Measurement-device-independent quantum cryptographic conferencing with an untrusted source
Chen Rui-Ke1, 2, Bao Wan-Su1, 2, †, Wang Yang1, 2, Bao Hai-Ze1, 2, Zhou Chun1, 2, Jiang Mu-Sheng1, 2, Li Hong-Wei1, 2
Zhengzhou Information Science and Technology Institute, Zhengzhou 450001, China
Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China

 

† Corresponding author. E-mail: 2010thzz@sina.com

Abstract

The measurement-device-independent quantum cryptographic conferencing (MDI-QCC) protocol extends MDI quantum key distribution (MDI-QKD) to multi-party applications and provides a significant framework for practical multi-party quantum communication. To mitigate the experimental complexity of MDI-QCC and remove its key assumption (that the sources are trusted), we extend the framework of MDI-QKD with an untrusted source to MDI-QCC and give a rigorous security analysis of MDI-QCC with an untrusted source. Moreover, the security analysis provides a rigorous analytical method for parameter estimation, which with simple modifications can be applied not only to MDI-QKD with an untrusted source but also to arbitrary multi-party communication protocols with an untrusted source. The simulation results show that at reasonable distances the asymptotic key rates for the two cases (with trusted and untrusted sources) almost overlap, which indicates the feasibility of our protocol.

1. Introduction

Quantum communication has been developed over the past thirty years. One prominent communication protocol is quantum key distribution (QKD). [1] QKD allows two authorized parties, Alice and Bob, to share a secret key in the presence of an eavesdropper. QKD offers unconditional security guaranteed by the laws of quantum mechanics. [2–4] However, real-life imperfections of QKD devices create a gap between the theoretical and practical security of QKD, which compromises the security of QKD systems. To close this gap, device-independent QKD (DIQKD) [5–7] and semi-device-independent QKD (SDI-QKD) [8, 9] have been proposed. Unfortunately, the demonstration of these two protocols is still an extremely difficult challenge.

As we know, among the real-life imperfections, the defect in the detectors is a serious threat to the security. By exploiting the vulnerabilities of single-photon detectors, several specific attacks [10–17] have been successfully launched against practical QKD systems. Fortunately, measurement-device-independent QKD (MDI-QKD) [18, 19] has been proposed, which can remove all the possible loopholes in detection. Thereafter, MDI-QKD has drawn great interest in both theory [20–31] and experiment. [32–40]

All the protocols mentioned above are two-party protocols that distribute secret keys between two authorized parties. Multi-party quantum communication protocols [41, 42] have also been proposed, but all of them face the same constraints, i.e., the lack of a high-intensity source and of reliable remote distribution of the entangled states. Recently, two multi-party quantum communication protocols [43, 44] that incorporate MDI-QKD [18, 19] techniques have shown that practical MDI multi-party quantum communication is possible. These two protocols are not only immune to all detection-side attacks, but also require neither the preparation of high-fidelity entangled states (GHZ states or W states) in advance nor their remote distribution. Afterwards, a finite-key analysis of MDI quantum cryptographic conferencing (MDI-QCC) [43] was reported in Ref. [45].

However, just as in MDI-QKD systems, some major challenges still make the practical application of MDI-QCC [43, 44] experimentally difficult. Firstly, we assume there is no security loophole in the users’ frequency-locked lasers. Secondly, a complex time-synchronization system and feedback controls are essential in fiber communication. Thirdly, the MDI-QCC protocol also needs to ensure the indistinguishability of the particles from Alice, Bob, and Charlie. However, since the photons are prepared independently, it is difficult to meet this condition.

Recently, Xu [29] has proposed an MDI-QKD protocol with a single untrusted source and provided a complete security analysis. This protocol can overcome the analogous challenges mentioned above in MDI-QKD. It should be noted that in the decoy-analysis of MDI-QKD with an untrusted source, Xu uses the numerical method to study the precise parameters’ estimation and just presents a relatively simple analytical method.

In this paper, we extend the framework of MDI-QKD with an untrusted source to MDI-QCC and give a complete security analysis. Due to the bi-directional structure, the birefringence effects and polarization-dependent losses can be automatically compensated. With a single source, we can easily ensure the indistinguishability of the particles from different users. What is more, inspired by the security analysis for plug & play QKD, [46, 47] we give a rigorous analytical method for parameters’ estimation based on the actual photon number distribution of users’ output pulses.

2. MDI-QCC with an untrusted source

To extend the protocol of MDI-QKD with an untrusted source [29] to MDI-QCC, we clearly define the protocol of MDI-QCC with an untrusted source illustrated in Fig. 1. Here, we clarify the required assumptions for our protocol. First, we require that Alice’s, Bob’s, and Charlie’s laboratories are perfectly isolated, and their devices are independent. Second, Alice’s, Bob’s, and Charlie’s monitoring devices are trusted. The monitoring unit used in our protocol is realized by a standard optical filter and a classical intensity detector. So most of the attacks against single-photon detectors are ineffective. The security of the intensity detector has been studied in Ref. [48]. Then, the detailed description of our protocol is presented below.

Fig. 1 (color online) Schematic layout of the MDI-QCC with an untrusted source setup. An untrusted relay, David, generates bright laser pulses. They are split into three parts by two beam splitters (BS). Before entering Alice’s, Bob’s, and Charlie’s lab, the pulses will travel through the channel, which is fully controlled by Eve. In the lab, to ensure the single mode assumption for each signal, the pulses pass through an optical filter (F) first. After that, a monitoring unit, which consists of a BS and an intensity detector (ID), is needed to monitor the photon number distribution of the input pulse. Then, the input pulses pass through a phase modulator (PM) for phase randomization, a variable optical attenuator (VOA) and an encoder that consists of an intensity modulator (IM) and a PM. Finally, the pulses are reflected by a Faraday mirror (FM) and travel back to David who is supposed to perform a GHZ-state measurement. [43] The measurement can identify two of the eight GHZ states.

(i) State preparation and distribution. David, located in the middle node, generates bright pulses whose photon numbers are centered at . The bright pulses go through two beam splitters one after another and are split into three parts. Then, David sends them to Alice, Bob, and Charlie via two quantum channels. In this paper, we assume a fiber-based channel model.

(ii) Monitoring and encoding. The pulses sent by David suffer the whole channel loss and then enter Alice’s, Bob’s, and Charlie’s lab. In the lab, to remove side-channels and ensure that only pulses of the desired mode can pass through, we place an optical filter working in spectral, spatial, and temporal domains. Accordingly, the single mode assumption for each pulse holds. Then, the pulses go through a monitoring unit which consists of a beam splitter and an intensity monitor. The monitoring unit is used to estimate the photon number of input pulses. [29] After the monitoring unit, the pulses go through a phase modulator used to apply the phase randomization on each pulse. The randomization is used to disentangle the input pulse into a classical mixture of Fock states, which is also the foundation of our security analysis. Then, the input pulses are encoded by an encoder which consists of a phase modulator (PM) and an intensity modulator (IM). After that, the pulses are reflected by a Faraday mirror (FM).

(iii) Measurement. The reflected pulses are attenuated to the single-photon level by a variable optical attenuator. We denote the internal transmittance of Alice’s, Bob’s, and Charlie’s labs as , where the superscript are the intensity settings chosen by Alice, Bob, and Charlie, and the subscripts refer to Alice, Bob, and Charlie respectively. Then, the attenuated pulses retransmit through the same optical fiber to David. David is supposed to perform a GHZ-state measurement which can identify two of the eight GHZ states, that is, and .

(iv) Sifting. David reveals which GHZ state he has obtained. Meanwhile, Alice, Bob, and Charlie broadcast the intensity settings and post-select the events where they use the same basis via an authenticated channel.

(v) Parameter estimation. The data of Z basis are used to generate the cryptographic conferencing keys, while the data of X basis are used entirely to estimate errors. Alice, Bob, and Charlie estimate the gain and quantum bit error rate of single-photon pulses of untagged pulses with the decoy state method.

(vi) Post processing. Firstly, Alice, Bob, and Charlie apply the error correction to ensure that they share a string of identical keys. Secondly, to make the leakage of information on keys as little as possible, they apply the privacy amplification to extract the secret key.

Here, in order to post-select GHZ states among Alice, Bob, and Charlie, we need to ensure the mode matching of their pulses. Since we use plug-and-play architecture in our protocol, the polarization drift can be automatically compensated, and the spectral modes of these pulses are naturally identical. So the only measure we need to take is to actively control the arrival timing of the pulses.

3. Properties of untagged pulses

In the framework presented in Section 2, the source is placed in the middle node, so we can consider the source to be controlled by Eve. To enhance the security of our protocol, we place an optical filter and a phase modulator in each user’s lab to ensure the single mode assumption and phase randomization on each input pulse, respectively. In addition, the monitoring unit in each user’s lab is used to test the photon numbers of the input pulses. In order to estimate the bounds of output pulses, we focus on the input pulses whose photon numbers are concentrated in a relatively narrow range.

Following Ref. [29], we divide the input pulses into two categories according to the photon numbers: untagged input pulses with photon number , and tagged input pulses with photon number or , where the subscript denotes which users (Alice, Bob, or Charlie) the pulses belong to. is a small positive real number, chosen in advance by Alice, Bob, and Charlie. is a large positive integer denoted as the average of the photon numbers of the input pulses. For a specific user (Alice, Bob, or Charlie), these parameters can be denoted as , , or .

The conditional probability that photons are emitted by Alice (Bob, Charlie) given that photons entering Alice’s (Bob’s, Charlie’s) device obeys a binomial distribution as

(1)
where are the internal transmittance of Alice’s, Bob’s, and Charlie’s labs when their intensity settings are , respectively, and q is the splitting ratio of the beam splitter in Alice’s, Bob’s, and Charlie’s monitoring units.

For untagged pulses, we can show that the upper bound and lower bound of are

(2)
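The bounding step described above can be checked numerically. The following is an added illustration, not code from the paper: it takes the binomial model of Eq. (1) with a single per-photon survival probability `xi` (an assumed name; how the internal transmittance and q combine into it is not reproduced here), assumes the untagged window is the integers in [(1 − delta)·M, (1 + delta)·M], and finds the extrema of the conditional probability by brute force rather than from a closed form. All sample values are constructed.

```python
# Added illustration (not the paper's code): brute-force bounds on the output
# photon-number distribution of untagged pulses.
import math


def p_out_given_in(n, m, xi):
    """Binomial probability that n photons leave a lab when m photons entered.

    xi (assumed name) is the per-photon probability of surviving the lab.
    """
    if not 0.0 < xi < 1.0:
        raise ValueError("xi must lie strictly between 0 and 1")
    if n < 0 or n > m:
        return 0.0
    # Log space keeps the evaluation stable for m of order 1e6.
    log_p = (math.lgamma(m + 1) - math.lgamma(n + 1) - math.lgamma(m - n + 1)
             + n * math.log(xi) + (m - n) * math.log1p(-xi))
    return math.exp(log_p)


def untagged_window(M, delta):
    """Integer input photon numbers counted as untagged (assumed window)."""
    return math.ceil((1 - delta) * M), math.floor((1 + delta) * M)


def bounds_over_window(n, M, delta, xi):
    """Return ((lower, m_at_lower), (upper, m_at_upper)) for P(n | m)."""
    lo, hi = untagged_window(M, delta)
    # Eve may pick any m inside the window, so every value is examined.
    probs = {m: p_out_given_in(n, m, xi) for m in range(lo, hi + 1)}
    m_low = min(probs, key=probs.get)
    m_high = max(probs, key=probs.get)
    return (probs[m_low], m_low), (probs[m_high], m_high)


def relative_spread(n, M, delta, xi):
    """Width of the [lower, upper] interval relative to P(n | M)."""
    (lower, _), (upper, _) = bounds_over_window(n, M, delta, xi)
    return (upper - lower) / p_out_given_in(n, M, xi)


# Constructed sample values, not taken from the paper's Table 1.
M_SAMPLE = 1_000_000          # mean input photon number
DELTA_SAMPLE = 0.01           # half-width of the untagged window
XI_SAMPLE = 0.5 / M_SAMPLE    # gives a mean output photon number of 0.5

if __name__ == "__main__":
    for n in (0, 1, 2):
        (lower, m_low), (upper, m_high) = bounds_over_window(
            n, M_SAMPLE, DELTA_SAMPLE, XI_SAMPLE)
        spread = relative_spread(n, M_SAMPLE, DELTA_SAMPLE, XI_SAMPLE)
        print(f"n={n}: {lower:.6e} (m={m_low}) <= P(n|m) <= "
              f"{upper:.6e} (m={m_high}), relative spread {spread:.4f}")
```

With these sample values the bounds for n = 0 and n = 1 are about 1 % apart and those for n = 2 about 3 % apart, so the window half-width chosen by the users directly sets how loose the constraints passed to the decoy-state analysis become.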

In practice, quantum non-demolition (QND) measurements on photon number of the input pulses are not feasible with current technology. Thus Alice, Bob, and Charlie do not know the exact photon number of each input pulse. They can only measure the overall gain and the overall quantum bit error rate (QBER) , and cannot get the gain Q and the QBER EQ of the untagged pulses directly. However, as in the description of the protocol presented in Section 2, Alice, Bob, and Charlie can use a monitoring unit to sample the input pulses to acquire information about the photon number distribution. From Ref. [29], with this information, Alice, Bob, and Charlie know that at least , , and pulses are untagged with high confidence, where k denotes the number of pulses sent by David and denotes the probability that a certain sampling pulse of Alice (Bob, Charlie) belongs to untagged pulses in the asymptotic case. In the asymptotic case, . The calculating methods of are totally presented in Ref. [29], which have been elided here for brevity.

Then Alice, Bob, and Charlie can estimate the upper bounds and the lower bounds of the gain Q and the QBER EQ of the untagged pulses. The upper bound and lower bound of Q are given by

(3)

The upper bound and lower bound of EQ are given by

(4)

4. Security analysis

If the source is trusted, Eve only knows the output photon number of each pulse. This draws out the basic assumption of previous decoy state analysis of MDI-QCC, that is,

where the subscript denotes that the photon numbers of the output pulses of Alice, Bob, and Charlie are , respectively.

However, if the source is untrusted, the assumption above no longer holds. Because both the source and channel are controlled by Eve, Eve not only knows the output photon number , but also knows the input photon number . In this case, and . Considering and jointly, we can find that

where the subscript denotes that the photon numbers of the input pulses and the output pulses of Alice, Bob, and Charlie are and , respectively.

In this case, the rigorous decoy-state analysis for MDI-QCC with untrusted source becomes much more difficult and complicated. Fortunately, since we focus on the gain and the QBER of the untagged pulses whose photon numbers are concentrated within a narrow range, the unconditional security of our protocol can still be achieved quantitatively and rigorously. By performing the measurements for different intensity settings, we can obtain

(5)
(6)
where denotes the joint probability that the input (output) photon numbers of Alice, Bob, and Charlie are , respectively; denotes that Alice, Bob, and Charlie choose the same basis (X or Z). According to the multiplication theorems on probability, we have , where denotes the joint probability that Alice’s, Bob’s, and Charlie’s input pulses contain photons, and denotes the conditional probability that photons are emitted by Alice, Bob, and Charlie given that photons enter Alice’s, Bob’s, and Charlie’s devices. So, Eqs. (5) and (6) can be written as
(7)
(8)

Because the events that photons are emitted by Alice (Bob, Charlie) given that photons have entered Alice’s (Bob’s, Charlie’s) device are independent, we have

Thus, equations (7) and (8) can be written as
(9)
(10)

4.1. The gain of single-photon pulses of untagged pulses

To estimate the gain of single-photon pulses of untagged pulses, we have to solve Eq. (9) under the constraints of the binomial probability distributions given by Eq. (2). From the proof in Appendix A, the lower bound of $Q_Z^{111}$ in untagged pulses is given by

where $Q_Z^{uuu}$ ($Q_Z^{vvv}$, $Q_Z^{000}$) are the gain of single-photon pulses of untagged pulses when Alice, Bob, and Charlie choose the signal state (the decoy state, the vacuum state) simultaneously, and their bounds can be estimated from Eq. (3). Then,
(11)
where and are defined by Eq. (2). We have , , , , , and , where , , , , , and are defined by Eq. (2).

4.2. The error rate of single-photon pulse of untagged pulses

To estimate the error rate of single-photon pulses of untagged pulses, we have to solve Eq. (10) under the constraints of the binomial probability distributions given by Eq. (2). From the proof in Appendix B, the upper bound of $e_X^{111}$ in untagged pulses is given by

where are the error rate of single-photon pulse of untagged pulses when Alice’s, Bob’s, and Charlie’s intensity settings are respectively, and their bounds can be estimated from Eq. (4). and are defined by Eq. (2).

4.3. Secret key rate

We analyze the behavior of the secret key rate of MDI-QCC with an untrusted source such that

where $Q_Z^{uuu}$ ($E_Z^{uuu}$) is the gain (the total quantum bit error rate) of Z basis when Alice, Bob, and Charlie use signal states, which can be directly obtained from the experimental results; is the lower bound of the gain that Alice sends out vacuum state in Z basis, given that Alice, Bob, and Charlie all send states in untagged pulses; and are the lower bound of the gain in the Z basis and the upper bound of the error rate in the X basis, given that Alice, Bob, and Charlie all send single-photon states in untagged pulses.

5. Numerical simulation

By assuming a fiber-based channel model, we numerically show the performance of our protocol in the asymptotic case in comparison with Ref. [43] (the case with trusted sources). The experimental parameters for simulation are listed in Table 1.

Table 1

List of experimental parameters for simulations: and are the detection efficiency and the dark-count rate of David’s single photon detectors, represents the overall misalignment-error probability of the system, [43] and are the efficiency and the noise of intensity detector, q is the beam-splitter ratio, [29] α is the loss coefficient of the fiber, and f is the error-correction efficiency.


In Fig. 2, we consider the imperfections of the intensity monitor in implementation [29] and present the numerical simulation of secret-key rates with different values of , which is the average photon number per pulse at the source in the middle node. In the simulation, we consider two decoy state (weak+vacuum) protocols. Specifically, the intensity of one decoy state is 0.01 and the other decoy state is a vacuum state, while the signal state is optimized for different distances. Since can significantly affect the performance of the protocol, [46, 47] we optimize for different distances.

Fig. 2 (color online) Secret key rate versus fiber length with different values of . The red dashed curve denotes the asymptotic secret key rate with trusted source in Ref. [43]. At short distance, the asymptotic key rates for the two cases (with trusted and untrusted sources) almost overlap. With and considering the imperfections of intensity detector, MDI-QCC with an untrusted source can achieve the nonzero asymptotic secret key rate in long distance approximating to 105 km.

The simulation results show that the secret key rates of our protocol (the MDI-QCC with an untrusted source) and of the case with trusted sources [43] are neck and neck at short distances. However, at long distances the secret key rates of our protocol reduce significantly. The reason is that, due to the bi-directional structure, bright pulses sent by David will suffer the whole channel loss. This means that as the distances increase, fewer photons per pulse arrive at Alice’s, Bob’s, and Charlie’s labs, which leads to the increase of .

Moreover, from Eqs. (3) and (4), we know the estimation of the gain of the untagged pulses is sensitive to the value of which affects the performance directly. This influence is much greater than that in Refs. [29, 46], and [47]. Because MDI-QCC is a multi-party protocol, the influence on will affect the parameter estimation of the untagged pulses together. In other words, the influence on each party accumulates.

6. Conclusion

We extend the framework of MDI-QKD with an untrusted source [29] to MDI-QCC and give the rigorous security analysis of MDI-QCC with an untrusted source. The protocol of MDI-QCC with an untrusted source utilizes the bi-directional structure and can certainly mitigate the experimental complexity of MDI-QCC. What is more, inspired by the security analysis for plug & play QKD, [46, 47] we clearly provide a rigorous analytical method for parameter estimation based on the actual photon number distribution of users’ output pulses. With simple modifications, our analytical method can be applied not only to MDI-QKD with an untrusted source, but also to arbitrary multi-party communication protocols with an untrusted source. To some extent, our work can be an important step towards practical application for quantum networks.

The numerical simulation results show that we can achieve the nonzero asymptotic secret key rate over reasonable distances, and the secret key rates for our protocol and the case with trusted source almost overlap at short distances. Importantly, our framework and security analysis can be extended to arbitrary multi-party communication not merely confined to three parties and can also be applied to MDI-QSS [43] protocol and MDI-QCC protocol using W-state. [44] To make the protocol of MDI-QCC with an untrusted source more practical, it is necessary to settle the remaining practical issues, such as the source flaws and the imperfections in the electronics of the classical intensity detector.

References
[1] Bennett C H Brassard G 1984 Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India pp. 175–179
[2] Lo H K Chau H F 1999 Science 283 2050
[3] Shor P W Preskill J 2000 Phys. Rev. Lett. 85 441
[4] Mayers D 2001 J. ACM 48 351
[5] Acín A Brunner N Gisin N Massar S Pironio S Scarani V 2007 Phys. Rev. Lett. 98 230501
[6] Masanes L Pironio S Acín A 2011 Nat. Commun. 2 238
[7] Pironio S Masanes Ll Leverrier A Acín A 2013 Phys. Rev. X 3 031007
[8] Pawłowski M Brunner N 2011 Phys. Rev. A 84 010302
[9] Wang Y Bao W S Li H W Zhou C Li Y 2014 Chin. Phys. B 23 080303
[10] Qi B Fung C H F Lo H K Ma X 2007 Quantum Inf. Comput. 7 73
[11] Zhao Y Fung C H F Qi B Chen C Lo H K 2008 Phys. Rev. A 78 042333
[12] Lydersen L Wiechers C Wittmann C Elser D Skaar J Makarov V 2010 Nat. Photonics 4 686
[13] Gerhardt I Liu Q Lamas-Linares A Skaar J Kurtsiefer C Makarov V 2011 Nat. Commun. 2 349
[14] Jain N Wittmann C Lydersen L Wiechers C Elser D Marquardt C Makarov V Leuchs G 2011 Phys. Rev. Lett. 107 110501
[15] Jiang M S Sun S H Tang G Z Ma X C Li C Y Liang L M 2013 Phys. Rev. A 88 062335
[16] Tanner M G Makarov V Hadfield R H 2014 Opt. Express 22 6734
[17] Bugge A N Sauge S Ghazali A M M Skaar J Lydersen L Makarov V 2014 Phys. Rev. Lett. 112 070503
[18] Braunstein S L Pirandola S 2012 Phys. Rev. Lett. 108 130502
[19] Lo H K Curty M Qi B 2012 Phys. Rev. Lett. 108 130503
[20] Tamaki K Lo H K Fung C H F Qi B 2012 Phys. Rev. A 85 042307
[21] Ma X Razavi M 2012 Phys. Rev. A 86 062319
[22] Wang X B 2013 Phys. Rev. A 87 012320
[23] Xu F Curty M Qi B Lo H K 2013 New J. Phys. 15 113007
[24] Zhou C Bao W S Chen W Li H W Yin Z Q Wang Y Han Z F 2013 Phys. Rev. A 88 052333
[25] Wang Q Wang X B 2013 Phys. Rev. A 88 052332
[26] Curty M Xu F Cui W Lim C C W Tamaki K Lo H K 2014 Nat. Commun. 5 3732
[27] Yin Z Q Fung C H F Ma X Zhang C M Li H W Chen W Wang S Guo G C Han Z F 2014 Phys. Rev. A 90 052319
[28] Zhou C Bao W S Zhang H L Li H W Wang Y Li Y Wang X 2015 Phys. Rev. A 91 022313
[29] Xu F 2015 Phys. Rev. A 92 012333
[30] Dong C Sun Y Zhao S H 2015 Acta Phys. Sin. 64 140304 (in Chinese)
[31] Wang L Zhao S M Gong L Y Cheng W W 2015 Chin. Phys. B 24 120307
[32] Rubenok A Slater J A Chan P Lucio-Martinez I Tittel W 2013 Phys. Rev. Lett. 111 130501
[33] Liu Y Chen T Y Wang L J Liang H Shentu G L Wang J Cui K Yin H L Liu N L Li L Ma X Pelc J S Fejer M M Peng C Z Zhang Q Pan J W 2013 Phys. Rev. Lett. 111 130502
[34] Tang Z Liao Z Xu F Qi B Qian L Lo H K 2014 Phys. Rev. Lett. 112 190503
[35] Tang Y L Yin H L Chen S J Liu Y Zhang W J Jiang X Zhang L Wang J You L X Guan J Y Yang D X Wang Z Liang H Zhang Z Zhou N Ma X Chen T Y Zhang Q Pan J W 2014 Phys. Rev. Lett. 113 190501
[36] Pirandola S Ottaviani C Spedalieri G Weedbrook C Braunstein S L Lloyd S Gehring T Jacobsen C S Andersen U L 2015 Nat. Photonics 9 397
[37] Tang Y L Yin H L Zhao Q Liu H Sun X X Huang M Q Zhang W J Chen S J Zhang L You L X Wang Z Liu Y Lu C Y Jiang X Ma X Zhang Q Chen T Y Pan J W 2016 Phys. Rev. X 6 011024
[38] Comandar L C Lucamarini M Fröhlich B Dynes J F Sharpe A W Tam S W B Yuan Z L Penty R V Shields A J 2016 Nat. Photonics 10 312
[39] Wang C Song X T Yin Z Q Wang S Chen W Zhang C M Guo G C Han Z F 2015 Phys. Rev. Lett. 115 160502
[40] Yin H L Chen T Y Yu Z W Liu H You L X Zhou Y H Chen S J Mao Y Huang M Q Zhang W J Chen H Li M J Nolan D Zhou F Jiang X Wang Z Zhang Q Wang X B Pan J W 2016 Phys. Rev. Lett. 117 190501
[41] Bose S Vedral V Knight P L 1998 Phys. Rev. A 57 822
[42] Chen K Lo H K 2007 Quantum Inf. Comput. 7 689
[43] Fu Y Yin H L Chen T Y Chen Z B 2015 Phys. Rev. Lett. 114 090501
[44] Zhu C Xu F Pei C 2015 Sci. Rep. 5 17449
[45] Chen R K Bao W S Wang Y Bao H Z Zhou C Li H W 2016 Opt. Express 24 6594
[46] Zhao Y Qi B Lo H K 2008 Phys. Rev. A 77 052327
[47] Zhao Y Qi B Lo H K Qian L 2010 New J. Phys. 12 023024
[48] Sajeed S Radchenko I Kaiser S Bourgoin J P Pappa A Monat L Legré M Makarov V 2015 Phys. Rev. A 91 032326