Open-Destination Measurement-Device-Independent Quantum Key Distribution Network.

Quantum key distribution (QKD) networks hold promise for sharing secure randomness over multi-partities. Most existing QKD network schemes and demonstrations are based on trusted relays or limited to point-to-point scenario. Here, we propose a flexible and extensible scheme named as open-destination measurement-device-independent QKD network. The scheme enjoys security against untrusted relays and all detector side-channel attacks. Particularly, any users can accomplish key distribution under assistance of others in the network. As an illustration, we show in detail a four-user network where two users establish secure communication and present realistic simulations by taking into account imperfections of both sources and detectors.

1. Introduction

Quantum key distribution (QKD) [1,2,3,4] provides unconditional security between distant communication parties based on the fundamental laws of quantum physics. In the last three decades, QKD has achieved tremendous progress in both theoretical developments and experimental demonstrations. To extend to a large scale, the QKD network holds promise to establish an unconditionally secure global network. Different topologies for QKD network have been demonstrated experimentally during the past decades [5,6,7,8,9,10,11]. However, due to high demanding on security and the relatively low detection efficiency, the realization of large-scale QKD networks is still challenging.

On the one hand, many previous demonstrations of quantum networks heavily rely on the assumption of trusted measurement devices. From security point of view, however, such assumption is challenging in realistic situations, as various kinds of detector side-channel attacks are found due to the imperfections of practical devices [12,13,14,15,16]. Fortunately, measurement-device-independent QKD (MDI-QKD) protocol [17,18] can remove all kinds of attacks in the detector side-channel. Since its security does not rely on any assumptions on measurement devices, MDI-QKD networks are expected to close the security loophole existing in the previous QKD networks. The MDI-QKD network has been discussed theoretically in Ref. [19,20], and a preliminary experimental MDI-QKD network demonstration was realized very recently [21].

On the other hand, most of the existing QKD networks are limited to point-to-point QKD. When expanded to multi-partite QKD case, the complexity increases, and the efficiency decreases significantly. Recent study shows that multi-partite entanglement can speed up QKD in networks [22]. Therefore, it is highly desirable to develop variously novel schemes of QKD networks if assisted by multi-partite entanglement source. Then, an immediate problem comes out: how to design a QKD network enjoying security against untrusted measurement devices and simultaneously offer practical applicability for arbitrary scalability? This is exactly the purpose of this work.

In this paper, we propose a flexible and extensible protocol named as open-destination MDI-QKD network, by combining the idea of open-destination teleportation [23] and MDI-QKD [17,18]. In this protocol, secure communication between any two users in the network can be accomplished under assistance of others. The open-destination feature allows these two-party users share secure keys simultaneously, where we also generalize to the case of C communication users. Remarkably, this feature allows communication users not to be specified before the measurement step, which makes the network flexible and extendable. Furthermore, the MDI feature enables this scheme to be secure against untrusted relays and all detector side-channel attacks. Specially, all users need only trusted state-preparation devices at hand, while the untrusted relay section is made by entangled resources and measurement devices.

2. Open-Destination MDI-QKD Network

Consider an N-party quantum network. We are particularly interested in the case where arbitrary two users want to share secure keys. This scenario is denoted as for convenience. To simplify the discussion, here we focus on the star-type network, where both the user and a central source emit quantum signals. The signals are measured by untrusted relays located between each user and the central source.

2.1. Protocol

The open-destination MDI-QKD runs as follows. An illustration of the example is shown in Figure 1.

Figure 1

An optical diagram for the polarization-encoding open-destination measurement-device-independent quantum key distribution (MDI-QKD) network. The GHZ source outputs 4-partite GHZ entangled state in polarization and the light source outputs BB84 polarization state. The BSM represents the Bell state measurement, where BS is the 50:50 beam splitter, PBS is the polarization beam splitter, and , , , and are single-photon detectors. A click in and , or in and , indicates a projection into the Bell state , and a click in and , or in and , indicates a projection into the Bell state .

Preparation: A third party, which may be untrusted, prepares N-partite GHZ state where and denote two eigenstates of the computational basis Z. All users prepare BB84 polarization states, i.e., , , , and with being the two eigenstates of the basis X. The third party and all users distribute the prepared quantum states to their relays, which may also be untrusted.

Measurement: The relays perform Bell state measurements (BSMs). When using linear optical setups, only two outcomes related to projections on can be distinguished.

Announcement: All relays announce their successful BSM results among a public classical authenticated channel. The two communication users announce their photons bases, and other users announce their states prepared in the X basis.

Sifting: The two communication user keep the strings where all the relays get successful BSM results and other users use X bases. Then, they discard the strings where different preparation bases are used. To guarantee their strings to be correctly correlated, one of the two users flip or not flip his/her bit according to the corresponding BSM results and other users’ prepared states (see Appendix A for details). Then, the two users obtain the raw key bits.

Post-processing: The two communication users estimate the quantum phase error and quantum bit error rate (QBER) in Z and X bases, according to which they further perform error correction and privacy amplification to extract correct and secure keys.

In this protocol, the multi-partite GHZ state between distant users can also be established through a prior distributed singlets, following the scheme of Bose et al. [24]. In fact, the open-destination feature allows arbitrary two users in the network to share secure keys based on the same experiment statistics. To accomplish the task of MDI-QKD among arbitrary two users, a natural scheme is to establish direct MDI-QKD between each two users. This requires either the central source to adjust his devices such that EPR pairs (the maximally entangled quantum states of a two qubit system, named after Einsetin, Podolski and Rosen Paradox [25]) are sent along desired directions, or a number of two-user combinations to establish direct MDI-QKD using the same number of untrusted relays. The open-destination scheme is an alternative scheme. It does not require the central source to adjust his devices according to the demand of communications, at the same time involve only N untrusted relays. In a practical scenario, all the users can use weak coherent pulses to reduce experimental cost and apply decoy-state techniques [26,27,28] to avoid photon-number-splitting attack, as well as to estimate the gain and the error rate.

2.2. Correctness and Security Analysis

We will show the correctness and security of the open-destination MDI-QKD protocol, i.e., the communication users end up with sharing a common key in an honest run and any eavesdropper can only obtain limited information of the final key. The following analysis applies for the case. As an illustration, we show a detailed derivation of the in Appendix A.

For the correctness of the protocol, we show that after successful BSMs and other users announce the X-basis states, the two communication users can perform flip their bits locally to obtain perfectly correlated sifted keys. We start from rewriting the GHZ state as

Here, is a string of bits with bit value “+” or “−” and if the number of “−” is even (odd).

We label each user by and let the two communication users be and . In a successful run of the protocol, suppose that users and prepare states , respectively, and other users prepare state in the X basis, denoted as a string . In addition, denote the successful BSM results as a string , with the kth bit denoting the BSM outcome on the state prepared by the user and the k-th particle of the GHZ state. Here, corresponds to projections , respectively. Then, when other users send states denoted by and when all untrusted relays announce successful BSM results , the equivalent measurement on and is

Here, with and if the number of “−” in is even (odd). Therefore, when the user and both prepare Z-basis states, or when they both prepare X-basis states with , the corresponding strings are correctly correlated; otherwise, when they both prepare X-basis states but , their strings are anticorrelated, and one party needs to flip all his/her bits.

For the security of the protocol, here we show that an open-destination MDI-QKD can be equivalent to a standard bipartite MDI-QKD if we only focus on the two communication users. Recall that, in the standard MDI-QKD, two parties, Alice and Bob, prepare and send quantum signals to a remote untrusted relay, which announces a successful BSM result or not. In our scheme, one can treat all parts outside the two users and as an untrusted relay [29]. That is, the GHZ source, the BSM setups and all other users serve as a big untrusted relay, and the successful BSM results in the standard MDI-QKD corresponds to all BSMs announcing successful measurements together with all other users announcing X-basis states (see Figure A1 as an example of the case). In this sense, our scheme is reduced to the MDI-QKD and the two has the same security. Additionally, although we require the preparation device of each user to be trusted in the protocol, the two communication users need not to trust these preparation devices of other users.

Figure A1

(a) The schematic diagram for the open-destination MDI-QKD scheme. Users and denote communication users, while users and denote auxiliary users. (b) The equivalent topological schematic diagram when users and communicate with each other. According to BSM results of relays 3 and 4 and quantum states of auxiliary users and , the GHZ state is projected to a virtual Bell state. (c) The final equivalent topological schematic diagram that users and perform MDI-QKD, according to the BSM results and the virtual Bell state.

2.3. Key Generation Rate

The key generation rate for open-destination MDI-QKD can be derived similarly as the standard MDI-QKD, i.e., by converting it to an entanglement purification scheme. Suppose that the two communication users both have virtual singlets at their hands and then send one particle to the untrusted relays. In a successful run of the protocol, the remaining virtual particles of the two communication users will be entangled. When the entanglement between the virtual particles is sufficiently strong, the monogamy property of entanglement [30,31,32] guarantees the extraction of information-theoretically secure key bits between the two users. In this sense, the secret key rate can be roughly viewed as the gains of entanglement purification in the asymptotic case. Taking account of imperfections, such as basis misalignment, channel loss, and dark counts of the detectors, the key generation rate is given by the GLLP method [33]

Here, we have assumed that the user and use Z basis to generate keys and use X basis to estimate phase errors. In the equation, denotes the overall gain in the Z basis, and () denotes the phase (bit) error rate, is the error correction inefficiency for the error correction process, and is the binary Shannon entropy function. In a realistic experiment, if using weak coherent pulses and adopting decoy-state techniques, , , and can be efficiently estimated [27,28].

2.4. Comparison with the Standard MDI-QKD

The open-destination MDI-QKD network is different from the conventional MDI-QKD. The main difference comes from the open-destination feature, which in fact allows the all 2-party users in the network generate their own secure keys independently and simultaneously. There are in fact combinations of such two-party users. If one uses the conventional MDI-QKD scheme, the same number of untrusted relays are required. To increase the communication distance, one may further add the same number of relays and EPR sources to construct the user-relay-EPR source-relay-user structure. Such construction of quantum network could be expensive considering the number of devices required. One could also use the optical switches to reduce the number of relays; however, in this case the communication would be arranged in time order and some users have to wait. In the open-destination scheme, N untrusted relays are sufficient to connect each other supplied with good-quality GHZ central source. Although the distribution of GHZ states may lead to other technological challenges, the open-destination scheme can reduce the number of devices significantly in constructing the network. As for the performance, the two schemes in fact have similar performance in the ideal case. The difference is that the open-destination scheme generates secure keys for any two-party users in one round of implementation while the bipartite MDI-QKD scheme costs rounds. Furthermore, the open-destination scheme also establishes conference key agreements among arbitrary users, which can not be accomplished directly via the bipartite MDI-QKD. We will discuss this case in the next section.

3. Numerical Simulation

As an example, we will analyze the secure key rate for the open-destination MDI-QKD (see Appendices Appendix B and Appendix C for details). For simplicity, the single-photon source and the asymptotic approximations are assumed. We let the BSM setups be located in each user’s side, although, in a realistic experiment, the BSM setups can be located in anywhere to increase the communication distance. We suppose that quantum channels are identically depolarizing such that untrusted relays receive the GHZ state in a mixture form [34]: where . We also assume that all detectors are identical, i.e., they have the same dark count rates and the same detection efficiencies. After numerical simulation, the lower bound of secure key rates with respective to communication distance between user and central source are shown in Figure 2.

Figure 2

Lower bound on the secret key rate R versus communication distance between communication users using Werner-like states source. The red line denotes , i.e., the perfect GHZ source. The parameters are chosen according to experiments [35]: the detection efficiency , the misalignment-error probability of the system , the dark count rate of the detector , the error correction efficiency , the intrinsic loss coefficient of the standard telecom fiber channel .

The simulation shows that the secure key rate and the largest communication distance decrease when p decreases. To implement open-destination MDI-QKD efficiently, good-quality GHZ sources and single-photon sources are necessary. If such requirements are satisfied, our scheme can tolerate a high loss of more than 500 of optical fibers, i.e., 100 , using perfect GHZ source and single-photon source, even when the BSM setups are located in every user’s side. One can double the communication distance by putting the BSM setups in the middle of the users and the GHZ source, which is similar with the case in MDI-QKD [17,18]. For the realistic case where weak coherent pulses are used, our analysis can be generalized by considering the decoy state method [27,28] and following the procedures in Refs. [36,37].

4. Generalization to the (N,C) Case

As aforementioned, the complete analysis has been focused on the open-destination MDI-QKD case. Here, we show that the case of two communication users can also generalized to the case of C communication users. Note that the open-destination feature enables any C users to generate secure keys at the same time.

Suppose that, in an N-party quantum network with users , the communication users are denoted by the subset , where . The auxiliary set denoted by consists of auxiliary users, i.e., users that assist communication users to generate secure keys, with users. According to Equation (3), for a general C communication users case, the GHZ state can be rewritten as

Here, is a string of bits with bit value “+” or “−” and if the number of “−” is even (odd). Intuitively, with the assistance of auxiliary users, C-qubit GHZ states are shared among arbitrary C communication users. Meanwhile, based on the C-qubit GHZ state, the communication users can complete different quantum information tasks with the merit of open destination, such as quantum conference key agreement [24,34,38,39,40] and quantum secret sharing [39,41,42,43]. In general, we call it the open-destination quantum communication task. When , and the aim is to establish QKD, the task is reduced to the open-destination MDI-QKD network discussed above.

For instance, in the general case of open-destination quantum conference key agreement, all users prepares and sends BB84 states to their respective untrusted relays. The central source simultaneously distribute the GHZ state, which is measured together with the state from user on the untrusted relay. When the relays announce successful BSM outcomes and when all auxiliary users announce their prepared states in X-basis, the communication users virtually share a multipartite entangled state, as the same of the case. After suitable local operations of bit flips, all communication users share correctly correlated bits.

By slightly modifying the scheme, the experimental cost, especially the number of detectors can be reduced significantly. For instance, when all users announce their preparation basis X for assisting others while keep the bits corresponding to Z basis for distill the key, any C users can share secure keys simultaneously. This is because their respective sifted keys corresponds to different portions of the raw data. If one insists on using the conventional two-party QKD and multi-party conference key agreement scheme to realize the same function of the open-destination scheme under discussion, about detectors are required. In the open-destination scheme, the number of detectors is reduced to , which only increases linearly with the user number N.

As an example, we consider the case of open-destination quantum conference key agreement. From Equation (10), the post-selected 3-party GHZ state is according to the announcements of the states and the BSM results related with auxiliary users. Meanwhile, as shown in Table 1, an equivalent GHZ analyzer among three communication users can be obtained according to the post-selected GHZ state and the BSM results of their corresponding relays. Then, according to the MDI-QCC protocol in Ref. [39], open-destination quantum conference key agreement can be directly conducted based on the equivalent GHZ analyzer.

Table 1

The equivalent GHZ analyzer measurement results of three communication users. Here, GHZ denotes the post-selected GHZ state from the GHZ source; BSM result 1(2,3) denotes the BSM results of three relays nearby the communication users’ side; GHZ analyzer denotes the results of corresponding GHZ analyzer among three communication users.

GHZ^A	BSM Result 1	BSM Result 2	BSM Result 3	GHZ Analyzer^C
|ϕ3-party+〉 (|ϕ3-party−〉)	|ψ^+〉	|ψ^+〉	|ψ^+〉	|ϕ3-party+〉 (|ϕ3-party−〉)
|ϕ3-party+〉 (|ϕ3-party−〉)	|ψ^+〉	|ψ^+〉	|ψ^−〉	|ϕ3-party−〉 (|ϕ3-party+〉)
|ϕ3-party+〉 (|ϕ3-party−〉)	|ψ^+〉	|ψ^−〉	|ψ^+〉	|ϕ3-party−〉 (|ϕ3-party+〉)
|ϕ3-party+〉 (|ϕ3-party−〉)	|ψ^+〉	|ψ^−〉	|ψ^−〉	|ϕ3-party+〉 (|ϕ3-party−〉)
|ϕ3-party+〉 (|ϕ3-party−〉)	|ψ^−〉	|ψ^+〉	|ψ^+〉	|ϕ3-party−〉 (|ϕ3-party+〉)
|ϕ3-party+〉 (|ϕ3-party−〉)	|ψ^−〉	|ψ^+〉	|ψ^−〉	|ϕ3-party+〉 (|ϕ3-party−〉)
|ϕ3-party+〉 (|ϕ3-party−〉)	|ψ^−〉	|ψ^−〉	|ψ^+〉	|ϕ3-party+〉 (|ϕ3-party−〉)
|ϕ3-party+〉 (|ϕ3-party−〉)	|ψ^−〉	|ψ^−〉	|ψ^−〉	|ϕ3-party−〉 (|ϕ3-party+〉)

Similar to the open-destination MDI-QKD in Section (Section 2) of the case, the security of the open-destination quantum conference key agreement is also based on the entanglement purification discussion [39,44,45]. According to the multi-partite entanglement purification scheme [46], the secret key rate can be written as follows [34,39,40]: where is the overall gains when three communication users send out quantum states in Z basis, () is the marginal quantum bit error rate between user 1 and user 2 (3) in Z basis, is the overall quantum bit error rate in X basis, f is the error correction efficiency, and is the binary Shannon entropy function. , , , and can be gotten directly from the experimental results. Meanwhile, the estimation of key rate can be slightly different if the sources of users are weak coherent states [33].

5. Conclusions

As a conclusion, we proposed a flexible and extensible scheme of the open-destination MDI-QKD network. We proved the correctness and security of the protocol, and derived practical key generation rate formula. For an illustration, we studied a specific network where two of four users want to distill quantum secure keys. For the scenario, we presented a polarization-encoding scheme for experimental implementation and offered in detail a simulation by taking the imperfections in both source and detectors into account. The simulation results show that the scheme enjoys a promising structure and performance in real-life situation.

A significant virtue of our scheme is the security against untrustful relays and all detector side-channel attacks. Moreover, the open-destination feature enables any two users to establish MDI-QKD without changing the network structures. In fact, one can establish MDI-QKD among arbitrary users even after the entangled source have been distributed and all the measurements have been completed. Furthermore, following the multi-entanglement swapping scheme, the network can be extended into a large scale by adding shared multi-partite GHZ states.

We would like to remark that currently the efficiency was relatively low (seen from Figure 2). This can be overcome by taking optimization in network topology, basis selections, and measurements for both the auxiliary and communication parties, as well as considering asymmetric loss for various channels, etc., like techniques adopted in Ref. [47]. Any future improvement on distributing multipartite entanglement efficiently and effectively will definitely benefit the proposed scheme and push it forward practical applications.

Table A1

The correspondence between the POVM on state labeled k and the BSM result labeled by with auxiliary state labeled by .

State of System k^′	BSM Result on Systems kk^′	POVM on System k
|+〉	|ψ^−〉	|−〉〈−|/2
|−〉	|ψ^−〉	|+〉〈+|/2
|+〉	|ψ^+〉	|+〉〈+|/2
|−〉	|ψ^+〉	|−〉〈−|/2

Table A2

The equivalent BSM results of two communication users. Here, Bell denotes the post-selected Bell state from the GHZ source; BSM result 1(2) denotes the BSM results of the two relays nearby the communication users’ side; BSM denotes the results of corresponding BSM between two communication users.

Bell^A	BSM Result 1	BSM Result 2	BSM^C
|ϕ^+〉	|ψ^+〉	|ψ^+〉	|ϕ^+〉
|ϕ^+〉	|ψ^+〉	|ψ^−〉	|ϕ^−〉
|ϕ^+〉	|ψ^−〉	|ψ^+〉	|ϕ^−〉
|ϕ^+〉	|ψ^−〉	|ψ^−〉	|ϕ^+〉
|ϕ^−〉	|ψ^+〉	|ψ^+〉	|ϕ^−〉
|ϕ^−〉	|ψ^+〉	|ψ^−〉	|ϕ^+〉
|ϕ^−〉	|ψ^−〉	|ψ^+〉	|ϕ^+〉
|ϕ^−〉	|ψ^−〉	|ψ^−〉	|ϕ^−〉

Table A3

Flip table according to the preparation bases and the equivalent BSM result at communication users side.

Basis	|ϕ^+〉	|ϕ^−〉
Z-basis	No Flip	No Flip
X-basis	No Flip	Flip

Table A4

List of experimental parameters used for simulation. is the detection efficiency; is the misalignment-error probability of the system; is the dark count rate of the detector; f is error correction efficiency; is the intrinsic loss coefficient of the standard telecom fiber channel.

η_d	e_d	p_d	f	α(dB/km)
40%	2%	8×10^−8	1.16	0.2

Table A5

List of the parameters for the equivalent detectors. () denotes the equivalent detection efficiency for Z (X) basis, and  denotes the equivalent dark count.

ηd^′Z	ηd^′X	pd^′
8%	16%	6.4×10^−8