Akihiro MizutaniFaculty of Engineering, University of Toyama, Gof*cku 3190, Toyama 930-8555, JapanMasanori Terash*taFaculty of Engineering, University of Toyama, Gof*cku 3190, Toyama 930-8555, JapanJunya MatsubayashiFaculty of Engineering, University of Toyama, Gof*cku 3190, Toyama 930-8555, JapanShogo MoriFaculty of Engineering, University of Toyama, Gof*cku 3190, Toyama 930-8555, JapanIbuki MatsukuraFaculty of Engineering, University of Toyama, Gof*cku 3190, Toyama 930-8555, JapanSuzuna TagawaFaculty of Engineering, University of Toyama, Gof*cku 3190, Toyama 930-8555, JapanKiyoshi TamakiFaculty of Engineering, University of Toyama, Gof*cku 3190, Toyama 930-8555, Japan
Abstract
Differential-phase-shift (DPS) quantum key distribution stands as a promising protocol due to its simpleimplementation, which can be realized with a train of coherent pulses and a passive measurement unit.Besides, this protocol has the advantage of being robust against imperfections in the light source.Unfortunately,however, as for the measurement unit, existing security proofs put unrealistic assumptions on it, which could be securityloopholes in actual implementations.In this paper, we enhance the implementation security of the DPS protocol by incorporating a major imperfectionin the measurement unit.Specifically, our proof enables us to employ practical beam splitters with a known range of the transmittance rather than the one with exactly 50%, as was assumed in the existing security proofs.Our numerical simulations demonstrate that even with fluctuations of in the transmittance from the ideal value,the key rate degrades only by a factor of 0.57.This result highlights the feasibility of the DPS protocol with practical measurement setups.
I introduction
Quantum key distribution (QKD)tamaki2014 enables distant parties to achieve information-theoretically secure communication.Among major QKD protocolsekert91 ; bennett92 ; brub98 ; sarg ; cow ; continuous ; inoue2002 ,the differential-phase-shift (DPS) QKD protocolinoue2002 has a feature with its simple implementation, involvinga train of coherent pulses from a laser source and a passive measurement unit.Due to its simplicity, several experiments were conducted in Refs.ex00 ; ex0 ; ex1 ; tokyoqkd ,including field demonstration in the Tokyo QKD networktokyoqkd .On the other hand, contrary to the simplicity in the experiments, the security proof of this protocol was a challenging problem; the difficulty arises from the fact that the secret key is extracted from the relative phases of adjacent pulses and all the pulses are interconnected, leading to the necessity of considering a large Hilbert space.
To overcome this difficulty,previous information-theoretic security proofsdps2009 ; dps2012 ; dps2017 ; dps2019 ; dps2020 ; dps2023 ; dps2024 introduced blocks comprising several emitted pulses and considered extracting at most one-bit secret key from each block.This is also the case for DPS type protocols111Note that the DPS protocol is categorized as distributed-phase-reference QKD, and another prominent protocol is the coherent-one-way (COW) protocolcow1 ; cow2 ; cow3 ; cow4 ; cow5 .,such as the round-robin DPS protocolrrdps ; rrdpsmi ; rrdpsex ; rrdpssa ; akgo ; rrdpsnatp ; rrdpsnatc ,the small-number-random DPS protocolhatake2017 and the differential quadrature phase shift protocoldqps .In particular, Ref.dps2020 provides a security proof under the most relaxed assumptions for the sourcedevice, revealing that as long as the source emits identical and independent states,the security of the DPS protocol can be guaranteed.Interestingly,this work does not assume exact knowledge about the emitted states; the amount of privacy amplification can bedetermined according to statistics that Alice obtains from the source characterization experiment in which she measuresthe photon number distribution up to three photons.Althoughthe assumptions on the source devices in the DPS protocol were relaxed so far,all the existing security proofsdps2009 ; dps2012 ; dps2017 ; dps2019 ; dps2020 ; dps2023 ; dps2024 ; endo22 ; arxivsand made ideal assumptions on Bob’s measurement unit; the transmittance of the beam splitters (BSs) inside Bob’sMach-Zehnder interferometer is assumed to be exactly 50%. Unfortunately, however, such an assumption is demanding because it is almost unfeasible to manufacture the perfect BS in practice.To implement the DPS protocol in the real world, it is crucial to establish security proofs that take into account imperfections in the measurement device.
In this paper, we relax this demanding assumption to employ a more feasible BS in which the transmittance surely lies within a certain range. Based on this more experimentally friendly assumption, we provide an information-theoretic security proof of the DPS protocol.We also numerically simulate the resulting key rate (see Fig.4),and it demonstrates that even under practical fluctuations 0.5% and 1% inthe transmittance from the ideal value,the respective key rates are found to degrade only by a factor of 0.57 and 0.27.This result shows that the key rate does not degrade drasticallyeven under practical fluctuations in the transmittance of the BSs,which suggests the feasibility of the DPS protocol with realistic measurement setups.
The rest of the paper is organized as follows.First, in Sec.II, we explain the DPS protocol including the assumptions on users’ devices. Next, in Sec.III we prove the security of our DPS protocolbased on complementaritykoashi2009 . After that, in Sec.IVwe present our simulation results of the DPS protocol and compare the key ratesassuming different ranges of the transmittance: 50%0%, 50%0.5%, and 50%1%.Finally, we summarize the paper in Sec.V.
II DPS QKD with practical Mach-Zehnder interferometer
In this section, we explain our assumptions on Alice and Bob’s devices and describe our DPS protocol.
II.1 Assumptions on devices
For Alice’s source device, we assume the following conditions.
(A1)
For each pulse emission, Alice uniformly and randomly chooses bit , and according to the chosen bit,she prepares state of system . We call consecutive three emitted pulses block, and the state of a single block is written as
(1)
with and .We suppose that bit information is only encoded to the th emitted pulse, and Eve cannot access to system that purifies state. denotes the purified state of .
(A2)
The probabilities of the th emitted pulse being the vacuum state are independent of the chosen bit, namely,
(2)
Here, denotes the vacuum state.
(A3)
We assume that the probability of any block emitting photons is upper-bounded by for , i.e.,
As for Bob’s measurement unit, we assume the following conditions.
(B1)
Bob employs two photon-number-resolving (PNR) detectors and that discriminate between the vacuum, a single photon, and two or more photons of a specific single optical mode.The detection inefficiency is modeled as a beam splitter (BS) followed by an ideal detector with a unit quantum efficiency.The quantum efficiencies are identical for both PNR detectors and are denoted by .Moreover, we assume that the dark counting of the detector is simulated by a stray photon source positionedin front of Bob’s measurement unit.
(B2)
Let and be transmittance of two BSs in the Mach-Zehnder interferometerwith respect to the single optical mode detected by the detectors.For later convenience, a BS with transmittance is denoted by -BS.The transmittance of the BSs is assumed to be constant during the execution of the QKD protocol.Alice and Bob do not know the exact transmittance but its ranges:
Here, we describe the procedures of our DPS protocol (see Fig.1).Our protocol is identical to the previous worksdps2019 ; dps2020 ; dps2023 with the only difference being the transmittance of the beam splitters (BSs) inside Bob’s measurement unit.
1.
Alice and Bob respectively execute the following steps (a) and (b) times.
(a)
Alice uniformly and randomly chooses three bits , and according to the chosen bits,she sends state of a single block to Bob via a quantum channel.
(b)
Bob splits the incoming three pulses into two pulse trains using the first BS (BS1).The th pulse with passing through the lower and upper arms of the Mach-Zehnder interferometerare labeled by and , respectively.The pulse pairs and , and and interfere at the second BS (BS2).We define the time slots of detection of the first and second pulse pairs as TS1 and TS2, respectively.We define a “detection event” as the one in which Bob detects one photon in total in TS1 and TS2.The detectionevent at TS (with ) determines the raw key bit depending on which of the two detectors clicks.
2.
Bob defines the set of detection events with length, the set of time slots at which Bob obtained the detection event,i.e., , and the raw key bits .Here, and () respectively denote the values of and of the th detection event.Within the detection events,Bob randomly assigns each detection event to a code event with probability or a sample event with probability (where ).Then, he obtains the code set with length ,the sample set with length ,his sifted key , and the sample bit sequence.
3.
Bob announces , and via an authenticated public channel.
4.
Alice obtains her sifted key and the sample bit sequence .
5.
Alice estimates the bit error rate in the code events from the bit error rate in the sample events, selects a bit error correction code, and sends the syndrome information of her sifted key to Bob by consuming pre-shared secret keyof length .
6.
Alice and Bob execute privacy amplification to respectively shorten and by to obtain their final keys of length .
After the execution of the protocol, the net length of the increased secret key is given by
(6)
For later use, we define the following parameters
(7)
where wt represents the weight, i.e., the number of ones in the bit sequence .
III security proof
In this section, we present the security proof of our DPS protocol. In Sec.III.1,we introduce virtual procedures conducted by Alice and Bob.When evaluating the security of the sifted key based on complementaritykoashi2009 ,we are interested in how accurately Alice can predict the outcome of the measurement that is complementary to the one for obtaining the sifted key, and the virtual protocol is useful to consider this scenario.As the parameter to quantify the accuracy of the prediction, we employ the phase error rate,which determines the amount of privacy amplification,and those errors are events in which Alice fails to predict the complementary measurement outcomes.In Sec.III.2, we discuss the relationship between the number of phase errors and the amount of privacy amplification performed in the actual protocol.Phase errors cannot be directly observed in the actual protocol, and instead they have to be estimated from the quantities that can be observed in the actual experiment. For this,Sec.III.3 introduces the operators for obtaining bit and phase error events, and thenin Sec.III.4, we derive the upper bound on the number of phase errors using experimentally observed data.
III.1 Alternative procedures for Alice and Bob
In the security proof, it is convenient to consider the virtual protocol in which Alice prepares the following entangled state
Introduction: My name is Terrell Hackett, I am a gleaming, brainy, courageous, helpful, healthy, cooperative, graceful person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.