Noisy entanglement-assisted classical capacity as a security framework for two-way quantum key distribution protocols
Quntao Zhuang, Zheshen Zhang, and Jeffrey H. Shapiro
Research Laboratory of Electronics, Massachusetts Institute of Technology, Cambridge, Massachusetts 02139, USA
Department of Physics, Massachusetts Institute of Technology, Cambridge, Massachusetts 02139, USA
Quantum key distribution (QKD) offers unconditional security against eavesdropping [1], but state-of-the-art secret key rates (SKRs) for QKD are only ∼

FIG. 1. Single-use schematic of a Gaussian TW-QKD protocol.
Gaussian TW-QKD protocols.—
Figure 1 shows a single use of a general Gaussian TW-QKD protocol. Alice prepares a signal-reference pair $(Y, W)$ in a two-mode squeezed vacuum (TMSV) state with mean photon number $N_S$. She measures a portion of $W$ for security checking, and sends the signal $Y$ to Bob through a forward channel that is controlled by Eve. In general, Eve performs a unitary operation on $Y$ and her pure-state input $V$, retaining its $E$ output and delivering its signal output $S$ to Bob. (Note that $V$ and $E$ can have multiple modes per channel use.) In Eve's coherent attack, her unitary operation can act jointly on all channel uses [6].

Figure 2 contains a schematic plot of the protocol after Bob receives $S$. He measures a portion of $S$ for security checking, and encodes a random symbol $x$ on the remainder. Alice and Bob's security checking uses homodyne measurements [7, 8] to estimate constraints on the covariance matrix of the joint state $\hat\rho_{SW}$; in the asymptotic regime these estimates will be perfect. Bob encodes $x$ with a unitary $\hat U_x$ composed of a phase shift $\theta_x$ and a displacement $d_x$ that are easily realized with linear optics. Conditioned on the message $x$, the encoded mode has annihilation operator $\hat a_S^{\prime\,(x)} = e^{i\theta_x}\hat a_S + d_x$. The $d_x$'s are assumed to be zero-mean Gaussian random variables, implying that encoding on a vacuum state will average to produce a thermal state. The encoding scheme is symmetric, i.e., $\sum_x P_X(x)\, e^{i\theta_x} d_x = 0$, and energy constrained, viz., $E_X = \sum_x P_X(x)\, |d_x|$. Thus it includes the random-displacement encoding scheme used in Refs. [5, 9] and the phase encoding employed in FL-QKD [3, 10]. The unconditional state of $(S', W)$ is non-Gaussian in general.

Bob's encoded signal passes through channel $\Psi$ that models the part of the return channel that is not under Eve's control, e.g., loss in Bob's terminal, but we will allow $\Psi$ to be any Gaussian channel without excess noise: a pure-loss channel (transmissivity $\eta$), a quantum-limited amplifier (gain $G_B$), or a quantum-limited phase conjugator (gain $G_B$). After $\Psi$, Bob sends its output $B$ to Alice through a channel controlled by Eve. Alice jointly measures the light she receives with part of $W$ to obtain a raw key from which the secret key will be distilled after Alice and Bob use their covariance-matrix constraints to bound the information gained by Eve.

Bounding eavesdropper's information gain.—
In the asymptotic regime, a QKD protocol's secret-key efficiency (SKE), in bits per channel use, against a coherent attack is given by the Devetak-Winter formula [6, 11] $\mathrm{SKE} = \max[\xi I_{AB} - I_E,$ $I_{AB}$ is Alice and Bob's Shannon information in bits per channel use, $\xi$ is their reconciliation efficiency, and $I_E$ is Eve's Holevo-information gain in bits per channel use. (Note that Alice and Bob's SKR equals $R\,\mathrm{SKE}$, where $R$ is Bob's symbol rate.) The maximization in the Devetak-Winter formula needs to be performed over all possible attacks that pass the security checking measurements, i.e., that are consistent with Alice and Bob's measured covariance-matrix constraints. We will perform that maximization on $\chi_E \equiv I_E/M_E$, Eve's Holevo information in bits per mode, where $M_E$ is the number of modes used per encoded symbol. Thus, because $\xi I_{AB}$ can be inferred from Alice and Bob's reconciliation step, the asymptotic security proof of the TW-QKD protocols rests on putting an upper bound on $\chi_E$.

FIG. 2. Gaussian TW-QKD protocol from Eve's perspective.

Bounding $\chi_E$ for a TW-QKD protocol is complicated by Eve's simultaneously attacking the forward and backward channels [3, 5, 9, 12–14]. Consequently, the usual techniques, such as the entropic uncertainty principle [15], are not applicable here because of loss. Recognizing that the TW-QKD protocol shown in Fig. 2 can be regarded as noisy entanglement-assisted classical communication from Bob to Eve, we use the noisy entanglement-assisted classical capacity formula [4] to place an upper bound on $\chi_E$. Thus we establish a new security framework for TW-QKD protocols. Consider a multiple-channel-use QKD session over $M$ mode pairs. We use the same notation as Fig. 1 with subscripts indicating the different mode pairs, i.e., $S = S_1 S_2 \cdots S_M$, $W = W_1 W_2 \cdots W_M$, and $B = B_1 B_2 \cdots B_M$. For Gaussian protocols, the $\hat U_x$'s are
covariant with $\Psi$, thus Eve's information gain is upper bounded by a maximization, given the covariance-matrix constraints, over multiple mode pairs, i.e., the multi-letter formula [4],

$$\chi_E^{(M)} = \max_{\hat\rho_{SW}} F[\hat\rho_{SW}], \quad \text{with} \tag{1}$$

$$F[\hat\rho_{SW}] \equiv S(\hat\rho_{B}) - E_{(\Psi^{\otimes M})^c \otimes \mathcal{I}}[\hat\rho_{SW}], \tag{2}$$

where each $\hat\rho_{B_m} = \sum_x P_X(x)\, \Psi[\hat U_x^\dagger \hat\rho_{S_m} \hat U_x^\dagger]$, i.e., we have assumed independent encoding on each mode pair. With dependent encoding, Eq. (1) is still an upper bound. A trace-preserving completely-positive map $\phi$ has complementary channel we denote as $\phi^c$, and the entropy gain of $\phi$ on state $\hat\rho$ is $E_\phi[\hat\rho] \equiv S(\phi[\hat\rho]) - S(\hat\rho)$. To reduce Eq. (1) to a single mode-pair (single-letter) formula, we use the subadditivity of $F[\hat\rho_{SW}]$ [4], and, because $\Psi$ is a Gaussian channel, this also ensures that the maximum of Eq. (1) is achieved by a Gaussian-state $\hat\rho_{SW}$ [4] under the given covariance-matrix constraints.

FIG. 3. Secret-key rates versus path length $L$. Axes: $L$ (km), $\log(\mathrm{SKE})$. (a) TMSV protocol with random displacement (legend: our result, coherent attack; previous result, special attack). (b) FL-QKD protocol, $G_B = 10$, $N_S$ is optimized.

At this point we introduce the covariance-matrix constraints that Alice and Bob will obtain from their security checking. The first will be the total mean photon number of the signal received by Bob, $\sum_{n=1}^{M} \langle \hat a_{S_n}^\dagger \hat a_{S_n} \rangle = M \kappa_S N_S$. The second will be the total cross correlation between Alice's retained and Bob's received modes, $\sum_{m,n=1}^{M} \left( |\langle \hat a_{S_m} \hat a_{W_n} \rangle| + |\langle \hat a_{S_m} \hat a_{W_n}^\dagger \rangle| \right) = (1 - f_E)\, \kappa_S M N_S (N_S + 1)$. Here, $f_E$, $\kappa_S$ quantify Eve's intrusion on the quantum channels, and $0 \le f_E \le 1$, required by physics. By constraining the covariance matrix we can bound $\chi_E$, because $\chi_E$ decreases with increasing $\kappa_S$ and it increases with increasing $f_E$. The total mean photon number constrains the covariance matrix's diagonal elements, while $\sum_{m,n=1}^{M} \left( |\langle \hat a_{S_m} \hat a_{W_n} \rangle| + |\langle \hat a_{S_m} \hat a_{W_n}^\dagger \rangle| \right) \ge |\sum_{n=1}^{M} \langle \hat a_{S_n} \hat a_{W_n} \rangle| + |\sum_{n=1}^{M} \langle \hat a_{S_n} \hat a_{W_n}^\dagger \rangle|$ implies that the covariance matrix's off-diagonal elements give a lower bound on the total correlation.

By using optimization techniques similar to those in Ref. [3], we can show that our constraints permit Eq. (1) to be reduced to a single-letter formula that can be evaluated as a function of the intrusion parameters $\kappa_S$, $f_E$. With Eve's information gain in hand, the SKE can then be obtained from the Devetak-Winter formula. In the examples that follow, we will use $\kappa_S$ equal to the one-way fiber loss $\kappa_S = 10^{-.L}$ that Alice and Bob will see when they are connected by $L$ km of fiber.

TMSV protocol with random displacement [5, 9].— In this protocol, Alice has access to the full TMSV, Bob encodes each mode using random displacements with power $E_X$, and $\Psi$ is the noiseless identity channel. Figure 3(a) compares our SKE lower bound with the SKE result from Refs. [5, 9] when $f_E = 0$, $\xi = 1$ and $E_X, N_S \gg 1$. Our lower bound, which applies for a coherent attack in the asymptotic regime, is much lower than the one from Refs. [5, 9], which only applies for a special class of collective attacks. We believe that much of this gap is due to our giving Eve all the light on the backward channel, which is an overly conservative assumption given the short distances involved, e.g., $\kappa_S = 0.63$ for $L = 10$ km. For TW-QKD protocols like FL-QKD, which are capable of long-distance operation, we expect that our SKE lower bound will be tighter at those long distances, e.g., when $\kappa_S = 0.$ $L = 50$ km.

FL-QKD protocol [3, 10, 16].— FL-QKD offers Gbps SKRs at long distances by virtue of three features. First, Alice uses low-brightness amplified spontaneous emission light (ASE), together with TMSV light, in her transmission to Bob, while retaining a high-brightness ASE reference as a homodyne-detection local oscillator for measuring Bob's encoded message. Nevertheless, even with only partial access to the purification $W$, Alice can still establish asymptotic security. Second, Bob uses a high-gain ($G_B \gg 1$) amplifier as his $\Psi$, which overcomes the backward-channel loss issue that plagues previous TW-QKD protocols [5, 9]. Finally, Bob uses multi-mode encoding, $M_E \gg 1$, that allows Alice to decode Bob's message despite the low brightness of the signal light she transmitted. Previous work [3, 10, 16] has only proven FL-QKD's security against a frequency-domain collective attack. Here we apply our framework to obtain its asymptotic SKE against a coherent attack.

FL-QKD uses phase encoding, so its $E_X = 0$. Although alphabets larger than binary are known to be beneficial [10], here we will consider binary encoding with phases $\theta_0 = 0$, $\theta_1 = \pi$ representing the bit values 0 and 1. Figure 3(b) plots FL-QKD's SKE against a coherent attack in the asymptotic regime assuming $f_E = 0$, $\xi = 1$ for a variety of $M_E$ values where we have optimized over the source brightness at each distance. The red line corresponds to the operating point of $M_E = 200$ as used in Refs. [3, 10] for the frequency-domain collective attack. We see that with $M_E \gg$ $R = 10$ Gbps, FL-QKD provides Gbps SKRs at long distances. Note that FL-QKD's SKE against the coherent attack—as determined here—coincides with the SKE obtained in Ref. [3] against the frequency-domain collective attack, and hence the SKE incurred with $f_E >$

[1] C. H. Bennett and G. Brassard, Theor. Comput. Sci. , 7 (2014).
[2] M. Lucamarini et al., Opt. Express , 24550 (2013).
[3] Q. Zhuang, Z. Zhang, J. Dove, F. N. C. Wong, and J. H. Shapiro, Phys. Rev. A , 012322 (2016).
[4] Q. Zhuang, Y. Zhu, and P. W. Shor, arXiv:1609.08592 [quant-ph].
[5] S. Pirandola, S. Mancini, S. Lloyd, and S. L. Braunstein, Nat. Phys. , 726 (2008).
[6] V. Scarani et al., Rev. Mod. Phys. , 1301 (2009).
[7] R. García-Patrón and N. J. Cerf, Phys. Rev. Lett. , 190503 (2006).
[8] M. Navascués, F. Grosshans, and A. Acín, Phys. Rev. Lett. , 190502 (2006).
[9] C. Ottaviani, S. Mancini, and S. Pirandola, Phys. Rev. A , 062323 (2015).
[10] Q. Zhuang, Z. Zhang, and J. H. Shapiro, arXiv:1702.02424 [quant-ph].
[11] I. Devetak and A. Winter, Proc. Royal Soc. A , 207 (2005).
[12] N. J. Beaudry, M. Lucamarini, S. Mancini, and R. Renner, Phys. Rev. A , 062302 (2013).
[13] Y.-G. Han et al., Sci. Rep. , 4936 (2014).
[14] C. I. Henao and R. M. Serra, Phys. Rev. A , 052317 (2015).
[15] M. Berta, M. Christandl, R. Colbeck, J. M. Renes, and R. Renner, Nat. Phys. , 659 (2010).
[16] Z. Zhang, Q. Zhuang, F. N. C. Wong, and J. H. Shapiro, Phys. Rev. A 95
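An added worked example, not from the paper: for the TMSV protocol with random displacement ($\Psi$ the identity channel) it evaluates $F$ of Eq. (2) for one mode pair at a single Gaussian state that meets the two security-check constraints, rather than performing the paper's maximization or reproducing Fig. 3. Assumptions of this example: correlation $\langle \hat a_S \hat a_W \rangle = \sqrt{(1-f_E)\kappa_S N_S (N_S+1)}$ (so that $f_E = 0$ is a TMSV signal after pure loss $\kappa_S$), a thermal $W$ marginal with mean $N_S$, Gaussian displacements of energy $E_X$, and 0.2 dB/km fiber loss; all function names are hypothetical.

```python
import math

def g(n):
    """Entropy in bits of a thermal state with mean photon number n."""
    if n <= 1e-12:
        return 0.0
    return (n + 1) * math.log2(n + 1) - n * math.log2(n)

def kappa_fiber(L_km, loss_db_per_km=0.2):
    """One-way transmissivity; 0.2 dB/km is assumed, giving 0.63 at 10 km."""
    return 10 ** (-loss_db_per_km * L_km / 10)

def entropy_SW(N_S, kappa_S, f_E):
    """S(rho_SW) for the assumed zero-mean Gaussian state of one (S, W) pair."""
    a = 2 * kappa_S * N_S + 1      # quadrature variance of S (vacuum = 1)
    b = 2 * N_S + 1                # quadrature variance of W
    c2 = 4 * (1 - f_E) * kappa_S * N_S * (N_S + 1)  # squared S-W correlation
    delta = a * a + b * b - 2 * c2                  # symplectic invariant
    det = (a * b - c2) ** 2                         # determinant of the 4x4 matrix
    root = math.sqrt(max(delta * delta - 4 * det, 0.0))
    nus = (math.sqrt((delta + root) / 2), math.sqrt((delta - root) / 2))
    return sum(g((nu - 1) / 2) for nu in nus)       # sum over symplectic eigenvalues

def F_single_pair(N_S, kappa_S, f_E, E_X):
    """F = S(rho_B) - E, with Psi the identity channel (assumed setting)."""
    S_B = g(kappa_S * N_S + E_X)   # averaged encoded mode is thermal
    # Identity Psi: its complementary channel outputs a fixed pure state, so
    # the entropy gain is S(rho_W) - S(rho_SW) with S(rho_W) = g(N_S).
    entropy_gain = g(N_S) - entropy_SW(N_S, kappa_S, f_E)
    return S_B - entropy_gain

if __name__ == "__main__":
    N_S, E_X = 10.0, 100.0         # constructed sample values
    for L in (0, 10, 50):
        k = kappa_fiber(L)
        row = [round(F_single_pair(N_S, k, f, E_X), 3) for f in (0.0, 0.5, 1.0)]
        print(f"L={L:>2} km  kappa_S={k:.2f}  F(f_E=0, 0.5, 1) = {row}")
```

For these sample values the quantity grows with $f_E$ and shrinks as $\kappa_S$ grows, the same direction the text states for $\chi_E$.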