Deterministic Quantum Key Distribution with Untrusted Relay and Finite Sources

Here, we first emphasize and list the assumptions on which the security of this protocol is based.

• First, the sources are security, i.e., the preparation basis of |φⁱ〉 is not leaked to Eve before step 3, or in other words, the bit string b is unknown to Eve before step 3. Pre-shared entanglement between |φⁱ〉 and Eve’s ancilla |ε〉_E is also excluded.

• Second, Alice’s bit string a is not leaked to Eve. Alice has free will to choose the encoding and the control operators randomly.

• Third, Eve can access quantum memory devices that have for arbitrary long coherence time.

Based on the above assumptions, we can infer that the security basis of this protocol is founded on two key points. First, Eve cannot distinguish between the qubits that pass through the EM and the ones that pass through the CM until Alice’s announcements in step 4. Second, the density matrix of ρBi\rho _B^i is invariant under Alice’s operations in the EM (CM), ρAB∣EM(CM)i=ρBi=I2\rho _{AB\mid EM(CM)}^i = \rho _B^i = {I \over 2}. Thus, in the view of Eve, the evolution of ρiB\rho _i^B has nothing to do with Bob’s preparation bases. Then, three conclusions can be drawn in the following.

• Eve cannot get any information about the encoding bits a_k from the measurement results E_k : a_k ⊕ b_k.

• In the view of Eve, this protocol is equivalent to the one in which Alice randomly uses four operations {I, iY, Z, X} for encoding. Thus, due to the CM, Eve will inevitably introduce QBER if she tries to get the information of a_k via attacks.

We first consider the ideas of the so-called zero-error attacks [24,25]. Suppose that, in the i-th round, Eve emits a fake state |φEi〉\left| {\varphi _E^i} \right\rangle , randomly in the bases {Z, X}, to Alice and then tries to extract Alice’s encoding bits ak by measuring |φEak〉\left| {\varphi _E^{{a_k}}} \right\rangle in the UR after passing |φ_E〉. through the EM(CM)(|φ_E〉 is transformed to be|φEak〉 )\left. {\left| {\varphi _E^{{a_k}}} \right\rangle } \right). Through this attack, on the one hand, Eve can get all the information of a_k after Alice announces the index i of each EM(CM) round. On the other hand, Eve will inevitably introduce errors when she reports, honestly or dishonestly, the measurement results E_k to Bob for EC and PA. Eve faces two folds in each round as she has a 1/2 probability of misguessing Bob’s preparation basis: if Alice chooses the CM, the error rate of the measurement result is Q_CM; If Eve, to escape from being detected by the CM, tampers with a measurement result (i.e.,1 → 0) with a probability p_t(0 ≤ p_t ≤ 1) and reports it to Bob, it will cause errors if Alice had chosen the EM in this round, the error rate is denoted as Q_EM. It is easy to figure out that Q_EM = 0.5 • p_t • (1 – P_CM) and Q_CM = 0.25 • (1 – p_t) • P_CM. By the above attacks (individual attacks), Eve can get all of ak at the cost of introducing the maximum noise, QCMmax=0.25•PCMQ_{CM}^{\max } = 0.25 \bullet {P_{CM}}. For specific, in this protocol, we set P_CM = 0.25, thus QCMmax=6.25%(QEM=0)Q_{CM}^{\max } = 6.25\% \left( {{Q_{EM}} = 0} \right) which can be easily detected by Alice and Bob. Of course, theoretically speaking, P_CM can be arbitrarily chosen within the interval (0, 1) by legitimate parties, i.e., set P_CM = 0.125 and so on. The only difference is that increasing the value of P_CM increases security of the protocol, but at the expense of the encoding rate. It is proper to choose PCM = 0.25, which guarantees both security (typically, the error rate of information transfer on a standard optical fiber with length 120∼400km is below 5%) and a relatively high encoding rate of this UR-DQKD. Therefore, Eve should balance her strategy to keep Q_CM = Q_EM, while Alice and Bob can fight against this kind of attack by setting the noise threshold, Q_CM = Q_EM = Q_max ≈ 5.4%. Then the security of this protocol can be well captured by considering collective attacks.

Now we consider the security bound for this protocol under the general collective attacks [26]. Eve performs the attacks 𝒰⌢E{_E} on each ρBi\rho _B^i and her initial ancilla |ε〉_E, then, after Alice’s encoding operation O⌢ak={ Iak=0,iϒak=1 }{_{{a_k}}} = \left\{ {{I^{{a_k} = 0}},i{Y^{{a_k} = 1}}} \right\}, she extracts a_k at any time from the entire quantum system ρABE|O^ak=∑akO⌢ak{ 𝒰⌢E(ρBk⊗|ε〉E〈ε|)𝒰⌢E† }O⌢ak†(ak=0,1){\rho ^{ABE\left| {{{\hat O}_{{a_k}}}} \right.}} = \sum\nolimits_{{a_k}} {{{}_{{a_k}}}} \left\{ {{{}_E}\left( {\rho _B^k \otimes |\varepsilon {\rangle _E}\langle \varepsilon |} \right)_E^\dag } \right\}\;_{{a_k}}^\dag \left( {{a_k} = 0,\;1} \right) after completing the decoding measurement in the UR (She can randomly report the measurement results to Bob at the premise of maintaining the balance Q_CM = Q_EM = Q_max ≈ 5.4%). The maximum amount of information that Eve can get from ρABE|O⌢ak{\rho ^{ABE\left| {{{}_{{a_k}}}} \right.}} is I_E = h(Q_EM) in a depolarizing quantum channel (QC) (we emphasize that the depolarizing quantum channel can characterize the noise of most of the current optical quantum hardware in practice), where h(x) (the binary Shannon entropy) is given by h(x) = –x log₂ x – (1 – x) log₂ (1 – x). Under ideal settings (perfect single-photon sources, no channel losses, and perfect photon-detector efficiency), the key rate of this protocol is given by (details of the rigorous security proof are presented in Appendix A). 1K=1−2h(QEM),K = 1 - 2h\left( {{Q_{EM}}} \right),

It reveals that the quantum channel noise in this protocol constrains Eve’s ability to steal the maximum amount of information.

Here we argue that, in this protocol, Eve can not obtain more information by performing the general coherent attack mentioned in the LM05 protocol [15] than the one via the above general collective attack. In the coherent attack, in each round, Eve performs the first unitary attack 𝒰⌢1{_1} on |φⁱ〉 with one of her ancillas |ε〉_E and stores the resulting ancillas |ε_X〉_E after the first attack. Then, after passing |φⁱ〉 through the EM(CM), Eve performs the second unitary attack 𝒰⌢2 on |φaii〉{_2}{\rm{ on }}\left| {\varphi _{{a_i}}^i} \right\rangle with her fresh ancilla |η〉_E and stores the resulting ancillary states |η_ϒ〉_E. Of course, the second attack includes the resulting state of the first ancilla, where X and Y denote, respectively, the indices of her ancillary nonorthogonal vectors (i.e., X = 00,01,10,11, ϒ = 000000,000001,…,111111). This attack aims to create coherence between |ε_X〉_E and |η_ϒ〉_E thus creating coherence between |φⁱ〉 and |φaki〉\left| {\varphi _{{a_k}}^i} \right\rangle . Eve takes advantage of the coherence to make an optimal guess of a_k by measuring |ε_XE, |η_ϒ〉_E and |φaki〉\left| {\varphi _{{a_k}}^i} \right\rangle after step 3. From equation (14) in Ref. [15], we can figure out that the QBER Eve can introduce is Q_EM = 1/2 – 1/8(1 + cosx)². Setting x = x′ in equation (13) of Ref. [15], we can obtain the upper bound of I_AE = 1 – h [(1 + sinx)/2], where cos x = 〉ε₀₀|ε₁₁〉 specifies the angle between ε₀₀ and ε₁₁ (two normalized and nonorthogonal vectors of Eve’s first ancilla). Then finally, we can obtain the upper bound of IAE=1−h(1+1−4(ζ−1/2)22){I_{AE}} = 1 - h\left( {{{1 + \sqrt {1 - 4{{(\zeta - 1/2)}^2}} } \over 2}} \right) under the coherent attack, where ζ=1−2QCM\zeta = \sqrt {1 - 2{Q_{CM}}} . It takes the maximum(I_AE ≈ 0.54) at the cost of introducing the maximum noise (Q_EM ≈ 18%) under the coherent attack (ensuring the key rate K = 0). While in this protocol, I_E takes its maximum (I_E ≈ 0.5) at Q_EM ≈ 11.4% under the collective attack (ensuring the key rate K = 0). Note that Alice breaks the coherence in the CM (Alice randomly performs the Pauli Z operator or the Pauli X operator in the CM), thus, the maximum Q_CM that Eve can introduce is equal for any coherent and incoherent attack. With the noise threshold Q_CM = Q_EM = Q_max ≈ 5.4%, the upper bound of I_AE = 0.157 under the general coherent attack, while I_E = h(Q_CM) = 0.303 under the general collective attack. It indicates that, in this protocol, the general coherent attack is not the optimal one for Eve as the CM breaks the coherence between |φⁱ〉 and|φaki〉\left| {\varphi _{{a_k}}^i} \right\rangle .

In this section, we derive the performance formula for this protocol, close to the real-world QKD system. We first present the reasonable models of the devices for this protocol, based on current technology.

We assume that Bob uses single photons as the source (SPS). In each round, Bob successfully emits a singlephoton state to the quantum channel with probability P₁ (efficiency of single-photon state collection) or a vacuum state due to random losses with the probability P₀, P₁ + P₀ = 1. Note that high-performance single-photon sources (SPS) have made significant progress in recent QKD experiments and P₁ can be over 99% in practice [27]. Here we set P₁ = 90%.

The quantum channel (optical fiber) transmittance t_AB can be expressed as tAB=10−βLAB10{t_{AB}} = {10^{ - {{\beta {L_{AB}}} \over {10}}}} where, β is the decay coefficient of the fiber between Alice and Bob, and L_AB is the length of the fiber.

We consider a threshold photon detector in the UR that cannot resolve the photon number of each photon pulse, but can only distinguish a vacuum pulse from a non-vacuum pulse.

Then, the total efficiency of the QKD system is η = t_ABη_AB, where η_AB = t_At_Bη_E denotes the total transmittance of the devices in Alice and Bob’s sides (t_At_B) and the UR (η_E). Here, the efficiency of the photon delay on Alice’s side, which can be nearly unity with today’s technology, is merged into the UR.

From the above models, the performance formula for this protocol can be written as 2Kfinite ≥PEM•g{ ϒ1[ 1−h(e1) ]−fECh(eg) },{K_{{\rm{finite }}}} \ge {P_{EM}} \bullet g\left\{ {{Y_1}\left[ {1 - h\left( {{e_1}} \right)} \right] - {f_{EC}}h\left( {{e_g}} \right)} \right\},

Details of each term in Equation (2) are listed below.

• The factor P_EM is the probability of implementing the EM, and g is the total gain in the UR from Bob’s SPS.

• ϒ₁ is defined as the yield of a single-photon pulse, i.e., the condition probability of a detection event in the UR given that Bob sends out a single-photon pulse. Note that ϒ₀ (typically 10⁻⁵ ~ 10 ⁻⁶) is the background detection rate that is independent of the SPS detection.

• e₁ and e_g are, respectively, the error rate of single-photon pulses and the overall QBER. f_EC ≥ 1 is the directional error correction efficiency.

Usually, g and e_g can be obtained directly from experiments, while the parameters ϒ₁ and e₁ must be estimated tightly. Here, we give the theoretically expected bound of each term in Equation (2) to get the bound of K_finite.

The total gain g is given by 3g=∑i=0i=1ϒiPi=ϒ0P0+ϒ1P1.g = \sum\limits_{i = 0}^{i = 1} {{Y_i}} {P_i} = {Y_0}{P_0} + {Y_1}{P_1}.

The total QBER is given by 4eg•g=∑i=01eiϒiPi=e0ϒ0P0+QEMϒ1P1,{e_g} \bullet g = \sum\limits_{i = 0}^1 {{e_i}} {Y_i}{P_i} = {e_0}{Y_0}{P_0} + {Q_{EM}}{Y_1}{P_1}, where, Q_EM in Equation (4) is the QBER induced by optical devices, thus attributed to Eve. In a depolarizing quantum channel with high visibility, Q_EM typically is 1%~5%. e₀ in Equation (4) denotes the error rate of the random background, and is reasonably set to be 0.5.

Based on the assumption presented in [28], in the finite sources scenario, the lower bound of ϒ₁ in this protocol can be written as 5ϒ1L=ϒ0+(1−ϒ0)η−δϒ1/g,Y_1^L = {Y_0} + \left( {1 - {Y_0}} \right)\eta - {\delta _{Y1}}/g, where δ_ϒ1 denotes the statistic fluctuation of the single-photon gain.

The upper bound of e₁ is given by 6e1𝒰=eg+δeϒ1L,e_1^u = {{{e_g} + {\delta _e}} \over {Y_1^L}}, where δ_e is the statistic fluctuation of e_g in a finite source scenario.

According to the law of large numbers and the finite sources theorem [29–31], δ_ϒ1 and δ_e are, respectively, given by 7δϒ1=2ln(1/εPE)+4ln(N+1)4N,{\delta _{{Y_1}}} = \sqrt {{{2\ln \left( {1/{\varepsilon _{PE}}} \right) + 4\ln (N + 1)} \over {4N}}} , 8δe=2ln(1/εPE)+4ln(N•PEM+1)4N•PEM.{\delta _e} = \sqrt {{{2\ln \left( {1/{\varepsilon _{PE}}} \right) + 4\ln \left( {N \bullet {P_{EM}} + 1} \right)} \over {4N \bullet {P_{EM}}}}} .

Note, ϒ₁ should be tightly estimated over all N pulses, while δ_e should be tightly estimated only over the pulses from the EM, and this protocol has four outcomes of the positive operator-valued measurement, POVM, in the UR). Then, with the above Equations (3)–(8), we can calculate the lower bound of K_finite. Simulation results of Equation (2) are presented in Figure 2 with the parameters of today’s QKD technology, as listed in Table 1.

Figure 2.

As a function of the transmission distance L_AB between Alice and Bob. We simulate the lower bounds of the finite-key-rate K_finite in three cases: (N =10⁸) green-solid-line, (N =10¹⁰) blue-solid-line, and (N = 10¹²) red-solid-line, Q_EM = 1.5%, η_E = 14.5%; (N = 10⁸) green-dash-dotted-line, (N = 10¹⁰) blue-dash-dotted-line, and (N = 10¹²) red-dash-dotted-line, Q_EM = 5%, η_E = 14.5%.

Figure 2 shows that: the finite lengths of sources have significant effects on the limit transmission distance; with Q_EM = 1.5%, N ≥ 10⁸, cut off those key rates below 10⁻⁸, the performance is over 248km∽10⁻⁸ bits/pulse, and the limit transmission distance can be extended over 320 km with N ≥ 10¹²; even with Q_EM = 5%, much higher than the current value in practice, the performance is over 143km∽10⁻⁸ bits/pulse, and the limit transmission distance can be extended over 180 km with N ≥ 10¹².

Figure 3 shows that: the UR-DQKD doubles the performance of the current DQKD, and the effect of the finite lengths of sources is negligible when N is large enough, i.e., N ≥ 10¹⁶; brief comparison with the performance of the MDI-QKD, i.e., the dashed line in Figure 3 in Ref. [32], the key rate and the limit transmission distance of this protocol perform better than that of the MDI-QKD. All critical parameters for comparison are the same as those in Table 1 (Q_EM = 1.5%, ϒ₀ = 8 × 10⁻⁸, η_E = 14.5%, f_EC = 1.15, and β = 0.2) except for the sources: infinite decoy states of coherent pulses in the MDI-QKD, finite SPS based on the recent experiment progress in this protocol. Theoretically speaking, for the MDI-QKD with infinite decoy states, besides the signal coherent pulses with intensity μ_Alice = μ_Bob = μ, Alice and Bob send infinite faint coherent pulses with intensities v_i(v_i ∈ {v₁, ν₂, …, v_m}, m → ∞, and v_i < μ) to the UR to tightly estimate the gain Y₁₁ and the error rate e₁₁ of the key rate equation (B31) in Ref. [32], which makes the key rate of the MDI-QKD with infinite coherent pulses asymptotic to that of the MDI-QKD with infinite single photons. Note that the optimal μ, approximately 0.2∽0.6, slightly varies with the transmission distance L_AB and is numerically optimized in Figure 3. Therefore, under the above conditions, it is justified to make a performance comparison between the infinite decoy states MDI-QKD and this UR-DQKD with finite SPS.

Figure 3.

As a function of the transmission distance L_AB between Alice and Bob. We take a brief comparison of the performance of the UR-DQKD with that of the current DQKD such as the LM05 [15] and the MDIQKD [32].