Expand this Topic clickable element to expand a topic
Skip to content
Optica Publishing Group
Journal Home About Issues in Progress Current Issue All Issues Feature Issues

Simple security proof of coherent-one-way quantum key distribution

Rui-Qi Gao, Yuan-Mei Xie, Jie Gu, Wen-Bo Liu, Chen-Xun Weng, Bing-Hong Li, Hua-Lei Yin, and Zeng-Bing Chen

Open Access Open Access

Abstract

Coherent-one-way quantum key distribution (COW-QKD), which requires a simple experimental setup and has the ability to withstand photon-number-splitting attacks, has been not only experimentally implemented but also commercially applied. However, recent studies have shown that the current COW-QKD system is insecure and can only distribute secret keys safely within 20 km of the optical fiber length. In this study, we propose a practical implementation of COW-QKD by adding a two-pulse vacuum state as a new decoy sequence. This proposal maintains the original experimental setup as well as the simplicity of its implementation. Utilizing detailed observations on the monitoring line to provide an analytical upper bound on the phase error rate, we provide a high-performance COW-QKD asymptotically secure against coherent attacks. This ensures the availability of COW-QKD within 100 km and establishes theoretical foundations for further applications.

© 2022 Optica Publishing Group under the terms of the Optica Open Access Publishing Agreement

1. Introduction

Quantum key distribution (QKD) [1,2], whose security is guaranteed by quantum laws, allows secret key distribution between two distant parties. Since the Bennett-Brassard 1984 (BB84) protocol [1] was first proposed, numerous QKD schemes have been developed [35]. To defeat detector attacks [4,6], a viable approach is measurement-device-independent QKD [7,8], which has been implemented over a long distance [9,10]. Recently, twin-field QKD [1119] has also solved this issue and significantly improved the secret key rate. Another strong restriction in practical QKD is the photon number splitting attack [20] on the source side. For example, the coherent-state-based (non-random phase) BB84 protocol can only realize secure key transmissions over 15 km. To overcome this limitation, several approaches such as decoy-state methods [2123], strong reference-pulse methods [24], non-orthogonal coding methods [2527], and distributed-phase-reference methods [2831] have been proposed.

As a type of distributed-phase-reference protocol, coherent-one-way (COW) QKD [30] has received considerable attention because of its simple and convenient experimental implementation [3239], which has been deployed in practical quantum communication networks [40,41]. Considering the restricted types of collective attacks [42], the key rate depends linearly on the transmittance $\eta$. Additionally, a variant of COW-QKD with a security proof against general attacks was proposed in 2012 [43], and the resulting key rate “appears to” be of order $O(\eta ^{2})$. To date, all COW-QKD experiments [34,3639], including long-distance experiments [35,44], still employ the original security proof [42] in which the key rate is of order $O(\eta )$. These experimental results demonstrate the practicability and potential of COW-QKD.

However, the so called “zero-error attack” [45,46] involves eavesdropping without breaking the coherence between adjacent non-vacuum pulses (no bit error). Consequently, COW-QKD is insecure if the key rate scales as $O(\eta )$; in fact, the given attack restricts the secure key rate scaling to slightly higher than $\eta ^{2}$. Recently, a novel security proof using semidefinite programming techniques [47] showed that the transmission distance of COW-QKD using active basis choice is only 20 km. Thus, extending the secure transmission distance of COW-QKD has become an urgent issue.

In this study, we propose a practical implementation of COW-QKD and provide a security proof with precise phase error rate estimation. This proposal keeps all the experimental equipment of the original version unchanged and maintains its ease of implementation. With detailed observations on the monitoring line, we estimate the upper bound on the phase error rate instead of only checking the coherence between adjacent non-vacuum states. We show that the lower bound of the key rate is $0.005\eta ^{2}$, while ensuring the security within 100 kilometers. It is worth mentioning that our secure lower bound for the key rate is approximately 10 times higher than the key rate given by the COW-QKD variant in Ref. [43], considering that we effectively evaluated the impact of the vacuum states and provided an analytical expression.

2. Protocol description

In the original COW protocol, sender Alice encodes logic bits 0 and 1 into a pair of coherent states (non-random phase) ${ | {0_{k}} \rangle }={ | {0} \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$ and ${ | {1_k} \rangle }={ | {\alpha } \rangle }_{2k-1}{ | {0} \rangle }_{2k}$ at two time points $2k-1$ and $2k$ $(k=1,2,\ldots,K)$, where ${ | {0} \rangle }$ is the vacuum state and ${ | {\alpha } \rangle }$ is a coherent state with mean photon number $\mu =|\alpha |^{2}$. Additionally, Alice sends a two-pulse sequence ${ | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$, which is defined as a decoy sequence. Because all non-vacuum pulses share a common phase, Alice can use a mode-locked continuous-wave laser followed by an intensity modulator to prepare weak coherent pulses.

The pulses are then transmitted to the receiver, Bob, through a quantum channel characterized by $\eta$. Bob employs an asymmetric beam-splitter with a transmission coefficient $t_B$ (passive basis choice) to split the incoming pulses into the data line and the monitoring line. We note that Bob can also use an optical switch (active basis choice) instead of the beam-splitter. On the data line, Bob obtains the raw key by measuring the arrival time of each pair of pulses using detector $D_{T}$. On the monitoring line, Bob checks the coherence between adjacent non-vacuum pulses by observing the measurement outcome of a Mach-Zehnder interferometer with two detectors, $D_{M_0}$ and $D_{M_1}$. Information leakage can be detected by broken coherence, which can be reflected by the visibility $V=[P\left (D_{M_0}\right )-P\left (D_{M_1}\right )]/[P\left (D_{M_0}\right )+P\left (D_{M_1}\right )]$, where $P\left (D_{M_0}\right )$ [$P\left (D_{M_1}\right )$] is the probability that the detector $D_{M_0}$ ($D_{M_1}$) clicks. Alice and Bob also use a random subset of data on the data line to test the bit error rate $E_{\rm b}$. The security proof and secure key rate of COW-QKD are provided based on these two parameters, $E_{\rm b}$ and $V$ [42].

Nevertheless, recent studies introduced the so-called zero-error attack [45,46]. On the one hand, since the signals sent by Alice are linearly independent, Eve can adopt an unambiguous state discrimination measurement to distinguish each signal sent by Alice without introducing error on the data line. On the other hand, the vacuum state in the signals naturally breaks the coherence between adjacent pulses. Taking advantage of this property, Eve can resend to Bob blocked signal sequences that preserve coherence among consecutive non-empty pulses. Thus, all the security proofs of COW-QKD, which rely on coherence analysis, appear to be unreliable.

As shown in figure 1, we propose a practical implementation of COW-QKD by adding a two-pulse vacuum state ${ | {0} \rangle }_{2k-1}{ | {0} \rangle }_{2k}$ as decoy sequence 2. When evaluating the secure key rate, Alice no longer estimates the visibility $V$ to quantify leaked information. Instead, she calculates the gains $Q_{0\alpha }^{M_{i}}$, $Q_{\alpha 0}^{M_{i}}$, $Q_{\alpha \alpha }^{M_{i}}$ and $Q_{00}^{M_{i}}$ ($i=0$ or $1$) to estimate the phase error rate, where the superscript $M_i$ represents the clicking detector $D_{M_i}$ on the monitoring line announced by Bob, the subscript refers to the corresponding sequence ${ | {0} \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$, ${ | {\alpha } \rangle }_{2k-1}{ | {0} \rangle }_{2k}$, ${ | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$ and ${ | {0} \rangle }_{2k-1}{ | {0} \rangle }_{2k}$ sent by Alice. Here, we clarify that if multiple detectors click corresponding to every pair of states, Bob regards this event as one of these detectors clicking randomly [48,49].

 figure: Fig. 1.

Fig. 1. Schematic of COW-QKD in our work. Alice randomly sends a sequence of states ${ | {0} \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$, ${ | {\alpha } \rangle }_{2k-1}{ | {0} \rangle }_{2k}, { | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$, and ${ | {0} \rangle }_{2k-1}{ | {0} \rangle }_{2k}$ to Bob. Then, a beam-splitter of transmittance $t_B$ distributes incoming pulses into the data line and monitoring line at the receiving side, Bob. The quantum states can be experimentally realized by Alice by modulating ${ | {0} \rangle }$ or ${ | {\alpha } \rangle }$ using an intensity modulator (IM) in each time bin. Compared with the original version, where the sequences of states can be prepared in a similar manner, there is no extra technical requirement in our modification. $D_T$, $D_{M_{0}}$, and $D_{M_{1}}$ are the single-photon detectors.

Download Full Size | PDF

3. Security analysis

To provide a security proof for COW-QKD, we introduce a virtual entanglement-based protocol as follows: Here, we redefine the $k$-th optical modes ${ | {0_{z}} \rangle }={ | {0} \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$ and ${ | {1_{z}} \rangle }={ | {\alpha } \rangle }_{2k-1}{ | {0} \rangle }_{2k}$, where we omit the label $k$ to simplify the presentation. Let ${ | {0_{x}} \rangle }=({ | {0_{z}} \rangle }+{ | {1_{z}} \rangle })/\sqrt {N^{+}}$ and ${ | {1_{x}} \rangle }=({ | {0_{z}} \rangle }-{ | {1_{z}} \rangle })/\sqrt {N^{-}}$ be two nonclassical optical modes, where $N^{\pm }=2(1\pm e^{-\mu })$ are the normalization factors. We introduce an ancillary qubit, where ${ | {\pm z} \rangle }$ and ${ | {\pm x} \rangle }$ are the eigenstates of the Pauli operators $Z$ and $X$ of the qubit, respectively. Alice prepares $K$ pairs of entangled state

$$\begin{aligned} { | {\psi} \rangle }= & \frac{1}{\sqrt{2}}({ | {+z} \rangle }_A{ | {0_z} \rangle }_{A^{\prime}}+{ | {-z} \rangle }_A{ | {1_z} \rangle }_{A^{\prime}})\\ = & \frac{\sqrt{N^{+}}}{2}{ | {+x} \rangle }_A{ | {0_{x}} \rangle }_{A^{\prime}}+\frac{\sqrt{N^{-}}}{2}{ | {-x} \rangle }_A{ | {1_{x}} \rangle }_{A^{\prime}}, \end{aligned}$$
where the subscript $A$ denotes the ancillary qubit maintained by Alice, and $A^{\prime }$ represents the optical mode sent to Bob. Alice randomly measures the ancillary qubit in the $Z$ or $X$ basis and then acquires the raw keys $\tilde {\mathbf {Z}}_{A}$ from the $Z$ basis and $\tilde {\mathbf {X}}_{A}$ from the $X$ basis. Then, she sends optical modes to Bob in an insecure quantum channel. Similar to the practical COW protocol, the optical modes are detected randomly on the data or monitoring line. When observing that the detector $D_{T}$ clicks at the previous moment $\mathcal {T}_{0}$ (the latter moment $\mathcal {T}_{1}$), Bob records the bit value 0 (1) as the raw key in $\tilde {\mathbf {Z}}_{B}$. In addition, the raw key $\tilde {\mathbf {X}}_{B}$ is obtained by Bob observing the monitoring line. A detector $D_{M_{0}}$ ($D_{M_{1}}$) click denotes a bit value of 0 (1).

Let $H^{\epsilon }_{\min }\left (\tilde {\mathbf {Z}}_A|E\right )$ be the smooth min-entropy characterizing the average probability that Eve guesses $\tilde {\mathbf {Z}}_A$ correctly using the optimal strategy with access to the correlations stored in her quantum memory [50]. Let $H^{\epsilon }_{\max }\left (\tilde {\mathbf {Z}}_A|\tilde {\mathbf {Z}}_B\right )$ be the smooth max-entropy corresponding to the number of extra bits required to reconstruct the value of $\tilde {\mathbf {Z}}_A$ using $\tilde {\mathbf {Z}}_B$, up to a failure probability of $\epsilon$ [51]. For later use, we denote the binary Shannon entropy as $h(a)=-a\log _{2}a-(1-a)\log _{2}(1-a)$, and the size of $\tilde {\mathbf {Z}}_{A}$ as $n_{z}$. $\tilde {\mathbf {X}}_{A}'$ is the bit string that Alice would have obtained if she had measured in the $X$ basis in virtual protocol, which is actually measured in the $Z$ basis. Therefore, we have a smooth max-entropy $H^{\epsilon }_{\max }\left (\tilde {\mathbf {X}}_{A}'|B\right )\leq n_{z}h(E_{x})$ in the asymptotic limit, where $E_{x}$ is the bit error rate in the $X$ basis. By exploiting the uncertainty relation method for smooth entropies [52], the asymptotic secure key rate of the virtual entanglement-based protocol can be expressed as

$$\begin{aligned} \tilde{R} & =\frac{1}{\mathcal{P}_{z}K}\left[H^{\epsilon}_{\min}\left(\tilde{\mathbf{Z}}_A|E\right)-H^{\epsilon}_{\max}\left(\tilde{\mathbf{Z}}_A|\tilde{\mathbf{Z}}_B\right)\right]\\ & =\frac{1}{\mathcal{P}_{z}K}\left[n_{z}-H^{\epsilon}_{\max}\left(\tilde{\mathbf{X}}_{A}'|B\right)-n_{z}fh(E_{\rm z})\right]\\ & =Q_{z}\left[1-h(E_{x})-fh(E_{z})\right], \end{aligned}$$
where $Q_{z}=n_{z}/(\mathcal {P}_{z}K)=(Q_{0_{z}}^{\mathcal {T}_{0}}+Q_{0_{z}}^{\mathcal {T}_{1}}+Q_{1_{z}}^{\mathcal {T}_{0}}+Q_{1_{z}}^{\mathcal {T}_{1}})/2$ is the gain that Alice measures in the $Z$ basis and Bob detects on the data line, and $\mathcal {P}_{z}$ is the probability that Alice measures in the $Z$ basis and Bob measures on the data line. Here, $f$ denotes the efficiency of error correction and $E_{z}$ is the bit error rate in the $Z$ basis. Moreover, when using the entropic uncertainty relation, the signals detected by Bob’s device should be independent of Alice and Bob’s basis choices [53]. This requirement can naturally be satisfied when using active basis choice [43,47], but it needs to be cautiously considered when applying the passive basis choice. Using passive basis choice, Eve can apply classical wavelength attacks [54] to partially control Bob’s basis selection and cause weak basis-choice flaws. Nevertheless, the secure key rate decreases only slightly when the wavelength is carefully characterized to minimize this effect [55,56]. Recently, passive basis choice has been widely utilized in various QKD protocols [5763]. In this study, using passive basis choice, we assume that the beam-splitter is not controlled by the eavesdropper and use the squashing model [48,49] in the measurement setup.

In fact, the virtual entanglement-based protocol can be converted to an equivalent prepare-and-measure nonclassical protocol, that is, Alice directly prepares optical modes rather than preparing entangled states and measuring the ancillary qubit system. When Alice chooses the $Z$ basis, she directly sends the optical modes ${ | {0_{z}} \rangle }$ and ${ | {1_{z}} \rangle }$ with probability $1/2$. If Alice selects the $X$ basis, she directly sends nonclassical optical modes ${ | {0_{x}} \rangle }$ and ${ | {1_{x}} \rangle }$ with probabilities $N^{+}/4$ and $N^{-}/4$, respectively.

The above facts can be directly seen from the density matrices of the $Z$ and $X$ bases, which are equal in the nonclassical protocol, that is,

$$\begin{aligned}\rho & =({ | {0_{z}} \rangle }{ \langle {0_{z}} | }+{ | {1_{z}} \rangle }{ \langle {1_{z}} | })/2\\ & =(N^{+}{ | {0_{x}} \rangle }{ \langle {0_{x}} | }+N^{-}{ | {1_{x}} \rangle }{ \langle {1_{x}} | })/4. \end{aligned}$$

Therefore, the bit error rate $E_{z}$ can be obtained directly from the observed gain as follows:

$$\begin{aligned} E_{z}=\frac{Q_{0_{z}}^{\mathcal{T}_{1}}+Q_{1_{z}}^{\mathcal{T}_{0}}}{Q_{0_{z}}^{\mathcal{T}_{0}}+Q_{0_{z}}^{\mathcal{T}_{1}}+Q_{1_{z}}^{\mathcal{T}_{0}}+Q_{1_{z}}^{\mathcal{T}_{1}}}, \end{aligned}$$
where $Q_{w_{z}}^{\mathcal {T}_{j}}$ represents the gain of the event that Alice sends optical mode ${ | {w_{z}} \rangle }$ ($w=0$ or $1$) and Bob obtains a click at the $\mathcal {T}_{j}$ ($j=0$ or $1$) moment on the data line, and $Q_{z}=\left (Q_{0_{z}}^{\mathcal {T}_{0}}+Q_{0_{z}}^{\mathcal {T}_{1}}+Q_{1_{z}}^{\mathcal {T}_{0}}+Q_{1_{z}}^{\mathcal {T}_{1}}\right )/2$. Similarly, the bit error rate of the $X$ basis is given by
$$\begin{aligned} E_{x} & =\frac{N^{+}Q_{0_{x}}^{M_{1}}+N^{-}Q_{1_{x}}^{M_{0}}}{N^{+}\left(Q_{0_{x}}^{M_{0}}+Q_{0_{x}}^{M_{1}}\right)+N^{-}\left(Q_{1_{x}}^{M_{0}}+Q_{1_{x}}^{M_{1}}\right)}\\ & =\frac{N^{+}Q_{0_{x}}^{M_{1}}+\left[2\left(Q_{0_{z}}^{M_{0}}+Q_{1_{z}}^{M_{0}}\right)-N^{+}Q_{0_{x}}^{M_{0}}\right]}{2\left(Q_{0_{z}}^{M_{0}}+Q_{0_{z}}^{M_{1}}+Q_{1_{z}}^{M_{0}}+Q_{1_{z}}^{M_{1}}\right)}, \end{aligned}$$
where $Q_{w_{x(z)}}^{M_{i}}$ represents the gain of the event that Alice senda optical mode ${ | {w_{x(z)}} \rangle }$ and Bob obtains a click with detector $D_{M_{i}}$ on the monitoring line. In the second equation, we use the relation $N^{+}Q_{0_{x}}^{M_{i}}+N^{-}Q_{1_{x}}^{M_{i}}=2\left (Q_{0_{z}}^{M_{i}}+Q_{1_{z}}^{M_{i}}\right )$, which is obtained using Eqs. (3).

Let us now return to the practical COW-QKD protocol. Note that if Alice prepares the encoding sequence ${ | {0} \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$ or ${ | {\alpha } \rangle }_{2k-1}{ | {0} \rangle }_{2k}$ with equal probability, the eavesdropper Eve cannot distinguish this step from the following virtual step: Alice prepares an entangled state ${ | {\psi } \rangle }$ and measures the ancillary qubit in the $Z$ basis. Consequently, Alice’s raw key is identical to $\mathbf {Z}_{A}$. The secret key rate in the asymptotic limit can be written as

$$\begin{aligned} R=Q\left[1-h(E_{\rm p}^{\rm u})-fh(E_{\rm b})\right], \end{aligned}$$
where $Q=Q_{z}$ and $E_{b}=E_{z}$ are the gain and bit error rate, respectively. The phase error rate $E_{\rm p}^{\rm u}$ is the upper bound on the average error probability [64], which Bob guesses as Alice’s bit string $\mathbf {X}_{A}'$ in the virtual entanglement-based protocol. This is equal to the upper bound on the bit error rate of the $X$ basis in the nonclassical protocol. In practice, Alice does not measure qubits in the $X$ basis, which means that one cannot directly acquire the gains $Q_{0_{x}}^{M_{0}}$ and $Q_{0_{x}}^{M_{1}}$ in the nonclassical protocol. However, we can exploit the gains of the other quantum states ${ | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$ and ${ | {0} \rangle }_{2k-1}{ | {0} \rangle }_{2k}$ which can be directly attained in the COW-QKD protocol to estimate the upper bound $\overline {Q}_{0_{x}}^{M_{1}}$ and the lower bound $\underline {Q}_{0_{x}}^{M_{0}}$. The phase error rate $E_{\rm p}^{\rm u}$ can be expressed as
$$\begin{aligned} E_{\rm p}^{\rm u} & =\frac{N^{+}\overline{Q}_{0_{x}}^{M_{1}}+\left[2\left(Q_{0_{z}}^{M_{0}}+Q_{1_{z}}^{M_{0}}\right)-N^{+}\underline{Q}_{0_{x}}^{M_{0}}\right]}{2\left(Q_{0_{z}}^{M_{0}}+Q_{0_{z}}^{M_{1}}+Q_{1_{z}}^{M_{0}}+Q_{1_{z}}^{M_{1}}\right)}, \end{aligned}$$
where we use the relation for gain between the nonclassical protocol and the COW-QKD protocol, that is, $Q_{0_{z}}^{M_{i}}=Q_{0\alpha }^{M_{i}}$ and $Q_{1_{z}}^{M_{i}}=Q_{\alpha 0}^{M_{i}}$. Under collective attacks, we have the upper bound $\overline {Q}_{0_{x}}^{M_{1}}$ and lower bound $\underline {Q}^{M_0}_{0_x}$, using the method described in Refs. [16,65]. The details can be found in A. Using Azuma’s inequality [66], we remark that the security of COW-QKD can be extended against coherent attacks because the estimation of the phase-error rate will yield consistent results in the asymptotic limit. Security against coherent attacks is presented in B.

4. Numerical simulation

In our simulation, we assume a dark-count rate of $p_d=10^{-8}$ and detection efficiency of $\eta _d=80\%$. The correction efficiency, $f$, was set to $1.1$. The linear lossy channel is characterized by a transmittance of $\eta =10^{-0.02L}$. The transmission coefficient $t_B$ of the asymmetric beam-splitter is given by the optimization algorithm.

We present the secret key rate of COW-QKD using passive-basis choice with different misalignment errors in figure 2. Compared with $\eta ^{2}$ and the Pirandola-Laurenza-Ottaviani-Banchi bound (PLOB bound) [67,68] ($R_{\rm PLOB}=-\log _2(1-\eta$)), the lower bound on the key rate scales is of the order of $O(\eta ^{2})$, which is consistent with the result in Ref. [45]. The secret key can still be transmitted over 100 km through the optical fiber when misalignment error $e_a=0$. The secret key rate using active basis choice on the receiving side is also considered. The numerical results of the secret key rate using passive basis choice and active basis choice are presented in figure 3. Figure 3 also presents the upper bound on the phase error rate $E^{u}_P$ using active basis choice.

 figure: Fig. 2.

Fig. 2. Secret key rates in the asymptotic case using passive basis choice with different misalignment errors, $e_a=0$ and $5\%$. The key rate scales linearly with $0.005\eta ^{2}$ when $e_a=0$, which is much lower than the upper bound on the secret key rate of order $O(\eta ^{2})$ given in Refs. [45,46].

Download Full Size | PDF

 figure: Fig. 3.

Fig. 3. Comparison of secret key rates using passive basis choice and active basis choice in the asymptotic case. The dashed yellow line represents the upper bound on the phase error rate $E^{u}_p$ using active basis choice. The misalignment error $e_a$ is set to $2\%$.

Download Full Size | PDF

In figure 4, we show the key rate of the nonclassical protocol using passive basis choice. Comparing the results of the nonclassical protocol with the decoy-state BB84 protocol [22,23] and the PLOB bound [67,68], we find that the nonclassical protocol also achieves the key rate of order $O(\eta )$.

 figure: Fig. 4.

Fig. 4. Comparison of asymptotic secret key rates of COW-QKD in our work, our nonclassical protocol, the decoy-state BB84 QKD and the PLOB bound. The misalignment error $e_a=2\%$ is set as the same. The nonclassical protocol in our work can reach the key rate of order $O(\eta )$.

Download Full Size | PDF

Additionally, we compare the COW-QKD of this study with the variants of COW-QKD [43,47] in figure 5. The variant in Ref. [43] is considered in the case where all different 3-signal blocks (including 6 optical pulses) share the same phase and Bob applies the active basis choice setup. The variant in Ref. [47] is considered in the case where the decoy sequence keeps the original setting as ${ | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$. In figure 5, the dark count rate $p_d$ is set to $10^{-7}$ and the detection efficiency $\eta _d$ is set to $99\%$. The results reveal that the lower bound on the key rate for the COW-QKD using passive basis choice and active basis choice are both tighter than the result given by the variant in Ref. [43]. The secure key distribution in this work also achieves a longer transmittance distance compared with the variant in Ref. [47]. We also almost maintain the original setting of the COW protocol.

 figure: Fig. 5.

Fig. 5. Comparison of asymptotic secret key rates of COW-QKD in this work and the variants of COW-QKD using active basis choice [43,47]. The misalignment error $e_a$ is set to $1\%$, and the dark count rate is set to $10^{-7}$. The variant in Ref. [43] uses 6 optical pulses in each signal block and all blocks of signals share a common phase. The variant in Ref. [47] uses the original setting of the decoy sequence ${ | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$. Our work using passive basis choice can still surpass the variant of COW-QKD using active basis choice within 50 km.

Download Full Size | PDF

Table 1 summarizes the performance of this study with the variants of the COW-QKD protocol [43,47]. The asymptotic security of all these COW-typed QKD protocols has been proven against coherent attacks. Compared with this work, the variant of COW-QKD in Ref. [43] also extends the secure key distribution over 90 km using active basis choice; however, it changed the original protocol a lot (coding with m-signal blocks). The variant in Ref. [47] almost maintains the setting of the original COW protocol as in this work. However, its secret keys can only be distributed within 20 km using active basis choice (Here, we consider the variant protocol in Ref. [47], maintaining the original COW-QKD decoy sequence ${ | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$). Our work using passive basis choice also shows good performance, which is presented in parentheses.

Tables Icon

Table 1. Comparison between variants of the COW-QKD protocol. Here, “a.” denotes the active basis choice and “p.” denotes the passive basis choice. The dark-count rate $p_d$ is set to $10^{-7}$, and the misalignment error $e_a$ = $1\%$.

View Table

5. Conclusion

In this study, we provide an asymptotic security proof for the practical implementation of COW-QKD under coherent attacks and derive the lower bound on the secure key rate. The security proof no longer relies on coherence between adjacent pulses to detect eavesdropping. Instead, we sort the observed quantities to estimate the upper bound on the phase error rate. Our result is tighter than the lower bound on the key rate of the variant COW-QKD [43] because we calculate the component of the vacuum states more carefully. Maintaining all current experimental apparatus and techniques, we extend the secure key distribution to 100 km, which paves the way for the secure implementation of COW-QKD.

A. Upper bound on phase error rate

Here, we first consider the case in which Bob applies a passive basis choice to distribute incoming pulses into the data and monitoring lines. The gain of the state ${ | {\phi } \rangle }$ heralded by detector $D_{M_{i}}$ ($i=0$ or $1$) clicking can be given by

$$Q_{\phi}^{M_{i}}={ \langle {\phi} | }\hat{\mathcal{M}}_{i}^{+}\hat{\mathcal{M}}_{i}{ | {\phi} \rangle },$$
where $\hat {\mathcal {M}}_{i}$ is the Kraus operator corresponding to detector $D_{M_{i}}$.

In the nonclassical protocol, the gains of the states ${ | {0_z} \rangle }$ and ${ | {1_z} \rangle }$ detected by detector $D_{M_i}$ on the monitoring line, that is, $Q_{0_{z}}^{M_{i}}$ and $Q_{1_{z}}^{M_{i}}$, can be written as $Q_{0_{z}}^{M_{i}}=Q_{1_{z}}^{M_{i}}=\left (1-p_d\right )^{2}e^{-t_B\mu \eta }c1\left (1-c1\right )$, where $c1=\left (1-p_d\right )e^{-(1-t_B)\mu \eta /2}$. The gains $Q_{0_{x}}^{M_{1}}$ and $Q_{0_{x}}^{M_{0}}$ of the nonclassical states ${ | {0_x} \rangle }$ on the monitoring line are $Q_{0_{x}}^{M_{0}}=\frac {2}{N^{+}}\left (1-p_d\right )^{3}\left (1-c1\right ), \left [e^{-(1+t_B)\mu /2}c2\right.$ $\left.+e^{-(1-t_B)\mu \eta /2}c3\right ]$ and $Q_{0_{x}}^{M_{1}}=\frac {2}{N^{+}}\left (1-p_d\right )^{2}c1 \{e^{-(1+t_B)\mu /2}\left [c4-\left (1-p_d\right )c2\right ]+c3\left (1-c1\right )\}$, where the parameters $c2=e^{(1-t_B)\mu (1-\eta )/2}+e^{-(1-t_B)\mu (1-\eta )/2}$, $c3=e^{-t_{B}\mu \eta }-e^{-t_{B}\mu }$ and $c4=e^{(1-t_B)\mu /2}+e^{-(1-t_B)\mu /2}$.

In the COW protocol, because the nonclassical state ${ | {0_{x}} \rangle }$ cannot be acquired, we cannot directly estimate the gain $Q_{0_{x}}^{M_i}={ \langle {0_x} | }\hat {\mathcal {M}}_{i}^{+}\hat {\mathcal {M}}_{i}{ | {0_x} \rangle }$. We express ${ | {0_{x}} \rangle }$ using the states ${ | {0,0} \rangle }$, ${ | {\alpha, \alpha } \rangle }$, and ${ | {\beta,\beta } \rangle }$ as follows:

$${ | {0_{x}} \rangle }=\frac{e^{-\mu}{ | {0,0} \rangle }+{ | {\alpha,\alpha} \rangle }-(1-e^{-\mu}){ | {\beta,\beta} \rangle }}{e^{-\mu/2}\sqrt{2(1+e^{-\mu})}},$$
where the state ${ | {\beta } \rangle }=({ | {\alpha } \rangle }-e^{-\mu /2}{ | {0} \rangle })/\sqrt {1-e^{-\mu }}$ denotes the normalized non-vacuum part of the state ${ | {\alpha } \rangle }$. The pairs of states ${ | {0,0} \rangle }$ and ${ | {\alpha,\alpha } \rangle }$ correspond to decoy sequences sent by Alice. Thus, we can rewrite the gain $Q_{0_{x}}^{M_i}$ as
$${ \langle {0_x} | }\hat{\mathcal{M}}_{i}^{+}\hat{\mathcal{M}}_{i}{ | {0_x} \rangle }=\sum_{l,k}s_{l}s_{k}{ \langle {\phi_{l}} | }\mathcal{M}_{i}^{+}\mathcal{M}_{i}{ | {\phi_{k}} \rangle },$$
where, ${ | {\phi _l} \rangle },{ | {\phi _k} \rangle }\in \{{ | {0,0} \rangle },{ | {\alpha,\alpha } \rangle },{ | {\beta,\beta } \rangle }\}$, $s_l$, and $s_k$ are the corresponding state coefficients in Eq. (9). By utilizing the Cauchy inequality [16,65], we have that
$$\left|s_{l}s_{k}{ \langle {\phi_{l}} | }\mathcal{M}_{i}^{+}\mathcal{M}_{i}{ | {\phi_{k}} \rangle }\right| \le|s_{l}s_{k}|\sqrt{\left|\hat{\mathcal{M}}_{i}{ | {\phi_{l}} \rangle }\right|^{2}}\sqrt{\left|\hat{\mathcal{M}}_{i}{ | {\phi_{k}} \rangle }\right|^{2}}.$$

Combining this result with the limit $0\le { \langle {\beta,\beta } | } \hat {\mathcal {M}}_{i}^{+}\hat {\mathcal {M}}_{i}{ | {\beta,\beta } \rangle } \le 1$, the upper bound for ${Q}^{M_1}_{0_{x}}$ and the lower bound for ${Q}^{M_0}_{0_{x}}$ can be expressed as

$$\begin{aligned} \overline{Q}_{0_{x}}^{M_{1}}= & \frac{1}{N^{+}}\left(e^{\frac{\mu}{2}}\sqrt{Q_{\alpha\alpha}^{M_{1}}}+e^{-\frac{\mu}{2}}\sqrt{Q_{00}^{M_{1}}}\right)^{2}\\ & +\frac{N^{-}}{N^{+}}\left(\frac{e^{\mu}N^{-}}{4}+e^{\mu}\sqrt{Q_{\alpha\alpha}^{M_{1}}}+\sqrt{Q_{00}^{M_{1}}}\right),\\ \underline{Q}^{M_0}_{0_{x}}= & \frac{1}{N^{+}}\left(e^{\frac{\mu}{2}}\sqrt{Q_{\alpha\alpha}^{M_{0}}}-e^{-\frac{\mu}{2}}\sqrt{Q_{00}^{M_{0}}}\right)^{2}\\ & -\frac{N^{-}}{N^{+}}\left(e^{\mu}\sqrt{Q_{\alpha\alpha}^{M_{0}}}+\sqrt{Q_{00}^{M_{0}}}\right).\\ \end{aligned}$$

Here, the gains of state ${ | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$ on the monitoring line are $Q_{\alpha \alpha }^{M_{0}}=\left (1-p_d\right )^{3}\left [1-\left (1- \right.p_d\right )\left. e^{-2\mu (1-t_B)\eta }\right ]c5$, and $Q_{\alpha \alpha }^{M_{1}}=p_d\left (1-p_d\right )^{3}e^{-2\mu (1-t_B)\eta }c5$, where $c5= \left (-2e^{-2t_B\mu }+2e^{-t_B\mu -t_B\mu \eta }\right.$ $\left.+e^{-2t_B\mu \eta }\right )$ and the gains of the states ${ | {0} \rangle }_{2k-1}{ | {0} \rangle }_{2k}$ on the monitoring line are $Q_{00}^{M_{i}}=p_d(1-p_d)^{3}$.

In addition, when Bob applies an active basis choice setup, the gains $Q_{0_{z}}^{M_{i}}$, $Q_{1_{z}}^{M_{i}}$, $Q_{\alpha \alpha }^{M_{i}}$, and $Q_{00}^{M_{i}}$ are given by $Q_{0_{z}}^{M_{i}}=Q_{1_{z}}^{M_{i}}=c1\left (1-c1\right )$. $Q_{\alpha \alpha }^{M_{0}}=\left (1-p_d\right )\left [1-\left (1-p_d\right )e^{-2\mu (1-t_B)\eta }\right ]$, $Q_{\alpha \alpha }^{M_{1}}=p_d\left (1-p_d\right )e^{-2\mu (1-t_B)\eta }$ and $Q_{00}^{M_{i}}=p_d(1-p_d)$, with other formulas unchanged.

B. Security against coherent attacks

Here, we extend the security of COW-QKD against coherent attacks. We consider a process in which a pair of states is sent at two time points, $2k-1$ and $2k$ $(k=1,2,\ldots, K)$ as one round, and the entire process of the COW protocol is performed by repeating this round $K$ times. Following a similar security analysis as in the main text, we assume an equivalent prepare-and-measure nonclassical protocol. Let the Kraus operator $\hat {\mathcal {M}}_{i}^{l}$ correspond to the announcement of detector $D_{M_{i}}$ associated with the $l$-th round $(l=1,2,\ldots,K)$. We denote the probability of the event that Alice decides to send the nonclassical optical mode ${ | {0_x} \rangle }$ as $p_{0_x}$. For any arbitrary small quantity $\epsilon \geq 0$, according to Azuma’s inequality [66], we have that

$$\left| \sum_{l=1}^{K} p_{0_x} Q_{0_x}^{l,{M_i}} - N_{0_x}^{l,{M_i}} \right| < \epsilon \left|K \right|$$
holds, except for the minuscule probability, $2e^{-K\epsilon ^{2}/2}$. Here, $Q_{0_x}^{l,{M_i}}$ corresponds to the probability that the nonclassical optical mode ${ | {0_x} \rangle }$ is detected by the detector $D_{M_i}$ on the monitoring line associated with the $l$-th round. $N_{0_x}^{l,{M_i}}$, as an observed quantity, is the actual number of events that the nonclassical optical mode ${ | {0_x} \rangle }$ sent by Alice is detected by the detector $D_{M_i}$ on the monitoring line. When $K$ tends to infinity in the asymptotic limit, we can deduce from Eq. (13) that
$$\frac{N_{0_x}^{l,{M_i}}}{K} \approx \frac{\sum_{l=1}^{K} p_{0_x} Q_{0_x}^{l,{M_i}} }{K}$$

Here, $Q_{0_x}^{l,{M_i}}$ satisfies Eq. (12), and all gains of the COW-QKD protocol in Eq. (12) are associated with the $l$-th round (which corresponds to the condition of the security proof against collective attacks). Combining this result with the upper bound on the phase error rate derived from Eq. (7) in the main text, we find that the estimation result of the phase error rate is consistent in the asymptotic limit when considering collective and coherent attacks. Thus, the asymptotic security of COW-QKD against coherent attacks is proven.

Funding

National Natural Science Foundation of China (61801420); Natural Science Foundation of Jiangsu Province (BK20211145); Fundamental Research Funds for the Central Universities (020414380182); Key Research and Development Program of Nanjing Jiangbei New Aera (ZDYD20210101); Key-Area Research and Development Program of Guangdong Province (2020B0303040001).

Acknowledgments

We thank Charles Ci Wen Lim, Nicolas Gisin, and Ignatius William Primaatmaja for enlightening the discussions and making the security proof of this work more rigorous.

Disclosures

The authors declare no conflicts of interest.

Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

References

1. C. H. Bennett and G. Brassard, “Quantum cryptography: public key distribution and coin tossing, in Proceedings of the Conference on Computers, Systems and Signal Processing, (IEEE Press, New York, 1984), p. 175.

2. A. K. Ekert, “Quantum cryptography based on bell’s theorem,” Phys. Rev. Lett. 67(6), 661–663 (1991). [CrossRef]  

3. V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301 (2009). [CrossRef]  

4. F. Xu, X. Ma, Q. Zhang, H.-K. Lo, and J.-W. Pan, “Secure quantum key distribution with realistic devices,” Rev. Mod. Phys. 92(2), 025002 (2020). [CrossRef]  

5. S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. S. Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, “Advances in quantum cryptography,” Adv. Opt. Photonics 12(4), 1012–1236 (2020). [CrossRef]  

6. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4(10), 686–689 (2010). [CrossRef]  

7. H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 108(13), 130503 (2012). [CrossRef]  

8. S. L. Braunstein and S. Pirandola, “Side-channel-free quantum key distribution,” Phys. Rev. Lett. 108(13), 130502 (2012). [CrossRef]  

9. Y.-H. Zhou, Z.-W. Yu, and X.-B. Wang, “Making the decoy-state measurement-device-independent quantum key distribution practically useful,” Phys. Rev. A 93(4), 042324 (2016). [CrossRef]  

10. H.-L. Yin, T.-Y. Chen, Z.-W. Yu, H. Liu, L.-X. You, Y.-H. Zhou, S.-J. Chen, Y. Mao, M.-Q. Huang, W.-J. Zhang, H. Chen, M. J. Li, D. Nolan, F. Zhou, X. Jiang, Z. Wang, Q. Zhang, X.-B. Wang, and J.-W. Pan, “Measurement-device-independent quantum key distribution over a 404 km optical fiber,” Phys. Rev. Lett. 117(19), 190501 (2016). [CrossRef]  

11. M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Overcoming the rate–distance limit of quantum key distribution without quantum repeaters,” Nature 557(7705), 400–403 (2018). [CrossRef]  

12. X. Ma, P. Zeng, and H. Zhou, “Phase-matching quantum key distribution,” Phys. Rev. X 8(3), 031043 (2018). [CrossRef]  

13. X.-B. Wang, Z.-W. Yu, and X.-L. Hu, “Twin-field quantum key distribution with large misalignment error,” Phys. Rev. A 98(6), 062323 (2018). [CrossRef]  

14. J. Lin and N. Lütkenhaus, “Simple security analysis of phase-matching measurement-device-independent quantum key distribution,” Phys. Rev. A 98(4), 042332 (2018). [CrossRef]  

15. H.-L. Yin and Y. Fu, “Measurement-device-independent twin-field quantum key distribution,” Sci. Rep. 9(1), 3045 (2019). [CrossRef]  

16. M. Curty, K. Azuma, and H.-K. Lo, “Simple security proof of twin-field type quantum key distribution protocol,” npj Quantum Inf. 5(1), 64 (2019). [CrossRef]  

17. C. Cui, Z.-Q. Yin, R. Wang, W. Chen, S. Wang, G.-C. Guo, and Z.-F. Han, “Twin-field quantum key distribution without phase postselection,” Phys. Rev. Appl. 11(3), 034053 (2019). [CrossRef]  

18. H.-L. Yin and Z.-B. Chen, “Coherent-state-based twin-field quantum key distribution,” Sci. Rep. 9(1), 14918 (2019). [CrossRef]  

19. M. Minder, M. Pittaluga, G. Roberts, M. Lucamarini, J. Dynes, Z. Yuan, and A. Shields, “Experimental quantum key distribution beyond the repeaterless secret key capacity,” Nat. Photonics 13(5), 334–338 (2019). [CrossRef]  

20. G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, “Limitations on practical quantum cryptography,” Phys. Rev. Lett. 85(6), 1330–1333 (2000). [CrossRef]  

21. W.-Y. Hwang, “Quantum key distribution with high loss: Toward global secure communication,” Phys. Rev. Lett. 91(5), 057901 (2003). [CrossRef]  

22. X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. 94(23), 230503 (2005). [CrossRef]  

23. H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. 94(23), 230504 (2005). [CrossRef]  

24. M. Koashi, “Unconditional security of coherent-state quantum key distribution with a strong phase-reference pulse,” Phys. Rev. Lett. 93(12), 120501 (2004). [CrossRef]  

25. V. Scarani, A. Acín, G. Ribordy, and N. Gisin, “Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations,” Phys. Rev. Lett. 92(5), 057901 (2004). [CrossRef]  

26. K. Tamaki and H.-K. Lo, “Unconditionally secure key distillation from multiphotons,” Phys. Rev. A 73(1), 010302 (2006). [CrossRef]  

27. H.-L. Yin, Y. Fu, Y. Mao, and Z.-B. Chen, “Security of quantum key distribution with multiphoton components,” Sci. Rep. 6(1), 29482 (2016). [CrossRef]  

28. K. Inoue, E. Waks, and Y. Yamamoto, “Differential phase shift quantum key distribution,” Phys. Rev. Lett. 89(3), 037902 (2002). [CrossRef]  

29. K. Inoue, E. Waks, and Y. Yamamoto, “Differential-phase-shift quantum key distribution using coherent light,” Phys. Rev. A 68(2), 022317 (2003). [CrossRef]  

30. D. Stucki, N. Brunner, N. Gisin, V. Scarani, and H. Zbinden, “Fast and simple one-way quantum key distribution,” Appl. Phys. Lett. 87(19), 194108 (2005). [CrossRef]  

31. T. Sasaki, Y. Yamamoto, and M. Koashi, “Practical quantum key distribution protocol without monitoring signal disturbance,” Nature 509(7501), 475–478 (2014). [CrossRef]  

32. D. Stucki, C. Barreiro, S. Fasel, J.-D. Gautier, O. Gay, N. Gisin, R. Thew, Y. Thoma, P. Trinkler, F. Vannel, and H. Zbinden, “Continuous high speed coherent one-way quantum key distribution,” Opt. Express 17(16), 13326–13334 (2009). [CrossRef]  

33. D. Stucki, N. Walenta, F. Vannel, R. T. Thew, N. Gisin, H. Zbinden, S. Gray, C. Towery, and S. Ten, “High rate, long-distance quantum key distribution over 250 km of ultra low loss fibres,” New J. Phys. 11(7), 075003 (2009). [CrossRef]  

34. N. Walenta, A. Burg, D. Caselunghe, J. Constantin, N. Gisin, O. Guinnard, R. Houlmann, P. Junod, B. Korzh, N. Kulesza, M. Legré, C. W. Lim, T. Lunghi, L. Monat, C. Portmann, M. Soucarros, R. T. Thew, P. Trinkler, G. Trolliet, F. Vannel, and H. Zbinden, “A fast and versatile quantum key distribution system with hardware key distillation and wavelength multiplexing,” New J. Phys. 16(1), 013047 (2014). [CrossRef]  

35. B. Korzh, C. C. W. Lim, R. Houlmann, N. Gisin, M. J. Li, D. Nolan, B. Sanguinetti, R. Thew, and H. Zbinden, “Provably secure and practical quantum key distribution over 307 km of optical fibre,” Nat. Photonics 9(3), 163–168 (2015). [CrossRef]  

36. P. Sibson, C. Erven, M. Godfrey, S. Miki, T. Yamashita, M. Fujiwara, M. Sasaki, H. Terai, M. G. Tanner, C. M. Natarajan, R. H. Hadfield, J. L. O’Brien, and M. G. Thompson, “Chip-based quantum key distribution,” Nat. Commun. 8(1), 2041 (2017). [CrossRef]  

37. P. Sibson, J. E. Kennard, S. Stanisic, C. Erven, J. L. O’Brien, and M. G. Thompson, “Integrated silicon photonics for high-speed quantum key distribution,” Optica 4(2), 172–177 (2017). [CrossRef]  

38. G. L. Roberts, M. Lucamarini, J. F. Dynes, S. J. Savory, Z. Yuan, and A. J. Shields, “Modulator-free coherent-one-way quantum key distribution,” Laser Photonics Rev. 11(4), 1700067 (2017). [CrossRef]  

39. J. Dai, L. Zhang, X. Fu, X. Zheng, and L. Yang, “Pass-block architecture for distributed-phase-reference quantum key distribution using silicon photonics,” Opt. Lett. 45(7), 2014–2017 (2020). [CrossRef]  

40. M. Peev, C. Pacher, R. Alléaume, C. Barreiro, J. Bouda, W. Boxleitner, T. Debuisschert, E. Diamanti, M. Dianati, J. F. Dynes, S. Fasel, S. Fossier, M. Fürst, J.-D. Gautier, O. Gay, N. Gisin, P. Grangier, A. Happe, Y. Hasani, M. Hentschel, H. Hübel, G. Humer, T. Länger, M. Legré, R. Lieger, J. Lodewyck, T. Lorünser, N. Lütkenhaus, A. Marhold, T. Matyus, O. Maurhart, L. Monat, S. Nauerth, J.-B. Page, A. Poppe, E. Querasser, G. Ribordy, S. Robyr, L. Salvail, A. W. Sharpe, A. J. Shields, D. Stucki, M. Suda, C. Tamas, T. Themel, R. T. Thew, Y. Thoma, A. Treiber, P. Trinkler, R. Tualle-Brouri, F. Vannel, N. Walenta, H. Weier, H. Weinfurter, I. Wimberger, Z. L. Yuan, H. Zbinden, and A. Zeilinger, New J. Phys.11, 075001 (2009).

41. IDQuantique, Geneva, Switzerland, https://www.idquantique.com/quantum-sensing/products/clavis3-qkd-platform/.

42. C. Branciard, N. Gisin, and V. Scarani, “Upper bounds for the security of two distributed-phase reference protocols of quantum cryptography,” New J. Phys. 10(1), 013031 (2008). [CrossRef]  

43. T. Moroder, M. Curty, C. C. W. Lim, L. P. Thinh, H. Zbinden, and N. Gisin, “Security of distributed-phase-reference quantum key distribution,” Phys. Rev. Lett. 109(26), 260501 (2012). [CrossRef]  

44. D. M. Innocenzo, I. W. Robert, L. R. George, K. P. Taofiq, R. Thomas, S. Mirko, L. Marco, Y. Zhiliang, and J. S. Andrew, “Real-time operation of a multi-rate, multi-protocol quantum key distribution transmitter,” Optica 8(6), 911–915 (2021). [CrossRef]  

45. J. González-Payo, R. Trényi, W. Wang, and M. Curty, “Upper security bounds for coherent-one-way quantum key distribution,” Phys. Rev. Lett. 125(26), 260510 (2020). [CrossRef]  

46. R. Trényi and M. Curty, “Zero-error attack against coherent-one-way quantum key distribution,” New J. Phys. 23(9), 093005 (2021). [CrossRef]  

47. Y. Wang, I. W. Primaatmaja, E. Lavie, A. Varvitsiotis, and C. C. W. Lim, “Characterising the correlations of prepare-and-measure quantum networks,” npj Quantum Inf. 5(1), 17 (2019). [CrossRef]  

48. N. J. Beaudry, T. Moroder, and N. Lütkenhaus, “Squashing models for optical measurements in quantum communication,” Phys. Rev. Lett. 101(9), 093601 (2008). [CrossRef]  

49. Z. Cao, H. Zhou, X. Yuan, and X. Ma, “Source-independent quantum random number generation,” Phys. Rev. X 6, 011020 (2016). [CrossRef]  

50. R. Konig, R. Renner, and C. Schaffner, “The operational meaning of min- and max-entropy,” IEEE Trans. Inf. Theory 55(9), 4337 (2009). [CrossRef]  

51. J. M. Renes and R. Renner, “One-shot classical data compression with quantum side information and the distillation of common randomness or secret keys,” IEEE Trans. Inf. Theory 58(3), 1985–1991 (2012). [CrossRef]  

52. M. Tomamichel and R. Renner, “Uncertainty relation for smooth entroes,” Phys. Rev. Lett. 106(11), 110506 (2011). [CrossRef]  

53. M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nat. Commun. 3(1), 634 (2012). [CrossRef]  

54. H.-W. Li, S. Wang, J.-Z. Huang, W. Chen, Z.-Q. Yin, F.-Y. Li, Z. Zhou, D. Liu, Y. Zhang, G.-C. Guo, W.-S. Bao, and Z.-F. Han, “Attacking a practical quantum-key-distribution system with wavelength-dependent beam-splitter and multiwavelength sources,” Phys. Rev. A 84(6), 062308 (2011). [CrossRef]  

55. H.-W. Li, Z.-Q. Yin, S. Wang, Y.-J. Qian, W. Chen, G.-C. Guo, and Z.-F. Han, “Randomness determines practical security of bb84 quantum key distribution,” Sci. Rep. 5(1), 16200 (2015). [CrossRef]  

56. S.-H. Sun, Z.-Y. Tian, M.-S. Zhao, and Y. Ma, “Security evaluation of quantum key distribution with weak basis-choice flaws,” Sci. Rep. 10(1), 18145 (2020). [CrossRef]  

57. N. T. Islam, C. C. W. Lim, C. Cahall, J. Kim, and D. J. Gauthier, “Provably secure and high-rate quantum key distribution with time-bin qudits,” Sci. Adv. 3(11), e1701491 (2017). [CrossRef]  

58. D. Rusca, A. Boaron, M. Curty, A. Martin, and H. Zbinden, “Security proof for a simplified bennett-brassard 1984 quantum-key-distribution protocol,” Phys. Rev. A 98(5), 052336 (2018). [CrossRef]  

59. A. Boaron, G. Boso, D. Rusca, C. Vulliez, C. Autebert, M. Caloz, M. Perrenoud, G. Gras, F. Bussières, M.-J. Li, D. Nolan, A. Martin, and H. Zbinden, “Secure quantum key distribution over 421 km of optical fiber,” Phys. Rev. Lett. 121(19), 190502 (2018). [CrossRef]  

60. A. Boaron, B. Korzh, R. Houlmann, G. Boso, D. Rusca, S. Gray, M.-J. Li, D. Nolan, A. Martin, and H. Zbinden, “Simple 2.5 ghz time-bin quantum key distribution,” Appl. Phys. Lett. 112(17), 171108 (2018). [CrossRef]  

61. H. Liu, Z.-W. Yu, M. Zou, Y.-L. Tang, Y. Zhao, J. Zhang, X.-B. Wang, T.-Y. Chen, and J.-W. Pan, “Experimental 4-intensity decoy-state quantum key distribution with asymmetric basis-detector efficiency,” Phys. Rev. A 100(4), 042313 (2019). [CrossRef]  

62. H.-L. Yin, P. Liu, W.-W. Dai, Z.-H. Ci, J. Gu, T. Gao, Q.-W. Wang, and Z.-Y. Shen, “Experimental composable security decoy-state quantum key distribution using time-phase encoding,” Opt. Express 28(20), 29479–29485 (2020). [CrossRef]  

63. Y.-A. Chen, Q. Zhang, T.-Y. Chen, W.-Q. Cai, S.-K. Liao, J. Zhang, K. Chen, J. Yin, J.-G. Ren, Z. Chen, S.-L. Han, Q. Yu, K. Liang, F. Zhou, X. Yuan, M.-S. Zhao, T.-Y. Wang, X. Jiang, L. Zhang, W.-Y. Liu, Y. Li, Q. Shen, Y. Cao, C.-Y. Lu, R. Shu, J.-Y. Wang, L. Li, N.-L. Liu, F. Xu, X.-B. Wang, C.-Z. Peng, and J.-W. Pan, “An integrated space-to-ground quantum communication network over 4, 600 kilometres,” Nature 589(7841), 214–219 (2021). [CrossRef]  

64. M. Koashi, “Simple security proof of quantum key distribution based on complementarity,” New J. Phys. 11(4), 045018 (2009). [CrossRef]  

65. X.-B. Wang, X.-L. Hu, and Z.-W. Yu, “Practical long-distance side-channel-free quantum key distribution,” Phys. Rev. Appl. 12(5), 054034 (2019). [CrossRef]  

66. K. Azuma, “Weighted sums of certain dependent random variables,” Tohoku Math. J. 19(3), 357–367 (1967). [CrossRef]  

67. S. Pirandola, R. García-Patrón, S. L. Braunstein, and S. Lloyd, “Direct and reverse secret-key capacities of a quantum channel,” Phys. Rev. Lett. 102(5), 050503 (2009). [CrossRef]  

68. S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nat. Commun. 8(1), 15043 (2017). [CrossRef]  

Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

Cited By

Optica participates in Crossref's Cited-By Linking service. Citing articles from Optica Publishing Group journals and other participating publishers are listed here.

Alert me when this article is cited.


Figures (5)
Fig. 1.
Fig. 1. Schematic of COW-QKD in our work. Alice randomly sends a sequence of states ${ | {0} \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$, ${ | {\alpha } \rangle }_{2k-1}{ | {0} \rangle }_{2k}, { | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$, and ${ | {0} \rangle }_{2k-1}{ | {0} \rangle }_{2k}$ to Bob. Then, a beam-splitter of transmittance $t_B$ distributes incoming pulses into the data line and monitoring line at the receiving side, Bob. The quantum states can be experimentally realized by Alice by modulating ${ | {0} \rangle }$ or ${ | {\alpha } \rangle }$ using an intensity modulator (IM) in each time bin. Compared with the original version, where the sequences of states can be prepared in a similar manner, there is no extra technical requirement in our modification. $D_T$, $D_{M_{0}}$, and $D_{M_{1}}$ are the single-photon detectors.

View in Article | Download Full Size | PDF

Fig. 2.
Fig. 2. Secret key rates in the asymptotic case using passive basis choice with different misalignment errors, $e_a=0$ and $5\%$. The key rate scales linearly with $0.005\eta ^{2}$ when $e_a=0$, which is much lower than the upper bound on the secret key rate of order $O(\eta ^{2})$ given in Refs. [45,46].

View in Article | Download Full Size | PDF

Fig. 3.
Fig. 3. Comparison of secret key rates using passive basis choice and active basis choice in the asymptotic case. The dashed yellow line represents the upper bound on the phase error rate $E^{u}_p$ using active basis choice. The misalignment error $e_a$ is set to $2\%$.

View in Article | Download Full Size | PDF

Fig. 4.
Fig. 4. Comparison of asymptotic secret key rates of COW-QKD in our work, our nonclassical protocol, the decoy-state BB84 QKD and the PLOB bound. The misalignment error $e_a=2\%$ is set as the same. The nonclassical protocol in our work can reach the key rate of order $O(\eta )$.

View in Article | Download Full Size | PDF

Fig. 5.
Fig. 5. Comparison of asymptotic secret key rates of COW-QKD in this work and the variants of COW-QKD using active basis choice [43,47]. The misalignment error $e_a$ is set to $1\%$, and the dark count rate is set to $10^{-7}$. The variant in Ref. [43] uses 6 optical pulses in each signal block and all blocks of signals share a common phase. The variant in Ref. [47] uses the original setting of the decoy sequence ${ | {\alpha } \rangle }_{2k-1}{ | {\alpha } \rangle }_{2k}$. Our work using passive basis choice can still surpass the variant of COW-QKD using active basis choice within 50 km.

View in Article | Download Full Size | PDF

Tables (1)

Tables Icon

Table 1. Comparison between variants of the COW-QKD protocol. Here, “a.” denotes the active basis choice and “p.” denotes the passive basis choice. The dark-count rate p d is set to 10 7 , and the misalignment error e a = 1 % .

View Table

Equations (14)

Equations on this page are rendered with MathJax. Learn more.

| ψ = 1 2 ( | + z A | 0 z A + | z A | 1 z A ) = N + 2 | + x A | 0 x A + N 2 | x A | 1 x A ,
R ~ = 1 P z K [ H min ϵ ( Z ~ A | E ) H max ϵ ( Z ~ A | Z ~ B ) ] = 1 P z K [ n z H max ϵ ( X ~ A | B ) n z f h ( E z ) ] = Q z [ 1 h ( E x ) f h ( E z ) ] ,
ρ = ( | 0 z 0 z | + | 1 z 1 z | ) / 2 = ( N + | 0 x 0 x | + N | 1 x 1 x | ) / 4.
E z = Q 0 z T 1 + Q 1 z T 0 Q 0 z T 0 + Q 0 z T 1 + Q 1 z T 0 + Q 1 z T 1 ,
E x = N + Q 0 x M 1 + N Q 1 x M 0 N + ( Q 0 x M 0 + Q 0 x M 1 ) + N ( Q 1 x M 0 + Q 1 x M 1 ) = N + Q 0 x M 1 + [ 2 ( Q 0 z M 0 + Q 1 z M 0 ) N + Q 0 x M 0 ] 2 ( Q 0 z M 0 + Q 0 z M 1 + Q 1 z M 0 + Q 1 z M 1 ) ,
R = Q [ 1 h ( E p u ) f h ( E b ) ] ,
E p u = N + Q ¯ 0 x M 1 + [ 2 ( Q 0 z M 0 + Q 1 z M 0 ) N + Q _ 0 x M 0 ] 2 ( Q 0 z M 0 + Q 0 z M 1 + Q 1 z M 0 + Q 1 z M 1 ) ,
Q ϕ M i = ϕ | M ^ i + M ^ i | ϕ ,
| 0 x = e μ | 0 , 0 + | α , α ( 1 e μ ) | β , β e μ / 2 2 ( 1 + e μ ) ,
0 x | M ^ i + M ^ i | 0 x = l , k s l s k ϕ l | M i + M i | ϕ k ,
| s l s k ϕ l | M i + M i | ϕ k | | s l s k | | M ^ i | ϕ l | 2 | M ^ i | ϕ k | 2 .
Q ¯ 0 x M 1 = 1 N + ( e μ 2 Q α α M 1 + e μ 2 Q 00 M 1 ) 2 + N N + ( e μ N 4 + e μ Q α α M 1 + Q 00 M 1 ) , Q _ 0 x M 0 = 1 N + ( e μ 2 Q α α M 0 e μ 2 Q 00 M 0 ) 2 N N + ( e μ Q α α M 0 + Q 00 M 0 ) .
| l = 1 K p 0 x Q 0 x l , M i N 0 x l , M i | < ϵ | K |
N 0 x l , M i K l = 1 K p 0 x Q 0 x l , M i K
Select as filters
Select Topics Cancel
Top
       
© Copyright 2024 | Optica Publishing Group. All rights reserved, including rights for text and data mining and training of artificial technologies or similar technologies.
Privacy | Terms of Use