Experimental composable security decoy-state quantum key distribution using time-phase encoding

Encryption is an important foundation for ensuring information security. With the rapid development of quantum computing technology, current public-key encryption systems will be seriously threatened. Quantum key distribution (QKD) allows two remote users to exchange information-theoretic secure key via the quantum laws. Since the first QKD protocol, BB84, was proposed by Bennett and Brassard in 1984 Bennett and Brassard (IEEE Press, New York, 1984). After nearly 40 years of development, BB84 QKD has become the most practical protocol in quantum information science Liao et al. (2018). By exploiting the weak coherent light to replace the single-photon source, the security and feasibility of BB84 QKD have been widely demonstrated experimentally in fiber Tanaka et al. (2008); Yin et al. (2008); Liu et al. (2010); Lucamarini et al. (2013); Fröhlich et al. (2017); Boaron et al. (2018), free space Schmitt-Manderbach et al. (2007); Liao et al. (2017) and chip integration Ma et al. (2016); Sibson et al. (2017); Bunandar et al. (2018) with the help of decoy-state method Wang (2005); Lo et al. (2005a). To implement the qubit encoding of QKD, one usually has three options: polarization, phase and time-phase. Recent years, the time-phase encoding has received increasing favor in practical system due to two advantages. One is that the reference frame is independent in time basis, which leads a stable and low bit error rate in raw key Yin et al. (2016). The other is the polarization disturbance immunity in both time and phase bases, which can be deployed in complex field environment while polarization coding systems cannot.

The original BB84 protocol and its security proof Shor and Preskill (2000) directly provide the phase error rate via the total bit error rate of two bases, which is based on the symmetry of two bases. There are three conditions of this protocol: basis-independent probability selected by Alice, basis-independent probability selected by Bob and the basis-independent detection efficiency, which results in that only half of the raw data can be used to extract key. In order to satisfy the basis-independent detection efficiency condition, one has to reduce the detection efficiency (including intrinsic loss and efficiency of detector at the receiver) of two bases to be consistent Liao et al. (2018); Tanaka et al. (2008); Yin et al. (2008); Liu et al. (2010); Liao et al. (2017), resulting in the lower key rate.

Although QKD can provide fresh secure key in real-time Liao et al. (2018), the low secret key rate is always the Achilles’ heel if one applies the one-time pad encryption. The key rate can be directly doubled at most through the efficient BB84 scheme Lo et al. (2005b) without any new technique requirement. The efficient BB84 scheme exploits the biased basis choice and removes the basis-independent detection efficiency condition. To further increase the key rate, combining a biased basis choice with the decoy-state method is proposed  Wei et al. (2013); Jiang et al. (2016); Mao et al. (2017) by an additional basis-independent detection efficiency condition that usually cannot be satisfied and brings security loopholes in the practical system. Recently, a four-intensity decoy-state BB84 QKD Yu et al. (2016) uses a subtle fact, the expected yields of single-photon component prepared in two bases are the same for a given measurement basis, to remove basis-independent detection efficiency condition and provide a higher key rate. A proof-of-principle experiment Liu et al. (2019) with polarization encoding has shown tens of times key rate improvement in the case of large basis detection efficiency asymmetry. However, the security and feasibility of this protocol are acquired in the finite data with an assumption that Eve is restricted to particular types of attacks. Unfortunately, such assumptions cannot be guaranteed in reality.

In this work, we provide the rigorous finite-key analysis for four-intensity decoy-state BB84 QKD protocol. The security analysis is based on a combination of entropy uncertainty relation Tomamichel et al. (2012); Lim et al. (2014) and a finite-key security bounds Yin et al. (2020). We exploit the autonomous time-phase encoding system to experimentally realize this protocol and continuously distribute secret keys for two months, where there is a 1.8 dB difference between the efficiency of two bases at the receiver. The real-time extracted secret key rate is more than 60 kbps over 50 km single-mode fiber and can be secure against coherent attacks in the universally composable framework Müller-Quade and Renner (2009).

We consider a four-intensity decoy-state BB84 QKD protocol, where the basis and intensity chosen with probabilities that are biased. Specifically, the intensities of $\mathsf{Z}$ basis sent by Alice are $\mu$ and $\nu$, the intensity of $\mathsf{X}$ basis is $\omega$, together with the vacuum state without basis information. The bases $\mathsf{Z}$ and $\mathsf{X}$ are selected by Bob with probabilities $q_{z}$ and $q_{x}=1-q_{z}$, respectively. The following is a detailed description of the protocol.

1. Preparation. Alice exploits the laser to prepare weak pulses with intensities $\mu$ and $\nu$ in $\mathsf{Z}$ basis, $\omega$ in $\mathsf{X}$ basis and the vacuum state given by a random bit $y_{i}$. The probability of selecting intensity $k$ is $p_{k}$ with $k\in\{\mu,\nu,\omega,0\}$. The weak optical pulses go through the insecure quantum channel to Bob.

2. Measurement. Bob randomly selects basis $\mathsf{Z}$ and $\mathsf{X}$ with probabilities $q_{z}$ and $q_{x}$ to measure the received pulses, respectively. Bob records the effective events and corresponding bit $y_{i}^{\prime}$. At least one detector click means an effective event. For multiple detector click, he randomly records a bit value and a basis for passive basis detection.

3. Reconciliation. Alice and Bob exploit the authenticated classical channel to announce the effective event, basis and intensity information. They repeat steps 1 to 3 until $|\mathcal{Z}_{k}|\geq n^{z}_{k}$ and $|\mathcal{X}_{k}|\geq n^{x}_{k}$, where the $\mathcal{Z}_{k}$ ($n^{z}_{k}$) is set (number) of $k$ intensity prepared by Alice and measured in $\mathsf{Z}$ basis by Bob.

4. Parameter estimation. Alice and Bob select a size of $n^{z}_{\mu}+n^{z}_{\nu}$ in $\mathcal{Z}_{\mu}\cup\mathcal{Z}_{\nu}$ to get a raw key pair $({\bf{Z}}_{\rm A},{\bf{Z}}_{\rm B})$. They announce the bit value of set $\mathcal{X}_{\omega}$ and compute the corresponding number of bit error $m_{\omega}^{x}$. All sets are used to compute the observed number of vacuum events $s_{0}^{zz}$ and single-photon events $s_{1}^{zz}$ and the observed phase error rate of single-photon events $\phi_{1}^{zz}$ in ${\bf{Z}}_{\rm A}$. If $\phi_{1}^{zz}\leq\phi_{\rm{tol}}$, they move on to step 5. Otherwise, they abort the data and start again.

5. Postprocessing. Alice and Bob apply an error correction with leaking at most $\lambda_{\rm EC}$ bits of information. They adopt a universal₂ hash function to perform an error-verification by consuming $\lceil\log_{2}\frac{1}{\varepsilon_{\rm cor}}\rceil$ bits of information Wegman and Carter (1981). At last, they use a universal₂ hash function to perform privacy amplification on their raw key to get a secret key pair ($\textbf{S}_{\rm A}$,$\textbf{S}_{\rm B}$) with $\ell$ bits.

The four-intensity decoy-state BB84 QKD protocol is $\varepsilon_{\rm cor}$-correct and $\varepsilon_{\rm sec}$-secret in the universally composable framework with Lim et al. (2014); Yin et al. (2020)

$$\begin{split}\ell=&\underline{s}_{0}^{zz}+\underline{s}_{1}^{zz}\left[1-h\left(\overline{\phi}_{1}^{zz}\right)\right]\\ &-\lambda_{\rm EC}-\log_{2}\frac{2}{\varepsilon_{\rm cor}}-6\log_{2}\frac{22}{\varepsilon_{\rm sec}},\end{split}$$

(1)

where $h(x):=-x\log_{2}x-(1-x)\log_{2}(1-x)$, $\Pr[{\bf{S}}_{\rm A}\not={\bf{S}}_{\rm B}]\leq\varepsilon_{\rm cor}$ and $(1-p_{\rm abort})\|\rho_{\rm AE}-U_{\rm A}\otimes\rho_{\rm E}\|_{1}/2\leq\varepsilon_{\rm sec}$. Thereinto, $\rho_{\rm AE}$ represents the joint state of ${\bf{S}}_{\rm A}$ and ${\bf{E}}$, $U_{\rm A}$ is the uniform mixture of all possible values of ${\bf{S}}_{\rm A}$, and $p_{\rm abort}$ is the probability that the protocol aborts. $\underline{x}$ and $\overline{x}$ denote the lower and upper bounds of observed value $x$.

Using the decoy-state method for finite sample sizes Lim et al. (2014), the expected numbers of vacuum event $\underline{s}_{0}^{zz^{*}}$ and single-photon event $\underline{s}_{1}^{zz^{*}}$ in ${\bf{Z}}_{\rm A}$ can be written as

$\displaystyle\underline{s}_{0}^{zz^{*}}\geq$

$\displaystyle(e^{-\mu}p_{\mu}+e^{-\nu}p_{\nu})\frac{\underline{n}_{0}^{z^{*}}}{p_{0}},$

(2)

and

	$\displaystyle\underline{s}_{1}^{zz^{*}}\geq$	$\displaystyle\frac{\mu^{2}e^{-\mu}p_{\mu}+\mu\nu e^{-\nu}p_{\nu}}{\mu\nu-\nu^{2}}$		(3)
		$\displaystyle\times\left(e^{\nu}\frac{\underline{n}_{\nu}^{z^{*}}}{p_{\nu}}-\frac{\nu^{2}}{\mu^{2}}e^{\mu}\frac{\overline{n}_{\mu}^{z^{*}}}{p_{\mu}}-\frac{\mu^{2}-\nu^{2}}{\mu^{2}}\frac{\overline{n}_{0}^{z^{*}}}{p_{0}}\right),$

where $x^{*}$ is the corresponding expected value of given observed value $x$, and the upper and lower bounds can be acquired by using the variant of Chernoff bound Yin et al. (2020)

	$\displaystyle\overline{x}^{*}$	$\displaystyle=x+\beta+\sqrt{2\beta x+\beta^{2}},$
	$\displaystyle\underline{x}^{*}$	$\displaystyle=x-\frac{\beta}{2}-\sqrt{2\beta x+\frac{\beta^{2}}{4}}.$

with $\beta=\ln\frac{22}{\varepsilon_{\rm sec}}$. The expected number of single-photon event $\underline{s}_{1}^{xx^{*}}$ in $\mathcal{X}_{\omega}$ can be given by Yu et al. (2016)

$\displaystyle\underline{s}_{1}^{xx^{*}}\geq$

$\displaystyle\frac{\mu\omega e^{-\omega}p_{\omega}}{\mu\nu-\nu^{2}}\left(e^{\nu}\frac{\underline{n}_{\nu}^{x^{*}}}{p_{\nu}}-\frac{\nu^{2}}{\mu^{2}}e^{\mu}\frac{\overline{n}_{\mu}^{x^{*}}}{p_{\mu}}-\frac{\mu^{2}-\nu^{2}}{\mu^{2}}\frac{\overline{n}_{0}^{x^{*}}}{p_{0}}\right),$

(4)

where one exploits the fact that the expected yield of single-photon prepared in $\mathsf{X}$ basis is equal to $\mathsf{Z}$ basis given the same measurement basis $\mathsf{X}$. Besides, the expected number of bit error $\underline{t}_{1}^{xx^{*}}$ associated with the single-photon event in $\mathcal{X}_{\omega}$ is Yu et al. (2016)

$\displaystyle\overline{t}_{1}^{xx}$

$\displaystyle\leq m_{\omega}^{x}-\underline{t}_{0}^{xx},$

(5)

with

$\displaystyle\underline{t}_{0}^{xx^{*}}$

$\displaystyle=\frac{e^{-\omega}p_{\omega}}{2p_{0}}\underline{n}_{0}^{x^{*}},$

(6)

where one utilizes the fact that expected value $m_{0}^{x^{*}}=n_{0}^{x^{*}}/2$. For a given expected value, one can use the Chernoff bound to obtain the upper and lower bounds of observed value Yin et al. (2020)

	$\displaystyle\overline{x}$	$\displaystyle=x^{*}+\frac{\beta}{2}+\sqrt{2\beta x^{*}+\frac{\beta^{2}}{4}},$
	$\displaystyle\underline{x}$	$\displaystyle=x^{*}-\sqrt{2\beta x^{*}}.$

The hypothetically observed phase error rate associated with the single-photon events in ${\bf{Z}}_{\rm A}$ can be obtained by using the random sampling without replacement Yin et al. (2020),

$$\overline{\phi}_{1}^{zz}=\frac{\overline{t}_{1}^{xx}}{\underline{s}_{1}^{xx}}+\gamma^{U}\left(\underline{s}_{1}^{zz},\underline{s}_{1}^{xx},\frac{\overline{t}_{1}^{xx}}{\underline{s}_{1}^{xx}},\frac{\varepsilon_{\rm sec}}{22}\right),$$

(7)

where

$$\gamma^{U}(n,k,\lambda,\epsilon)=\frac{\frac{(1-2\lambda)AG}{n+k}+\sqrt{\frac{A^{2}G^{2}}{(n+k)^{2}}+4\lambda(1-\lambda)G}}{2+2\frac{A^{2}G}{(n+k)^{2}}},$$

(8)

with $A=\max\{n,k\}$ and $G=\frac{n+k}{nk}\ln{\frac{n+k}{2\pi nk\lambda(1-\lambda)\epsilon^{2}}}$. The variant of Chernoff bound is used eight times, the Chernoff bound is used four times and the random sampling is used one time. Composing the error terms of finite-sample, we get the factor is 22, including 9 error terms due to the smooth min-entropy estimation Lim et al. (2014).

We built a compact and autonomous time-phase encoding QKD system, which continuously distributes secret keys over an optical fiber link using four-intensity decoy-state BB84 protocol secure against coherent attacks. The physical implementation is outlined in Fig. 1. The master laser produces phase-randomized 1.6 ns-wide laser pulses at 1550.12 nm and a repetition rate of 200 MHz. Two pairs of pulses with relative phases 0 and $\pi$ at a 2 ns time delay generated by an asymmetric interferometer are injected into two slave lasers through the optical circulator, respectively. By controlling the trigger electrical signal of two slave lasers, Alice randomly prepares quantum states in $\mathsf{Z}$ (time) and $\mathsf{X}$ (phase) basis using 400 ps-wide laser pulses. The decoy-state scheme is stably implemented by using an intensity modulator, a biased beam splitter with 1:99 and a PIN diode. A fiber Bragg grating with a 50 GHz nominal bandwidth is aligned to remove extra spurious emission and pre-compensate for the pulse broadening in the fiber transmission. The repetition rates of 100 kHz synchronization pulses with 2 ns-wide at 1310 nm are transmitted from Alice to Bob via the quantum channel by using wavelength division multiplexed. The intensities are set as $\mu=0.35$, $\nu=0.15$ and $\omega=0.3$ with the corresponding probabilities $p_{\mu}=0.78$, $p_{\nu}=0.1$ and $p_{\omega}=0.08$.

After the wavelength division demultiplexer, Bob utilizes a biased beam splitter with 3:7 to implement passive choice measurement basis, where the probability of $70\%$ is detected in time ($\mathsf{Z}$) basis and the probability of $30\%$ is detected in phase ($\mathsf{X}$) basis. The phase variation of the interferometer is compensated by a phase shifter, where the feedback algorithm is completed in advanced RISC machines (ARM). There is a 1.8 dB inherent loss difference between two bases due to the optical element. Four 200 megahertz-gated InGaAs/InP single-photon detectors with effective gate width 450 ps are exploited to detect quantum signals. The efficiency of detector is $20\%$ at a 120 dark count per second. The dead times of detectors in $\mathsf{Z}$ and $\mathsf{X}$ are 3 $\mu$s and 5 $\mu$s, respectively. The detection counts of $\mathsf{Z}$ and $\mathsf{X}$ basis will be affected differently due to the dead time, which also introduces the difference in detection efficiency. The secure and efficient synchronization scheme Liu and Yin (2019) is used for four gated-mode single-photon detectors calibration.

We continuously run this QKD system for two months over 50.4 km G.652D single-mode fiber with 9.4 dB loss. The real-time extractable secret key rate is always more than 60 kbps in the universally composable framework with $\varepsilon_{\rm sec}=10^{-10}$. The Winnow algorithm Buttler et al. (2003) with 1.42 inefficiency of error correction is used to perform the error correction for a block size of 512 kb. An error verification is carried out after each error correction via the LFSR-based Toeplitz matrix construction Krawczyk (1994) with 64 bit. Privacy amplification will be performed by using the concatenation of Toeplitz matrix and the identity matrix  Hayashi (2011) after accumulating data about 4 Mb with error correction ten times, where the data excludes the amount of information leaked in error correction. We exploit lasers with 1270 and 1290 nm and PIN diodes to realize classical communication with 8B/10B encoding, which will introduce less noise compared with commercial transceiver if quantum and classic channels share one fiber. In order to reduce the noise of synchronization optical pulses, we discard the count of 100 ns before and after each synchronization optical pulse. Authentication, reconciliation, error correction, error verification and privacy amplification are all carried out in a field-programmable gate array (FPGA) on each side, while the parameter estimation is proceeded in ARM.

In summary, we have experimentally realized the four-intensity decoy-state BB84 QKD with time-phase encoding and exploited tight security bounds for finite-key analysis with composable security against coherent attacks. Our experiment demonstrates that the basis-independent detection efficiency condition has been removed with 1.8 dB difference between time and phase basis of receiver. The stability of our system is very well due to the time-phase encoding. The phase randomness and spectral consistency are guaranteed by the pulsed laser seeding technique Comandar et al. (2016). Although the secret key rate of 60 kbps is not very high over 50 km fiber. It’s enough for some encrypted tasks, for example, voice communication. Limiting the secret key generation rate is mainly due to the system repetition frequency and the saturation count rate of the single-photon detector, which will be improved in the future.

We gratefully acknowledge support from the National Natural Science Foundation of China under Grant No. 61801420, the Fundamental Research Funds for the Central Universities.