1. Introduction
Quantum key distribution (QKD) allows two parties to establish a shared secret key that is secure even against computationally unbounded adversaries. This is a task that is impossible to achieve using classical communication alone, unless computational assumptions are made on the adversary’s capabilities. However, QKD has several limitations, especially in terms of distance. See [1, 2, 3] for a general survey on QKD.
In general, the key-rate of a QKD system is severely restricted by the total transmittance of the channel between parties. Several strategies can mitigate this, including trusted node networks [4, 5, 6] and quantum repeaters [7, 8, 9]. Quantum network research, in general, is a rapidly growing topic both for QKD [10] and the more general Quantum Internet [11] (the latter of which can support QKD, but also other applications such as distributed computing [12, 13, 14] and distributed quantum sensing [15, 16, 17, 18]). However, an interesting third alternative for boosting QKD distances are so-called twin-field QKD (TF-QKD) protocols [19, 20, 21, 22, 23, 24] which can even beat the PLOB bound [25].
Proving security of QKD protocols (TF or otherwise) is an important task, and developing novel proof techniques can be vital for advancing the state of the art (in addition to providing an additional proof of security which, itself, is interesting). Since TF-QKD can already be demonstrated experimentally over long distances [26, 27] (even up to over 800 km [28]), it is important to study rigorously the underlying security proofs for these systems as they are applicable using today’s technology. Doing so affords researchers more mathematical tools to handle new protocols, and may even lead to improvements in performance under certain conditions as newer techniques may provide more optimistic security results in some cases (or, more formally, more optimistic bounds on the quantum min entropy between the users and an adversary system).
In this paper, we re-visit a TF-QKD protocol introduced in [19] and develop an entirely new proof of security using methods of quantum sampling as introduced in [29], and sampling-based entropic uncertainty relations [30]. Our proof is fairly simple and can be used potentially for other TF-QKD protocols. In particular, our method might be easily adapted to the sending-not-sending TF protocol [31].
While our new proof does not improve on previously produced key-rates, we feel it is still interesting to develop alternative methods. Indeed, by now numerous proofs of security have been performed for BB84, all leading to the same result; yet different methods can be applied to different protocols later “down the road”, and thus developing alternative techniques is an important area of research in quantum cryptography. We also make two small changes to the original protocol (which our new security proof can handle easily) and show some interesting behaviors of these new protocols, including improved performance. We are not aware of these two variants in the current literature, thereby making them a second contribution of this paper.
2. Preliminaries
We now introduce some notation and other preliminary concepts and technical lemmas that will be important in our work later. Let be a d-dimensional alphabet. Given a word and a subset , we write to denote the substring of q which is indexed by t and to mean the substring indexed by the complement of t. If t is a singleton , we often simply write to represent the i’th character of q.
Given and two real numbers, x and y, we write the following:
Given a word and a particular character , we write to denote the number of times a appears in the word q:
We use to denote the number of times a and b appear in q:
Let X be a random variable taking value , with probability . Then, denotes the Shannon entropy of X, namely . All logarithms in the paper are base two, unless otherwise specified. We use to denote the binary Shannon entropy, defined as .
A quantum state or density operator is a Hermitian positive semi-definite operator of unit trace, acting on some Hilbert space . If acts on , we write to denote the quantum state resulting from a partial trace over E, namely . This notation is similar for states acting on additional Hilbert spaces.
The Bell basis [32, 33, 34] is spanned by states :
where and are the Hadamard basis states, . Given a word , we write to denote .
Given a density operator , we write to be the von Neumann entropy of defined as . The conditional quantum min entropy is defined as follows [35]:
where is used to indicate that the operator is positive semi-definite. The smooth conditional min entropy, denoted as , is defined as follows [35]:
where the supremum is over all density operators such that , where is the trace distance of operator A.
Quantum min entropy is a vital quantity in quantum cryptography as it relates directly to the number of uniform random secret bits one may extract from a quantum state [35]. In particular, given where the A register is classical and the E register is quantum, privacy amplification may be used to extract a uniform secret bit string. Let be the result after applying the privacy amplification process to . Then, it holds the following [35]:
In particular, after privacy amplification, the resulting output is almost a uniform random ℓ-bit string, independent of Eve’s system. To determine a suitable size for ℓ, one only needs to measure the min entropy of the state before privacy amplification. For a given , the final key is said to be secure.
Quantum min entropy has a number of useful properties that we will require later. First, given a state of the form (i.e., a state classical on Z), the following holds:
The following lemma allows us to bound the entropy in a state after performing a certain type of quantum operation on it, if we know the min entropy in a suitable state that is close in trace distance:
Lemma 1 (from [36]). Let ρ and σ be two quantum states and be some CPTP map that acts as follows: Then, the following holds: where the probability is over the outcome x and .
Finally, the following lemma allows us to bound the min entropy of a superposition of Bell states (the lemma is found in [37], though its proof uses techniques similar to those in [29, 35] for bounding the min entropy of a general superposition state):
Lemma 2 (from [37] based on a proof in [29, 35]). Let and where recall is the number of times 1 and 3 appear in the string i. Let be the state resulting from taking , measuring all A particles in the Z basis and then tracing out the B register. Then, the following holds:
Quantum Sampling
Our new proof of security will utilize a quantum sampling framework introduced by Bouman and Fehr in [29]. In this section, we review some of their work that we will need later.
A classical sampling strategy over is a triple of algorithms. The first is a process that randomly chooses a subset with probability . The second is a guessing function . The third is a target function . The strategy will first choose a random subset and observe . Next, a guess is computed ; this guess should be close to the value of the target function, but evaluated on the unobserved portion of the string . That is, .
Formally, and a subset t should be fixed. Then, the set of good words should be defined as follows:
Recall, we wrote that if and only if . A good word is one where the guess is always close to the target for the given subset t. The classical error probability of the sampling strategy is defined simply as follows:
From this definition, it holds that for any word , if the sampling strategy is performed on it, the probability that it fails (namely that the guess is not close to the target) is at most .
The main result from [29] was to extend this to the quantum domain. A classical sampling strategy can be promoted to a quantum one in a natural way: given a quantum state where the A register consists of N qudits, each qudit of dimension d, one chooses a subset t and measures the qudits, indexed by t, in some d dimensional orthonormal basis . This measurement results in a classical outcome . Then, according to Bouman and Fehr’s main result, the unmeasured portion behaves like a superposition of words that are close to the guess (with respect to the given target). To formalize this, a basis B is fixed and the following space is considered:
This subspace is called the ideal subspace; a state within it is called an ideal state. Note that if one is given an ideal state (which only makes sense at the moment for a specific subset t according to this definition and thus the superscript index), and if one performs a measurement in the B basis on subset t resulting in outcome , the post measured state must collapse to one that is of the following form:
Namely, it must collapse to a superposition of words that are close to the observed value (with respect to the given guess and target functions). The states may not be necessarily ideal; however, the following theorem says that for any quantum state, one can define a collection of ideal states that are close in trace distance to the given state.
Theorem 1 (from [29], but re-worded slightly for our application and approach). Let , B be a d-dimensional orthonormal basis, and be a pure quantum state where the A register consists of N qudits, each qudit of dimension d. It is assumed that the dimension of each system N is known. Given a classical sampling strategy with error probability , there is a collection of ideal states , indexed by all subsets t such that : Furthermore,
Note that, the original proof of Theorem 1 assumes Eve’s ancilla is finite dimensional. This is without loss of generality in our proof since we are considering ideal sources.
Before leaving this section, we discuss an important sampling strategy which we will use later. This strategy was analyzed in [37] for Bell states. Given a word , a subset of size m is uniformly chosen at random from all m size subsets of . The guess and target functions are simply . This defines the set of good words as follows:
where recall is the number of 1’s and 3’s in the word .
The failure probability of this strategy was proven in [37] as follows:
3. Protocol
We now describe the specific TF-QKD protocol, introduced in [19], which we will be analyzing. A single round of the quantum communication stage consists of the following operations:
Alice prepares an entangled quantum state of the form:
where the A register is a private qubit memory, while the a register consists of a single photon in either the vacuum state or a non-vacuum state . This register will be transmitted to a central server. Finally, q is a publicly known parameter chosen by Alice and Bob which will be optimized later.
Similarly, Bob creates the state:
The A and B registers are kept private, while the a and b registers are sent to a central server.
The central server routes the incoming registers through a 50:50 beam splitter with two detectors, and . The outcome of the detectors are reported to Alice and Bob. The possible outcomes are “0” (meaning detector clicked); “1” (meaning detector clicked); “” (meaning no detector clicked); and “” (meaning any other outcome, such as both detectors clicking).
If the server reported “” or “”, Alice and Bob discard this round and their private qubits. If the server reported “1”, Bob applies a Pauli Z gate to his private ancilla, thereby flipping the phase of the state.
If the server reported either “0” or “1”, Alice and Bob should now hold a Bell state . They will measure their private qubits in either the Z or the X basis. Some of the Z and X measurements will be used to test the fidelity of the state; the remaining Z basis states will be used for key distillation.
We note that there is a simple change to the above protocol which turns it into an equivalent prepare-and-measure protocol where Alice and Bob do not need to measure or hold private memories. For more details on that, the reader is referred to the original paper [19].
To see why the above protocol works, consider a single round. At the beginning, Alice and Bob create the joint state:
At this point, the registers are sent through a 50:50 beam splitter. We denote the output modes of the BS as and . We simply denote the action of this splitter (up to phase rotation) as follows:
where is the state resulting from the action of the beam splitter upon the receipt of two photons, one from Alice and one from Bob; the exact description of this state is not important for the following discussion.
After applying the BS to Equation (20), but before measuring the output of the BS, the state evolves to (after permuting subspaces) the following:
At this point, a measurement of the BS output register is performed and the outcome is broadcast. Assuming that is “small”, whenever a “” or “” is measured, Alice and Bob’s state should collapse to an entangled Bell state; when the outcome is , Bob will apply a Pauli Z gate to transform the state to . Since , there will be some error in the multi-photon case, and this is something that users must optimize. Thus, interestingly, for this TF-QKD protocol, even when there is no channel noise and everything is ideal, there will always be some error in Alice and Bob’s raw key, which error correction must later repair.
At this point, we comment that two varieties of the above protocol may be introduced, which we denote as Π and Π . For Π , Alice and Bob will only use rounds where the server reports an outcome of (if any other outcome is reported, including , that round is discarded); similarly, Π is defined to be the same, but Alice and Bob will only use rounds where the server reports an outcome of . The original protocol, where Alice and Bob use rounds where the server reports either or , will be denoted Π . While Π and Π may discard more rounds, we show later that improvements in key-rates can be found in some instances based on channel statistics. This is due to the asymmetric nature of the protocol (which we discuss in more detail in Section 5.1). We are not aware of these slight modifications being analyzed in prior literature.
Entanglement-Based Version
Instead of analyzing the above protocol, we will instead analyze the following entanglement-based protocol. It is not difficult to see that security of the following entanglement-based version will imply security of the above prepare-and-measure version. The entanglement-based version operates as follows:
1. Eve creates a quantum state , where the A and B portions consist of N qubits each, while the C portion lives in a Hilbert space spanned by orthonormal basis for all (here, “v” will denote a vacuum observation and “?” an “other” event). The E portion is arbitrary. Alice and Bob are given the A and B registers, while the C register is sent to a trusted third party Charlie.
2. Charlie measures his entire C register in the basis, broadcasting the result to all parties. Alice and Bob discard all qubits rounds where the reported outcome was “” or “?”. Let be the number of remaining systems not discarded.
3. Alice and Bob choose a random subset of size (which may depend on ), and measure their respective systems, indexed by this subset, in the X basis which they subsequently broadcast to determine the fidelity of their state.
4. Alice and Bob measure the remaining systems in the Z basis, leading to their raw key. They then further process this through error correction and privacy amplification as normal.
Entanglement-based versions of Π and Π are defined similarly, with only step 2 being changed.
Note that in the entanglement-based version, Bob does not apply a Pauli correction gate, since Eve gets to prepare not only Alice and Bob’s state but also the state that would normally have been output from the BS; it is advantageous for Eve to “simulate” the Pauli correction before sending it to Bob (though she does not have to; however, not doing so would lead to additional X basis noise). It is not difficult to see that security of the entanglement based version above will imply security of the actual TF-QKD protocol. In the next section, we show a new proof of security, deriving an entropy bound for the entanglement-based version, which will subsequently produce a key-rate bound for the TF-QKD protocol.
We note that the protocols above are not novel; they are, at most, very slight variations of protocols from [19]. Π is identical to prior work in [19], while Π and Π are only minor variations of that protocol. As discussed in the introduction, the novelty of our work is in an alternative security proof, derived in the following section.
5. Evaluation
We now evaluate the key-rate assuming a lossy channel with detector mismatches and inefficiencies. In particular, each channel will have a transmittance of . We will assume, for evaluation purposes, that the server is honest, but has faulty devices. Thus, the server will perform the correct measurement; however, the detectors will have a non-zero dark count rate and a non-unit efficiency f. The measurement may also be misaligned in that it may report “0” when it should have, ideally, observed “1”.
To evaluate, we require certain expected values for along with the expected noise. Let (respectively ) be the probability that the server sends the message “0” (respectively “1”). Then, the expected value of is simply , where N is the total number of rounds Alice and Bob perform for the protocol. To find these values under our evaluation setup, we trace the protocol’s execution.
First, consider the joint state created by Alice and Bob:
The qubits are sent through a lossy channel which, as in [19], we model as a beamsplitter with transmittance ; it is as follows:
Note that we introduced a new state to ensure that the above is unitary; however, and cannot be distinguished by the parties and will look like a vacuum in either case.
The above causes the joint state to evolve into the following:
At this point, the system enters the server’s measurement device which, before the actual measurement is performed, we model as a unitary operator C, where for any :
Ideally, . Note that the additional system in the above definitions are used only to ensure unitarity of C and that the server’s subsequent measurement cannot distinguish between and . Following the application of C, the server will measure the first of the two systems in its control, thereby leading to the reported outcome. Note that, since and are technically indistinguishable, both observations are reported simply as a “vacuum” by the server.
Applying C to the joint state in Equation (33), but before the actual measurement, yields the following:
At this point, the server measures and reports the outcome. This measurement will be affected by dark counts ( ) and the detector efficiency (f). For simplicity in evaluation, we will simply assume that the double-photon outcomes (namely, ) do not interfere, constructively or destructively, with the other terms in the term. We will then simply assume that the probability of observing a in is and the probability of observing is . It turns out that, since q is large generally, this term does not significantly affect the key-rate and so this assumption does not play a major role in hurting or benefiting the key-rate. From this, we obtain the following:
Similarly, we obtain the following:
Next, we need the Z basis and X basis noise, conditioned on Alice and Bob not discarding the round, i.e., conditioned on the server sending a non-vacuum message in the Π protocol case or conditioned on sending either “0” or “1” for the Π or Π protocol case. Let be the probability of a Z basis error and the server sending the message “0”. Similarly, define , , and . From the above equations, the following expressions are easily found:
From these, the required conditional noise values may be determined for our evaluation scenario.
In our evaluations, we set , which was found to be roughly the optimal value. We also set to be . We found no significant effect on the key-rate for other values due to the high value of q and so we simply set this value as . For finite key rates, we set .
To evaluate, we use Corollary 1, setting , where Q is the Z basis error noise (e.g., for Π ; this is similar for other protocol settings). A graph of the resulting asymptotic key-rates is shown in Figure 1 (comparing to the PLOB bound [25]). The finite key results are shown in Figure 2. Note that our key-rates agree asymptotically to previous results for the Π version and so we do not compare them to prior works for that setting; for other settings (namely Π and Π ), we are not aware of any security proof, and so there is no comparison beyond comparing to Π .
5.1. A Discussion on the Asymmetric Nature of the Protocol
It is worth taking a closer look as to why Π and Π perform differently from the standard version Π . First, consider Equations (36) and (37). Note that, even under ideal conditions of , , and (which is what would be expected if all devices were perfect and there were simply natural loss ), for any , it holds that . Similarly, . The same inequalities hold for imperfect devices (i.e., when and ). This can be seen more clearly in Figure 3. Thus, anytime the server sends message 0, there is actually a greater chance of error than in the case of message 1. Therefore, under most conditions and under this channel scenario, discarding all messages of 0 actually improves the performance of the system. The users may decide, after measuring the channel statistics, to determine which mode of operation to perform; thus, the users can always optimize their choice of protocol after the quantum data have been transmitted and can therefore always choose the mode that will return the higher number of key-bits. It would be interesting to analyze these three protocols under other channel scenarios, beyond depolarizing. Note that our security proof can handle any channel scenario; however, we chose only depolarization channels for our evaluations in this section.
6. Closing Remarks
In this paper, we revisited a TF-QKD protocol introduced in [19] and derived a new proof of security for it. Our new proof uses methods from quantum sampling techniques [29]. While our new proof agrees with prior works and does not show higher key-rates compared to them, we still feel that alternative proof techniques are interesting and important. We also investigated two slight variants of the protocol and showed how they can lead to improved key-rates in some scenarios.
Many interesting future problems remain. It would be fruitful to further explore the two variants and see if additional improvements can be made. Furthermore, a finite key proof using decoy-state methods (using our sampling-based proof approach) would be interesting, especially for Π and Π . Adapting our proof technique to other TF-QKD protocols would also be very interesting; a particular candidate to start with would be the sending or not-sending (SNS) TF-QKD protocol [31] due to its similar encoding mechanism. Also, it would be interesting to discover whether or not asymmetric protocols (similar to Π and Π analyzed in this work) can be defined and shown to be more efficient for such protocols like the SNS TF-QKD mechanism.
Also, leading into more practical device considerations, it is known that for single-photon interference protocols (such as the TF protocol discussed in this paper), there are still challenges with matching the mode of the photon and detector, which ultimately affects the protocol’s performance [38]. Such issues must be considered in future works to address applicability issues of the protocol.