Practical quantum key distribution with non-phase-randomized coherent states
Li Liu, Yukun Wang, Emilien Lavie, Arno Ricou, Chao Wang, and Fen Zhuo Guo, Charles Ci Wen Lim

TL;DR
This paper introduces a six-coherent-state phase-encoding QKD protocol that can tolerate high losses, making coherent-state QKD more viable for long-distance secure communication with realistic system parameters.
Contribution
It proposes a new six-coherent-state protocol with enhanced loss tolerance and a security proof based on semi-definite programming, extending the feasible distance for coherent-state QKD.
Findings
Tolerates up to 38 dB loss with realistic parameters
Can handle up to 56 dB loss with zero noise
Suggests coherent-state QKD as a promising high-speed secure method
Abstract
Quantum key distribution (QKD) based on coherent states is well known for its implementation simplicity, but it suffers from loss-dependent attacks based on optimal unambiguous state discrimination. Crucially, previous research has suggested that coherent-state QKD is limited to short distances, typically below 100 km assuming standard optical fiber loss and system parameters. In this work, we propose a six-coherent-state phase-encoding QKD protocol that is able to tolerate the total loss of up to 38 dB assuming realistic system parameters, and up to 56 dB loss assuming zero noise. The security of the protocol is calculated using a recently developed security proof technique based on semi-definite programming, which assumes only the inner-product information of the encoded coherent states, the expected statistics, and that the measurement is basis-independent. Our results thus suggest…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Practical quantum key distribution with non-phase-randomized coherent states
Li Liu
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China
School of Science, Beijing University of Posts and Telecommunications, Beijing, 100876, China
Department of Electrical & Computer Engineering, National University of Singapore, Singapore
Yukun Wang
Department of Electrical & Computer Engineering, National University of Singapore, Singapore
Emilien Lavie
Department of Electrical & Computer Engineering, National University of Singapore, Singapore
Arno Ricou
Centre for Quantum Technologies, National University of Singapore, Singapore
Chao Wang
Department of Electrical & Computer Engineering, National University of Singapore, Singapore
Fen Zhuo Guo
State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China
School of Science, Beijing University of Posts and Telecommunications, Beijing, 100876, China
Charles Ci Wen Lim
Department of Electrical & Computer Engineering, National University of Singapore, Singapore
Centre for Quantum Technologies, National University of Singapore, Singapore
Abstract
Quantum key distribution (QKD) based on coherent states is well known for its implementation simplicity, but it suffers from loss-dependent attacks based on optimal unambiguous state discrimination. Crucially, previous research has suggested that coherent-state QKD is limited to short distances, typically below 100 km assuming standard optical fiber loss and system parameters. In this work, we propose a six-coherent-state phase-encoding QKD protocol that is able to tolerate the total loss of up to 38 dB assuming realistic system parameters, and up to 56 dB loss assuming zero noise. The security of the protocol is calculated using a recently developed security proof technique based on semi-definite programming, which assumes only the inner-product information of the encoded coherent states, the expected statistics, and that the measurement is basis-independent. Our results thus suggest that coherent-state QKD could be a promising candidate for high-speed provably-secure QKD.
††preprint: APS/123-QED
I Introduction
Quantum key distribution (QKD) Bennett and Brassard (1984) is one of the most established quantum information technologies to date. Its basic goal is to distribute secret keys between two remote users (called Alice and Bob) embedded in an untrusted network. Importantly, unlike conventional key distribution methods, QKD is provably-secure and can be safely used with any cryptographic protocol that requires long-term security assurance. For an overview of QKD and its recent developments, we refer the interested reader to Refs. Gisin et al. (2001); Scarani et al. (2009); Lo et al. (2014).
In prepare-and-measure QKD, there are generally two classes of coherent-state protocols, namely those that are based on phase randomization and those that give the phase reference information to Eve (the adversary). In the former, one first uniformly randomizes the phase of the coherent state to create a mixture of photon number states, i.e.,
[TABLE]
This mixture follows a Poisson distribution and emits a single-photon state with probability and multi-photon states with probability , where is the mean photon number of the signal. Then, by using a statistical technique called the decoy-state method to bound the fraction of detected single-photon states, one can get secret key rates that are comparable to that with a true single-photon source Hwang (2003); Lo et al. (2005); Wang (2005). In the following, we shall refer to phase-randomized coherent-state QKD as decoy-state QKD since they often mean the same protocol in practice.
In the case that the phase reference is given to Eve, she no longer sees a mixture of photon number states, but a coherent state that is randomly drawn from a set of possible preparations , which is necessarily linearly independent. Crucially, based on this phase information, Eve can optimize her attack strategy to distinguish between different subsets of the preparation set Dus̆ek et al. (2000); Sun et al. (2012); Tang et al. (2013). In the worst case scenario (given the channel loss is sufficiently high), she can determine the exact value of by performing unambiguous state discrimination. For this reason, most existing security analyses of non-phase-randomized coherent-state QKD show that the tolerable channel loss is significantly below that of decoy-state QKD Yuen (1996); Lo and Preskill (2007). For example, assuming standard experimental settings, we find that the maximum distance (fiber length) of the phase-encoding coherent-state QKD protocol is generally shorter than 100 km, while decoy-state QKD can achieve up to about 250 km (see the simulation results below).
However, in practice, it may be more attractive to consider non-phase-randomized coherent-state QKD. The main reason is that the set of security assumptions for non-phase-randomized coherent-state QKD is typically less stringent than that of decoy-state QKD. To appreciate this point, we note that it is very important for decoy-state QKD systems to completely randomize the phase of their quantum signals. If this assumption is not met, then there could be serious security loopholes Sun et al. (2012); Tang et al. (2013). Recently, it has been pointed out that the requirement of ideal continuous phase randomization can be replaced by discrete phase randomization Cao et al. (2015). This work represents an important step towards making decoy-state QKD more practical, however it introduces additional complexity into the security analysis, which can be tricky when considering finite-length keys. Thus, for practical reasons, it may still be of interest to investigate new coherent-state QKD protocols that can distribute secret keys over longer distances.
In order to achieve good secret key rates using non-phase-randomized coherent states, it is important to have a tight estimation of Eve’s information about the secret key. While in principle one could obtain a tight estimation of Eve’s information by considering all the possible eavesdropping strategies, it is computationally intractable to fully characterize them, especially if the underlying Hilbert space dimension is unknown. To resolve this technical difficulty, here we employ the numerical tool introduced in Ref. Wang et al. (2019) to bound Eve’s information, which roughly speaking, converts the characterization problem of Eve’s strategies into a tractable hierarchy of semi-definite programs (SDP). It has been shown in Ref. Wang et al. (2019) that the SDP method provides a tighter bound on Eve’s information as compared to existing methods that use the so-called quantum coin method Lo and Preskill (2007). Additionally, the SDP method is semi-device-independent (SDI) Pawłowski and Brunner (2011); Bowles et al. (2014); Wang et al. (2015); Woodhead and Pironio (2015); Himbeeck et al. (2017); Rusca et al. (2019), namely the detailed characterization of Bob’s measurements is no longer necessary, but different to previous SDI which based on dimension or energy assumption, the analysis here is made based on the known inner product information of the coherent states. As such, the security certified by this method is robust against a large class of quantum device flaws and imperfections.
In this work, we propose a six-coherent-state protocol and show that it offers significant advantages in both secret key rate and transmission distance over existing coherent-state QKD protocols Lo and Preskill (2007); Wang et al. (2019). The organization of the paper is as follows: in Sec. II, for pedagogical reasons, we first review a standard coherent-state QKD protocol that encodes the secret key into the relative phase of the coherent states. In Sec. III, we first introduce a six-coherent-state protocol which allows the test coherent states to use different mean photon number from that of the key states. Then, we use the method introduced in Ref. Wang et al. (2019) to derive the secret key rate of the protocol and simulate its expected performance using standard experimental parameters. Finally, we conclude our findings in Sec. IV.
II Phase-encoding BB84 coherent-state QKD
In this section, we first review a popular coherent-state QKD protocol, which is inspired by the celebrated Bennett & Brassard 1984 (BB84) QKD Bennett and Brassard (1984). Here, the protocol encodes the secret bit into the relative phase of two coherent states, where the first coherent state is the signal state (the modulated signal) and the second coherent state is the reference state (fixed and whose phase reference is given to Eve). More specifically, Alice sends one of four states randomly:
[TABLE]
where the phase of is relative to a fixed classical phase reference frame that Eve can access. Here, the subscript and denote the signal state and reference state, respectively. Then, Bob measures the signal he receives in either key basis or test basis. When Bob measures the signal in key basis, he combines the two modes in an interferometer, and directs modes , to two different threshold photon detectors, where
[TABLE]
In ideal case, if Alice sends to Bob and he measures in the key basis, detector (model ) will click (with some probability depending on the channel loss ) and detector (model ) will not click. Likewise, if Alice sends , then detector will not click and detector will click with some probability. Hence, Bob can determine the bit value that Alice encodes in key basis. When Bob measures in the test basis, he directs modes , to the detectors, where
[TABLE]
Similarly, Bob can determine the bit value that Alice encodes in test basis. Then, Alice and Bob retain only the successful events in which they choose the same basis through public communication. After performing error correction step and privacy amplification step, Alice and Bob obtain the final secure key.
To prove the security of the protocol, one can either use the quantum coin method Lo and Preskill (2007) or the SDP method proposed in Ref. Wang et al. (2019). It has been demonstrated in the latter that the SDP method provides a tighter security analysis. Interestingly, Ref. Wang et al. (2019) also suggested that it may be useful to vary the test coherent states. In particular, the authors demonstrated that, in the case of coherent-one-way QKD, it is possible to significantly extend the key distribution distance by varying the intensity of the test coherent state in the protocol. In light of this observation, we propose the following phase-encoding QKD protocol.
III Six-coherent-state QKD
Here, we detail our proposed six-coherent-state protocol, and illustrate one of its possible implementation schemes in Fig. 1.
Preparation.-Alice randomly prepares one of those six quantum code states : , , , , , , shown in Fig. 2. Then, she sends it to Bob via the quantum channel. The states and are used to extract keys, while the rest are used to estimate Eve’s information about the secret key. In this case, the key bit is encoded in the relative phase of the signal state and reference state. Here, the intensities and phases are free parameters, which will be used to optimize the secret key rate.
Measurement.-Upon receiving the state, Bob directs it to the interferometer to recover the bit information. We use positive-operator valued measures (POVMs) to describe Bob’s interference operations: Bob randomly performs one of two possible POVMs denoted by , where represents basis choice. Taking signal loss and detection inefficiency into account, each measurement has three possible outcomes , where represents the empty detection event. In the event that both detectors click, Bob assigns a random bit to it. Additionally, we require that Bob’s measurements satisfy basis-independent assumption: measurement operators corresponding to detection loss are the same for both measurement settings, i.e. . This is to ensure that the probability of detecting a signal is independent of Bob’s measurement choice, which is necessary to rule out detection side-channel attacks exploiting the channel loss Lydersen et al. (2010). Thus Bob’s three-outcome POVM is equivalent to a two-outcome POVM that determines the key bit, preceded by a basis-independent “filter”.
Parameter estimation and key distillation.-Alice and Bob announce their basis choices through the public channel and decide if the error rates fulfill certain thresholds. If the test is successful, then Alice and Bob proceed with error correction and privacy amplification to extract a secret key.
To compute the security of the protocol, we can use a certain entropic uncertainty relation for quantum memories Berta et al. (2010) and Fano’s inequality Cover and Thomas (2006). Using these, it can be shown that the asymptotic secret key rate of QKD against collective attacks is
[TABLE]
where and are the bit error rate and phase error rate of the key basis, is the probability of detection in key basis, and is the binary entropy function. The extension to general attacks is then achieved by using proof techniques like the post-selection technique Christandl et al. (2009) or entropy accumulation theorem Dupuis et al. (2016). These results imply that it is sufficient to consider security against collective attacks.
III.1 SDP optimization problem for bounding Eve’s information
From Eq. (5), we see that the secret key rate is obtained once we know the detection probability, bit error rate, and the phase error rate. To obtain these values, we first consider that Alice, Bob and Eve share a purified tripartite state after the transmission,
[TABLE]
where Eve’s set of possible operations has been considered in and . Conditioned on Bob observing a successful detection, the bit error rate of the key basis is then given by
[TABLE]
The phase error rate in this case is the bit error rate that Alice and Bob would have observed if has been measured in the basis by Alice and basis by Bob. Mathematically, this is given by
[TABLE]
One can see that and are experimentally accessible, while the phase error rate , which related to Eve’s information about the secret bit is not. To get a tight estimation of , in principle one should optimize over Eve’s set of possible operations, namely captured in the transformed states and under the constraints imposed by the expected statistics. However, as we mentioned earlier, this type of characterization problem is often intractable or impossible to solve directly.
Here, we employ the numerical tool introduced in Ref. Wang et al. (2019) to estimate the phase error rate, which converts the initial characterization problem into a hierarchy of semi-definite programs. More specifically, each hierarchy forms a convex set which outer-approximates the quantum set. Importantly, by going to higher hierarchies, the approximation becomes tighter. The quantum set here means the set of measurement statistics compatible with the set of prepared quantum signals and Bob’s measurements. Thus, in using this method, we can optimize over the various convex sets to bound Eve’s information, which in turn, provides a lower bound on the secret key rate of the protocol.
With this SDP method, the detailed characterization of the quantum signals and measurements, including their dimension, is no longer required in the analysis. Therefore, the transmission channel can be seen as an isometric evolution in higher dimension that takes the initial quantum signal state to some pure output signal state , which is shared between the receivers Bob and the network environment (possibly Eve). The inner product of the output states is preserved after the transmission, i.e. . In the same way, the POVMs can be assumed as projective measurements in higher dimension. Then, we say that the probabilities of observing outcomes given setting and admits a quantum system, if there exist a quantum state and operators such that
[TABLE]
where the operators follow the properties:
[TABLE]
A family of necessary conditions satisfied by the quantum observed probabilities thus can be introduced. Denote as a finite set of operators, where each element is a linear combination of products of . We define the block Gram matrix :
[TABLE]
in which is defined as the inner-product of the vectors and , for all , . is the -entry of the matrix and represents the standard orthonormal basis of . Evidently, the matrix is Hermitian and positive-semi-definite (PSD) Horn and Johnson (2013) by definition.
Taking for example, the matrix is depicted in Fig. 3. The whole matrix is partitioned into sub-blocks by the classifier , where each sub-block has size and is illustrated in Fig. 4.
The entries of every sub-block partly reflect the properties of - satisfied by the operators and the overlaps of the signal states. For instance, property (ii) implies that we can introduce the identity operator and remove one of the operators; property (i) implies and ; meanwhile the property (iii) implies . In addition, since the overlaps of the code states are known, we have .
From the definition, each set of operators yields a different Gram matrix and different linear constraints. The choice of a particular may seem arbitrary, but not all operators in are independent. Moreover, they can be organized in a hierarchical structure, such that can be defined inductively,
[TABLE]
Thus, with each increase of the hierarchy, not only the dimension of the Gram matrix becomes larger, but also more new linear constraints are introduced. For example,
[TABLE]
We denote the quantum set by , which is formed by the probability distributions admitting a quantum system and the overlaps of the code states. Moreover, let the set of probability distributions defined by hierarchy of step be denoted as . Then, we have that . In fact, it has been demonstrated in Ref. Wang et al. (2019) that in the limit of (i.e., ), converges to . Ultimately, this means that the secret key rate obtained by the SDP can only be tighter when considering higher hierarchies.
To compute Eq. (5), we thus only need to maximize using SDP under the conditions that and are fixed to some experimental model. In particular, the SDP problem for maximizing the phase error rate is:
[TABLE]
where ’s and ’s are constant matrices. Note that ’s are used to pick up the terms in which are associated with the observed distributions ; meanwhile ’s are used to pick up the terms in which are associated with the linear constraints induced by the quantum operators and states.
III.2 Numerical simulation
We simulate the secret key rate of the protocol using a realistic model, which includes total loss (including channel loss and detection efficiency), misalignment error of the optics, and the dark counts of single photon detectors. As Bob uses two threshold detectors, there are four possible outcomes when he measures a signal. By mapping double clicks randomly into 0 or 1, Bob’s measurement realizes a POVM with three outcomes: 0, 1 and inconclusive. Note that the double clicks are interpreted as key bits Inamori et al. (2007); Lo and Preskill (2007). In order to obtain a realistic detection model, we consider the error model illustrated in Fig. 5.
We assume that the detector dark count rate is and misalignment error rate is . For a given total loss , the probability of detectors clicking and not clicking without misalignment error are
[TABLE]
where represents detector and , is Bob’s basis choice, and denote the signal and reference portion of the state respectively.
Let denotes the probability of getting the outcome . We have that
[TABLE]
Considering the misalignment error , the probabilities of are
[TABLE]
Thus, the statistics of each POVM measurement on each coming states can be evaluated, as shown in Tab. 1. Accordingly, the probability of detecting a signal for key basis and the corresponding bit error rate are then given by
[TABLE]
Subsequently, we maximize over the set of compatible probabilities using the first level of the hierarchy and the results of the numerical optimization with errors (blue curve) and without errors (rose curve) are shown in Fig. 6. In the absence of errors, the tolerable total loss is extended to more than 55 dB, which is extremely close to the collective beam-splitting attack bound (an upper bound on the secret key rate). This suggests that the six-coherent-state QKD protocol is pretty robust against the total loss in the absence of errors. Taking into account practical errors, the tolerable total loss reaches up to 38 dB, which is significantly higher than previous results Lo and Preskill (2007); Wang et al. (2019) (around 23, 25 dB respectively) assuming the same error model specified in Fig. 5. As compared with the protocol in Ref. Wang et al. (2019), additional two test states are included in our protocol to give better characterization of the quantum system between Alice and Bob. Thus, a tighter bound on Eve’s information could be obtained.
Moreover, through the optimization, we observe that the secret key rate is optimized when and . This is expected since corresponds to larger overlaps between the six coherent states, which imply that it will be more challenging for Eve to distinguish them, meanwhile provides more characterization of the test basis (), and thus, resulting in a higher secret key rate. Therefore, in practice, one has to only modulate the amplitude between two levels ( and ) which makes our protocol highly practical and suitable for high-speed implementation.
For completeness, we also plot the secret key rate, obtained using decoy-state method, of the protocol in Ref. Boaron et al. (2018) that is based on time-bin encoding of phase-randomised coherent states. The asymptotic secret key rate is estimated using the formula given in Ref. Ma et al. (2005), without taking into account of the statistical corrections of finite-length keys. Considering the same simulation parameters (i.e., total loss , misalignment error and dark count rate), the plot of secret key rate against loss of the decoy-state QKD protocol is shown in Fig. 6. The comparison shows that secret key rate of our protocol is comparable to that of the one-decoy-state protocol in low loss regime. Specifically, the key rates differ by only one order of magnitude in the region when the loss is less than 25 dB. For further comparison, we also simulated the optimized secret key rates of BB84 protocol with 2 decoy states and infinite number of decoy states, and our protocol still shows appreciable performance in the short distance regime.
IV Conclusion
In conclusion, on the one hand, phase randomization is a critical assumption made in the analysis of most coherent state QKD protocols and any deviation from preparing perfectly phase-randomized coherent states may pose serious threats of a security breach. On the other hand, existing analysis on non-phase-randomized coherent states are overly pessimistic and yield secret key rates that are inferior to alternative protocols based on the decoy-state method. In this paper, we presented and analyzed the security of a six-coherent-state phase encoding QKD protocol based on non-phase-randomized coherent states. Our analysis requires fewer assumptions on both the quantum state preparation and measurement processes as it relies solely on the overlaps of the code states as well as the observed statistics. Simulating with realistic experimental model (dark count rate of and misalignment error of ), our protocol can tolerate a total loss of up to 38 dB, which is much higher than previous works. Moreover, we observed that the secure key rates of our protocol are comparable with the BB84 decoy-state protocol in the low loss regime. In addition to the improved key rates, our protocol only requires the modulation of six relative phases and two amplitudes, which is easy to implement. Hence, we have shown that one could implement coherent state QKD without performing phase randomization and yield comparable key rates with other known protocols.
Acknowledgements.
We would like to thank Hugo Zbinden and Goh Koon Tong for the valuable comments and careful reading of the manuscript. This research is supported by the National Research Foundation (Singapore), the Ministry of Education (Singapore), the National University of Singapore, the Asian Office of Aerospace Research and Development, and the National Natural Science Foundation of China (Grant No.61572081 and No.61672110). Li Liu kindly acknowledges support from the China Scholarship Council.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1Bennett and Brassard (1984) C. H. Bennett and G. Brassard, in Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing (IEEE Press, New York, 1984) pp. 175–179.
- 2Gisin et al. (2001) N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74 , 145 (2001).
- 3Scarani et al. (2009) V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dus̆ek, N. Lütkenhaus, and M. Peev, Rev. Mod. Phys. 81 , 1301 (2009).
- 4Lo et al. (2014) H. K. Lo, M. Curty, and K. Tamaki, Nat. Photon. 8 , 595 (2014).
- 5Hwang (2003) W. Y. Hwang, Phys. Rev. Lett. 91 , 057901 (2003).
- 6Lo et al. (2005) H. K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94 , 230504 (2005).
- 7Wang (2005) X. B. Wang, Phys. Rev. Lett. 94 , 230503 (2005).
- 8Dus̆ek et al. (2000) M. Dus̆ek, M. Jahma, and N. Lütkenhaus, Phys. Rev. A 62 , 022306 (2000).
