Unconditional security of sending or not sending twin-field quantum key distribution with finite pulses
Cong Jiang, Zong-Wen Yu, Xiao-Long Hu, and Xiang-Bin Wang

TL;DR
This paper analyzes the finite-key effects in the Sending-or-Not-Sending twin-field quantum key distribution protocol, demonstrating it can achieve unconditional security over long distances even with practical imperfections.
Contribution
It provides a comprehensive finite-key analysis for the protocol, showing unconditional security under general attacks with realistic parameters.
Findings
Secure key generation over 500 km distance
Unconditional security under coherent attacks
Robustness to large misalignment errors
Abstract
The Sending-or-Not-Sending protocol of twin-field quantum key distribution (TF-QKD) has the advantages of an unconditional security proof under any coherent attack and fault tolerance to large misalignment error. So far this is the only coherent-state-based TF-QKD protocol that has considered the finite-key effect, the statistical fluctuations. Here we consider the complete finite-key effects for the protocol, and we show by numerical simulation that the protocol with a typical finite number of pulses in practice can produce an unconditionally secure final key under general attack, including all coherent attacks. It can exceed a secure distance of 500 km with a typical finite number of pulses in practice, even with a large misalignment error.
Cong Jiang1,2, Zong-Wen Yu1,3, Xiao-Long Hu1,2 and Xiang-Bin Wang1,2,4 (Email address: [email protected]; at Center for Atomic and Molecular Nanosciences, Tsinghua University, Beijing 100084, China)
1 State Key Laboratory of Low Dimensional Quantum Physics, Department of Physics,
Tsinghua University, Beijing 100084, People's Republic of China
2 Synergetic Innovation Center of Quantum Information and Quantum Physics, University of Science and Technology of China
Hefei, Anhui 230026, China
3 Data Communication Science and Technology Research Institute, Beijing 100191, China
4 Jinan Institute of Quantum Technology, SAICT, Jinan 250101, People's Republic of China
I Introduction
Quantum key distribution (QKD) could provide unconditionally secure communication BENNETT (1984); Gisin et al. (2002); Gisin and Thew (2007); Scarani et al. (2009); Shor and Preskill (2000); Koashi (2009); Tamaki et al. (2003); Kraus et al. (2005) between two parties, Alice and Bob. But security in the ideal case Shor and Preskill (2000); Koashi (2009); Tamaki et al. (2003); Kraus et al. (2005) does not guarantee security in practice Huttner et al. (1995); Yuen (1996); Brassard et al. (2000); Lütkenhaus (2000); Lütkenhaus and Jahma (2002); Lydersen et al. (2010); Gerhardt et al. (2011); Hayashi (2007); Scarani and Renner (2008). Fortunately, the decoy-state method Hwang (2003); Wang (2005a); Lo et al. (2005); Wang et al. (2007a); Rosenberg et al. (2007); Schmitt-Manderbach et al. (2007); Peng et al. (2007); Liao et al. (2017); Peev et al. (2009); Chen et al. (2010); Sasaki et al. (2011); Fröhlich et al. (2013); Boaron et al. (2018); Wang et al. (2008a); Wang (2005b); Adachi et al. (2007); Wang et al. (2007b, 2008b, 2009); Tamaki et al. (2014); Yu et al. (2016); Xu et al. (2009); Chau (2018) can help us beat the photon-number-splitting (PNS) attack Huttner et al. (1995); Yuen (1996); Brassard et al. (2000); Lütkenhaus (2000); Lütkenhaus and Jahma (2002) and guarantee security with imperfect light sources. Besides the decoy-state method, other protocols such as the RRDPS protocol Sasaki et al. (2014); Takesue et al. (2015) have been proposed to beat the PNS attack. Measurement-device-independent (MDI)-QKD Braunstein and Pirandola (2012); Lo et al. (2012) can close all possible detection loopholes. And the decoy-state MDI-QKD Wang (2013); Rubenok et al. (2013); Liu et al. (2013); Tang et al. (2014a, b); Wang et al. (2015); Comandar et al. (2016); Yin et al. (2016); Wang et al. (2017); Curty et al. (2014); Xu et al. (2014); Yu et al. (2015); Zhou et al. (2016); Jiang et al. (2017) protocol can help us ensure the security of a protocol performed with imperfect light sources and detectors.
The 4-intensity protocol Zhou et al. (2016) together with the joint constraints Yu et al. (2015) has greatly improved the key rate and distance of MDI-QKD. Using this protocol, a distance exceeding 400 km has been experimentally demonstrated Yin et al. (2016) for MDI-QKD. However, the key rate of all the prior-art decoy-state protocols and MDI-QKD protocols cannot be better than the linear scale of the channel transmittance. It cannot exceed the known bounds of repeaterless QKD, such as the PLOB bound Pirandola et al. (2017) or the TGW bound Takeoka et al. (2014). Recently, a QKD protocol named Twin-Field (TF) QKD was proposed Lucamarini et al. (2018) whose key rate , where is the channel transmittance, and thus has attracted much attention. But the later announcement of the phase information in Ref. Lucamarini et al. (2018) will cause security loopholes Wang et al. (2018a, b), and many variants of TF-QKD have been proposed Wang et al. (2018b); Tamaki et al. (2018); Ma et al. (2018); Cui et al. (2019); Curty et al. (2018); Yu et al. (2019); Lu et al. (2019) to close the loophole. A series of experiments Minder et al. (2019); Liu et al. (2019); Wang et al. (2019); Zhong et al. (2019) have been done to demonstrate those protocols. In particular, an efficient protocol for TF-QKD through sending-or-not-sending (SNS protocol) has been given in Ref. Wang et al. (2018b). The SNS protocol has been experimentally demonstrated in proof-of-principle in Ref. Minder et al. (2019), and realized in real optical fiber with the effects of statistical fluctuation being taken into account Liu et al. (2019). The unconditional security of the SNS protocol in the asymptotic case has been proved Wang et al. (2018b), and the SNS protocol relaxes the requirement for single-photon interference accuracy. The key rate of SNS is still considerable even if the misalignment error is as large as .
Among all those variants of TF QKD with coherent states, the SNS QKD protocol is the only one that takes the effect of statistical fluctuation and finite decoy states into consideration Yu et al. (2019). Here we show an analysis of the complete effect of finite-key size of SNS QKD protocol.
The main tool we use to analyse the effect of finite-key size is the universally composable framework Müller-Quade and Renner (2009). A complete QKD protocol usually includes the preparation and distribution of quantum states, measurement of the received quantum states, parameter estimation, error correction and privacy amplification. After the error correction step, Alice gets a bit string , and Bob gets an estimate string of . If the error rate is too large, the result of error correction is an empty string and the protocol aborts. A protocol is called -correct if the probability that and aren’t the same, Pr.
Besides, the quantum state of Alice may be attacked by Eve in the distribution and measurement steps and some information would be leaked to Eve. To ensure the security of final secret keys, Alice and Bob apply a privacy amplification scheme based on two-universal hashing Renner (2005) to extract two shorter strings of length from and . We denote the density operator of the system of Alice and Eve as . If
[TABLE]
where denotes the fully mixed state of Alice’s system of strings of length and is the density operator of Eve’s system, the protocol is called -secret Curty et al. (2014); König et al. (2007); Tomamichel et al. (2012). According to the composable framework, a protocol is called -secure if it is both -correct and -secret, and .
This paper is arranged as follows. In Sec. II, we introduce the main results of the effect of finite-key size. And in Sec. III, we present our numerical simulation results. The article ends with some concluding remarks. The details of calculation are shown in the Methods part.
II The effect of finite-key size of SNS protocol
As shown in Ref. Wang et al. (2018b), there are two windows in the SNS protocol, the windows and the windows. In a window, Alice (Bob) randomly decides to send a phase-randomized coherent state () with a probability , or sends nothing (a vacuum state ). In an window (note that the window defined here is slightly different from the definition of the window in Ref. Wang et al. (2018b), thus we use a different symbol), Alice and Bob randomly send out a phase-randomized coherent state.
The windows are decoy windows and will be used to estimate the counting rate and phase-flip error rate of the single photon state or that Alice decides sending and Bob decides not sending or Alice decides not sending and Bob decides sending in the windows. The asymptotic case is considered in Ref. Wang et al. (2018b), and there are infinite intensities in windows and infinite pulses in the whole protocol, thus and could be estimated exactly.
Alice and Bob send their prepared pulses to Charlie, and Charlie is assumed to perform interferometric measurements on the received pulses and announces the measurement result to Alice and Bob. If one and only one detector clicks in the measurement process, Charlie will also announce whether the left detector or right detector clicks. The effective events of windows and windows are defined individually: it is an effective event of windows if one and only one detector clicks; it is an effective event of windows if one and only one detector clicks and Alice and Bob send the coherent state with the same intensity, and their phases satisfy the post-selection criterion, which is
[TABLE]
where and are the phases of coherent states prepared by Alice and Bob respectively, and can take an arbitrary value which can be different from time to time as Alice and Bob like, so as to obtain a satisfactory key rate for the protocol Liu et al. (2019). Note that according to the security proof of Ref. Wang et al. (2018b), in the post-selection criterion there both and can take arbitrary values. However, in applying the criterion, we only need the value which is actually only one value. Thus we could just use in Eq. (2) here. The value of is decided by the size of the phase slice, , that Alice and Bob choose Lucamarini et al. (2018). Eq. (2) is equivalent to
[TABLE]
As in Ref. Yu et al. (2019), here means the degree of the minor angle enclosed by the two rays that enclose the rotational angle of degree , e.g., , .
The phases of coherent states in windows are never announced in the public channel, thus the coherent states in windows are phase-randomized coherent states, which are equivalent to a classical mixture of different photon numbers. Only the effective events of single-photon states in those windows in which Alice decides sending and Bob decides not sending, or Alice decides not sending and Bob decides sending, are untagged events, thus we have the following formula for the final key rate
[TABLE]
where is the counting rate of pulses in windows and is the corresponding error rate, is the binary Shannon entropy function, is the error correction inefficiency, and and are defined in the beginning of this section.
However, the number of pulses is finite in practice and thus there cannot be infinite intensities in windows. Here we consider the four-intensity decoy state SNS protocol Yu et al. (2019). In each time, Alice and Bob randomly choose the decoy window or signal window with probabilities and . If the decoy window is chosen, Alice (Bob) randomly chooses vacuum state , or (vacuum state , or ) with probabilities , and respectively, where is random in . If the signal window is chosen, Alice (Bob) randomly chooses vacuum state , or phase-randomized weak coherent state of intensity , with probabilities and . Then Alice and Bob prepare the chosen states and send them to Charlie. Charlie is assumed to perform interferometric measurements on the received quantum signals and announces the measurement result to Alice and Bob. If one and only one detector clicks in the measurement process, Charlie will also announce whether the left detector or right detector clicks. Then Alice and Bob will take it as a one-detector heralded event. After Alice and Bob repeat the above steps for times, they perform the following data post-processing steps.
- Sifting. If both Alice and Bob choose the signal window, it is a window. If both Alice and Bob choose the decoy window, it is an window. Besides, we define that if both Alice and Bob decide to send the phase-randomized coherent state with intensity , as window, which is a subset of windows. According to the criterion introduced in the beginning of this section, Alice and Bob decide whether a one-detector heralded event is an effective event. We define three kinds of sets, , and . The set includes all effective events in windows. The set includes all effective events in windows. And the set includes all other one-detector heralded events.
- Parameter estimation. For the events in the set , Alice will denote it as bit [math] if she sends a vacuum state, and denote it as bit if she sends a phase-randomized weak coherent state. At the same time, Bob will denote it as bit if he sends a vacuum state, and denote it as bit [math] if he sends a phase-randomized weak coherent state. Finally Alice and Bob form the -bit strings and according to the events in set . Then through the decoy-state method, Alice and Bob estimate according to the events in and estimate according to the events in set , where is the lower bound of bits caused by untagged events in or , and is the upper bound of the phase-flip error rate of the untagged bits. The details of how to calculate and are shown in the Methods part.
- Error correction. Alice and Bob perform an information reconciliation scheme to correct , and Bob will obtain an estimate of from . To achieve this goal, Alice sends Bob bits of error correction data. Then Alice computes a hash of of length using a random universal hash function, and she sends the hash and hash function to Bob Renner (2005). If the hash that Bob computes is the same as Alice's, the probability that and aren’t the same, Pr, is less than . If the hash that Bob computes is not the same as Alice's, the protocol aborts.
- Privacy amplification. Alice and Bob apply a privacy amplification scheme based on two-universal hashing Renner (2005) to extract two shorter strings of length from and . Alice and Bob obtain strings and , which are the final secret key after privacy amplification.
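The error-verification and privacy-amplification steps above, as an added example that is not code from the paper: both use a Toeplitz matrix over GF(2), one common two-universal family (the paper does not name the family it uses). The tag length ceil(log2(1/eps_cor)) and the input `final_len`, which stands in for the key length given by the paper's Eq. (5), are assumptions of this sketch, and all sample bit strings are constructed.

```python
import math
import secrets


def toeplitz_hash(bits, out_len, seed):
    """Multiply the out_len x len(bits) Toeplitz matrix defined by `seed`
    (len(bits) + out_len - 1 public random bits) with `bits` over GF(2)."""
    n = len(bits)
    if len(seed) != n + out_len - 1:
        raise ValueError("seed must hold len(bits) + out_len - 1 bits")
    # Entry (i, j) of a Toeplitz matrix depends only on i - j.
    return [
        sum(b & seed[i - j + n - 1] for j, b in enumerate(bits)) & 1
        for i in range(out_len)
    ]


def random_bits(count):
    return [secrets.randbits(1) for _ in range(count)]


def tag_length(eps_cor):
    """Smallest tag length m whose collision probability 2**-m is <= eps_cor."""
    return math.ceil(math.log2(1 / eps_cor))


def verify(z_alice, z_bob, eps_cor, seed=None):
    """Error verification: Alice sends (seed, tag); Bob recomputes the tag.
    Returns False when the tags differ, in which case the protocol aborts."""
    if len(z_alice) != len(z_bob):
        return False
    m = tag_length(eps_cor)
    if seed is None:
        seed = random_bits(len(z_alice) + m - 1)
    return toeplitz_hash(z_alice, m, seed) == toeplitz_hash(z_bob, m, seed)


def post_process(z_alice, z_bob, eps_cor, final_len):
    """Verify the corrected strings, then compress both to final_len bits
    with one fresh public seed. Returns None on abort."""
    if final_len > len(z_alice):
        raise ValueError("privacy amplification can only shorten the string")
    if not verify(z_alice, z_bob, eps_cor):
        return None
    seed = random_bits(len(z_alice) + final_len - 1)
    return (toeplitz_hash(z_alice, final_len, seed),
            toeplitz_hash(z_bob, final_len, seed))


if __name__ == "__main__":
    z = random_bits(256)                 # constructed stand-in for Alice's string
    z_bad = z[:]
    z_bad[17] ^= 1                       # one residual error on Bob's side
    print("equal strings   ->", post_process(z, z, 1e-10, 64) is not None)
    print("one bit differs ->", post_process(z, z_bad, 1e-10, 64))
```

For two different strings a random Toeplitz seed produces equal tags with probability 2^-m, which is why a tag of ceil(log2(1/eps_cor)) bits bounds the probability of accepting mismatched strings by eps_cor.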
The protocol is -correct if the error correction step is passed. If the final length of secret keys, , satisfies
[TABLE]
the protocol is -secret. And according to the composable framework, the security coefficient of the whole protocol is , where . Here, is the failure probability of error correction; is the accuracy of estimating the smooth min-entropy, which is also the failure probability that the real value of isn’t in the bound that we estimate; is the failure probability of privacy amplification; is the failure probability that the real value of isn’t in the bound that we estimate. The value of is related to the specific error correction schemes, and in general , where is the error rate of strings and .
III Numerical simulation
If an experiment of the SNS protocol is done, we can first calculate the lower and upper bound of with Eqs. (13), (17)-(21) from their observed values. And we can get the upper bound of in a similar way. Then we can get the lower bound of and the upper bound of with Eqs. (15) and (16). Then we can get the lower bound of and the upper bound of with Eqs. (22)-(26). Finally, we can get how many bits of secret keys we could extract from this experiment with Eq. (5). The problem is that we do not have such observed values and we need to simulate what values we would observe in the experiment with the experimental parameters listed in Table 1. All symbols appearing in this paragraph are defined in Sec. IV.2.
We use the linear model to simulate the observed values of the experiment with the experimental parameters listed in Table 1. Without loss of generality, we assume the distance between Alice and Charlie and the distance between Bob and Charlie are the same, and we assume the properties of Charlie’s two detectors are the same. The total transmittance of the experiment set-ups is , where is the distance between Alice and Bob. The simulations of those observed values are shown in Sec. IV.3, which are related to and other parameters listed in Table 1.
Here we set and , and thus the security coefficient of the whole protocol is . The reason we set and is that we use the Chernoff bound four times to estimate and (notice that we could handle and together in Eq. (13)). In order to fairly compare the performance of generating final keys for different total pulse numbers, , we define the key rate per sent pulse, .
Fig. 1 and Fig. 2 are our simulation results of this work and Ref. Yu et al. (2019) with the experimental parameters listed in Table 1. The only difference between Fig. 1 and Fig. 2 is that in Fig. 1 and in Fig. 2. The results of this work and Ref. Yu et al. (2019) almost overlap when we set , but the difference between the results is obvious when we set , especially at the end of the lines. Still, the secure distance of the SNS protocol can reach up to 500 km with misalignment error and total pulses, even if we take all the effects of finite-key size into consideration.
Fig. 3 and Fig. 4 are our simulation results for another two groups of experimental parameters. We set and in Fig. 3 and and in Fig. 4. The other experimental parameters we use are listed in Table 1. As in Fig. 1 and Fig. 2, we simulate three groups of results where . Comparing Fig. 3 with Fig. 4, we can find that the secure distances are improved by at most 100 km if the dark count is reduced by an order of magnitude. Still, the complete effect of finite size is reflected at the end of the lines, especially when the total number of pulses, , is relatively small.
IV Conclusion
In this paper, we show an analysis of the finite-key size effect of the SNS protocol and get the relation between the final key length and the security coefficient, as shown in Eq. (5). Eq. (5) is derived by the method proposed in Ref. Tomamichel et al. (2012), and thus it can produce an unconditionally secure final key under general attack, including all coherent attacks. The numerical results show that the secure distance of the SNS protocol can still reach up to 500 km with misalignment error and total pulses, even if we take all the effects of finite-key size into consideration. This clearly shows that the SNS protocol Wang et al. (2018b) of TF-QKD is on the one hand secure under general attack, i.e., as secure as the existing decoy-state MDI-QKD, and on the other hand more efficient than the existing decoy-state MDI-QKD by many orders of magnitude in key rate in the long-distance domain.
Acknowledgement: We thank Hai Xu for discussions. We acknowledge the financial support in part by the Ministry of Science and Technology of China through The National Key Research and Development Program of China grant No. 2017YFA0303901; National Natural Science Foundation of China grant No. 11474182, 11774198 and U1738142.
Methods
IV.1 The relation of the length of final key and
In this protocol, any attack on the quantum channel and detectors is allowed as long as it does not break the rules of quantum mechanics, and we call the attacker Eve. We denote the system of Eve after error correction as . If Alice and Bob apply a privacy amplification scheme based on two-universal hashing to extract two shorter strings of length from , the protocol is -secret Renner (2005); Tomamichel et al. (2010)
[TABLE]
where is the -smooth min entropy. It measures the maximum probability of guessing correctly given . could be decomposed as , where is the system of information leaked while Alice and Bob perform error correction and is the system of Eve before error correction. According to the chain rules Renner (2005), we have
[TABLE]
where . And we could decompose the string as , where is the bits caused by untagged-photon events and is the other bits of Curty et al. (2014). Thus according to the chain rules Vitanov et al. (2013), we have
[TABLE]
where and .
Besides, we denote basis as and basis as , where can be an arbitrary value. To get the lower bound of , we need to use the uncertainty relation of smooth min and max entropy Tomamichel et al. (2012); Tomamichel and Renner (2011). It says that if the untagged-photon states prepared in basis and basis are orthogonal unbiased, and if the states originally prepared and measured under the Z-basis are now prepared and measured under the X-basis and obtained strings and by Alice and Bob respectively, then we have
[TABLE]
Finally we have
[TABLE]
Combining Eqs. (5), (6) and (10) and setting , we have
[TABLE]
Finally, containing the failure probability that the real value of isn’t in the bound that we estimate, , we have
[TABLE]
IV.2 The calculation method of and
The method we use here is similar to that of Ref. Yu et al. (2019). In an window with different intensities from Alice and Bob, they don’t announce any phase information in the protocol, therefore the coherent states sent out from each side can be regarded as a classical mixture of different photon numbers. We denote and , where and are the density operators of the coherent states used here in windows. And this also applies to Bob’s quantum state. In the whole protocol, Alice and Bob obtain instances when Alice sends state and Bob sends state . And after the sifting step, Alice and Bob obtain one-detector heralded events. We denote the counting rate of source as . With all those definitions, we have
[TABLE]
Besides, we need to define two new subsets of windows, and , to estimate the upper bound of . contains all the instances in which both Alice and Bob prepare and and . contains all the instances in which both Alice and Bob prepare and and . As in Ref. Yu et al. (2019), here means the degree of the minor angle enclosed by the two rays that enclose the rotational angle of degree , e.g., , . The number of instances in is
[TABLE]
We denote the number of effective events of right detectors responding from as , and the number of effective events of left detectors responding from as . And we get the counting error rate of , .
If we denote the expected value of the counting rate of untagged photons as , the lower bound of is
[TABLE]
where is the expected value of , and and are the upper bound and lower bound of when we estimate the expected value from its observed value.
The expected value of the phase-flip error rate of the untagged photons satisfies Yu et al. (2019)
[TABLE]
Here we use the fact that the error rate of vacuum state is always .
Chernoff bound. The formulas of and are represented by expected values, but the values we get in an experiment are observed values. To close the gap between the expected values and observed values, we need the Chernoff bound Jiang et al. (2017); Chernoff et al. (1952). Let be random samples, detected with the value 1 or 0, and let denote their sum satisfying . is the expected value of . We have
[TABLE]
where we can obtain the values of and by solving the following equations
[TABLE]
where is the failure probability. Thus we have
[TABLE]
Still Eqs. (15) and (16) are the lower bound of the expected values of the counting rate and the upper bound of the phase flip error rate of single-photons. The final question is what their real values are in this specific experiment, and we need the Chernoff bound to help us estimate their real values from their expected values. Similar to Eqs. (17)- (20), the observed value, , and its expected value, , satisfy
[TABLE]
where we can obtain the values of and by solving the following equations
[TABLE]
We define , and we have Yu et al. (2019)
[TABLE]
This ends the estimate of and .
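The two Chernoff steps above (bounding an expected value from an observed count, then bounding the realised value from an expected value), as an added example that is not code from the paper. The equations did not survive on this page, so the sketch assumes the standard multiplicative Chernoff tail bounds with half of the failure probability `xi` assigned to each tail; the function names and sample counts are constructed.

```python
import math


def log_tail(mean, value):
    """ln of the multiplicative Chernoff tail bound for a sum of 0/1 samples
    with expectation `mean` landing at `value`. For value = (1+d)*mean this is
    ln[(e^d / (1+d)^(1+d))^mean]; for value = (1-d)*mean it is
    ln[(e^-d / (1-d)^(1-d))^mean]. Both reduce to the same expression."""
    if value == 0:
        return -mean                      # x*ln(x) -> 0 as x -> 0
    return value - mean - value * math.log(value / mean)


def _root(f, a, b, iters=200):
    """Bisection; f(a) and f(b) must have opposite signs."""
    fa_positive = f(a) > 0
    for _ in range(iters):
        m = 0.5 * (a + b)
        if (f(m) > 0) == fa_positive:
            a = m
        else:
            b = m
    return 0.5 * (a + b)


def expected_bounds(observed, xi):
    """(lower, upper) bounds on the expected value given an observed count,
    each violated with probability at most xi/2."""
    if observed < 0 or not 0 < xi < 1:
        raise ValueError("need observed >= 0 and 0 < xi < 1")
    target = math.log(xi / 2)
    if observed == 0:                     # no lower root: only e^-mean = xi/2
        return 0.0, -target
    f = lambda mean: log_tail(mean, observed) - target
    lo = hi = float(observed)
    while f(lo) > 0:                      # bracket the root below the count
        lo /= 2
    while f(hi) > 0:                      # bracket the root above the count
        hi *= 2
    return _root(f, lo, observed), _root(f, observed, hi)


def observed_bounds(expected, xi):
    """(lower, upper) bounds on the realised value given its expected value."""
    if expected <= 0 or not 0 < xi < 1:
        raise ValueError("need expected > 0 and 0 < xi < 1")
    target = math.log(xi / 2)
    g = lambda value: log_tail(expected, value) - target
    hi = float(expected)
    while g(hi) > 0:
        hi *= 2
    upper = _root(g, expected, hi)
    # For small expectations even zero events is not excluded at level xi/2.
    lower = 0.0 if g(0.0) >= 0 else _root(g, 0.0, expected)
    return lower, upper


if __name__ == "__main__":
    for count in (0, 50, 10_000, 1_000_000):          # constructed counts
        lo, hi = expected_bounds(count, 1e-10)
        print(f"observed {count:>9}: expected in [{lo:.1f}, {hi:.1f}]")
```

At a failure probability of 1e-10 the relative width of the interval shrinks roughly as 1/sqrt(count), which is why the finite-size penalty shows up mainly where the detected counts are small.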
IV.3 The simulation of observed values
We use the linear model to simulate the observed values of the experiment with the experimental parameters listed in Table 1. Without loss of generality, we assume the distance between Alice and Charlie and the distance between Bob and Charlie are the same, and we assume the properties of Charlie’s two detectors are the same. If the total transmittance of the experiment set-ups is , then we have
[TABLE]
where are defined in Eqs. (13) and (14) and
[TABLE]
where is the [math]-order hyperbolic Bessel function of the first kind.
References
- [1] BENNETT (1984): C. Bennett, in Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing (1984), pp. 175–179.
- [2] Gisin et al. (2002): N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Reviews of Modern Physics 74, 145 (2002).
- [3] Gisin and Thew (2007): N. Gisin and R. Thew, Nature Photonics 1, 165 (2007).
- [4] Scarani et al. (2009): V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, Reviews of Modern Physics 81, 1301 (2009).
- [5] Shor and Preskill (2000): P. W. Shor and J. Preskill, Physical Review Letters 85, 441 (2000).
- [6] Koashi (2009): M. Koashi, New Journal of Physics 11, 045018 (2009).
- [7] Tamaki et al. (2003): K. Tamaki, M. Koashi, and N. Imoto, Physical Review Letters 90, 167904 (2003).
- [8] Kraus et al. (2005): B. Kraus, N. Gisin, and R. Renner, Physical Review Letters 95, 080501 (2005).
