Practical semi-quantum key distribution with one-way key and one basis

Ke Wang; Xiu-Qing Yang; Xiu-Qing Yang; Ting-Yu Li; Ya-Qian Lin; Na Hai; Zhen-Qiang Yin; Zhen-Qiang Yin

doi:10.1364/OE.506256

1. Introduction

Quantum key distribution (QKD) [1,2] can distribute secret keys between legitimate parties based on the laws of quantum physics. The QKD protocols have attracted much attention and can be used in fiber sensing fields [3,4]. Recently, the twin-field QKD requiring phase sensitive single-photon interference has been implemented over a long distance and can be used for remote sensing of the channel vibration [5,6]. In a typical QKD protocol, a sender Alice transmits single-photons of $Z$ basis (rectangular basis) or $X$ basis (diagonal basis) to a receiver Bob, who performs measurements with $Z$ basis or $X$ basis. The encoding bit can be got when both Alice and Bob have chosen the $Z$ basis. The amount of information of the shared key leaked to Eve can be quantified by bit errors of the $X$ basis. In practice, reference frame alignment is required to ensure the system stability and high key rates. Alternatively, reference-frame-independent QKD (RFI-QKD) [7–9] avoids the problem of the active calibration of reference frames.

Nevertheless, Eve may crack practical QKD systems by exploiting device imperfections despite the proven security in theory. All possible detector side-channel attacks have been removed by the measurement-device-independent QKD (MDI-QKD) [10]. High-speed MDI-QKD with integrated silicon photonics has been implemented [11]. Particularly, a silicon-based light source that relies on well-established fabrication techniques [12] is well suitable for on-chip photonic QKD components. Meanwhile, imperfect sources become the main bottlenecks for the application of QKD. Now, we need to consider all source imperfections [13,14], such as multi-photon states, state preparation flaws, side channels caused by mode dependence, the Trojan horse attack and pulse correlations, resulting in the performance degradation of the QKD system. In particular, the imperfect source significantly limits the performance of RFI-QKD, which is a three-basis protocol. Evidently, the more states that Alice and Bob prepare, the more difficulty there has been in security.

In 2007, Boyer et al. proposed a semi-quantum key distribution (SQKD) protocol [15], which limits one party to be the classical one and may still achieve communication with information-theoretic security. The quantum party can perform the preparation and measurement of qubits in any basis form, while the classical party has only some classical capabilities in the physical sense, and can only use a set of orthogonal bases to measure and prepare quantum states [16]. For the SQKD protocol, there are two operations can be chosen by the classical party Alice: CTRL and SIFT. The CTRL operation means to return the photon to the quantum party Bob, while SIFT is commonly done as follows: Alice measures the incoming photon in the $Z$ basis $\left \{ {0,1} \right \}$ and resends the photon according to the measurement results. In 2009, SQKD schemes with fewer quantum states were proposed to reduce the difficulty in preparing quantum states [17]. However, the regenerated photon cannot be the same as the original one, which would make the systems vulnerable to the attack using the tagged method [18]. Fortunately, the Mirror protocol [19] based on single-state SQKD has been proposed, making a proof-of-principle demonstration currently feasible.

However, the existing SQKD protocol relies on a two-way quantum channel. Normally, Alice transmits optical pulses to Bob via the quantum channel. Bob encodes the pulses and then sends them to Alice to complete the information transfer. There has been substantial difficulty in security in practical two-way QKD systems. It seems that Eve may seek more side-channel attacks in two-way QKD compared to the one-way communication, which has been referred to as Trojan horse attacks [20]. It is natural to ask whether the Trojan horse attack could be extended to SQKD which has the same framework as two-way QKD. We note that Eve may crack SQKD based on the Mirror protocol with time-phase encoding [21]. For the qubit state $\left | {{\varphi _ + }} \right \rangle = \left ( {\left | {10} \right \rangle + \left | {01} \right \rangle } \right )/\sqrt 2$ from Bob, Alice randomly selects "SWAP-x-Z" ($x \in \left \{ {01,10} \right \}$), "SWAP-ALL", or "CTRL-X". In the "SWAP-x-Z", Alice randomly modulates the intensity of one of the pulses to zero using an intensity modulator and returns the state $\left | {01} \right \rangle$ or $\left | {10} \right \rangle$ to Bob to encode her bit information in the $Z$ basis. Since qubits are transmitted forward or backward through the channel, an eavesdropper can send her own state and measure the reflected state to estimate the key. When Alice declares "SWAP-x", Eve can determine which pulse will be reflected based on two different time windows. In particular, the invisible photons and delayed photons sent by Eve cannot be effectively detected, if the detector is not trusted [22–24]. As a result, the SQKD is in fact insecure against such attacks.

Normally, QKD requires that state preparation processes are characterized and trusted. Is there a potential advantage in security for the SQKD with fewer quantum states? While recent works [25–28] have proven the robustness and security of SQKD, it does not appear to be any achievability results resolving the question of whether SQKD with fewer quantum states provides an advantage of being secure against imperfect source. In this paper, we focus on improving the performance of SQKD in practicability. We propose an SQKD protocol with the robustness against the Trojan horse attack by using one-way communication instead of the two-way key generation currently used in the SQKD system. We prove its security based on entanglement distillation. Meanwhile, our protocol with one basis enjoys the advantage of being secure against source flaws. In particular, We find that the proposed protocol provides security advantages in a situation where weak coherent pulses (WCP) are used. By simulation, we compare two protocols in a practical setting: the SQKD protocol and the BB84 protocol (no decoy-state). The results show that the maximal secure distance of the SQKD protocol without decoy states is over 110 km.

2. SQKD with one-way key and one basis

We propose an implementation scheme for SQKD with one-way key and one basis as shown in Fig. 1. The quantum party Alice transmits a single photon with a random polarization, chosen from $H$ (horizontal) or $V$ (vertical), to a beam splitter (BS) of a Michelson interferometer (MI). One of the output arms of MI remains in Alice’s security zone, while the other is transmitted through the channel to the classical party Bob. Note that we adopt the same Michelson-type interferometer of counterfactual QKD (CQKD) [29] for practical implementation. However, the security of SQKD cannot rely on the same principles as CQKD. The quantum state of the photon after BS is

(1)$${\left| \Psi \right\rangle _{ab}} = \frac{1}{{\sqrt 2 }}\left( {{{\left| p \right\rangle }_a}{{\left| 0 \right\rangle }_b} + {{\left| 0 \right\rangle }_a}{{\left| p \right\rangle }_b}} \right),$$

where $p \in \left \{ {H{\rm {,}}V} \right \}$, $\left | 0 \right \rangle$ denotes the vacuum state. Alice is called a quantum party due to the fact that the quantum state and she prepares can be regarded as a superposition state of a single photon and an empty pulse.

Fig. 1. Possible implementation of SQKD with one-way key and one basis. S, pulse laser source; Cir, optical circulator; ATT, attenuator; QC, quantum channel; FM, Faraday mirror; and ${D_i}$, with $i \in \left \{ {1,2,3} \right \}$, single-photon detectors. Alice splits the single photon prepared in the horizontally polarized or vertically polarized state into two paths $a$ and $b$ with a BS of MI. Bob performs a SIFT or CTRL operation by controlling a SW. Bob encodes his bit information by obtaining it at different detection clicks with a polarization-maintaining PBS together with OL.

Download Full Size | PDF

In each round of communication, Bob randomly chooses to measure (SIFT) or reflect (CTRL) the incoming signal. In particular, any polarized photon can be measured by opening a switch (SW). Specifically, the Sagnac loop consisting of a BS and a phase modulator can be equivalent to SW used to choose a different path. Also, recent findings that ON-OFF keying up to GHz frequencies should be feasible with silicon light-emitting devices would help to implement high-speed SW [30]. In the case of SIFT, there are two possibilities for its detection: (i) the detector ${D_1}$ or ${D_2}$ clicks when the photon goes through path $a$; (ii) with this photon at path $b$, ${D_3}$ will produce a click. Bob then uses the special degree of freedom of the single photons to encode his bit information. This is done using a polarizing beam splitter (PBS) together with an optical adjustable delay line (OL), which adjusts the length difference between horizontally polarized and vertically polarized photons. All optical elements are connected by polarization-maintaining fiber. With the photon in different polarizations, Bob would obtain it at different detection clicks. Then the value of the encoding bit can be revealed to Bob. That is, SQKD can be seen as a reversed CQKD which uses the photons travelling through the channel for key generation. In contrast to CQKD, the efficiency of SQKD should be double.

If Bob chooses the CTRL operation, he randomly performs the flip operation on the reflected photons by using a switching polarization rotator (SPR). Meanwhile, Alice randomly applies another SPR to the reflected pulse at path $a$. Whenever they both apply the flip operation or not, there are two pulses to interfere to produce a click only on detector ${D_2}$, and no click on detector ${D_1}$. Therefore, its security depents not only on the bit error, but also on the counting rates in Alice’s site. Bob publicly announces his choice (CTRL or SIFT) and Alice announces her detection results, which is used as a parameter to bound Eve’s information.

3. Security analysis

According to the security proof ideas of Shor and Preskill [31], the quantum key distribution protocol based on state preparation and state measurement is equivalent to the entanglement distillation protocol in security. In the following, we will prove the security of this protocol based on the idea of entanglement distillation.

For the security analysis, we shall assume that Alice prepares N pairs of entanglement states ${\left | \Psi \right \rangle _A}= \left ( {{{\left | H \right \rangle }_A}\left | {{\psi _H}} \right \rangle + {{\left | V \right \rangle }_A}\left | {{\psi _V}} \right \rangle } \right )/\sqrt 2$. After one photon pulse has passed through BS, its quantum state becomes $\left | {{\psi _{H\left ( V \right )}}} \right \rangle = \left [ {{{\left | {H\left ( V \right )} \right \rangle }_a}{{\left | 0 \right \rangle }_b} + {{\left | 0 \right \rangle }_a}{{\left | {H\left ( V \right )} \right \rangle }_b}} \right ]/\sqrt 2$. Photon A and mode $a$ always remain in Alice’s laboratory, while mode $b$ is transmitted to Bob through the channel.

After N rounds of communication, the initial state of Alice is given by

(2)$$\left| {{{\rm{\Psi }}_0}} \right\rangle _A^{ {\otimes} N} = {\left( {\frac{1}{{\sqrt 2 }}{{\left| \phi \right\rangle }_{Aa}}{{\left| 0 \right\rangle }_b} + \frac{1}{2}{{\left| H \right\rangle }_{Aa}}{{\left| H \right\rangle }_b} + \frac{1}{2}{{\left| V \right\rangle }_{Aa}}{{\left| V \right\rangle }_b}} \right)^{ {\otimes} N}},$$

in which ${\left | \phi \right \rangle _{Aa}} = \left ( {{{\left | H \right \rangle }_A}{{\left | H \right \rangle }_a} + {{\left | V \right \rangle }_A}{{\left | V \right \rangle }_a}} \right )/\sqrt 2$, ${\left | H \right \rangle _{Aa}} = {\left | H \right \rangle _A}{\left | 0 \right \rangle _a}$, ${\left | V \right \rangle _{Aa}} = {\left | V \right \rangle _A}{\left | 0 \right \rangle _a}$. Note that for the sake of brevity, we will omit the Dirac bracket symbol in the following and define the use of the symbols $0,H,V$ instead of $\left | 0 \right \rangle,\left | H \right \rangle,\left | V \right \rangle$, respectively.

The general attack can be defined as the same individual unitary transformation ${U_{{\rm {Eve}}}}$ to Alice’s emitting state in the channel. Eve can entangle the quantum state of mode $b$ with her ancilla ${e_0}$. Eve’s operations can be described mathematically as

(3)$$\begin{aligned}{U_{Eve}}{0_b}{e_0} &= {e_{00}}{0_b} + {e_{0H}}{H_b} + {e_{0V}}{V_b}\\ {U_{Eve}}{H_b}{e_0} &= {e_{H0}}{0_b} + {e_{HH}}{H_b} + {e_{HV}}{V_b}\\ {U_{Eve}}{V_b}{e_0} &= {e_{V0}}{0_b} + {e_{VH}}{H_b} + {e_{VV}}{V_b}. \end{aligned}$$

Bob randomly performs the SIFT operation or the CTRL operation on the incoming mode $b$. Specifically, we have defined that Bob performs well-defined ${U_S}$ and ${U_C}$ transformations on the quantum state of the information carrier mode $b$. Therefore, we can easily obtain that ${U_S}{H_b}{0_B} = {0_b}{H_B}$, ${U_S}{V_b}{0_B} = {0_b}{V_B}$, ${U_S}{0_b}{0_B} = {0_b}{0_B}$, ${U_C}{H_b}{0_B} = {H_b}{0_B}$, ${U_C}{V_b}{0_B} = {V_b}{0_B}$, ${U_C}{0_b}{0_B} = {0_b}{0_B}$, where B is coupled to Bob’s detector ${D_3}$. Considering the lth communication, the quantum state of the system evolves as

(4)$$\begin{aligned}{U_{Bob}}&{U_{Eve}}\left| {{\Psi _0}} \right\rangle _A^{ {\otimes} N}\left| {{e_0}} \right\rangle\\ =& \frac{1}{2}\phi _{Aa}^l\left[ {{e_{00}}\left( {0_b^l0_B^l + 0_b^l0_B^l} \right) + {e_{0H}}\left( {0_b^lH_B^l + H_b^l0_B^l} \right) + {e_{0V}}\left( {0_b^lV_B^l + V_b^l0_B^l} \right)} \right]\\ &+ \frac{1}{{2\sqrt 2 }}H_{Aa}^l\left[ {{e_{H0}}\left( {0_b^l0_B^l + 0_b^l0_B^l} \right) + {e_{HH}}\left( {0_b^lH_B^l + H_b^l0_B^l} \right) + {e_{HV}}\left( {0_b^lV_B^l + V_b^l0_B^l} \right)} \right]\\ &+ \frac{1}{{2\sqrt 2 }}V_{Aa}^l\left[ {{e_{V0}}\left( {0_b^l0_B^l + 0_b^l0_B^l} \right) + {e_{VH}}\left( {0_b^lH_B^l + H_b^l0_B^l} \right) + {e_{VV}}\left( {0_b^lV_B^l + V_b^l0_B^l} \right)} \right], \end{aligned}$$

where ${e_{XY}}$, $X,Y = 0,H,V$ represent the state of the system except for the lth communication, corresponding to the case where mode $b$ evolves from the initial state $X$ to $Y$ via the quantum channel. Considering that the detector never clicks twice in a communication, we obtain that ${e_{0V}}$ and ${e_{0H}}$ must be a 0 vector.

In the security proof, we only consider Eve’s attacks that are related to the key bit generation. In other words, we only consider the attacks where Eve applies unitary transformation to Alice’s emitting states. After Bob returns mode $b$, we have

(5)$$\begin{aligned}{\left| \Psi \right\rangle _{ABE}} =& {U_{Bob}}{U_{Eve}}\left| {{\Psi _{{\rm{ini}}}}} \right\rangle _A^{ {\otimes} N}\left| {{e_0}} \right\rangle\\ =& \frac{1}{4}\left[ {H_A^l\left( {H_a^l + V_a^l} \right){e_{00}}0_b^l0_B^l + V_A^l\left( {H_a^l + V_a^l} \right){e_{00}}0_b^l0_B^l} \right]\\ &+ \frac{1}{{2\sqrt 2 }}H_{Aa}^l\left[ {{e_{H0}}0_b^l0_B^l + {e_{HH}}0_b^lH_B^l + \frac{1}{{\sqrt 2 }}\left( {{e_{HH}}H_b^l0_B^l + {e_{HH}}V_b^l0_B^l} \right)} \right.\\ &\left. { + {e_{HV}}0_b^lV_B^l + \frac{1}{{\sqrt 2 }}\left( {{e_{HV}}V_b^l0_B^l + {e_{HV}}H_b^l0_B^l} \right)} \right]\\ &+ \frac{1}{{2\sqrt 2 }}V_{Aa}^l\left[ {{e_{V0}}0_b^l0_B^l + {e_{VH}}0_b^lH_B^l + \frac{1}{{\sqrt 2 }}\left( {{e_{VH}}H_b^l0_B^l + {e_{VH}}V_b^l0_B^l} \right)} \right.\\ &+ {e_{VV}}0_b^lV_B^l\left. { + \frac{1}{{\sqrt 2 }}\left( {{e_{VV}}V_b^l0_B^l + {e_{VV}}H_b^l0_B^l} \right)} \right]. \end{aligned}$$

In the case of CRTL operation, Alice will combine the returning mode $b$ and her mode $a$ in a BS and interfere, conditioned that Alice and Bob simultaneously choose to flip or not to flip. We define ${K_e}{\rm {,\ }}K = 0{\rm {,\ }}1{\rm {,\ }}2, \ldots$, is a set of well-defined basis for $e$ state, and ${C_K}\left ( {AB} \right ) = {}_e\left \langle {K\left | {{e_{AB}}} \right \rangle } \right.$, $A{\rm {,\ }}B = 0{\rm {,\ }}H{\rm {,\ }}V$. The density matrices of the lth A, B, mode $a$ and $b$ for the case where both Alice and Bob’s operation choices are not flip can be given by

(6)$$\begin{aligned} \rho _{AB}^l =& \frac{1}{8}\sum_K {P\left\{ {\frac{1}{{\sqrt 2 }}\left[ {{H_A}{H_a}{C_K}\left( {00} \right){0_b}{0_B} + {V_A}{V_a}{C_K}\left( {00} \right){0_b}{0_B}} \right]} \right.}\\ &+ {H_{Aa}}\left[ {{C_K}\left( {H0} \right){0_b}{0_B} + {C_K}\left( {HH} \right){0_b}{H_B} + \frac{1}{{\sqrt 2 }}{C_K}\left( {HH} \right){H_b}{0_B}} \right.\\ &+ {C_K}\left( {HV} \right){0_b}{V_B} + \left. {\frac{1}{{\sqrt 2 }}{C_K}\left( {HV} \right){V_b}{0_B}} \right]\\ &+ {V_{Aa}}\left[ {{C_K}\left( {V0} \right){0_b}{0_B} + {C_K}\left( {VH} \right){0_b}{H_B} + \frac{1}{{\sqrt 2 }}{C_K}\left( {VH} \right){H_b}{0_B}} \right.\\ &+ {C_K}\left( {VV} \right){0_b}{V_B} + \left. {\left. {\frac{1}{{\sqrt 2 }}{C_K}\left( {VV} \right){V_b}{0_B}} \right]} \right\}.\end{aligned}$$

Furthermore, combined with the assumption ${U_{Eve}} {0_b}^l{e_0}= {e_{00}}{0_b}^l$, we can obtain that ${\sum \nolimits _K {\left | {{C_K}\left ( {00} \right )} \right |} ^2} = 1$. The function of the BS can be described by $H{\left ( V \right )_a} \to \sqrt \eta \left [ {H{{\left ( V \right )}_c} + H{{\left ( V \right )}_d}} \right ]/\sqrt 2$ and $H{\left ( V \right )_b} \to \left [ {H{{\left ( V \right )}_d} - H{{\left ( V \right )}_c}} \right ]/\sqrt 2$, where $\eta$ is the channel transmittance in mode $a$. For simplicity, we define $\alpha _K^l = {C_K}\left ( {00} \right )$, $\beta _K^l = {C_K}\left ( {HH} \right )$, $\beta _K^{'l} = {C_K}\left ( {VV} \right )$, $\xi _K^l = {C_K}\left ( {HV} \right )$, $\xi _K^{'l} = {C_K}\left ( {VH} \right )$. The reduced density matrices for path $d$ and path $c$ are given by

(7)$$\begin{aligned}\rho _{Ad}^l =& \frac{1}{{\Lambda _{Ad}^l}}\sum_K {P\left\{ {{H_A}{H_d}\left( {\sqrt \eta \alpha _K^l + \beta _K^l} \right)} \right.}+ \left. {{V_A}{V_d}\left( {\sqrt \eta \alpha _K^l + \beta _K^{'l}} \right) + {H_A}{V_d}\xi _K^l + {V_A}{H_d}\xi _K^{'l}} \right\},\\ \rho _{Ac}^l =& \frac{1}{{\Lambda _{Ac}^l}}\sum_K {P\left\{ {{H_A}{H_c}\left( {\sqrt \eta \alpha _K^l - \beta _K^l} \right)} \right.} \left. { + {V_A}{V_c}\left( {\sqrt \eta \alpha _K^l - \beta _K^{'l}} \right) - {H_A}{V_c}\xi _K^l - {V_A}{H_c}\xi _K^{'l}} \right\}, \end{aligned}$$

where ${\Lambda ^l}$ is the constant. By Eq. (6), we can deduce the detection probabilities for the lth communication

(8)$$\begin{aligned} {{\rm{P}}^l}\left( {{H_A}{H_d}} \right) =& \frac{1}{{32}}{\sum_K {\left| {\sqrt \eta \alpha _K^l + \beta _K^l} \right|} ^2},\\ {{\rm{P}}^l}\left( {{V_A}{V_d}} \right) =& \frac{1}{{32}}{\sum_K {\left| {\sqrt \eta \alpha _K^l + \beta _K^{'l}} \right|} ^2},\\ {{\rm{P}}^l}\left( {{H_A}{V_d}} \right) =& \frac{1}{{32}}{\sum_K {\left| {\xi _K^l} \right|} ^2},\\ {{\rm{P}}^l}\left( {{V_A}{H_d}} \right) =& \frac{1}{{32}}{\sum_K {\left| {\xi _K^{'l}} \right|} ^2},\\ {{\rm{P}}^l}\left( {{H_A}{H_c}} \right) =& \frac{1}{{32}}{\sum_K {\left| {\sqrt \eta \alpha _K^l - \beta _K^l} \right|} ^2},\\ {{\rm{P}}^l}\left( {{V_A}{V_c}} \right) =& \frac{1}{{32}}{\sum_K {\left| {\sqrt \eta \alpha _K^l - \beta _K^{'l}} \right|} ^2},\\ {{\rm{P}}^l}\left( {{H_A}{V_c}} \right) =& \frac{1}{{32}}{\sum_K {\left| {\xi _K^l} \right|} ^2},\\ {{\rm{P}}^l}\left( {{V_A}{H_c}} \right) =& \frac{1}{{32}}{\sum_K {\left| {\xi _K^{'l}} \right|} ^2}.\end{aligned}$$

Due to the symmetry of the optical path, the probability distribution for the case where Alice and Bob flip simultaneously is the same as Eq. (8). We consider that all errors are introduced by Eve in the channel. The quantum state of the system can be transformed into the following four cases via the quantum channel ${\left | {{\phi ^ + }} \right \rangle _{Ad}} = \left ( {{H_A}{H_d} + {V_A}{V_d}} \right )/\sqrt 2$, ${\left | {{\phi ^ - }} \right \rangle _{Ad}} = \left ( {{H_A}{H_d} - {V_A}{V_d}} \right )/\sqrt 2$, ${\left | {{\psi ^ + }} \right \rangle _{Ad}} = \left ( {{H_A}{V_d} + {V_A}{H_d}} \right )/\sqrt 2$, ${\left | {{\psi ^ - }} \right \rangle _{Ad}} = \left ( {{H_A}{V_d} - {V_A}{H_d}} \right )/\sqrt 2$. Now we can analyse the phase error rate. If the initial quantum state transforms to state ${\left | {{\phi ^ + }} \right \rangle _{Ad}}$ via the quantum channel, there is no error in the channel; If the initial quantum state transforms to states ${\left | {{\phi ^ - }} \right \rangle _{Ad}}$, ${\left | {{\psi ^ + }} \right \rangle _{Ad}}$ and ${\left | {{\psi ^ - }} \right \rangle _{Ad}}$ via the quantum channel, the Eve generates phase errors and bit errors in the channel; respectively. Hence, we can obtain the phase error rate $e_{ph}^l = {}_{Ad}\left \langle {{\phi ^ - }} \right |\rho _{Ad}^l{\left | {{\phi ^ - }} \right \rangle _{Ad}} + {}_{Ad}\left \langle {{\psi ^ - }} \right |\rho _{Ad}^l{\left | {{\psi ^ - }} \right \rangle _{Ad}}$.

Recall that ${\sum \nolimits _K {|{C_K}\left ( {00} \right )|} ^2} = 1$, we obtain $\sum \nolimits _K {|\alpha _K^l{|^2}}= 1$, and define that ${\beta ^l} = \sum \nolimits _K {|\beta _K^l{|^2}}$, ${\beta ^{'l}} = \sum \nolimits _K | \beta _K^{'l}{|^2}$, ${\xi ^l} = {\sum \nolimits _K {|\xi _K^l|} ^2}$, ${\xi ^{'l}} = {\sum \nolimits _K {|\xi _K^{'l}|} ^2}$. We calculate from Eq. (8) that ${\beta ^l} = 16\left [ {{{\rm {P}}^l}\left ( {{H_A}{H_c}} \right ) + {{\rm {P}}^l}\left ( {{H_A}{H_d}} \right )} \right ] - \eta$, ${\beta ^{'l}} = 16\left [ {{{\rm {P}}^l}\left ( {{V_A}{V_c}} \right ) + {{\rm {P}}^l}\left ( {{V_A}{V_d}} \right )} \right ] - \eta$, ${\xi ^l} = 32{{\rm {P}}^l}\left ( {{H_A}{V_c}} \right )$, ${\xi ^{'l}} = 32{{\rm {P}}^l}\left ( {{V_A}{H_c}} \right )$. Hence, with these parameters, the upper bound of the phase error $e_{ph}^l$ can be given by

(9)$$\begin{aligned}e_{ph}^l &= \frac{1}{{2{\Lambda ^l}}}\sum_K {\left[ {{{\left| {\beta _K^l - \beta _K^{'l}} \right|}^2} + {{\left| {\xi _K^l - \xi _K^{'l}} \right|}^2}} \right]}\\ &\le \frac{1}{{2{\Lambda ^l}}}\left[ {{\beta ^l} + {\beta ^{'l}} + {\xi ^l} + {\xi ^{'l}} - 2\min \left( {\beta _K^l,\beta _K^{'l}} \right)} \right], \end{aligned}$$

where $\min \left \{ {\beta _K^l,\beta _K^{'l}} \right \}$ is equal to the smaller one of $\beta _K^l$ and $\beta _K^{'l}$, the normalisation constant ${\Lambda ^l}$ can be described as

(10)$$\begin{aligned}{\Lambda ^l} &= \sum_K {\left( {{{\left| {\sqrt \eta \alpha _K^l + \beta _K^l} \right|}^2} + {{\left| {\sqrt \eta \alpha _K^l + \beta _K^{'l}} \right|}^2} + {{\left| {\xi _K^l} \right|}^2} + {{\left| {\xi _K^{'l}} \right|}^2}} \right)}\\ &\ge 2\eta + {\beta ^l} + {\beta ^{'l}} + {\xi ^l} + {\xi ^{'l}}. \end{aligned}$$

Ultimately, we need to deduce an overall phase error ${e_{ph}}$. According to Azuma’s inequality [32], if N is large enough, the difference between ${e_{ph}}$ and $\sum \nolimits _{l = 1}^N {e_{ph}^l/N}$ is arbitrarily small. Thus we obtain the overall phase error rate ${e_{ph}} = \sum \nolimits _{l = 1}^N {e_{ph}^l/} N$. In the same manner, we can obtain that $\beta \buildrel \Delta \over =\sum \nolimits _{l=1}^N {{\beta ^l}/N} =16\left [ {{\rm {P}}\left ( {{H_A}{H_c}} \right ) + {\rm {P}}\left ( {{H_A}{H_d}} \right )} \right ] - \eta$, $\beta ' \buildrel \Delta \over = \sum \nolimits _{l = 1}^N {{{\beta '}^l}/N} = 16\left [ {{\rm {P}}\left ( {{V_A}{V_c}} \right ) + {\rm {P}}\left ( {{V_A}{V_d}} \right )} \right ] - \eta$, $\xi \buildrel \Delta \over = \sum \nolimits _{l = 1}^N {{\xi ^l}/N} \! = 32{\rm {P}}\left ( {{H_A}{V_c}} \right )$, $\xi ' \buildrel \Delta \over = \sum \nolimits _{l = 1}^N {{\xi ^{'l}}/N} = 32{\rm {P}}\left ( {{V_A}{H_c}} \right )$. Therefore, we obtain the upper bound of the overall phase error rate as

(11)$$\begin{aligned} {e_{ph}} &= \sum_{l = 1}^N {{{e_{ph}^l} \mathord{\left/ {\vphantom {{e_{ph}^l} N}} \right.} N}}\\ &\le \frac{1}{N}\sum_{l = 1}^N {\min \left\{ {\frac{{{\beta ^l} + {\beta ^{'l}} + {\xi ^l} + {\xi ^{'l}} - 2\min \left( {{\beta ^l},{\beta ^{'l}}} \right)}}{{2\left( {2\eta + {\beta ^l} + {\beta ^{'l}} + {\xi ^l} + {\xi ^{'l}}} \right)}},1} \right\}}\\ &\le \min \left\{ {\frac{{\beta + \beta ' + \xi + \xi ' - 2\min \left( {\beta ,\beta '} \right)}}{{2\left( {2\eta + \beta + \beta ' + \xi + \xi '} \right)}},1} \right\}. \end{aligned}$$

Supposing there is no error, we have ${\rm {P}}\left ( {{H_A}{H_d}} \right ) = {\rm {P}}\left ( {{V_A}{V_d}} \right ) = \eta /8$ and ${\rm {P}}\left ( {{H_A}{H_c}} \right ) = {\rm {P}}\left ( {{V_A}{V_c}} \right ) = 0$, from which we can deduce that $\beta = \beta ' = \eta$ and $\xi = \xi ' = 0$. As a result, we have ${e_{ph}} =0$, which means that Eve’s information is 0. Thus, Alice and Bob share the pure maximal entanglement states ${\left | {{\phi ^ + }} \right \rangle _{Ad}} = \left ( {{H_A}{H_d} + {V_A}{V_d}} \right )/\sqrt 2$. Based on the above analysis, we can conclude that the protocol is unconditionally secure in a noiseless channel.

4. SQKD protocol with weak coherent pulses

We observe that the SQKD protocols use fewer quantum states and gain an potential advantage over QKD in state preparation. By working with fewer states, SQKD can achieve secure key distribution without detailed state characterization, which would make the systems more reliable against such attacks that exploit source imperfection. Here, we study the performances of the SQKD and BB84 protocols using WCP without decoy states. In the simulation, we need to consider all the device imperfections such as misalignment, environment noise and dark counts.

4.1 Key rate estimation

In practical QKD systems, WCP are often used as photon sources, making QKD protocols insecure against the photon number-splitting (PNS) attack. Generally, the decoy-state can be used to solve the problem of multi-photon states [33–35]. However, intensity modulator imperfections limit the performance of the decoy-state method and bring side channels [36]. Here, the security of SQKD with one-way key and one basis is guaranteed by the statistics of single photon interference. In terms of each signal photon, Eve cannot access the entire quantum system, but only parts of the quantum system, which leads to security advantages for case in which WCP are used for practical implementation. First, any attempt to eavesdrop on the quantum channel would inevitably cause disturbance in the quantum signals. Once Eve measures the number of photons in each pulse, she would destroy interference and introduce the phase error rate. Alice and Bob can thus quantify the amount of information leaked to Eve by monitoring the disturbance. Second, the security assumption of the SQKD protocol requires that there is only one detector that clicks for a key generation. In the one-click case, Eve cannot obtain a copy of the initial quantum state even when she succeeds in splitting a photon through path $b$. Hence, the proposed SQKD protocol is robust to the PNS attack and can distribute secure key even when a multi-photon pulse is used.

With the GLLP security analysis [37], we can estimate the cost in privacy amplification. In the SQKD, Alice prepares a phase randomized coherent state pulse with intensity $2\mu$. Then, Alice can obtain a statistical mixture of $n$-photon states from the output part of BS

(12)$$p = \sum_{n = 0} {{e^{ - \mu }}\frac{{{\mu ^n}}}{{n!}}\left| n \right\rangle } \left\langle n \right|.$$

For single-photon term, the phase error rate can be estimated by Eq. (11). Denote the ratio of the key required to be sacrificed for privacy amplification by $H({e_{ph}})$. By extending the GLLP security analysis, the final key rate is given by

(13)$$R = {Q_1}\left( \mu \right)\left( {1 - H\left( {{e_{ph}}} \right)} \right) - {Q_\mu }fH\left( {{E_\mu }} \right),$$

where ${Q_\mu } = {e^{ - \mu }}\sum \nolimits _{n = 0}^\infty {{Y_n}{{{\mu ^n}} \mathord {\left / {\vphantom {{{\mu ^n}} {n!}}} \right.} {n!}}}$ is the overall gain, with ${Y_n}$ denoting the yield of the $n$-photon state; ${Q_1}\left ( \mu \right )$ refers to the gain of the single-photon state; $H(x) = - x{\log _2}x - (1 - x){\log _2}(1 - x)$ is the binary Shannon entropy function; ${E_\mu }$ is the overall quantum bit error rate (QBER).

4.2 Simulation model and result

In the following simulation, we adopt the simulation model for QKD in Ref. [38]. Denote $\eta = {\eta _d}{10^{{{ - \alpha L} \mathord {\left / {\vphantom {{ - \alpha L} {10}}} \right.} {10}}}}$ to be the channel transmittance parameters used are listed in Table 1. Let ${Y_n}$ and ${e_n}$ be the yield and the error rate, respectively. Without Eve’s interference, they are given by Ref. [38]

(14)$${Y_n} = 1 - (1 - {Y_0}){(1 - \eta )^n},$$

(15)$${e_n}{Y_n} = {e_0}{Y_0} + {e_d}(1 - {Y_0})[1 - {(1 - \eta )^n}],$$

where the QBER for the vacuum ${e_0}$ is equal to 0.5. Then the QBER is given by

(16)$${E_\mu }{Q_\mu } = \sum_{n = 0} {{e_n}{Y_n}\frac{{{\mu ^n}}}{{n!}}{e^{ - \mu }}}.$$

Table 1. Experimental parameters for the simulation. Here ${\eta _d}$ is the detection efficiency, $\alpha$ is the channel loss, ${e_d}$ is the misalignment error rate, and ${Y_0}$ is the background rate, and $f$ is the efficiency of error correction.

View Table

With the key rate formula given in Eq. (13), we optimise $\mu$ to obtain the maximal transmission distance. The performance of the SQKD protocol with WCP is shown in Fig. 2. Interestingly, the maximal secure distance of the SQKD protocol without decoy states is over 110 km. In the case of WCP, we compare the BB84 and SQKD protocols. In the BB84 protocol with only one source intensity $\mu$, the gain of the single-photon state can be lower-bounded by

(17)$${Y_1}{P_1} \ge {Q_\mu } - {P_{n \ge 2}} - {Y_0}{P_0},$$

(18)$${Y_0}{P_0} \le 2{Q_\mu }{E_\mu },$$

where ${P_{n \ge 2}}$ and ${P_0}$ are the probability of the multi-photon and the vacuum state, respectively. The error rate of the single-photon state can be upper-bounded by ${Y_1}{P_1}{e_1} \le {E_\mu }{Q_\mu } - {Y_0}{P_0}/2$. By doing so, we find that the key generation rate for the BB84 protocol is given by $R \ge {Y_1}{P_1}\left ( {1 - H\left ( {{e_1}} \right )} \right ) - {Q_\mu }fH\left ( {{E_\mu }} \right )$. In practice, we need to optimize ${Y_1},{Y_0}$ and ${e_1}$ to improve the performance of QKD. Here, ${e_1}$ can be estimated in the worst scenario where ${e_1} \le {{{E_\mu }{Q_\mu }} \mathord {\left / {\vphantom {{{E_\mu }{Q_\mu }} {{Y_1}{P_1}}}} \right.} {{Y_1}{P_1}}}$. Thus, only $\mu$ needs to be optimized for the maximal transmission distance. With the same set of experimental parameters, however, we cannot obtain secret keys due to the PNS attack. We find the BB84 protocol without decoy states can distribute secret keys over 25 km when ${\eta _d}$ reaches 0.19.

Fig. 2. Secure key rate of the SQKD and BB84 protocols in the case of WCP. The secure distance of the BB84 protocol using a detector with ${\eta _d} = 19{\%}$ is only about 25 km due to the PNS attack. Using a practical QKD model, the maximal distance of the SQKD protocol is over 110 km with ${\eta _d} = 5{\%}$.

Download Full Size | PDF

5. Conclusion

Despite its promising performance, however, the existing SQKD protocol has several drawbacks for physical implementation. One drawback is that SQKD entirely depends on two-way communication, resulting in substantial difficulty in finding security proof analysis for the SQKD system. Similar to the two-way QKD, existing SQKD is insecure against the Trojan horse attack as well as against other attacks that exploit imperfect detectors. Another is the high channel loss due to the two-way path. This limits the possible secret key rate that two parties can distil at a given distance using SQKD.

In this paper, we propose to use the one-way bits as key bits, whose security is quantified by the returned bits based on the statistics of single-photon interference. The SQKD with one-way key is robust against the Trojan horse attack currently existed in the two-way system. Also, we can increase the bit rate and range of SQKD using one-way communication. Meanwhile, our protocol with one basis enjoys security advantage in practical systems. Interestingly, SQKD can distribute secure key over long distance when WCP are used, due to the fact that it is robust against the PNS attack. Our scheme only requires SW, for instance, a Sagnac loop to perform classical operations and further simplifies the system. This scheme is a promising step toward solving the question of performance degradation of the QKD system due to source imperfection and paving the way for practical SQKD implementations.

Funding

National Natural Science Foundation of China (62161038, 62171424); Key Science Research Project of Inner Mongolia University of Technology (BS201929, ZZ202015).

Disclosures

The authors declare no conflicts of interest.

Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request

References

1. C. H. Bennett and G. Brassard, “Quantum cryptography: public key distribution and coin tossing,” in Proceedings of IEEE International Conference on Computers, Systems, and Signal Processing, (IEEE, 1984), pp. 175–179.

2. A. K. Ekert, “Quantum cryptography based on Bell’s theorem,” Phys. Rev. Lett. 67(6), 661–663 (1991). [CrossRef]

3. C. Broadway, R. Min, A. G. Leal-Junior, et al., “Toward Commercial Polymer Fiber Bragg Grating Sensors: Review and Applications,” J. Lightwave Technol. 37(11), 2605–2615 (2019). [CrossRef]

4. A. G. Leal-Junior, A. Frizera, C. Marques, et al., “Optical Fiber Specklegram Sensors for Mechanical Measurements: A Review,” IEEE Sensors J. 20(2), 569–576 (2020). [CrossRef]

5. M. Lucamarini, Z. L. Yuan, J. F. Dynes, et al., “Overcoming the rate–distance limit of quantum key distribution without quantum repeaters,” Nature 557(7705), 400–403 (2018). [CrossRef]

6. J. P. Chen, C. Zhang, Y. Liu, et al., “Quantum Key Distribution over 658 km Fiber with Distributed Vibration Sensing,” Phys. Rev. Lett. 128(18), 180502 (2022). [CrossRef]

7. A. Laing, V. Scarani, J. G. Rarity, et al., “Reference-frame-independent quantum key distribution,” Phys. Rev. A 82(1), 012304 (2010). [CrossRef]

8. K. Lim, B. S. Choi, J. H. Baek, et al., “Countermeasure for security loophole caused by asymmetric correlations of reference frame independent quantum key distribution with fewer quantum states,” Opt. Express 29(12), 18966–18975 (2021). [CrossRef]

9. X. L. Jiang, Y. Wang, J. J. Li, et al., “Improving the performance of reference-frame-independent quantum key distribution with advantage distillation technology,” Opt. Express 31(6), 9196–9210 (2023). [CrossRef]

10. H. K. Lo, M. Curty, and B. Qi, “Measurement-Device-Independent Quantum Key Distribution,” Phys. Rev. Lett. 108(13), 130503 (2012). [CrossRef]

11. K. Wei, W. Li, H. Tan, et al., “High-Speed Measurement-Device-Independent Quantum Key Distribution with Integrated Silicon Photonics,” Phys. Rev. X 10(3), 031030 (2020). [CrossRef]

12. K. Wu, Y. Chen, J. Cheng, et al., “Use of carrier injection engineering to increase the light intensity of a polycrystalline silicon avalanche mode light-emitting device,” J. Appl. Phys. 128(17), 173104 (2020). [CrossRef]

13. M. Pereira, G. Kato, A. Mizutani, et al., “Quantum key distribution with correlated sources,” Sci. Adv. 6(37), eaaz4487 (2020). [CrossRef]

14. J. Gu, X. Y. Cao, Y. Fu, et al., “Experimental measurement-device-independent type quantum key distribution with flawed and correlated sources,” Sci. Bull. 67(21), 2167–2175 (2022). [CrossRef]

15. M. Boyer, D. Kenigsberg, and T. Mor, “Quantum Key Distribution with Classical Bob,” Phys. Rev. Lett. 99(14), 140501 (2007). [CrossRef]

16. M. Boyer, R. Gelles, D. Kenigsberg, et al., “Semiquantum key distribution,” Phys. Rev. A 79(3), 032341 (2009). [CrossRef]

17. X. Zou, D. Qiu, L. Li, et al., “Semiquantum-key distribution using less than four quantum states,” Phys. Rev. A 79(5), 052312 (2009). [CrossRef]

18. Y. G. Tan, H. Lu, and Q. Y. Cai, “Comment on “Quantum Key Distribution with Classical Bob”,” Phys. Rev. Lett. 102(9), 098901 (2009). [CrossRef]

19. M. Boyer, M. Katz, R. Liss, et al., “Experimentally feasible protocol for semiquantum key distribution,” Phys. Rev. A 96(6), 062335 (2017). [CrossRef]

20. N. Gisin, S. Fasel, B. Kraus, et al., “Trojan-horse attacks on quantum-key-distribution systems,” Phys. Rev. A 73(2), 022320 (2006). [CrossRef]

21. S. Han, Y. Huang, S. Mi, et al., “Proof-of-principle demonstration of semi-quantum key distribution based on the Mirror protocol,” EPJ Quantum Technol. 8(1), 28 (2021). [CrossRef]

22. X. Liu, B. Zhang, J. Wang, et al., “Eavesdropping on counterfactual quantum key distribution with finite resources,” Phys. Rev. A 90(2), 022318 (2014). [CrossRef]

23. Q. Y. Cai, “Eavesdropping on the two-way quantum communication protocols with invisible photons,” Phys. Lett. A 351(1-2), 23–25 (2006). [CrossRef]

24. X. Yang, K. Wei, H. Ma, et al., “Trojan horse attacks on counterfactual quantum key distribution,” Phys. Lett. A 380(18-19), 1589–1592 (2016). [CrossRef]

25. C. Q. Ye, J. Li, X. B. Chen, et al., “Security and application of semi-quantum key distribution protocol for users with different quantum capabilities,” EPJ Quantum Technol. 10(1), 21–23 (2023). [CrossRef]

26. S. Dong, S. Mi, Q. Hou, et al., “Decoy state semi-quantum key distribution,” EPJ Quantum Technol. 10(1), 18 (2023). [CrossRef]

27. H. Jiao, T. Pu, J. Zheng, et al., “Semi-quantum noise randomized data encryption based on an amplified spontaneous emission light source,” Opt. Express 26(9), 11587–11598 (2018). [CrossRef]

28. O. Amer and W. O. Krawec, “Semiquantum key distribution with high quantum noise tolerance,” Phys. Rev. A 100(2), 022319 (2019). [CrossRef]

29. T. G. Noh, “Counterfactual Quantum Cryptography,” Phys. Rev. Lett. 103(23), 230501 (2009). [CrossRef]

30. K. Xu, “Silicon electro-optic micro-modulator fabricated in standard CMOS technology as components for all silicon monolithic integrated optoelectronic systems,” J. Micromech. Microeng. 31(5), 054001 (2021). [CrossRef]

31. P. W. Shor and J. Preskill, “Simple Proof of Security of the BB84 Quantum Key Distribution Protocol,” Phys. Rev. Lett. 85(2), 441–444 (2000). [CrossRef]

32. K. Azuma, “Weighted sums of certain dependent random variables,” Tohoku Math. J. 19(3), 357–367 (1967). [CrossRef]

33. W. Y. Hwang, “Quantum Key Distribution with High Loss: Toward Global Secure Communication,” Phys. Rev. Lett. 91(5), 057901 (2003). [CrossRef]

34. H. K. Lo, X. Ma, and K. Chen, “Decoy State Quantum Key Distribution,” Phys. Rev. Lett. 94(23), 230504 (2005). [CrossRef]

35. X. B. Wang, “Beating the Photon-Number-Splitting Attack in Practical Quantum Cryptography,” Phys. Rev. Lett. 94(23), 230503 (2005). [CrossRef]

36. F. Y. Lu, X. Lin, S. Wang, et al., “Intensity modulator for secure, stable, and high-performance decoy-state quantum key distribution,” npj Quantum Inf. 7(1), 75 (2021). [CrossRef]

37. D. Gottesman, H. K. Lo, N. Lutkenhaus, et al., “Security of quantum key distribution with imperfect devices,” in International Symposium onInformation Theory, 2004. ISIT 2004. Proceedings, (2004), p. 136.

38. X. Ma, B. Qi, Y. Zhao, et al., “Practical decoy state for quantum key distribution,” Phys. Rev. A 72(1), 012326 (2005). [CrossRef]

Practical semi-quantum key distribution with one-way key and one basis

Abstract

1. Introduction

2. SQKD with one-way key and one basis

3. Security analysis

4. SQKD protocol with weak coherent pulses

4.1 Key rate estimation

4.2 Simulation model and result

5. Conclusion

Funding

Disclosures

Data availability

References

Data availability

Cited By

Figures (2)

Tables (1)

Equations (18)

Optics Express