. It is an interesting question whether we may improve the key rate by incorporating the detection frequencies of such events in the analysis. Conversely, by accepting a lower key rate, we may be able to simplify the protocol to use only three intensities instead of four in the current protocol. We leave these questions to future study.
An essential ingredient of our design is the operator dominance method of estimating the detection frequency of one state from those of a combination of different test states. We can identify two instances of binomial distribution in a modified scenario, which simplifies the required statistical analysis in the finite-size regime. As a methodology, the number of test states forming the linear combination to approximate the target state does not affect the simplicity of analysis. As long as the operator dominance condition is satisfied, we can group the states with positive coefficients to define state and those with negative to define . Such a flexibility will be used to improve the finite-size key rate of TF-type protocols further. We also expect that the method can be used to simplify the security analysis of other QKD protocols, especially when the imperfection of practical devices is taken into account.
Methods
Definition of security in the finite-size regime
We evaluate the secrecy of the final key as follows. When the final key length is , we represent Alice’s final key and an adversary’s quantum system as a joint state
and define the corresponding ideal state as
Let be the trace norm of an operator σ. We say a protocol is -secret when
holds regardless of the adversary’s attack. It is known[26] that if the number of phase errors is bounded as in Eq. (7), the protocol is -secret with .
For correctness, we say a protocol is -correct if the probability for Alice’s and Bob’s final key to differ is bounded by . Our protocol achieves via the verification in Step 7.
When the above two conditions are met, the protocol becomes -secure with in the sense of universal composability[27].
Construction of operator dominance condition
Here we describe a procedure to compute parameter sets fulfilling the operator dominance condition (Eq. 9). Suppose that values of μ1, μ2, p10, and satisfying
are given. Then, we can satisfy Eq. (9) by choosing and according to the following:
The proof goes as follows. Using the representation , we see that the left-hand side of Eq. (9) has a diagonal form on the Fock basis, where
Substituting Eq. (26), we have
under condition (Eq. 25). Using q, Eq. (27) is rewritten as
Let and be projections to the subspaces with even and odd photon numbers, respectively. We denote . From Eq. (3), we have
Hence, Eq. (9) is equivalent to the following set of conditions:
The condition (Eq. 34) is obviously true from Eq. (29). Since when is even, Eq. (32) is true if
with
Since
from Eq. (30), we see that condition Eq. (35) is true and so is condition (Eq. 32). Similarly, for
we have
implying that condition (Eq. 33) is also true.
Bounds for a classical random sampling
Here we give a computable definition of functions and prove the relevant properties. We assume and . Let , , , and
with . Then, for , we have , , and . The partial derivatives satisfy
and
Hence we may uniquely define for as follows.
Definition 1
M+ is the unique solution of the equation for . For , M− is the unique solution of the equation for . For , let .
Due to the properties of described above, is non-decreasing. Using this definition, we can prove the following lemma:
Lemma 1
Let M and K be random variables taking nonnegative integer values. If for all , then
and
Proof: using the Chernoff bound[25] for the binomial distribution, we have
for all , leading to
If , then and hold. Hence Eq. (46) implies , leading to Eq. (43). Similarly to Eq. (46), we can also obtain
If , then , , and hold. Then, Eq. (47) implies , leading to Eq. (44).
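
The random-sampling bound behind Lemma 1, as an added example in Python (not the authors' code and not their definition of M±): given k detections sampled with probability p from an unknown population, it inverts the relative-entropy Chernoff bound for the binomial distribution to bracket the population size, then checks the bracket against exact binomial tails. The function names, p, eps and the sample numbers are assumptions made for illustration.

```python
import math

def kl(a, p):
    """Relative entropy D(a || p) between Bernoulli(a) and Bernoulli(p), in nats."""
    d = 0.0
    if a > 0.0:
        d += a * math.log(a / p)
    if a < 1.0:
        d += (1.0 - a) * math.log((1.0 - a) / (1.0 - p))
    return d

def exponent(m, k, p):
    """Chernoff exponent m * D(k/m || p): a Bin(m, p) tail that starts at k and
    points away from the mean m*p has probability at most exp(-exponent)."""
    return m * kl(k / m, p)

def _check(k, p, eps):
    if k < 0 or not 0.0 < p < 1.0 or not 0.0 < eps < 1.0:
        raise ValueError("need k >= 0, 0 < p < 1 and 0 < eps < 1")

def population_upper(k, p, eps):
    """Return m_up such that any true population m > m_up would have produced
    k or fewer samples with probability at most eps."""
    _check(k, p, eps)
    target = math.log(1.0 / eps)
    lo = k / p if k > 0 else 1e-12      # exponent is (almost) zero at lo
    hi = max(2.0 * lo, 1.0)
    while exponent(hi, k, p) < target:  # exponent increases with m above k/p
        hi *= 2.0
    for _ in range(200):                # bisection on a monotone function
        mid = 0.5 * (lo + hi)
        if exponent(mid, k, p) < target:
            lo = mid
        else:
            hi = mid
    return hi                           # conservative side of the root

def population_lower(k, p, eps):
    """Return m_low such that any true population m < m_low would have produced
    k or more samples with probability at most eps."""
    _check(k, p, eps)
    target = math.log(1.0 / eps)
    if k == 0 or k * math.log(1.0 / p) <= target:
        return float(k)                 # too few samples: only m >= k is known
    lo, hi = float(k), k / p            # exponent falls from k*ln(1/p) to 0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if exponent(mid, k, p) > target:
            lo = mid
        else:
            hi = mid
    return lo                           # conservative side of the root

def log_pmf(m, j, p):
    """Natural log of Pr[Bin(m, p) = j] for integers 0 <= j <= m."""
    return (math.lgamma(m + 1) - math.lgamma(j + 1) - math.lgamma(m - j + 1)
            + j * math.log(p) + (m - j) * math.log(1.0 - p))

def tail_le(m, k, p):
    """Exact Pr[Bin(m, p) <= k]."""
    return sum(math.exp(log_pmf(m, j, p)) for j in range(0, min(k, m) + 1))

def tail_ge(m, k, p):
    """Exact Pr[Bin(m, p) >= k]."""
    return sum(math.exp(log_pmf(m, j, p)) for j in range(k, m + 1))

def demo():
    k, p, eps = 1200, 0.25, 1e-10       # constructed values, not from the paper
    up = population_upper(k, p, eps)
    low = population_lower(k, p, eps)
    return {"upper": up, "lower": low,
            # exact failure probabilities at the nearest integers outside the bracket
            "miss_upper": tail_le(math.ceil(up), k, p),
            "miss_lower": tail_ge(math.floor(low), k, p)}

if __name__ == "__main__":
    print(demo())
```

The width of the bracket around k/p is the finite-size penalty of one sampling step; the security proof above applies such a step twice.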
Calculation of simulated key rates
For the simulation of the key rate G/Ntot as a function of distance between Alice and Bob, we adopted the following model for the channels and Charlie’s detection apparatus. We assumed a fiber loss of 0.2 dB/km and a detection efficiency of for Charlie’s apparatus. The distance between Alice and Bob is denoted by L (in km). The overall transmissivity from Alice to Charlie’s detection is then . The overall transmissivity from Bob to Charlie is also . We assume that (honest) Charlie declares a success when one or both of the detectors have reported detection. When both have detected, he randomly declares in-phase or anti-phase. We assume that each detector has a dark count probability of , which amounts to the effective probability from the two detectors. The expected frequencies of detection are then modeled as
For the bit error rate, we use the following model that includes a mode/phase mismatch error of :
We assume the cost of error correction HEC to be .
For calculation of the key rate with a finite value of Ntot, we chose the security parameters as , , and , which makes the protocol -secure with . The final key length is then optimized with the Nelder–Mead method over six parameters μ, , , p2, , and /. For every point shown in Fig. 3, we confirmed that the absolute values of the numerical partial derivative at each optimized condition were sufficiently small compared with the parameter values.
For calculation of the asymptotic key rate, we analytically reduced the number of parameters as follows. Using Eq. (20), the phase error rate for is given by
From Eqs. (26), (27), (48), (49), and (50), we see that it can be cast into the form / with
where {C} depend only on μ, μ1, μ2, , and d. The function g(λ) takes its minimum at with
Hence, in the limit of and p10, p11, with /, we have
To calculate the asymptotic key rate in Fig. 3, we optimized the above expression over μ, /μ and /μ with the Nelder–Mead method.