† Corresponding author. E-mail:
Project supported by the Fund from the State Key Laboratory of Information Photonics and Optical Communications (Beijing University of Posts and Telecommunications) (Grant No. IPOC2017ZT0).
In this paper, we propose a scheme for a passive round-robin differential-phase-shift quantum key distribution (RRDPS-QKD) set-up based on the principle of Hong–Ou–Mandel interference. Our scheme requires the two legitimate parties to prepare their signal states with two different non-orthogonal bases instead of the single basis used in the original protocol. Incorporating this characteristic, we establish the level of security of our protocol under the intercept-resend attack and demonstrate its detector-flaw-immune feature. Furthermore, we show that our scheme not only inherits the merit of better tolerance of bit errors and finite-sized-key effects but can also be implemented using hardware similar to that of measurement-device-independent QKD (MDI-QKD). This ensures good compatibility with the quantum systems in common use today.
Quantum key distribution (QKD) systems enable two legitimate parties (commonly named Alice and Bob) to share secret keys in an information-theoretically secure way. Since the conception of the first such protocol, i.e., the Bennett–Brassard 1984 protocol (BB84),[1] QKD has attracted significant attention worldwide, and many similar protocols and experiments have been presented.[2–13] However, these protocols inherently rely on the original version of the Heisenberg uncertainty principle, which dictates that the greater the amount of information obtained by Eve, the greater the disturbance she causes to the signal.[14–17] The amount of leaked key information, which is quantified by the phase error eph, can be deduced from the channel disturbance, which in turn is quantified by the bit error ebit. However, this leads to a fundamental limitation on the error rate in conventional QKD protocols. For example, in the BB84 protocol, which is equipped with strong symmetries, the phase error rate can be estimated by the bit error rate, i.e., eph = ebit. In the extreme case, where the bit flip error ebit ≥ 11%, no secure key can be generated. In other protocols, there normally exists a relationship between the two error rates; as a result, upper bounds on the error rate thresholds generally exist.[18] This enforces a stringent requirement on the environment of the system, rendering certain issues of practical implementation challenging.
Recently, a new approach known as round-robin differential-phase-shift (RRDPS) QKD[19] and its alternative scheme[20,21] were proposed. The cost of privacy amplification in this protocol is estimated without any monitoring and depends exclusively on the state prepared by Alice, such as the number of sequential pulses (L) and the number of photons (N) in the L-pulse signal. This distinctive property gives the protocol a better tolerance against bit errors and finite-length effects. In theory, by maintaining a large enough value of L, the scheme can tolerate a bit error rate of up to 50%. However, realistic experimental apparatus, which is not strictly ideal, poses a serious and non-trivial threat to the security of these protocols, as an eavesdropper (denoted Eve) may exploit loopholes caused by imperfections in the apparatus. Recently, it has been proved that the RRDPS-QKD protocol is vulnerable when equipped with practical detectors,[22,23] owing to the differences between the theoretical and practical models. Here, we present a new RRDQPS-QKD scheme, in which Alice and Bob prepare their own states by using the X or Y basis independently, after which Bob uses a Hong–Ou–Mandel (HOM) type interference set-up to read the detected events with their time slots, and subsequently broadcasts this information to Alice. Finally, they can calculate the secure key by using this detection information. Since the clicks of the detectors are publicly announced, our scheme is immune to all attacks against detectors. However, it cannot exclude all security assumptions about the measurement device, because the original protocol theoretically requires that Bob can arbitrarily choose between an actual and an alternative measurement process.
In the following paragraphs, we describe a setup of our scheme as depicted in Fig.
Since Alice and Bob can share a secure key successfully only when they use identical bases to encode the corresponding states, we consider, for simplicity, only the situation in which the X basis is chosen, i.e., aai = abj = 0. The common random phase δp cannot influence the response of the detectors, so this term is omitted from the following discussion. After the interference caused by the beam splitter (BS), which replaces
For performing the security analysis, we consider an alternative measurement model executed by Bob, as shown in Fig.
We can prove this procedure to be equivalent to our protocol depicted in Fig.
Hence, the equivalence between the two measurement methods shown in Fig.
To calculate the rate of secure key generation, we need to know two important parameters: the bit error rate and the phase error rate. The bit error rate can be obtained directly from the experiment, so we only need to estimate the phase error rate, which is used to quantify the information disclosed to Eve.
Moreover, we need to consider an entanglement-based virtual procedure performed by Alice, in which she encodes her signal state by preparing an L-pulse state |Ψ⟩ and L ancillary qubits
The security analysis above is based on an ideal single-photon source. However, most experimental implementations of QKD protocols are based on weak coherent sources that have photon statistics given by the Poisson distribution. It is well known that a weak coherent source with multiple decoy intensities can be used to overcome the photon-number-splitting (PNS) attack against multiphoton pulses and achieve secret key rates similar to those of an ideal single-photon source.[24] It has been proved that the decoy technique can be applied to the RRDPS-QKD protocol;[25,26] we will develop our scheme based on the decoy state in future work. Below we estimate the information leaked to Eve because of the multiphoton pulses.
Considering the weak-coherent-source scenario, we follow the method introduced in a previous report[20] since our work is based on the same model. In this scenario, multiphoton components may exist in both Alice’s and Bob’s respective pulse trains. We assume that Bob randomly chooses two detected positions i and j when he receives two or more detector clicks in a block. To estimate the phase error rate, we consider the mean photon number of Alice’s L-pulse train and Bob’s L-pulse train to be both v, and set a proper mean photon number threshold vth with a probability Pr (v > vth) ≤ esrc, where vth is an integer satisfying vth < (L − 1)/2, and esrc is a constant. The phase error rate can be deduced by considering separately each of the following four cases for events corresponding to one detector click in each of the two pulses.
(i) v ≤ vth, and two clicks are one from Alice and one from Bob;
(ii) v ≤ vth and two clicks are both from Alice or both from Bob;
(iii) v > vth;
(iv) The event where at least one of the clicks is caused by more than one photon, in which case the first three cases are excluded.
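The threshold condition Pr (v > vth) ≤ esrc with vth < (L − 1)/2 can be made concrete with a short calculation. The following Python sketch is an added example, not code from the paper: it assumes the photon number of an L-pulse train is Poisson distributed, as the text states for a phase-randomized weak coherent source, and it uses the bound esrc/Q that the text assigns to the tagged rounds with v > vth. The function names and the numerical inputs (mean 0.1, L = 32 or 8, target 1e-6, gain 1e-3) are constructed for illustration.

```python
import math

def poisson_tail(mean_photons, k):
    """Pr(N > k) for N ~ Poisson(mean_photons).

    The tail is summed term by term (instead of 1 - CDF) so that very
    small values of e_src are not lost to floating-point cancellation.
    """
    if mean_photons <= 0:
        return 0.0
    n = k + 1
    term = math.exp(-mean_photons + n * math.log(mean_photons) - math.lgamma(n + 1))
    total = 0.0
    while term > total * 1e-17:
        total += term
        n += 1
        term *= mean_photons / n
    return total

def choose_threshold(mean_photons, L, e_src_target):
    """Smallest integer v_th with Pr(N > v_th) <= e_src_target and v_th < (L - 1)/2.

    Returns (v_th, e_src), or None when the block length L is too short
    for any admissible threshold to meet the target.
    """
    v_th = 0
    while v_th < (L - 1) / 2:
        e_src = poisson_tail(mean_photons, v_th)
        if e_src <= e_src_target:
            return v_th, e_src
        v_th += 1
    return None

def tagged_fraction(e_src, gain_q):
    """Upper bound e_src/Q on the share of detected rounds treated as fully leaked."""
    return min(1.0, e_src / gain_q)

if __name__ == "__main__":
    # Constructed inputs: mean photon number per train, block lengths, target, gain.
    for L in (32, 8):
        result = choose_threshold(0.1, L, 1e-6)
        if result is None:
            print(f"L={L}: no v_th < (L-1)/2 meets the target")
        else:
            v_th, e_src = result
            print(f"L={L}: v_th={v_th}, e_src={e_src:.3e}, "
                  f"tagged<={tagged_fraction(e_src, 1e-3):.3e}")
```

With these constructed inputs the short block (L = 8) admits no valid threshold, which shows how the constraint vth < (L − 1)/2 ties the source intensity to the block length.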
The first case contributes most of the final secure key, and its phase error rate is equal to the one corresponding to the single-photon protocol. For the second case, without loss of generality, we assume that the two photons are both from Alice; then the response of the detector will be
When the overall phase is randomized, it has been shown that the state of the whole pulse train can be described by a statistical mixture of Fock states, whose photon number follows a Poisson distribution.[27] Thus, in principle, Alice can tag each of the rounds with v > vth,[28] and we assume that this tagged portion, at most esrc/Q, is fully leaked to Eve, where Q represents the overall gain. As for the fourth case, to present the worst-case estimate, we suppose that all these events also contribute to the maximal phase error. According to the fair sampling assumption, as deduced in Ref. [20], the probability of occurrence of this case is
In the original protocol, it is assumed that Bob’s detectors are independent of Eve, that they cannot leak information to Eve, and that they cannot be controlled by Eve. However, this assumption is unsustainable in practical applications. When the weak coherent source is used, detectors may be controlled by Fred depicted in Fig.
Our scheme can remove the assumptions on the detector that are required in the original protocol. The detectors in our scheme can be completely controlled by Eve, and the information about the detector clicks is allowed to be revealed to Eve. Thus, the detector parts can be regarded as a “Black Box” for Alice and Bob. As we can see, Eve’s main purpose in the attacks shown above is to obtain information about the click positions of the detectors; for example, in the attack scheme proposed in Ref. [22], Fred, who controls the detector’s clicks, can announce filtered (i, j) pairs, which are known by Bob in advance. However, the specific detection results are also required to be published in our protocol. Since Eve may not know the encoding information of Bob’s signal pulses, these attack schemes cannot work effectively in our protocol, where the secure key is generated according to the specific detector responses and the states are prepared by the legitimate parties. Hence, our protocol is effectively immune to all attacks against the detector. Furthermore, the signal states are encoded with two non-orthogonal bases, so Eve cannot identify the transmitted signal entirely. This characteristic further enhances the security of our scheme.
In fact, the model of our scheme is similar to that of the MDI-QKD protocol: Alice and Bob need to prepare their states independently, and the encoded states are then transmitted to the untrusted party, named Charlie. However, it is noted that the security of the original RRDPS-QKD protocol is ensured by the principle of information causality and complementarity, which suggests that Bob is required to switch the measurement procedures depicted between Fig.
In order to examine the performance of our scheme, we calculated the secure key generation rate based on the following model and the parameter for simulation[32] listed in Table
In Fig.
So far, we have described a new passive RRDQPS protocol with untrusted detectors. According to the simulation results, our protocol can cover a transmission distance of over 60 km when the error rate ebit > 17%, while no secure key can be generated under such a high bit error rate for a conventional BB84 protocol. Since the random delay r = |j − i| is passively generated in our scheme, the parameter L can be decided during the postprocessing step, which is an advantage when there are large fluctuations in the environment. By contrast, the pulse train length L in the original scheme needs to be optimized before performing the experiment, which requires a precise calibration system. Furthermore, two non-orthogonal bases are used for encoding to enhance the security of our protocol. Thus, our scheme is more efficient and secure compared to the original RRDPS-QKD protocol. We note that our analysis is limited to the case in which Eve performs the intercept-resend attack; proving a stricter bound on the phase error rate under the general attack remains for future work. In this simulation, the parameters are only partially optimized, and we believe our scheme will exhibit better performance when a full parameter optimization is considered in future work.
The decoy-state technique has recently been studied in the RRDPS-QKD protocol,[25,26] and the error rate has been taken into account to improve the rate of secure key generation for small values of L.[35,36] It will be an interesting exercise to combine these novel works to test the performance of the proposed scheme in a more practical situation. It is noted that an MDI-RRDPS-QKD protocol has been proposed by Chau et al.[37] However, their protocol requires photon-number-resolving detectors, which is infeasible with current technology. We believe our scheme will contribute significantly to the formulation of a feasible MDI version of RRDPS-QKD and its practical applications. Furthermore, our scheme can be implemented with hardware similar to that of MDI-QKD, ensuring good compatibility with current quantum systems.