Optimized protocol for twin-field quantum key distribution
Rong Wang, Zhen-Qiang Yin, Feng-Yu Lu, Shuang Wang, Wei Chen, Chun-Mei, Zhang, Wei Huang, Bing-Jie Xu, Guang-Can Guo, Zheng-Fu Han

TL;DR
This paper presents a unified framework for twin-field quantum key distribution protocols by discretizing global phases, showing that increasing phase discretization extends communication distance but reduces short-distance key rates.
Contribution
It introduces a unified view of different TF-QKD protocols through phase discretization, optimizing the trade-off between distance and key rate.
Findings
Discretizing global phases unifies various TF-QKD protocols.
Increasing phase discretization extends maximum communication distance.
Higher phase discretization reduces secret key rate at short distances.
Abstract
Twin-field quantum key distribution (TF-QKD) and its variant protocols are highly attractive due to the advantage of overcoming the rate-loss limit for secret key rates of point-to-point QKD protocols. For variations of TF-QKD, the key point to ensure security is switching randomly between a code mode and a test mode. Among all TF-QKD protocols, their code modes are very different, e.g. modulating continuous phases, modulating only two opposite phases, and sending or not sending signal pulses. Here we show that, by discretizing the number of global phases in the code mode, we can give a unified view on the first two types of TF-QKD protocols, and demonstrate that increasing the number of discrete phases extends the achievable distance, and as a trade-off, lowers the secret key rate at short distances due to the phase post-selection.
| Parameters | Values |
|---|---|
| Dark count rate | |
| Error correction efficiency | 1.15 |
| Detector efficiency | 14.5% |
| Misalignment error | 1.5% |
| The maximal channel loss (dB) | |
| 1 | 72.3 |
| 2 | 80.8 |
| 4 | 81.3 |
| 81.5 |
| The maximal channel loss (dB) | |
| 1 | 67.0 |
| 2 | 75.3 |
| 4 | 75.8 |
| 75.8 |
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Optimized protocol for twin-field quantum key distribution
Rong Wang
Zhen-Qiang Yin
Feng-Yu Lu
Shuang Wang
Wei Chen
CAS Key Laboratory of Quantum Information, CAS Center for Excellence in Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China
State Key Laboratory of Cryptology, P. O. Box 5159, Beijing 100878, P. R. China
Chun-Mei Zhang
Institute of Quantum Information and Technology, Nanjing University of Posts and Telecommunications, Nanjing 210003, China
Wei Huang
Bing-Jie Xu
Science and Technology on Communication Security Laboratory, Institute of Southwestern Communication, Chengdu, Sichuan 610041, China
Guang-Can Guo
Zheng-Fu Han
CAS Key Laboratory of Quantum Information, CAS Center for Excellence in Quantum Information and Quantum Physics, University of Science and Technology of China, Hefei 230026, China
State Key Laboratory of Cryptology, P. O. Box 5159, Beijing 100878, P. R. China
Abstract
Twin-field quantum key distribution (TF-QKD) and its variant protocols are highly attractive due to the advantage of overcoming the rate-loss limit for secret key rates of point-to-point QKD protocols. For variations of TF-QKD, the key point to ensure security is switching randomly between a code mode and a test mode. Among all TF-QKD protocols, their code modes are very different, e.g. modulating continuous phases, modulating only two opposite phases, and sending or not sending signal pulses. Here we show that, by discretizing the number of global phases in the code mode, we can give a unified view on the first two types of TF-QKD protocols, and demonstrate that increasing the number of discrete phases extends the achievable distance, and as a trade-off, lowers the secret key rate at short distances due to the phase post-selection.
pacs:
Valid PACS appear here
INTRODUCTION
Quantum key distribution (QKD) BB84 ; Ekert1991quantum provides two distant parties (Alice and Bob) with a secure random bit string against any eavesdropper (Eve) guaranteed by the law of quantum mechanics. During last three decades, QKD has rapidly developed both in theory and experiment Inoue2002DPS ; Lo2012MDI ; gobby2004quantum ; Jouguet2013Experimental ; Wang2015RFIMDI , and it is on the way to a wide range of implementation. Among all QKD experiments before, without quantum repeaters, the maximum key rates are bounded with respect to the channel transmittance , defined as the probability for an effective detector click caused by a transmitted photon. So, one of the crucial tasks for the theorists is to find the maximum key rate achievable under ideal implementation (based on perfect single-photon sources, pure-loss channels, perfect detectors, perfect post-processing and so on). With the aim of finding an upper bound of secret key rate, the theorists have provided several answers pirandola2009direct ; takeoka2014fundamental ; pirandola2017fundamental . The recent work has provided the fundamental limit called Pirandola-Laurenza-Ottaviani-Banchi (PLOB) boundpirandola2017fundamental , which establishes that the secret key rate without quantum repeaters must satisfy .
Remarkably, the twin-field (TF) QKD protocol, proposed by Lucamarini et al. lucamarini2018overcoming , is capable of overcoming this PLOB bound with some restrictions on Eve’s strategies, which is mainly attributed to the single-photon interferometric measurement at the third untrusted party Eve. In other words, a single photon came from either Alice or Bob interferes at Eve’s beam splitter and clicks the detector, which means that generating a secret key bears a unilateral transmission loss. Because of this dramatic breakthrough, a variant of TF-QKD protocols have been proposed consequentially ma2018phase ; wang2018twin ; cui2019twin ; curty2019simple ; lin2018simple ; tamaki2018information and some protocols have been demonstrated experimentally minder2019experimental ; wang2019beating ; liu2019experimental ; zhong2019proof ; chen2020sending . For variant TF-QKD protocols, the key idea to ensure the security is switching probabilistically between a code mode and a test mode, where the former is for key generation, and the latter is for parameter estimationtamaki2018information . Among all TF-QKD protocols, their code modes are very different, e.g. modulating continuous phases lucamarini2018overcoming ; ma2018phase , modulating only two opposite phases cui2019twin ; curty2019simple ; lin2018simple , and sending or not sending signal pulseswang2018twin . The code modes of the first two kinds are similar in some sense. Intuitively, they may be explained by a unified view.
Interestingly, by discretizing the global phases of Alice and Bob’s emitted pulses in the code mode, we can give a unified view on two kinds of TF-QKD protocols lucamarini2018overcoming ; ma2018phase ; cui2019twin ; curty2019simple ; lin2018simple . Specifically, Alice and Bob encode classical bit [math], into phases [math], of a coherent state, respectively, then randomize them by adding a phase chosen randomly . According to whether or not perform phase post-selection in the test mode, we introduce two protocols. To prove their security, we establish a universal framework against collective attacks, which can be extended to robust against coherent attacks lu2019practical with the technique in christandl2009postselection . The security analysis indicates that increasing the number of discrete phases can extend the achievable distance, but lower the secret key rate at short distances due to the phase post-selection. Furthermore, simulation results show that a small number of random phases (say M=2) may be the best choice for practical implementations.
RESULTS
We firstly describe details of our proposed TF-QKD protocols that have discrete phase randomization in the code mode, and the schematic setup is shown in Fig 1.
Protocol I
Step 1. Alice and Bob randomly choose code mode or test mode in each trial.
Step 2. If a code mode is selected, Alice (Bob) randomly generates a key bit () and a random number () and then prepares the coherent state (), where . If a test mode is selected, Alice (Bob) generates a random phase () and emits coherent state (), where () is randomly chosen from a pre-decided set.
Step 3. Alice and Bob send their quantum states to the untrusted receiver Eve. For each trial, only three outcomes are acceptable, which are ”Only detector clicks”, ”Only detector clicks” and ”No detectors click”, and Eve announces one of these outcomes. Note that the outcome ”Both detectors and click” is considered as ”No detectors click”.
Step 4. Alice and Bob repeat the above steps many times. For the successful detection outcomes (only detector L or R clicks), Alice and Bob publicly announce which trials are the code modes and which trials are the test modes. For each successful trial in the code mode, Alice and Bob announce their and , and keep , as their raw key if . Moreover, Bob should flip his key if Eve announces ”Only detector clicks”.
Step 5. For each trial that both Alice and Bob select test mode, Alice and Bob announce with random phase and with random phase , and only keep the trial that and or .
Step 6. Alice and Bob perform information reconciliation and privacy amplification to extract the final secure keys.
For the simplicity in experiments, we can remove post-selection in the test mode, and the simplified protocol runs as follows.
Protocol II
Step 1. Same as Protocol I
Step 2. Same as Protocol I
Step 3. Alice and Bob send their quantum states to the untrusted receiver Eve. For each trial, only three outcomes are acceptable, which are ”Only detector clicks”, ”Only detector clicks” and ”No detectors click”. Note that, the outcome ”Both detectors and click” is considered as ”No detectors click” in the code mode, and is considered as only detector or clicks with equal probability in the test mode. Consequentially, Eve announces one of these outcomes.
Step 4. Alice and Bob repeat the above steps many times. For the successful detection outcomes (only detector or clicks), Alice and Bob publicly announce which trials are the code modes and which trials are the test modes. For each successful trial in the code mode, Alice and Bob announce their and , and keep , as their raw key if . Moreover, Bob should flip his key if Eve announces ”Only detector clicks”.
Step 5. For each trial that both Alice and Bob select the test mode, the yield , probability of Eve announcing the successful outcome provided Alice emits -photon state and Bob emits -photon state, can be estimated.
Step 6. Same as Protocol I
Our security proof is based on Devetak-Winter’s bound devetak2005distillation , concretely, bounding the information leakage . Thus, the secret key rate is given by
[TABLE]
where is the counting rate, is the shifting factor, is the error rate, and is the error correction efficiency. By applying infinite decoy states Hwang2003Decoy ; Lo2005Decoy ; Wang2005Decoy ; Ma2005Decoy in the test mode, we can simulate the performance of our two protocols with different . The simulation parameters are given in Table I. For Protocol I, we present the numerical simulations of secret key rate in Fig 2 and the maximal channel loss in Table II. If we remove the sifting efficiency, the limitary channel loss with is dB as shown in Table II. According to Fig 2 and Table II, it’s sufficient to apply TF-QKD with which almost reaches the theoretical limit channel loss. Analogously, for Protocol II, we get simulation results comparable to those of Protocol I, and we show the secret key rate in Fig 3 and the theoretical limit channel loss in Table III. When removing the sifting factor, the maximal channel loss of Protocol II with is dB.
When we compare Protocol I with Protocol II, the latter one does not require post-selection in the test mode, as a trade-off, the maximal channel loss will be lower. Here, we consider the relationship with several varietal TF-QKD protocols ma2018phase ; cui2019twin ; curty2019simple ; lin2018simple . When , Protocol I is exactly the PM-QKD ma2018phase if we relax the post-selection condition or and add a corresponding sifting factor. When , Protocol II is the same as cui2019twin ; curty2019simple ; lin2018simple in the code mode, the difference is the way to estimate the information leakage or the ”phase error”. To some extent, our proposed TF-QKD protocols with discrete phase randomization in code mode cover the four varietal TF-QKD protocols above.
DISCUSSION
In summary, we have introduced a variant TF-QKD with discrete phase randomization in the code mode and proven its security in asymptotic scenarios. Our protocol can be viewed as a generalization of the four varietal TF-QKD protocols ma2018phase ; cui2019twin ; curty2019simple ; lin2018simple to some extent. The security proof discloses that the transmission distance becomes longer with exponentially increasing, as a trade-off, the secret key rate is lower at short distances. As a result, the transmission distance reaches a limitation when tends to infinity. Numerical simulations show that it’s sufficient to apply TF-QKD with , for it almost reaches the limitary transmission distance at the cost of about half of secret key rate, compared with the case of , at short distance. Furthermore, post-selection in the test mode is not convenient in experiment, thus, we remove it to make experiments simpler in a modified protocol. We find that the removal of post-selection in the test mode has very limited influence on the secret key rate and achievable distance. Our findings expect TF-QKD can be run with optimal phase randomization actively, i.e. at short distance one can simply bypass phase randomization, while a phase randomization of [math] or is sufficient at the long distance case.
During the preparation of this paper, we find that Primaatmaja et al. primaatmaja2019versatile proposed an open question that if coding phase in TF-QKD under different bases can improve secret key rate significantly. Their open question is answered by our finding that is almost optimal in some sense.
METHODS
Security proof
Here, we present security proof Protocol I. Firstly, we analyze the composite states shared by Alice and Bob when they both select the test mode. In the case of and , the composite state of Alice and Bob can be written as
[TABLE]
where the fock state is defined as
[TABLE]
and the probability is given by
[TABLE]
where is the light intensity. In the case of and (mod ), the composite state of Alice and Bob can be written as
[TABLE]
where the fock state is defined as
[TABLE]
with probability .
In what follows, we concentrate on bounding Eve’s Holevo information. Eve’s general collective attack can be given by
[TABLE]
where state is Eve’s ancilla. Then, Eve is supposed to announce one of legal outcomes ”Only detector clicks” ”Only detector clicks” and ”No detectors click” determined by her measurement results ”,,”, respectively. In the case of and , , and are some arbitrary quantum states referring to Eve’s measurement results ”,,” respectively. , and satisfying + are the yields referring to Eve’s measurement results ”,,” respectively. Similarly, in the case of and , , and are some arbitrary quantum states referring to Eve’s measurement results ”,,” respectively. , and satisfying + are the yields referring to Eve’s measurement results ”,,” respectively.
Without loss of generality, we firstly consider the secret key rate when her measurement result is ””. When Alice and Bob both select the code mode, the initial prepared state and , with matched-basis trials , can be given by
[TABLE]
For the sake of simplicity, we define unnormalized states
[TABLE]
where . We also define other unnormalized states
[TABLE]
After Eve’s attack according to Eq.(7) and her announcing ””, Alice and Bob keep trials only if . Thus, the unnormalized state of Eve conditioned on Alice’s classical bit can be given by
[TABLE]
where . The probability of Alice obtaining a shifted key in a code mode when Eve announces ”” is
[TABLE]
and correspondingly an error click occurs if , thus, the error rate of shifted key is given by
[TABLE]
Thanks to the strong subadditivity of von Neumann entropy (the detailed derivation how we apply the strong subadditivity is in the Appendix A of wang2018security ), Eve’s Holevo information with her announcing ”” is given by
[TABLE]
where is binary Shannon entropy and the second inequality holds due to Jensen’s inequality. For each trial that and Eve announces ””, the secret key rate is given by
[TABLE]
where is error correction efficiency. What we need to do next is to calculate the average secret key rate for different when Eve announces ””. Without considering the sifting factor, the average secret key rate when Eve announces ”” is given by
[TABLE]
We use to denote the average gain and to denote the average error rate of shifted key, which are written as
[TABLE]
Thanks to the concavity of binary Shannon entropy, we utilize Jensen’s inequality to minimize . For the second term of Eq.(16) on the right, we have
[TABLE]
The condition for equality of Eq.(18) is that . Similarly, for the third term of Eq.(16) on the right, we have
[TABLE]
Here we define . Consequently, we have
[TABLE]
Similarly, when Eve’s measurement result is ””, the analysis of secret key rate is almost the same with the ones when she announces ””. Thus, the secret key rate when Eve announces ”” is given by
[TABLE]
where is given by
[TABLE]
The trials when Eve’s measurement result is ”” will not contribute to the secret key. Thus, the total secret key rate is . The total gain and the total error rate of shifted key are given by
[TABLE]
In order to find the lower bound of the total secret key rate , we apply the Jensen’s inequality to the estimation items in Eq.(15) and Eq. (21), and we can get
[TABLE]
where the equality holds when , and
[TABLE]
where we define
[TABLE]
Consequently, the total secret key rate formula can be expressed by
[TABLE]
where is the shifting factor. And the problem of finding the lower bound of the total secret key rate can be converted into finding the upper bound of ,
[TABLE]
Simulation
In this section, we simulate the performance of our TF-QKD protocols, and the simulation method is very similar to Ma et al. ma2018phase . Ideally, for Protocol I, Alice and Bob can estimate precisely by infinite decoy-state method.
We assume that the total efficiency of channels and detectors is , dark counting rate of single photon detectors (SPD) is per trial, the optical misalignment is , and the mean photon number of each pulse emitted by Alice and Bob is . The counting rate is given by
[TABLE]
and the error rate is
[TABLE]
Applying infinite decoy states, can be given by
[TABLE]
We define
[TABLE]
Thanks to Cauchy inequality, we have
[TABLE]
Thus, we can get an equivalent upper bound of given by
[TABLE]
Security proof for Protocol II
The security proof of Protocol II is almost the same as Protocol I. In Protocol II, Eve’s general collective attack is given by
[TABLE]
where represents the photon-number base prepared by Alice and Bob, , and are some arbitrary quantum states referring to Eve’s measurement results ”,,” respectively.Besides, , and satisfying + are the yields referring to Eve’s measurement results ”,,” respectively. Compared to the expression of Eve’s general collective attack in Protocol I, it can be argued that the general collective attack is actually the same as Protocol I if we set
[TABLE]
Consequently, applying the security proof method to Protocol II, we find that the expression of the upper bound of is same as the one of Protocol I. In Protocol II, for removing phase post-selection, we estimate the yield rather than to bound . Combining Eq.(9) and Eq.(36), we obtain
[TABLE]
where and are the assembles referring to even number set and odd number set respectively. Similar to Eq.(33), by utilizing Cauchy inequality, we have
[TABLE]
where . Due to the decoy-state method implemented, satisfies the constraints
[TABLE]
Thus, we have obtained the upper bound of given as follows
[TABLE]
Briefly, the upper bound of in Protocol II is given by,
[TABLE]
** as a function of **
For the sake of analyzing the upper bound of with the increase of , we define the upper bound of as a function of positive integer , which is given by
[TABLE]
As binary Shannon entropy increases when and decreases when , it’s sufficient to consider the case of . It can be proven that
[TABLE]
where is a positive integer. In order to prove Eq.(43), we rewrite Eq.(42) as follows
[TABLE]
where we denote and as and respectively. For is absolutely a nonnegative term, we have
[TABLE]
where the inequality holds because of the nonnegative cross term . Similarly,
[TABLE]
where we use subscript instead of . The nonnegative cross term vanishes when , then, we have
[TABLE]
Thus, we have proven Eq.(43). Then we obtain that the upper bound of decreases with exponentially increasing. In other words, the achievable distance becomes longer as exponentially increasing. As a result, the achievable distance comes to a limitation when tends to infinity.
Finite-decoy method for Protocol II with
For Protocol II does not require phase post-selection in the test mode, it is more practical than Protocol I. For Protocol II, it almost reaches the limitary transmission distance with shown in TABLE III, thus, it is interesting and necessary to consider applying finite decoy states in the test mode.
When finite decoy states are implemented, finding the upper bound of is equivalent to the following optimized problem
[TABLE]
where . As Fig 4 shows, the performance is maintained using only three intensity settings. That is, we only need three decoy intensities , and the signal intensity is chosen from one of them.
Data availability
The data that support the findings of this study are available from the corresponding author upon reasonable request
ACKNOWLEDGEMENTS
This work has been supported by the National Key Research and Development Program of China (Grant No. 2018YFA0306400); National Natural Science Foundation of China (Grant Nos. 61822115, 61961136004, 61775207, 61702469, 61771439, 61627820, 61675189); National Cryptography Development Fund (Grant No. MMJJ20170120); Anhui Initiative in Quantum Information Technologies.
Competing interests
The authors declare that they have no competing interests.
AUTHOR CONTRIBUTIONS
Z.-Q.Y., S.W., W.C., G.-C.G., Z.-F.H., and R.W. conceived the basic idea of the security proof. R.W. finished the details of the security proof. Z.-Q.Y., R.W., F.-Y.L., C.-M.Z., W.H., and B.-J.X. designed the simulations. Z.-Q.Y. and R.W. wrote the paper.
REFERENCES
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1(1) Bennett, C. H. & Brassard, G. in Proc.IEEE Int.Conf.on Comp.Sys.and Signal Processing 175-179 (Bangalore,India,1984).
- 2(2) Ekert, A. K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661 (1991).
- 3(3) Inoue, K.,Brunner, N.& Yamamoto, Y. Differential phase shift quantum key distribution. Phys. Rev. Lett. 89, 037902 (2002).
- 4(4) Lo, H. -K. et al. Measurement-Device-Independent Quantum Key Distribution. Phys. Rev. Lett. 108, 130503 (2005).
- 5(5) Gobby, C., Yuan, Z. L., & Shields, A. J. Quantum key distribution over 122 km of standard telecom fiber. Appl. Phys. Lett. 84, 3726 (2004).
- 6(6) Jouguet, P. et al. Experimental demonstration of long-distance continuous-variable quantum key distribution. Nat. Photonics 115, 160502 (2013).
- 7(7) Wang, C. et al. Phase-reference-free experiment of measurement-device-independent quantum key distribution. Phys. Rev. Lett. 115, 160502 (2015).
- 8(8) Pirandola, S. et al. Direct and reverse secret-key capacities of a quantum channel. Phys. Rev. Lett. 102, 050503 (2009).
