Conference key agreement with single-photon interference
Federico Grasselli, Hermann Kampermann, Dagmar Bruß

TL;DR
This paper introduces a new multipartite quantum key agreement protocol using single-photon interference and W-class states, enhancing security and efficiency in high-loss quantum communication scenarios.
Contribution
It generalizes twin-field QKD to a multipartite setting with a novel W-class entangled state, providing a secure conference key agreement scheme.
Findings
Protocol is secure in finite-key regime
Outperforms bipartite schemes under certain conditions
Effective in high-loss quantum channels
Federico Grasselli, Hermann Kampermann and Dagmar Bruß
Institut für Theoretische Physik III, Heinrich-Heine-Universität Düsseldorf, Universitätsstraße 1, D-40225 Düsseldorf, Germany
Abstract
The intense research activity on Twin-Field (TF) quantum key distribution (QKD) is motivated by the fact that two users can establish a secret key by relying on single-photon interference in an untrusted node. Thanks to this feature, variants of the protocol have been proven to beat the point-to-point private capacity of a lossy quantum channel. Here we generalize the main idea of the TF-QKD protocol introduced by Curty et al. to the multipartite scenario, by devising a conference key agreement (CKA) where the users simultaneously distill a secret conference key through single-photon interference. The new CKA is better suited to high-loss scenarios than previous multipartite QKD schemes and it employs for the first time a W-class state as its entanglement resource. We prove the protocol’s security in the finite-key regime and under general attacks. We also compare its performance with the iterative use of bipartite QKD protocols and show that our truly multipartite scheme can be advantageous, depending on the loss and on the state preparation.
The most mature and developed application of quantum communication [1, 2] is certainly quantum key distribution (QKD) [3, 4, 5, 6, 7, 8]. The majority of the QKD protocols proposed so far involve just two end-users, Alice and Bob, who want to establish a secret shared key. Nowadays there is vibrant research into protocols that are proven to be secure in the most adversarial situation possible (i.e. reducing the assumptions on the devices) [9, 10, 11, 12, 13, 14], but at the same time are also implementable with today’s technology [15, 16, 17, 18]. In this context, a protocol which recently received great attention is the Twin-Field (TF) QKD protocol originally proposed by Lucamarini et al. [19], further developed to prove its security [20, 21, 22, 23, 24, 25, 26, 27] and experimentally implemented [28, 29, 30, 31]. Indeed, the TF-QKD protocol relies only on single-photon interference occurring in an untrusted node, making it a measurement-device-independent (MDI) QKD protocol capable of overcoming the repeaterless bounds [32, 33].
In a scenario where several users are required to share a common secret key, one can for instance perform bipartite QKD protocols between pairs of users and then use the secret keys established in this way to encode the final common secret key. Alternatively, one can perform a truly multipartite QKD scheme –also known as conference key agreement (CKA)– whose purpose is to deliver the same secret key to all the parties involved in the protocol [34, 35, 36, 37, 38]. In order to accomplish such a task, a resource which seems necessary is the multipartite Greenberger-Horne-Zeilinger (GHZ) state [34, 35, 36, 37] or a multipartite private state –a “twisted” version of the GHZ state [39, 40].
In this work we introduce a CKA which exploits for the first time the multipartite entanglement of a W-class state [41], in order to deliver the same secret key to all users. Despite having a number of users involved, the scheme relies on single-photon interference in an untrusted node and it is inspired by the bipartite TF-QKD protocol by Curty et al. [24]. We prove the security of our CKA in the finite-key scenario, allowing Eve to perform the most general attacks (coherent attacks) on the transmitted signals. We compare the performance of our genuinely multipartite QKD scheme with the iterative use of bipartite QKD protocols, both in the asymptotic regime and in the finite-key regime. In doing so, we show that performing a truly multipartite scheme can yield a higher secret key rate, depending on the loss and on the state preparation.
The paper is structured as follows. In Sec. 1 we present the CKA based on single-photon interference, while in Sec. 2 we discuss the establishment of a secret conference key where the entanglement resource is a state. In Sec. 3 we prove the CKA security in the finite-key scenario (the detailed proof is given in Appendix A). In Sec. 4 we provide simulations of the protocol’s secret key rate and compare them with the repeated use of bipartite schemes (further comparisons in Appendix C). We present our conclusions in Sec. 5. In Appendix B we report in detail the calculations of the relevant parameters for an honest implementation of the protocol.
1 Conference key agreement
As anticipated in the introduction, our CKA scheme is an extension of the original bipartite TF-QKD protocol [24, Protocol 1] to a scenario with users who want to establish a secret conference key. The parties distill the secret key by sending optical pulses to an untrusted node and by performing suitable measurements on a qubit they hold. In order to keep the notation symmetric, the parties involved in the multipartite QKD protocol are named: , , …, . The protocol is composed of rounds; each round is characterized by the following seven steps (see figure 1):
1. Every party () prepares an optical pulse in an entangled state with a qubit , given by:
[TABLE]
where , is the vacuum state, is the single-photon state, and is the computational basis of qubit .
2. Every party sends her optical pulse to the untrusted node via optical channels characterized by transmittance , in a synchronized manner.
3. The central node applies a Bell-multiport beam splitter [42, 43, 44, 45, 46, 47] with input and output ports (footnote 1: we assume that there are at least as many input ports of the beam splitter as parties taking part in the protocol, i.e. .) to the incoming pulses and features a threshold detector at each output port (). The action of the multiport beam splitter is defined by the unitary transformation given in figure 1.
4. The central node announces the measurement outcome for every detector , with and corresponding to a no-click and a click event, respectively. The round gets discarded if , i.e. whenever single-photon interference did not occur in the central node. The probability that only detector clicked is .
5. According to a preshared secret key of bits (footnote 2: where is the binary entropy function), the round is classified as a parameter-estimation (PE) round with probability or as a key-generation (KG) round with probability . There are on average PE rounds that do not get discarded.
   (a) In case of a PE round, every party measures her qubit in the -basis and then announces the measurement outcome to compute the frequency: .
   (b) In case of a KG round, conditioned on detector clicking, measures her qubit in the basis of the operator (where and are the Pauli operators), with ( is given in figure 1). The parties announce randomly chosen measurement results in order to estimate the quantum bit error rate (QBER) by computing the frequency: , i.e. the frequency of discordant outcomes.
6. The secret key shared by the users is extracted from the remaining raw key bits of the KG rounds.
7. The parties perform classical post-processing and correct their errors to match ’s raw key.
Remarks. Note that the quantity is the frequency of the outcome +1 when the parties measure the operator . By making an analogy with the bipartite scenario, one can view as an estimation of the phase-error rate between and the other parties (when the phase-error rate is defined as in [24]).
Since the Bell-multiport beam splitter redirects each incoming photon with equal probability to each potential output port, the probability of having a click in only one specific detector is the same for all detectors, i.e. reads the same for . For this reason, the total probability of having exactly one click in any detector is given by .
In an honest implementation of the protocol, where the parties’ state preparation and the operations of the central node are carried out as described above, the state of the qubits from which the parties distill a secret key is approximately a W-class state of qubits [41], as we show in Sec. 2. Therefore, the protocol here introduced represents an alternative to other multipartite QKD protocols [34, 35, 36, 37] where the entanglement resource used to generate the key is, instead, a noisy version of the GHZ state of qubits. Moreover, the W-class state used by the CKA is an entangled state which is post-selected after the interference of one single photon at the multiport beam splitter. Thus the resulting key rate scales linearly with the transmittance of one of the quantum channels linking the parties to the central node. This is in contrast to the other mentioned multipartite QKD protocols [34, 35, 36, 37], where the distribution of an -qubit GHZ state (e.g. encoded in orthogonal polarizations of a photon) would lead to a key rate which scales with (with being the transmittance of the link between one party and the node distributing the GHZ state). This makes our CKA much more suited to high-loss scenarios than previously proposed multipartite QKD protocols.
2 Multipartite QKD with a state
As mentioned at the end of Sec. 1, the entanglement resource exploited to distill the secret key is a noisy W-class state of qubits [41], which is post-selected after single-photon interference occurred in the central node. In fact, the optimization of the CKA key rate (Sec. 4) over the parameter weighting the initial superposition of the qubit-photon state always yields values of close to 1. This means that the quantum signal sent by the parties is strongly unbalanced towards the vacuum. Thus the events in which one of the detectors clicks are mainly caused by the arrival and detection of one photon. However, because of the balanced superposition generated by the multiport beam splitter, the detected photon could be sent by any party with equal probability. Since the photon is initially entangled to the qubit in state , the qubits’ state conditioned on the detection is a coherent superposition of states in which one qubit is in state and all the others are in state , that is the mentioned W-class state. A secret conference key can then be extracted by proper measurements performed on such a state.
Let’s start by considering the simplistic scenario in which the parties share the -partite state:
[TABLE]
It has been proven [34] that the parties cannot extract perfectly correlated outcomes in any set of local measurement bases (for ). Indeed, the only -qubit state achieving that and yielding uniformly distributed random measurement outcomes is the GHZ state. Nevertheless, the -partite state can still be used to extract a secret conference key. The key bits are given by the outcomes of the -basis measurements performed by the parties on their respective qubit. The expected QBER between any two parties is given by , which amounts to subtracting the fraction from the secret key rate due to error correction ( is the binary entropy). On the other hand, the eavesdropper’s knowledge about the key can be estimated via the phase-error rate (as defined in Sec. 1, more details in Appendix A), which turns out to be zero on the state. This is crucial for having a non-zero key rate even when the number of parties is large. The resulting asymptotic key rate, when the parties share an -partite state, is given by .
Our CKA is constructed following the same philosophy. The only difference is that the conditional state shared by the parties after the detector’s click is not exactly the state given by (2.1), but rather a noisy W-class state (the full expression is given in Appendix B). Indeed, the multiport beam splitter introduces complex phases in the balanced superposition of states shared by the parties, that depend on which detector clicked. For this reason, we require the parties to adjust their KG measurements in the plane in order to remove such phases and obtain the same QBER they would observe by measuring in the -basis had they shared the standard state (2.1). However, the adjusted KG measurements do not commute with the operations performed in the untrusted node and prevent the CKA from being recast as an MDI prepare-and-measure scheme, as opposed to its bipartite version [24]. Consequently, the multipartite scheme presented here is more challenging to implement than its bipartite counterpart. Nonetheless, the operations that the parties are required to perform seem to be within technological reach [48, 49]. In particular, the qubit system could be realized by a nitrogen-vacancy electron spin, whose coherence time has recently reached the order of seconds [50]. The entanglement between the electron spin and the photon’s Fock state would then be generated via selective optical pulses and coherent rotations [48].
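The two claims above, that the ideal state has a vanishing phase-error rate alongside a nonzero pairwise QBER and that detector-dependent phases must be undone by rotating the key measurement, can be checked numerically; the following is an added example, not code from the paper. It assumes the ideal single-excitation state (1/sqrt(N)) sum_k e^{i theta_k} |0..1_k..0>, a key measurement of the form cos(phi) X + sin(phi) Y, the parity operator Z x ... x Z as the phase-error check, and discrete-Fourier phases theta_k = 2 pi j k / M for a click in detector j; these symbol assignments are assumptions, since the formulas are not reproduced on this page.

```python
import cmath
import math


def w_class_state(n, thetas):
    """Sparse state vector {basis_index: amplitude} of the assumed ideal state
    (1/sqrt(n)) * sum_k exp(i*thetas[k]) |0..1_k..0>  (bit k set = qubit k excited)."""
    return {1 << k: cmath.exp(1j * thetas[k]) / math.sqrt(n) for k in range(n)}


def multiport_phases(n, m, j):
    """Assumed phases for a click in detector j of an m-port beam splitter modelled
    as a discrete Fourier transform, with the n parties on input ports 0..n-1."""
    return [2 * math.pi * j * k / m for k in range(n)]


def apply_xy(state, qubit, phi):
    """Apply cos(phi)*X + sin(phi)*Y to one qubit.
    In matrix form: |0> -> e^{+i phi}|1>,  |1> -> e^{-i phi}|0>."""
    out = {}
    for basis, amp in state.items():
        excited = (basis >> qubit) & 1
        factor = cmath.exp(-1j * phi) if excited else cmath.exp(1j * phi)
        flipped = basis ^ (1 << qubit)
        out[flipped] = out.get(flipped, 0j) + factor * amp
    return out


def inner(bra, ket):
    """<bra|ket> for two sparse state vectors."""
    return sum(a.conjugate() * ket.get(b, 0j) for b, a in bra.items())


def pair_qber(state, a, b, phi_a, phi_b):
    """Probability that parties a and b obtain different outcomes: (1 - <O_a O_b>)/2."""
    corr = inner(state, apply_xy(apply_xy(state, a, phi_a), b, phi_b)).real
    return (1 - corr) / 2


def phase_error_rate(state):
    """Probability of outcome +1 for the parity operator Z x ... x Z,
    i.e. the total weight on basis strings with an even number of ones."""
    return sum(abs(a) ** 2 for b, a in state.items() if bin(b).count("1") % 2 == 0)


def h(p):
    """Binary entropy, clamped so that rounding noise around 0 or 1 is harmless."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def asymptotic_rate(n):
    """Key bits per retained round for the phase-free ideal state:
    1 - h(phase-error rate) - h(worst QBER with respect to party 0)."""
    state = w_class_state(n, [0.0] * n)
    worst = max(pair_qber(state, 0, b, 0.0, 0.0) for b in range(1, n))
    return 1 - h(phase_error_rate(state)) - h(worst)


def detector_table(n, m):
    """Per detector j: worst QBER against party 0 with plain X measurements,
    the same with angles matched to the assumed phases, and the phase-error rate."""
    rows = []
    for j in range(m):
        thetas = multiport_phases(n, m, j)
        state = w_class_state(n, thetas)
        plain = max(pair_qber(state, 0, b, 0.0, 0.0) for b in range(1, n))
        adjusted = max(pair_qber(state, 0, b, thetas[0], thetas[b]) for b in range(1, n))
        rows.append((j, plain, adjusted, phase_error_rate(state)))
    return rows


if __name__ == "__main__":
    for n in (2, 3, 4, 6, 10):
        print(f"N={n:2d}  ideal rate per retained round = {asymptotic_rate(n):.4f}")
    for j, plain, adjusted, pe in detector_table(3, 3):
        print(f"detector {j}: QBER plain={plain:.4f} adjusted={adjusted:.4f} phase error={pe:.1e}")
```

With the angles matched, every detector gives the same QBER of 1/2 - 1/N, while unadjusted measurements give a QBER that depends on which detector clicked.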
3 Finite-key analysis
The protocol presented in Sec. 1 can be effectively regarded as an -partite QKD protocol solely characterized by the unknown quantum state , which is the global state of the parties’ qubits in all the rounds that were not discarded (footnote 3: on average, the number of rounds that are not discarded by the CKA is .). In this way we allow the eavesdropper, who is in total control of the untrusted node, to perform any kind of operation (coherent attacks) on the whole set of signals sent by the parties in the different rounds. As described above, in each round the parties perform trusted measurements on the state , according to the preshared key they hold. The security of such a multipartite QKD protocol can be proven thanks to the finite-key analysis developed in [36]. In particular, since (who holds the key to which all the other parties correct their raw key) measures her qubit only in the two mutually unbiased bases and , the protocol’s security proof follows analogous lines to the one of the -BB84 protocol presented in [36]. The detailed proof of the CKA security is given in Appendix A.
Theorem 1
The CKA in Sec. 1, with the optimal 1-way error-correction protocol (which is -fully secure and -robust) and where the secret key generated by two-universal hashing has length
[TABLE]
is -secure with , where is defined as:
[TABLE]
and is the positive root of the following equation:
[TABLE]
We remark that the length of the preshared key must be subtracted from the secret key length in order to have the net amount of fresh secret key bits. We also remark that our leakage estimation considers the worst-case QBER affecting the parties’ raw keys, which is (with high probability) not larger than the QBER observed in appositely designated KG rounds with the appropriate statistical correction. This is in contrast to several other finite-key analyses [51, 52, 53, 54], where either the QBER is assumed to be known a priori or its estimation does not account for statistical fluctuations.
In the asymptotic regime (), the finite-size effects are not present and the secret key rate () reads:
[TABLE]
where and are the probabilities corresponding to the frequencies defined in Sec. 1.
4 Simulations
In this Section we provide plots of the secret key rate –number of secret key bits per round– achieved by the CKA both with finite-key effects (3.1) and in the asymptotic regime (3.4), as a function of the loss in one of the channels linking a party to the central node, measured in dB (). We assume that the protocol is honestly implemented as described in Sec. 1 and we account for a dark count probability of in every detector (which can be attained with superconducting nanowire single photon detectors [29]) and for a polarization and a phase misalignment between and each other party of 2%. The relevant error rates and probabilities for this configuration are given in Appendix B. The plots are optimized over the parameter of the initial superposition between the two qubit-photon states, unless otherwise stated. The finite-key plots are further optimized over the probability of performing a PE round and over the security parameters and , constrained by a fixed total security parameter of .
In order to assess the performance of our CKA with an untrusted node, we consider the situation in which the central node is removed and the parties are linked by a star network, where the transmittance of the link between any two parties is . For this configuration, we consider the conference key rate generated by the following strategy and compare it to our CKA key rate. One selected party performs the best possible bipartite QKD scheme with every other party in the network, i.e. times. Because of the network symmetry, every bipartite secret key has the same length and its asymptotic rate is upper bounded by the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound [33] given by: . Then, the selected party encodes the final conference key by using the keys she/he established singularly with each other party. Hence, the conference key length is equal to the bipartite keys’ lengths, but the total number of rounds (footnote 4: by round we mean a set of steps of a given QKD protocol which contains only one transmission of quantum signals; more parties at the same time can transmit a quantum signal) needed to establish the conference key is given by the number of rounds performed by a pair of parties, multiplied by the number of bipartite schemes (). Thus the conference key rate achieved by this strategy is upper bounded by:
[TABLE]
We will refer to (4.1) as the direct-transmission bound, even though we emphasize that it only upper bounds the achievable conference key rate when the strategy we just described is employed. Indeed, we do not claim that this strategy yields the highest possible conference key rate for the considered network configuration. In this Section we show that our CKA provides an advantage, in terms of performance, with respect to the above strategy (4.1).
4.1 Asymptotic regime
In figure 2 we plot the asymptotic key rate of the CKA (Eq. 3.4, solid and dotted lines) as a function of the loss in one of the quantum channels, for different numbers of parties establishing the secret conference key. In particular, the solid lines are obtained by fixing , i.e. the number of input (output) ports of the beam splitter is given by the number of parties taking part in the protocol. The dotted lines are instead obtained by fixing the number of ports to . Finally, the dashed lines represent the direct-transmission bound (4.1) for the corresponding number of parties.
We observe that the CKA key rate can surpass the direct-transmission bound for sufficiently high losses. This is expected since the CKA key rate basically scales linearly with the transmittance of the quantum channel linking one party to the central node, while the direct-transmission rate scales linearly with the transmittance () of the whole channel linking two parties [33]. We note, however, that the performance advantage of the CKA with respect to the direct-transmission bound decreases for increasing number of parties. This is due to the fact that an increase of the number of parties is more detrimental for the CKA rate, as it severely affects the QBER, than for the direct-transmission bound, where it simply increases the total number of rounds dividing the key length. Moreover, the presence of dark counts in the detectors prevents the CKA from outperforming the direct-transmission bound if the number of parties is too large (see the case in figure 2). As a matter of fact, for increasing number of parties the key rate optimization yields a lower probability of having a single click in one of the detectors, thus increasing the relative effect of dark counts.
From figure 2 we also deduce that performing the CKA with a higher number of ports in the beam splitter (dotted lines, where ) is advantageous at low losses and disadvantageous at high losses. The advantage of having more output ports is that the probability that two photons arrive at the same detector diminishes (this is an error source in our CKA). However, these errors could only occur if there is a non-negligible probability that two photons arrive at the central node, i.e. when the losses are low. At the same time, the presence of more output ports –and thus detectors– increases the chances of a dark count. And the negative effect of dark counts on the performance becomes tangible when their probability is comparable to the probability of having a click in a detector, i.e. at high losses.
Another relevant scenario for assessing the CKA performance in comparison to the iteration of bipartite protocols could be the following. The parties are given the same CKA experimental setup but they are now allowed to use it in pairs (or larger subgroups) in consecutive runs, effectively performing the original TF-QKD protocol [24, Protocol 1] between one selected party and every other party. The different established keys are then used to encode the final conference key, similarly to the direct-transmission scenario. This strategy can then be compared to the case where the parties choose to use the CKA setup all at once, thus performing a truly multipartite QKD scheme. A detailed analysis of this comparison in the asymptotic regime is given in Appendix C. It turns out that, depending on the loss and on the state preparation, it is still advantageous to perform a multipartite protocol instead of iteratively executing bipartite protocols, on the CKA experimental setup.
4.2 Finite-key effects
In figure 3(a) we plot the finite-key conference rate (Eq. 3.1 divided by ) as a function of the number of rounds , for different fixed values of the loss (20dB and 30dB, solid and dot-dashed lines) and different number of parties. We stress the fact that we normalize the key length to the total number of rounds (), i.e. we also take into account the rounds that get discarded due to double-clicks or no click in the detectors. The horizontal dashed lines correspond to the value of the direct-transmission bound (4.1) for the various combinations of losses and number of parties. We observe that the number of rounds leading to a non-zero key rate is in general higher than other multipartite schemes (see for example [36]). This is caused by the fact that the CKA devised here relies on single-photon interference events, which are only a fraction of all the events occurring in an experiment run. A considerable amount of rounds gets thus discarded, but still contributes to the rounds’ count. Nevertheless, the number of rounds needed for a non-zero key rate is comparable to other bipartite TF-QKD protocols [55, 56]. On the other hand, the advantage of relying on single-photon interference in a multipartite scenario is the excellent scaling of the protocol’s key rate with respect to losses, which allows it to overcome the asymptotic direct-transmission bound (dashed lines) even with a finite number of rounds.
In figure 3(b) we instead plot the minimum number of rounds () such that the finite-key rate () does not decrease more than 90% with respect to its asymptotic value (3.4), i.e.: . The threshold is plotted as a function of the number of parties () and for fixed values of the loss. We observe that increases both with the number of parties and with the loss. The reason is that, in both cases, the fraction of the total number of rounds that gets discarded increases. This has a negative effect both on the asymptotic rate and on the finite-key rate, however the effect on the latter is greater, thus requiring a larger number of rounds to maintain the finite-key rate within 90% range of the asymptotic one. Indeed, a larger fraction of discarded rounds decreases the prefactor in both the finite- and the asymptotic-key rates, but it additionally decreases the number of rounds used for PE in the finite-key regime. This causes larger statistical fluctuations and thus a smaller finite-key rate.
5 Conclusions
In this work we introduced a new multipartite QKD protocol that exploits for the first time the correlations derived from an -partite state [41] to establish a secret conference key among the users. In an honest implementation of the protocol, the state is post-selected thanks to the interference of a single photon in a central node, extending the idea of the bipartite Twin-Field QKD protocol devised in [24] to the multipartite scenario. Hence the resulting key rate scales linearly with the transmittance of one of the quantum channels linking the parties to the central node, making the protocol particularly suited for conference keys established in high-loss scenarios.
We prove the protocol’s security in the finite-key regime by considering the most adversarial situation possible, i.e. coherent attacks are allowed by the eavesdropper. In order to achieve this, we rely on previous results on the finite-key security of multipartite QKD schemes derived in [36] and employ the entropic uncertainty relation [57].
We provide simulations of the conference key rate both in the finite- and in the asymptotic-key regime. We compare the performance of our conference key agreement (CKA) to that achieved by performing bipartite QKD schemes between one party and each of the others and then using the established keys to encode the conference key. In particular, we analyze the cases where the bipartite schemes are performed with the same setup used for the CKA (in Appendix C) and in the direct-transmission scenario (i.e. the central node is removed and the optimal bipartite QKD scheme is performed). We show that, in both cases, the execution of a truly multipartite scheme could be advantageous even when finite-key effects are accounted for.
Although the feasibility of the proposed CKA requires further investigation, with this work we demonstrate that, in principle, multipartite QKD does not necessarily need a GHZ-class state as its entanglement resource and that it can be implemented even in high-loss scenarios.
We thank Marcos Curty, Daniel Miller and Hua-Lei Yin for helpful discussions. This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 675662.
Appendix A Security proof
In order to prove the security of our CKA in the finite-key scenario, we start from the general security statement given in [36, Theorem 1]. The resulting secret key length is thus determined by the amount of information the eavesdropper has about the secret key and by the information the parties leak during the classical post-processing. The former is quantified by the min-entropy , where is the classical-quantum state of ’s raw key and the eavesdropper’s quantum system which is partially correlated to it. Since the eavesdropper’s system is unknown, one cannot directly compute the mentioned min-entropy. Nevertheless, it can be bounded by means of the uncertainty relation [57] as follows:
[TABLE]
where the max-entropy on the r.h.s. quantifies the uncertainty of ’s -measurement results when the -outcomes of the remaining parties are known, if all parties would measure in the rounds yielding the raw-key. The max-entropy can be upper bounded via the phase-error rate –as defined in Sec. 1– of the raw-key rounds. We get:
[TABLE]
where is the binary entropy function: . Finally, since the parties do not directly observe the phase-error rate of the rounds producing the raw key, this can be inferred through the theory of random sampling without replacement. In particular, the phase-error rate of the raw key () can be upper bounded with high probability, once the observed phase-error rate () is known. For this, we make use of the following tail inequality [55, Lemma 1] which features a tighter bound with respect to the Serfling inequality.
Lemma 1 [55].
Let be a random binary string of bits, be a random sample (without replacement) of m entries from the string and be the remaining bit string. Upon calling and the frequencies of bit value 1 in string and , respectively, for any it holds:
[TABLE]
where is the positive root of the following equation:
[TABLE]
By applying Lemma 1 to the case of , we can finally bound the eavesdropper knowledge about the secret key as follows:
[TABLE]
The remaining part of the secret key length that needs to be estimated is the leaked information during classical post-processing. This is readily estimated through the observed QBER between and any other party, by means of [36, Theorem 2].
Putting these considerations together, we obtain the security statement given in Th. 1.
Appendix B Channel model
In this Section we compute the QBER (), the phase-error rate () and the probability that a given detector clicked (), assuming that the protocol is implemented as described in Sec. 1. We also account for a dark count probability in each detector and we consider the specific scenario in which there are a polarization and a phase misalignment of angles and , respectively, between and each other party. In the simulations of Sec. 4 we set: and . For simplicity, we assume that the input signals of the parties enter the first ports of the -port beam splitter. Nevertheless, the results in terms of achieved key rate are independent of which input ports are used, thanks to the balanced redistribution of the input photons to the output ports of the considered Bell-multiport beam splitter (see figure 1). We remark that the expressions derived here together with the asymptotic key rate given in (3.4) reproduce those of the original TF-QKD protocol [24, Protocol 1] in the case of two parties () with a balanced 2-port beam splitter ().
We first derive the QBER, the phase-error rate and the probability assuming no dark counts in the detectors, i.e. every click is caused by the arrival of one or more photons. In the last Subsection we use the derived expressions to obtain analogous quantities, with the assumption that every detector has a probability of clicking conditioned on no photon arriving.
B.1 Qubits’ state conditioned on one click
According to the protocol, the global state of the parties’ qubits and signals, before sending the signals to the central node, reads:
[TABLE]
where the phase mismatch is defined as zero if and as if , which means that every other party has the same phase mismatch with respect to . The signals are then sent to the central node through lossy optical channels, which are modeled as beam splitters with transmittance . The global state after the transmission of the signals to the untrusted relay reads:
[TABLE]
where is the creation operator of the lost photon in channel , is a -bit vector that runs from 0 to in binary notation (covering all the possible combinations of qubit states) and is the Hamming weight of vector . From now on, we denote as the bijective function that takes as input a binary vector and outputs the corresponding decimal number.
We assume now that the polarization of the photons sent by is rotated by an angle with respect to ’s signal:
[TABLE]
where is defined as zero if and as if , while the subscripts P and indicate the polarization of ’s signal and its orthogonal direction, respectively.
Finally, the global state after the application of the Bell-multiport beam splitter on the incoming signals (its action on the incoming creation operators is reported in figure 1) is:
[TABLE]
where and are the creation operators of the output signals in the two orthogonal polarizations and is reported in figure 1. At this point, every output signal is measured in the respective threshold detector. Since the detectors do not distinguish the polarization of the output signals, we will use the subscript to indicate the combined Hilbert space of the signals exiting port , when there is no ambiguity.
We are now ready to compute the conditional state of the qubits when only detector clicked:
[TABLE]
where is the probability that only detector clicked, is the normalized conditional state of the qubits and is the projector on the vacuum state of output signal . In order to compute (2.5), we start by calculating the following quantity:
[TABLE]
where the effect of the projectors is to select the outcome signal and to remove the case , since it would correspond to a vacuum state for the outcome signal . We now focus on rewriting the following term:
[TABLE]
where we expanded the product in the first line of (2.7) by introducing a sum over the binary vector . The sum runs over all the -bit vectors for which whenever , for all –the condition . This is to make sure that the -th factor in the first line does not contribute to the expanded product in the second line whenever . The remaining bits of that are not affected by the mentioned condition, can be either 1 or 0. If we intend that, for this particular term in the sum, the contribution of the -th factor in the first line of (2.7) is given by its first addend (). While if and , we mean that the contribution is coming from the second addend (). The exponents in the second line of (2.7) are chosen according to these rules. Finally, (2.8) is obtained by using the definition of from figure 1 and by applying the creation operators on the vacuum. We now expand the remaining product in (2.8) with the same technique and obtain the following expression:
[TABLE]
We now substitute (2.9) back into (2.6) and note that the effect of the projectors is to remove the case from (2.9). Hence we get:
[TABLE]
By substituting (2.10) into (2.5) we finally get the state of the qubits conditioned on clicking:
[TABLE]
We use the Kronecker deltas to reduce the sums over and . The third delta fixes the value of : . The fixed value of combined with the other constraints on this vector implies additional constraints on . In particular, implies while implies . Finally the first two deltas imply , which combined with the third delta yields . Putting everything together allows us to simplify (2.11) as follows:
[TABLE]
where the sets of binary vectors , and are defined as follows:
[TABLE]
We can now sum over the vectors since no term depends on them in (2.12):
[TABLE]
where the asterisk on the binomial coefficient means that it is defined as zero if and . Finally, since every term just depends on , we can sum over all the vectors with equal Hamming weight and obtain the final expression for the conditional state of the qubits when detector clicked:
[TABLE]
B.2 Probability of exactly one click
We can now compute the probability of having just one click in detector by simply computing the trace of both sides in (2.17):
[TABLE]
In order to obtain an easier expression to compute, we distinguish the cases: , and the special case :
[TABLE]
We can now partially sum over the vectors since the terms in the sums only depend on the Hamming weight of these vectors:
[TABLE]
By employing the following identity:
[TABLE]
both in the second and last row of (2.20), we get the following expression:
[TABLE]
The remaining sum over can be similarly simplified as follows:
[TABLE]
By substituting (2.23) into (2.22) and by partially summing over vectors we obtain the final expression for the probability that only detector clicks:
[TABLE]
We observe that the probability that only detector clicks is independent of the particular detector because of the symmetric action of the multiport beam splitter.
B.3 QBER
Starting from the conditional state (2.17), we can compute the QBER between and ’s outcomes when they measure their qubit in the eigenbasis of the operator and , respectively, with ( and are the Pauli operators). The operator has eigenvalues and corresponding eigenvectors: .
To start with, we compute the following quantity:
[TABLE]
and we insert it into the probability that measured the outcome +1 and measured the outcome -1, when clicked:
[TABLE]
where is a set of at most 2 binary vectors, defined as: $\mathcal{Q}(\vec{b})=\{\vec{b},\ \overline{b_{1}}b_{2}\dots\overline{b_{k}}\dots b_{N}\ \text{(iff } b_{1}\oplus b_{k}=1\text{)}\}$ (the straight line over a bit indicates its negation). This means that the sum over is reduced to just one term, namely , plus the possibility of a second term in which differs from in position 1 and , as long as the bits of vector differ from each other in those positions. Now we compute the sum over as follows:
[TABLE]
where the set simplifies to: . We notice that the first addend in (2.27) is proportional to (2.18):
[TABLE]
Finally, we split the sums over in the two sub-cases: and and we notice that the two contributions differ only in the exponential term. By summing the two contributions, the exponential factor produces a cosine function and one gets:
[TABLE]
In a similar fashion, one computes the probability of measuring the outcome -1 and measuring the outcome +1 and obtains an identical expression to (2.29). In conclusion, the QBER conditioned on clicking is given by twice the probability given in (2.29).
By fixing the angles and as mentioned in the protocol’s description: and we minimize the QBER and thus increase the secret key rate. This requires to adjust her measurement depending on which detector clicked, implying that such measurement does not commute with the operations performed by node . On the other hand, the QBER is now minimal and reads the same regardless of which couple one considers or which detector clicks:
[TABLE]
where is given in (2.24).
B.4 Phase-error rate
Finally we compute the phase-error rate, defined as the probability that the product of the -measurement results of all the parties equals +1 (i.e. the qubit of an even number of parties collapsed in state , which corresponds to the outcome ):
[TABLE]
where the quantum state conditioned on detector clicking is given in (2.17) and the case is excluded since does not appear in (2.17). By following analogous steps to those presented in B.2 we obtain the following expression for the phase-error rate:
[TABLE]
B.5 Dark counts
So far we computed the quantities , and assuming that every click in the detectors is due to the arrival of one or more photons. By naming the event in which one or more photons arrive at detector and no other photon arrives at any other detector, we can formally express the computed quantities as:
[TABLE]
For the setup presented in Sec. 1 and the channel model described at the beginning of this Section, the explicit expressions of (2.33), (2.34) and (2.35) are given in (2.24), (2.30) and (2.32), respectively.
We now assume that every detector is characterized by a probability of clicking conditioned on no photon arriving. We also define to be the event in which only detector clicks and to be the event in which no photon arrives at any detector. Then, the error rates and and the probability that enter the key rate formula and that model the corresponding observed quantities read as follows:
[TABLE]
where , and are defined in (2.33), (2.34) and (2.35), respectively, while the probabilities related to the arrival of no photon read:
[TABLE]
The probabilities (2.39), (2.40) and (2.41) are obtained by following similar steps to those presented in this Section and that led to the final expressions for , and , respectively. The starting point in this case is the conditional state of the qubits when no photon arrived at any detector:
[TABLE]
Appendix C Optimized conference key agreement
Although we have shown in Sec. 4 that a truly multipartite QKD scheme can outperform the iterative use of any bipartite QKD scheme in the direct-transmission scenario (i.e. the central node is removed), this does not necessarily hold when one has at hand the CKA experimental setup and uses it to perform bipartite QKD protocols. In other words, it might be possible to outperform the multipartite CKA by iteratively executing its bipartite version (fix in Eq. 3.4) between one selected party and all the other users, and then using the established secret keys to encode the final conference key via one-time pad encryption. In this case the asymptotic conference key rate would be according to the reasoning given at the beginning of Sec. 4, where is given in (3.4). More generally, it might be advantageous to group the parties in subsets of equal cardinality, let them perform the CKA within the subset, and then use the secret keys established in each subset to encode the conference key. Since one selected party must belong to every subset in order to distribute the final conference key to the others in a secure way, there are subsets of users each. In this case the asymptotic conference key rate would read: . In order to investigate which of these configurations yields the highest asymptotic conference key rate, we optimize the rate with respect to the possible subdivisions of the parties in groups of equal cardinality (i.e. we maximize it with respect to all the divisors of ):
[TABLE]
which includes the cases where the parties are iteratively performing bipartite protocols () and where the parties are performing the CKA all at once like in figure 2 ().
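The grouping and one-time-pad step described above, as an added Python example (not code from the paper). The subset keys are random stand-ins for CKA outputs, the party labels and rate tables are constructed, and dividing the per-subset rate by the number of subsets is an assumption, since the rate expression itself is not reproduced on this page.

```python
import secrets

def valid_subset_sizes(n_parties):
    """Subset sizes k for which the n_parties - 1 non-hub users split into
    equal groups of k - 1 (the hub party joins every group)."""
    others = n_parties - 1
    return [d + 1 for d in range(1, others + 1) if others % d == 0]

def make_subsets(parties, k):
    """parties[0] is the hub; the rest are partitioned into groups of k - 1."""
    hub, others = parties[0], parties[1:]
    if k < 2 or len(others) % (k - 1) != 0:
        raise ValueError("k - 1 must divide the number of non-hub parties")
    return [[hub] + others[i:i + k - 1] for i in range(0, len(others), k - 1)]

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("one-time pad needs a key as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))

def distribute_conference_key(parties, k, key_len=16):
    """Hub picks the conference key and one-time-pads it under each subset key."""
    subsets = make_subsets(parties, k)
    # Stand-in for the quantum part: in the protocol each subset key would be
    # the output of a k-party CKA run; here it is just fresh random bytes.
    subset_keys = [secrets.token_bytes(key_len) for _ in subsets]
    conference_key = secrets.token_bytes(key_len)
    # One ciphertext per subset; each subset key is consumed exactly once.
    ciphertexts = [xor(conference_key, sk) for sk in subset_keys]
    recovered = {parties[0]: conference_key}
    for members, sk, ct in zip(subsets, subset_keys, ciphertexts):
        for party in members[1:]:
            recovered[party] = xor(ct, sk)
    return conference_key, recovered

def optimized_rate(n_parties, rate_of_k):
    """Best (k, rate) over all valid groupings. Assumption: every subset needs
    its own rounds, so the per-subset rate is divided by the subset count."""
    best = None
    for k in valid_subset_sizes(n_parties):
        n_subsets = (n_parties - 1) // (k - 1)
        rate = rate_of_k[k] / n_subsets
        if best is None or rate > best[1]:
            best = (k, rate)
    return best

# Constructed per-subset rates (not values from the paper) for five parties.
LOW_LOSS = {2: 0.04, 3: 0.05, 5: 0.06}
HIGH_LOSS = {2: 0.004, 3: 0.001, 5: 0.0}

if __name__ == "__main__":
    names = ["hub", "u1", "u2", "u3", "u4"]  # hypothetical party labels
    key, got = distribute_conference_key(names, 3)
    print(all(v == key for v in got.values()), optimized_rate(5, LOW_LOSS))
```

With the constructed tables, the all-at-once grouping wins when the per-subset rates are comparable, and the bipartite grouping wins once the larger subsets' rates collapse, which mirrors the qualitative behaviour discussed for low and high loss.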
In 4(a) we plot the optimized conference key rate for parties (Eq. 3.1, solid lines) as a function of the loss in each quantum channel, for different fixed values of the parameter and a fixed number of input (output) ports of the beam splitter: . We also plot the direct transmission bound (4.1) for the same number of parties. The corresponding optimal number of parties within each subset depends on the loss and on the value of , and it is given in 4(b).
From 4(a) we observe that the resulting key rate, although not optimized over the parameter , is similar to the key rate in figure 2 for most losses, since we fixed to values close to the optimal ones. Furthermore, it performs better than the standard CKA with five parties in the high-loss region. Indeed, as already explained in figure 2, the effect of dark counts becomes greater when more parties are performing the CKA at the same time. Thus, allowing for a lower number of parties within each subset increases the maximum tolerated loss.
In 4(b) we observe that at low losses it is optimal for the five parties to perform a truly multipartite scheme rather than iteratively performing bipartite protocols. The reason is that in the ideal scenario of extremely low losses () and close to 1, there is only one party successfully sending one photon to the central node to be detected. In this case the post-selected state shared by the parties is the -class state used for establishing the secret key. Of course, this event is more likely to happen when more parties are involved, thus a multipartite scheme is advantageous with respect to an iteration of bipartite schemes. One can also see this analytically, by showing that the asymptotic rate (3.4) of the CKA performed by parties all at once can be approximated as follows (when the above assumptions hold):
[TABLE]
while the rate achieved by subdividing the task in bipartite schemes is:
[TABLE]
By numerically comparing (3.2) with (3.3) for sufficiently high values of , one notices that the former results in a higher key rate. When the value of decreases, the probability that two or more parties send their photon to the central node increases, reducing the key rate. Since such events are more likely when more parties are involved, the iterative execution of bipartite schemes is favored. Similarly, increasing the loss transforms the same events (which are more likely with more parties) from neglected events (if they cause double clicks) to harmful events (when some photons get lost in the transmission), thus favoring the iteration of schemes with a low number of parties.
References
- [1] N. Gisin and R. Thew. Nat. Photon. 1, 165–171 (2007).
- [2] H. J. Kimble. Nature 453, 1023 (2008).
- [3] C. H. Bennett and G. Brassard. Proc. IEEE Int. Conf. on Computers, Systems and Signal Processing, pp 175–9 (1984).
- [4] A. K. Ekert. Phys. Rev. Lett. 67, 661 (1991).
- [5] V. Scarani, H. Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev. Rev. Mod. Phys. 81, 1301 (2009).
- [6] H.-K. Lo, M. Curty, and K. Tamaki. Nat. Photon. 8, 595–604 (2014).
- [7] E. Diamanti, H.-K. Lo, B. Qi and Z. Yuan. npj Quantum Inf. 2, 16025 (2016).
- [8] S. Pirandola et al. preprint arXiv:1906.01645.
- [9] H.-K. Lo, M. Curty, and B. Qi. Phys. Rev. Lett. 108, 130503 (2012).
- [10] S. Abruzzo, H. Kampermann, and D. Bruß. Phys. Rev. A 89, 012301 (2014).
- [11] C. Panayi, M. Razavi, X. Ma, and N. Lütkenhaus. New J. Phys. 16, 043005 (2014).
- [12] K. Azuma, K. Tamaki, and W. J. Munro. Nat. Comm. 6, 10171 (2015).
- [13] U. Vazirani and T. Vidick. Phys. Rev. Lett. 113, 140501 (2014).
- [14] R. A. Friedman, F. Dupuis, O. Fawzi, R. Renner, and T. Vidick. Nat. Commun. 9, 459 (2018).
- [15] H.-L. Yin et al. Phys. Rev. Lett. 117, 190501 (2016).
- [16] A. Boaron et al. Phys. Rev. Lett. 121, 190502 (2018).
- [17] S.-K. Liao et al. Nature 549, 43 (2017).
- [18] H. Takenaka et al. Nat. Photon. 11, 502 (2017).
- [19] M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields. Nature 557, 400 (2018).
- [20] K. Tamaki, H.-K. Lo, W. Wang, and M. Lucamarini. preprint arXiv:1805.05511.
- [21] X. Ma, P. Zeng, and H. Zhou. Phys. Rev. X 8, 031043 (2018).
- [22] C. Cui et al. Phys. Rev. Appl. 11, 034053 (2019).
- [23] J. Lin and N. Lütkenhaus. Phys. Rev. A 98, 042332 (2018).
- [24] M. Curty, K. Azuma, and H.-K. Lo. npj Quantum Information 5, 64 (2019).
- [25] X.-Y. Zhou, C.-H. Zhang, C.-M. Zhang, and Q. Wang. Phys. Rev. A 99, 062316 (2019).
- [26] F. Grasselli and M. Curty. New J. Phys. 21, 073001 (2019).
- [27] F. Grasselli, A. Navarrete, and M. Curty. preprint arXiv:1907.05256.
- [28] Y. Liu et al. preprint arXiv:1902.06268.
- [29] M. Minder, M. Pittaluga, G. L. Roberts, M. Lucamarini, J. F. Dynes, Z. L. Yuan, and A. J. Shields. Nat. Photon. 13, 334-338 (2019).
- [30] X. Zhong, J. Hu, M. Curty, L. Qian and H.-K. Lo. preprint arXiv:1902.10209.
- [31] S. Wang et al. Phys. Rev. X 9, 021046 (2019).
- [32] M. Takeoka, S. Guha, and M. M. Wilde. Nat. Comm. 5, 5235 (2014).
- [33] S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi. Nat. Comm. 8, 15043 (2017).
- [34] M. Epping, H. Kampermann, C. Macchiavello, and D. Bruß. New J. Phys. 19, 093012 (2017).
- [35] J. Ribeiro, G. Murta, and S. Wehner. Phys. Rev. A 97, 022307 (2018).
- [36] F. Grasselli, H. Kampermann, and D. Bruß. New J. Phys. 20, 113014 (2018).
- [37] Y. Jo and W. Son. OSA Continuum 2, 814-826 (2019).
- [38] C. Ottaviani, C. Lupo, R. Laurenza, and S. Pirandola. preprint arXiv:1709.06988.
- [39] R. Augusiak and P. Horodecki. Phys. Rev. A 80, 042307 (2009).
- [40] S. Bäuml and K. Azuma. Quantum Sci. Technol. 2, 024004 (2017).
- [41] W. Dür, G. Vidal, and J. I. Cirac. Phys. Rev. A 62, 062314 (2000).
- [42] M. Żukowski, A. Zeilinger, and M. A. Horne. Phys. Rev. A 55, 2564 (1997).
- [43] Y. L. Lim and A. Beige. Phys. Rev. A 71, 062311 (2005).
- [44] A. Peruzzo, A. Laing, A. Politi, T. Rudolph, and J. L. O’Brien. Nat. Comm. 2, 224 (2011).
- [45] N. Spagnolo et al. Nat. Comm. 4, 1606 (2013).
- [46] W. R. Clements et al. Optica 3, 1460-1465 (2016).
- [47] G. N. M. Tabia. Phys. Rev. A 86, 062107 (2012).
- [48] H. Bernien et al. Nature 497, 86–90 (2013).
- [49] F. Rozpedek et al. Phys. Rev. A 99, 052330 (2019).
- [50] M. H. Abobeih, J. Cramer, M. A. Bakker, N. Kalb, M. Markham, D. J. Twitchen, and T. H. Taminiau. Nat. Comm. 9, 2552 (2018).
- [51] V. Scarani and R. Renner. Phys. Rev. Lett. 100, 200501 (2008).
- [52] L. Sheridan, T. P. Le, and V. Scarani. New J. Phys. 12, 123019 (2010).
- [53] M. Tomamichel, C. Lim, N. Gisin, and R. Renner. Nat. Comm. 3, 634 (2012).
- [54] M. Curty, F. Xu, W. Cui, C. Lim, K. Tamaki, and H.-K. Lo. Nat. Comm. 5, 3732 (2014).
- [55] H.-L. Yin and Z.-B. Chen. preprint arXiv:1903.09093.
- [56] F.-Y. Lu et al. preprint arXiv:1901.04264.
- [57] M. Tomamichel and R. Renner. Phys. Rev. Lett. 106, 110506 (2011).
