Boosting Quantum Key Distribution via the End-to-End Loss Control

Abstract

With the rise of quantum technologies, data security increasingly relies on quantum cryptography and its most notable application, quantum key distribution (QKD). Yet, current technological limitations, in particular, the unavailability of quantum repeaters, cause relatively low key distribution rates in practical QKD implementations. Here, we demonstrate a remarkable improvement in the QKD performance using end-to-end line tomography for the wide class of relevant protocols. Our approach is based on the real-time detection of interventions in the transmission channel, enabling an adaptive response that modifies the QKD setup and post-processing parameters, leading, thereby, to a substantial increase in the key distribution rates. Our findings provide everlastingly secure efficient quantum cryptography deployment potentially overcoming the repeaterless rate-distance limit.

1. Introduction

As we step towards the quantum computing era, quantum cryptography is emerging as the primary solution for ensuring data security. A cornerstone of quantum cryptography is quantum key distribution (QKD). This technique harnesses unique quantum properties, such as the no-cloning property of quantum states and quantum entanglement, to securely share encryption keys between two or more parties. Paired with the symmetric classical cryptography routines, the QKD becomes a silver bullet against the security threats posed by quantum computers. Yet, deploying the QKD in the real world meets strong challenges. While the QKD protocols, such as BB84, boast theoretical security, their practical implementations face a wide range of challenges. in particular, the practical realization of quantum transmission channels is marred by substantial signal losses, and it is assumed that an eavesdropper, Eve, can seize and manipulate these losses to her advantage. Here, we show how physical control over the channel losses can ward off the known attacks targeted at exploiting those losses against the existing prepare-and-measure QKD protocols, in particular, Decoy-State BB84 [1,2,3,4,5] and COW [6,7,8]. Furthermore, we find how this physical loss control can be used to overcome the fundamental PLOB (Pirandola-Laurenza-Ottaviani-Banchi) bound [9]. This boundary predicts an exponential decrease in key rates in correspondence with increasing communication distance, posing a significant limitation to long-distance secure quantum communications.

Our approach shifts the conventional quantum cryptography paradigm, which assumes that an eavesdropper, Eve, can capture and exploit all losses occurring in the transmission channel. We state that during the transmission along the optical fiber, most of the signal losses occur due to scattering on the fiber density fluctuations in the channel and that it is practically impossible to collect these scattered losses. Thus, by complementing quantum mechanical restriction imposed on a potential eavesdropper with realistic restrictions stemming from the development of technology, we narrow the class of attacks that have to be considered down to attacks utilizing deliberate local interventions. Moreover, relying on the end-to-end loss control method proposed in [10], legitimate users can detect these local intrusions. Remarkably, we find that our approach enables legitimate users to employ higher signal intensities and radically improves key distribution rates.

We demonstrate the high quantum cryptography potential that can be realized utilizing the physical end-to-end control without making strong assumptions about the eavesdropper’s capabilities. These assumptions will be explored in depth in Section 2 and Section 3. Section 4 describes the scheme utilized in Section 5 and Section 6 for analyzing the influence of the proposed method on BB84 and COW QKD protocols, respectively. Section 7 provides the comparison of the proposed loss control technique with the conventional decoy-state approach, Section 8 touches upon the limitations of our approach and, finally, Section 9 presents our conclusions.

2. Eavesdropping of Natural Losses

Most of the QKD realizations leverage telecom equipment and employ optical fiber as a transmission channel. The losses in the fiber channel stem predominantly from the Rayleigh scattering, caused by homogeneously distributed quenched disorder. Building on Quantum Thermodynamics considerations, see Ref. [10], we argue that these natural losses cannot be effectively harvested by Eve. We carry out an illustrative analysis, the results of which show that efficient eavesdropping of natural losses would require the length of the collection apparatus that is impossible to practically realize at the present level of technology.

In the most QKD protocols, the classical information is encoded via the parameters of the coherent states. We thus set that the bits 0 and 1 are encoded by the coherent states $|{\gamma }_0\rangle$ and $|{\gamma }_1\rangle$, respectively. Let us consider a fiber channel segment of the length l. In the absence of local leakages, the fraction of the signal scattered at this segment is given by

$$r_l=1-{10}^{-\xi l},$$

(1)

where $\xi =0.02{\mathrm{km}}^{-1}$ is the attenuation constant typical for fiber. Then, in order to obtain information, Eve has to be able to distinguish between the equiprobable effective lost components $|\sqrt{r_l}{\gamma }_0\rangle$ and $|\sqrt{r_l}{\gamma }_1\rangle$. The maximum amount of information $I_l$ that can be extracted from these states is upper-bounded by the fundamental Holevo quantity $\chi$ [11], which in this case can be written as

$$I_l\le \chi =h_2\left(\frac{1-\left|\langle \sqrt{r_l}{\gamma }_0|\sqrt{r_l}{\gamma }_1\rangle \right|}{2}\right),$$

(2)

where $h_2\left(x\right)=-x{log}_{2}x-(1-x){log}_2(1-x)$ is binary entropy.

When considering protocols that utilize phase-randomized coherent states, such as practical realizations of BB84, where information is carried by polarization, we assume that Eve acquires a bit each time when a non-zero count of photons is retrieved from the scattered signal. Thus, the average information associated with the bit is defined by the Poisson statistics

$$I_l\le 1-e^{-r_l{\left|\gamma \right|}^2},$$

(3)

where ${\left|\gamma \right|}^2$ is the average photon number in each signal pulse regardless of the encoded bit value.

Figure 1 depicts the information leakage, attributable to Rayleigh scattering, as a function of l. Three curves correspond to distinct types of protocols, differing by the physical parameters selected for information encoding, the intensity, phase, and polarization. We find that to gain a considerable informational advantage over the legitimate users, Eve would need to cover a line segment exceeding a hundred meters. This condition makes an undetectable attack utilizing the natural losses unfeasible.

Notably, in the case of the bit-encoding states with equal energies, like polarization or phase encoding methods, the provided upper bounds are significantly higher than the amount of information that can be practically extracted. In principle, a potential eavesdropper may measure the losses from each scattering center individually. However, the resulting precision will be completely obscured by the quantum noise, and the obtained information will be much smaller than information estimations of Equations (2) and (3). Thus, a collective measurement unifying, for efficacy, all occurring losses into one narrow wave packet with the amplitude $\sqrt{r_l}{\gamma }_{0,1}$ is necessary for approaching the upper bounds. This problem is comparable, in its complexity, with reversing the evolution of a scattered wavefront [12,13,14,15].

3. Line Tomography

The line tomography as a constituent part of the key distribution process was originally proposed and thoroughly discussed in Ref. [10]. In this section, we briefly outline its basis and discuss its inalienable components. In our approach, losses other than natural are monitored through line tomography. By accurately quantifying the exploitable leakages, users precisely identify the amount of information potentially intercepted by Eve. This knowledge enables them to execute the most efficient privacy amplification procedure, thus, enhancing key distribution rates. Furthermore, it allows Alice and Bob to appropriately modify the parameters of the bit-encoding quantum states, making them less discernible to Eve, which, as we will show later, boosts the key rates even further.

Line tomography involves two distinct procedures: Optical Time-Domain Reflectometry (OTDR) and transmittometry, both of which contribute to a comprehensive knowledge of the losses in the line. Each component utilizes high-intensity test pulses which are dispatched at high frequencies, running concurrently with the bit-encoding states.

The OTDR is based on recording backscattered optical radiation from test pulses that travel through the fiber. The distance to a particular scattering point is calculated by measuring the time delay of its arrival, while the intensity of the backscattered signal provides information about the magnitude of any detected leakage. Figure 2 sketches an exemplary reflectogram (upper trace) and the corresponding loss tomogram (lower trace). The tomogram is derived from the reflectogram by fitting it with a combination of a linear decline function, representing natural losses (keep in mind that the reflectogram is a semi-log plot), and weighted step-like functions. The tomogram maps the discrete derivative values of the step-like functions to the respective positions, thus pinpointing the local leakages. To achieve the loss detection accuracy of 0.5% and better test pulses must comprise about ${10}^{11}$ photons, while the time duration of a pulse is about 1 $\mathsf{\mu }$s and wavelength $\lambda$ is 1530 nm.

At the same time, transmittometry detects the transmitted components of the test pulses, enabling a cross-comparison of input and output intensities between the users. Although this method does not allow users to identify the exact locations of local leakages, it does provide the total leakage value $r_{\mathrm{E}}$, calculated using the a priori known baseline of natural losses. Transmittometry can be further enhanced by modulating test pulses at high frequencies, similar to what is used in the lock-in technique. The test pulses’ modulation is primarily needed to suppress the $1/f$ low-frequency noise of the laser emission. Analyzing the peaks of input and output spectral power corresponding to the modulation frequency (∼MGz) allows users to calculate the lost proportion of the light. The $1/f$ noise is effectively suppressed, which enhances the accuracy of transmittometry. The fiber structure and hence line tomogram are physically unclonable functions [16]. Thus, global actions by Eve, such as substituting the line with a lossless channel or completely blocking certain signals, can be readily detected due to their significant impact on the line tomogram. We discuss this issue in detail in [10,16]. Consequently, these drastic Eve’s actions would not provide an efficient method to interfere, since in case of these actions, the key generation will be immediately terminated by the legitimate users. Therefore, Eve’s interventions are limited to creating minor local leakages which, however, are accurately measured by users and, correspondingly, are taken into account. Note that Eve is not able to selectively skip the high-intensity test pulses while being able to seize the low-intensity signal pulses, since physical detection of intensity requires her direct installation of splitters into the line. This would induce significant losses and significantly affect the reflectorgram of the line for a tangible period of time detectable by transmitometry. Moreover, measuring signal intensities causes time delays in the signal transmission from Alice to Bob which is also noticeable.

The primary constraint of the approach pertains to the accuracy of the loss control. Reflectometers are characterized by their resolution, which enables the localization of line discontinuities and the documentation of silica structure. If the resolution is not sufficient, the reflectogram, serving as an unclonable physical fingerprint of the line, would not enable registering some of the very localized anomalies in the line. Accumulating sufficient data to construct a meaningful reflectogram can also be time-intensive. Transmittometry provides an immediate update of the total effective loss magnitude, even before the reflectogram is fully constructed. Yet, its precision is restricted by line noises that need to be mitigated. Another limitation emerges when local line losses exceed a certain threshold at any point. In such cases, the transmission must be paused and the line inspected. This level of loss can indicate the potential installation of an interception equipment by Eve.

It is important to note that before starting the key generation process, Alice and Bob perform line tomography to determine the natural losses in the channel. Only at this preliminary step, the legitimate users must be certain that Eve does not introduce additional losses in the line. Eve may also exploit some of the predetermined leakages in the line, e.g., losses at connectors or fiber bends. For a particular line, such leakages have to be taken into account and added to the total leakage $r_{\mathrm{E}}$.

4. Analysis Scheme

Line tomography can be applied to a wide range of the QKD protocols and enable legitimate users to optimize the parameters of the bit-encoding states and post-processing and, thus, to significantly enhance the key rate, all while maintaining the same security threshold. Modified intensities of the bit-encoding pulses depend on the loss detection accuracy and may reach ${10}^2$ photons per pulse (see Figure A1 and Figure A2 for details). However, the specifics of each protocol do affect how the improved key rates are calculated. Depending on whether the protocol incorporates randomization of the bit-encoding states’ phases [17,18,19,20] or not, the prepare-and-measure QKD protocols can be divided into two categories.

The first category includes protocols that employ quantum systems having a finite Hilbert space, specifically, qubits. In the ideal scenario, these protocols would use single photons for encoding. Despite the latest achievements in single photon sources for QKD, e.g., based on quantum dots [21], the weak phase-randomized coherent states are often utilized in the practical realization of these protocols, since they are more available and easier to exploit. The well-known examples of protocols of this group include the Decoy-State BB84 [1,2,3,4,5,22,23], Six-State [24], T-12 [25,26], and SARG04 [27]. One of the most powerful attacks on these protocols is the photon number splitting (PNS) attack [5,27,28,29] which allows Eve to collect surplus photons from the multiphoton pulses and forward the rest photons to Bob via a lossless channel. This attack provides an upper bound for the secret key rate, which, remarkably, together with the optimal single-photon attack, turns out to be the lower bound for the Decoy-state BB84 [5].

The second category includes protocols that encode information using pure coherent states and do not involve phase randomization. Protocols that fall under this category include Coherent One-Way protocols [6,7,8,30], early versions of the Differential Phase Shift protocols [31,32], Strong Reference B92 protocols [33,34,35] and Y-00 protocols [36,37]. The full security proof includes analysis of a general coherent attack, but to upper-bound the key generation rate in these protocols, we may consider the beam-splitting (BS) attack [38,39,40], in which Eve steals the portion of the signal expected to be lost in the line and then retransmits the remaining part to Bob through an ideal channel.

In the following analysis, we deal with the influence of the loss control approach on two distinct protocols: the Decoy-State BB84 and Coherent One-Way protocols, each exemplary of one of the two identified groups. The approach used in these protocols enables legitimate users to separate artificial losses from natural ones and, thus, precisely estimate the information available to Eve. This refined estimation results in a less destructive reduction of the key length during the privacy amplification stage (compared to the original versions of the protocols). We show that the improvement of privacy amplification in itself leads to a boost in the key generation rates for the considered protocols. Moreover, loss control allows legitimate users to utilize higher intensities of the signal states. We analyze the influence of the intensities increase on the key generation rate and show that it leads to additional enhancement without sacrificing the everlasting security of the resulting key (see Section 8).

For the modified versions of the protocols, we primarily focus on the most feasible type of attack, the local leakage modeled by the beam-splitter. Given that photons are chargeless, the only practicable method for an eavesdropper to interact with the transmitted signal is the altering the fiber medium. Consequently, any attack strategies that deviate from local leakage attacks would necessitate significant changes to the line tomogram. Such alterations would trigger the protocols to cease operations, assuming that the resolution of the line tomography is sufficient to enable users to detect and pinpoint any modifications to the fiber medium.

5. The BB84 Protocol

We begin our analysis with the Decoy-State BB84, an exemplary QKD protocol using phase randomization. Our objective is to determine the achievable key rates, first in the presence, and then in the absence of the line tomography. In this protocol, Alice encodes random bits utilizing four distinctive quantum states. These states constitute two sets of mutually unbiased orthonormal basises, namely the eigenbasis of the Pauli matrices, ${\sigma }_x$ and ${\sigma }_z$. The first set, X, consists of the ${|0\rangle }_x$ and ${|1\rangle }_x$ states; the second set, Z, contains ${|0\rangle }_z=\left({|0\rangle }_x+{|1\rangle }_x\right)/\sqrt{2}$ and ${|1\rangle }_z=\left({|0\rangle }_x-{|1\rangle }_x\right)/\sqrt{2}$ states. Bob receives each state, guesses the basis with the 50% success rate, and measures the states accordingly. Once all measurements are completed, Alice discloses the correct basises, leading the users to discard any bit positions where the guessed and actual basises do not align. The remaining bit sequence undergoes post-processing to correct errors and eliminate the leaked information. A visual layout of the protocol is depicted in Figure 3a.

Initially, the BB84 protocol was designed to be implemented via single-photon states [1]. The security of such a realization was strictly proven [41,42,43], yet, practical implementation of a single-photon generator is the highly demanding engineering task and, in practice, phase randomized weak coherent states are utilized as information carriers instead of single-photon pulses [44,45,46]. Due to phase randomization, a mixed state $\widehat{\rho }$, a statistical mixture of the Fock photon-number states, is sent each time instead of the pure coherent state $|\gamma \rangle$,

$$\widehat{\rho }=\frac{1}{2\pi }\underset{0}{\overset{2\pi }{\int }}d\phi |\gamma e^{i\phi }\rangle \langle \gamma e^{i\phi }|=\sum _{n=0}^{\infty }{P}_{\gamma }\left(n\right)|n\rangle \langle n|,$$

(4)

where $|n\rangle$ is the n-photon Fock state and $P_{\gamma }\left(n\right)=e^{-{\left|\gamma \right|}^2}{\left|\gamma \right|}^{2n}/n!$ is the Poisson distribution [29].

Thus, with the probability $P_{\gamma }\left(0\right)$, Alice sends a vacuum state to the optical line. With the probability $P_{\gamma }\left(1\right)$, she sends a single-photon state and with the probability $1-P_{\gamma }\left(0\right)-P_{\gamma }\left(1\right)$, she sends a multi-photon state. The presence of the multi-photon pulses allows Eve to perform the photon-number splitting (PNS) attack which involves replacing the original quantum channel with an ideal, lossless one and performing the non-demolition photon-number measurement [18,28,29]. Eve collects one photon from each of the multi-photon pulses and stores the obtained photons in quantum memory until the basis reconciliation stage. In order to compensate for the additional losses created during the PNS attack, Eve is to send the remaining photons to Bob via an ideal channel. The condition $\langle 0_x|1_x\rangle =\langle 0_z|1_z\rangle =0$ enables Eve to distinguish between the logical bits ‘0’ and ‘1’ without a mistake by carrying out the measurement over kept photon in an appropriate basis. Hence, only single-photon pulses emitted by Alice’s laser guarantee secure key distribution. In order to estimate the contribution to the raw key provided by the single-photon pulses, legitimate users have to implement the decoy-state method [3,4,5] which involves sending the additional pulses differing in intensities from the signal ones and analyzing their parameters at the receiver’s side.

5.1. Secret Key Rate in Modified BB84

Adopting the proposed method based on the losses monitoring in the BB84 protocol, we build up the efficiency of the protocol, since Eve’s attacks get restricted to inflicting local artificial losses that are not disruptive enough to be noticed by the line tomography. An eavesdropper may store intercepted photons until basis reconciliation and apply optimal measurement to obtain full information about a bit. Thus, whenever at least one photon is intercepted, Eve knows the bit value of the raw key:

$$I\left(\mathrm{A},\mathrm{E}\right)=\sum _{n=1}^{+\infty }{P}_{\sqrt{r_{\mathrm{E}}}\gamma }\left(n\right)=1-P_{\sqrt{r_{\mathrm{E}}}\gamma }\left(0\right)=1-e^{-r_{\mathrm{E}}{\left|\gamma \right|}^2},$$

(5)

where $r_{\mathrm{E}}$ is the portion of the signal that Eve may seize imperceptibly. In case of obtaining the conclusive result, receiving a non-zero number of photons, and correctly guessing Alice’s basis choice, Bob obtains full information about the bit value as well. If $D_{\mathrm{AB}}$ is the distance between Alice and Bob, the transmittance of the whole optical line is determined as $T={10}^{-\xi D_{\mathrm{AB}}}$, $\xi =0.02{\mathrm{km}}^{-1}$. Thus, the probability of the conclusive result is

$$p_{✓}=\frac{1}{2}\left(1-P_{\sqrt{T(1-r_{\mathrm{E}})}\gamma }\left(0\right)\right)=\frac{1}{2}\left(1-e^{-T(1-r_{\mathrm{E}}){\left|\gamma \right|}^2}\right).$$

(6)

In such a case, Bob’s information about Alice’s raw key, i.e., about the bit string Alice obtains after the post-selection stage, is $I(\mathrm{A},\mathrm{B})=1-(h_2\left(p_{\mathrm{err}}^x\right)-h_2\left(p_{\mathrm{err}}^z\right))/2$, where $p_{\mathrm{err}}^x$ and $p_{\mathrm{err}}^z$ is error probabilities in the bases x and z respectively. The analysis of errors’ influence is provided in Appendix C. Applying the Devetak-Winter equation [47], we explicitly calculate the final key generation rate $L_f$ for the modified version of the protocol

$$\begin{array}{c}{L}_f\ge L{p}_{✓}·\left(I\left(\mathrm{A},\mathrm{B}\right)-I\left(\mathrm{A},\mathrm{E}\right)\right)\\ =\frac{L}{2}·\left(1-\frac{1}{2}{h}_2\left(p_{\mathrm{err}}^x\right)-\frac{1}{2}{h}_2\left(p_{\mathrm{err}}^z\right)-e^{-T(1-r_{\mathrm{E}}){\left|\gamma \right|}^2}\right)·e^{-r_{\mathrm{E}}{\left|\gamma \right|}^2},\end{array}$$

(7)

where L is the rate at which Alice’s random number generator produces bits. This key generation rate estimation can be optimized over signal intensity ${\left|\gamma \right|}^2$. Optimal intensity for Equation (7) is depicted in Figure A1 of Appendix A.

5.2. Comparison with Standard Decoy-State BB84

For the unmodified version of the Decoy-State BB84 protocol, we provide the upper bound on the secret key generation rate, see Appendix B for details,

$$L_f^{\mathrm{orig}}\le L·\frac{1}{2}\left[{T\left|\gamma \right|}^2{e}^{-{\left|\gamma \right|}^2}-\left(1-e^{-{T\left|\gamma \right|}^2}\right)\frac{1}{2}\left(h_2\left(p_{\mathrm{err}}^x\right)+h_2\left(p_{\mathrm{err}}^z\right)\right)\right].$$

(8)

Figure 4 shows the dependence of the key rate on the distance between legitimate users $D_{\mathrm{AB}}$ for original and modified versions of the BB84. Precise estimation of Eve’s information, which our method provides, enables legitimate users to exploit signal pulses with dozens of photons (see Figure A1). At a distance of 200 km with today’s reflectometers one may reach the detection accuracy of 0.5% and enhance the performance of the protocol by about 100 times. Even in the pessimistic case of the detection accuracy, $r_{\mathrm{E}}=0.10$, one can boost the key generation rate several times. Also, Alice and Bob may monitor the losses and not tune the average photon number in the signal pulses. In this case, legitimate users, modifying only privacy amplification (dashed lines at Figure 4), increase the key generation rate more than 2 times. In comparison, the asymptotic behavior of the key rate provided by the PLOB at a 200 km distance is limited to values around ${10}^{-4}$, which is the order of magnitude lower than the rates achievable with the appropriate level of leakage detection accuracy. To conclude, a significant boost can be achieved without modifying the QKD equipment, one only needs to monitor the losses in the line and carry out more rational privacy amplification. It makes the QKD protocols available for a wide range of users at the present time.

6. Coherent One-Way Protocol

In the COW protocol, see Figure 5a, Alice utilizes an attenuated laser and prepares coherent states with the intensity ${\left|\gamma \right|}^2$ to encode a random bit string into two-pulse sequences composed of the non-empty and empty pulses, $0\to |0\rangle |\gamma \rangle ,1\to |\gamma \rangle |0\rangle$. Through the optical fiber, prepared states are sent to Bob, who measures them by single photon detector ${\mathrm{D}}_{\mathrm{B}}$. The detector monitors the pulses’ arrival time, according to which Bob makes bit decisions. Since the coherent and vacuum states are non-orthogonal, the detector ${\mathrm{D}}_{\mathrm{B}}$ sometimes does not click on the non-empty pulses. Bob considers such measurement results as inconclusive and discards them at the post-selection stage.

Bob’s scheme also includes the interferometer, the long arm of which has the length assuring that the two non-empty neighboring pulses interfere at the last beam-splitter (see Figure 5a). Thus, the detector ${\mathrm{D}}_{\mathrm{M}2}$ does not react to the arriving pulse sequence of the form $|\gamma \rangle |\gamma \rangle$, contained in the sequence corresponding to logical bits “01” ($|0\rangle |\gamma \rangle |\gamma \rangle |0\rangle$). If an eavesdropper blocks a part of such a sequence, the visibility between detectors ${\mathrm{D}}_{\mathrm{M}2}$ and ${\mathrm{D}}_{\mathrm{M}1}$ will inevitably change. As a result, the attacks that include blocking a part of transmitted pulses in the original scenario of the COW can be potentially detected by sending the control states $|\gamma \rangle |\gamma \rangle$.

6.1. Secret Key Rate in Modified COW

Next, we delve into the analysis of the COW in the context of the loss control approach that restricts the eavesdropper’s actions to local interventions in the line (see Figure 5b). If $r_{\mathrm{E}}$ is the minimal detectable artificial leakage, an eavesdropper has to measure the states from the ensemble $|\sqrt{r_{\mathrm{E}}}\gamma \rangle |0\rangle ,|0\rangle |\sqrt{r_{\mathrm{E}}}\gamma \rangle$, the Holevo quantity [11] $\chi$ of which upper-bounds the mutual information between Alice and Eve

$$I\left(\mathrm{A},\mathrm{E}\right)\le \chi =h_2\left(\frac{1-{\left|\langle 0|\sqrt{r_{\mathrm{E}}}\gamma \rangle \right|}^2}{2}\right).$$

(9)

In this context, Eve does not introduce any errors in the raw key. Hence, when Bob obtains a conclusive measurement result, the mutual information between Alice and Bob is one bit: $I\left(\mathrm{A},\mathrm{B}\right)=1$, here we neglect the dark counts in detectors and other equipment’s imperfections. The probability that measures a single bit-carrying signal through which Bob gets a conclusive outcome is determined by the Poisson statistics of the coherent state $|\sqrt{T(1-r_{\mathrm{E}})}\gamma \rangle$ 

$$p_{✓}=1-{\left|\langle 0|\sqrt{T(1-r_{\mathrm{E}})}\gamma \rangle \right|}^2=1-e^{-T(1-r_{\mathrm{E}}){\left|\gamma \right|}^2}.$$

(10)

After post-selection and privacy amplification procedures, the length of the final key $L_f$ is also calculated according to the Devetak-Winter approach

$$L_f=p_{✓}L·\left(I\left(\mathrm{A},\mathrm{B}\right)-I\left(\mathrm{A},\mathrm{E}\right)\right)\ge p_{✓}L·\left(1-h_2\left(p_{\mathrm{err}}\right)-h_2\left(\frac{1-e^{-r_{\mathrm{E}}{\left|\gamma \right|}^2}}{2}\right)\right).$$

(11)

6.2. Comparison with Original COW

To find an upper bound of the key rate in the original protocol, it is sufficient to consider any of the possible eavesdropping attacks. We consider the beam-splitting (BS) attack which is not the most optimal eavesdropping on the COW but which is a suitable reference since in our approach such an attack appears to be a basic one. As an example of a more powerful attack, we mention the one based on the soft filtering operation [40]. We analyze the BS attack, in which Eve replaces the optical line with the ideal one and intercepts the signal’s part expected to be lost. Thus, Eve, simulating the natural losses in the channel with a proportion of $1-T$, has to distinguish between states $|\sqrt{1-T}\gamma \rangle |0\rangle ,|0\rangle |\sqrt{1-T}\gamma \rangle$. The maximum information that Eve can obtain, on average, about Alice’s bit is bounded by the Holevo quantity, which for pure equiprobable states has the form

$$I\left(\mathrm{A},\mathrm{E}\right)\le \chi =h_2\left(\frac{1-{\left|\langle 0|\sqrt{1-T}\gamma \rangle \right|}^2}{2}\right).$$

(12)

Similarly to the previous consideration of the local leakage $r_{\mathrm{E}}$, errors will not occur for the conclusive results at Bob’s side ($I\left(\mathrm{A},\mathrm{B}\right)=1$). The probability of a conclusive outcome is determined by the Poisson statistics of the coherent state $|\sqrt{T}\gamma \rangle$ 

$$p_{✓}=1-{\left|\langle 0|\sqrt{T}\gamma \rangle \right|}^2=1-e^{-{T\left|\gamma \right|}^2}.$$

(13)

Thus, the resulting key generation rate for the BS-attack can be estimated as follows

$$L_f^{\mathrm{orig}}\le p_{✓}L·\left(I\left(\mathrm{A},\mathrm{B}\right)-I\left(\mathrm{A},\mathrm{E}\right)\right)=p_{✓}L·\left(1-h_2\left(p_{\mathrm{err}}\right)-h_2\left(\frac{1-e^{-{(1-T)\left|\gamma \right|}^2}}{2}\right)\right).$$

(14)

Figure 6 displays the result of numerical simulations for the COW with the loss control approach and the original version of the protocol. The normalized key rate $L_f/L$ is depicted as a function of the transmission distance $D_{\mathrm{AB}}$ for different values $r_{\mathrm{E}}$: 0.005, 0.01, 0.10. For each portion of the stolen signal, $r_{\mathrm{E}}$, and distance $D_{\mathrm{AB}}$, the optimal intensity ${\left|\gamma \right|}^2$ is found to maximize the key rate determined by Equation (11). Applying the loss control approach allows for an increase in the intensity of signal pulses up to dozens of photons, see Figure A2 of Appendix A, and significantly boosts the key rate compared to the original version of the COW. The modified protocol produces a higher key rate even in the pessimistic case where Eve gets stolen about 10% of the signal. At a distance of 200 km and leakage detection precision $r_{\mathrm{E}}=0.005$, the COW performance can be improved about 100 times in terms of key rates. Without modifying the signal average photon number, legitimate users can double the achievable key generation rate, see dashed lines at Figure 6. Again, if we are able to ensure the loss control of the level $r_{\mathrm{E}}<0.1$, we can overcome the PLOB bound.

7. Loss Control Compared to the Decoy-State Method

The decoy-state method, utilized in the BB84, allows for legitimate users to detect, by estimating the number of non-blocked single-photon pulses, Eve’s attacks using the complete blocking of some transmitted states. This method, employing decoy pulses with intensities different from ones in the bit-encoding states, is mostly aimed to cope with the PNS attack that appears to be highly relevant in the context of the experimental QKD realizations. Our approach also exploits special test pulses in addition to the signal ones but allows us to detect a wider spectrum of eavesdropping attacks. Based on the natural losses analysis and on the infeasibility of their exploitation, we step beyond the conventional decoy-state method and acquire the ability to determine the portion of the signal available to Eve. Precise estimate of the eavesdropper’s information in the proposed approach leads to the less destructive compression of the key during the privacy amplification stage and allows for the utilization of bit-encoding states with hundreds of photons.

8. Beyond the Prepare-and-Measure QKD

In our work, we concentrate on the enhancement of the prepare-and-measure QKD protocols. Notably, protocols belonging to other classes can be modified as well. One can consider the Twin-Field (TF) QKD protocol [48] as an example. The working principle of the TF-QKD lies in sending the quantum state from Alice and Bob to the intermediate measurement point. The setting is equivalent to using one quantum repeater that results in overcoming the PLOB bound. Applying our approach to the TF-QKD protocol, legitimate users may monitor the losses from both ends of the line and, thus, they can produce secret keys with rates significantly exceeding the ones achieved in the state-of-the-art realizations [49,50,51,52,53,54,55,56].

It is important to clarify that our approach is formulated in the framework of the device-dependent QKD (according to the definition by R. Renner [57]), protocols that rely “on the exact specification of the deployed devices for their security proof”. Examples of such protocols are all the prepare-and-measure and the entanglement-based QKD. Our method is more device-dependent than conventional QKD protocols since we also rely on the OTDR and transmittometry devices (see

Table 1. Cryptography approaches comparison. Post-quantum cryptography, Point-to-point QKD, MDI QKD and Point-to-Point with loss control have different properties with regard to key rate, everlasting security and device dependency. In the table, “✓” means that key generated by a particular method is secure in time and resistant to both software and hardware future developments, while “✗” means that the key does not posses the everlasting security property.

	Secret Key Rate	Everlasting Security	Device Dependency
Post-quantum cryptography	high	✗	—
Point-to-point QKD	relatively low	✓	relatively high
MDI QKD	low	✓	medium
Point-to-point QKD with loss control	relatively high	✓	high

). Thus, protocols that belong to the device independent QKD [58,59,60,61,62] including the MDI variant of the Twin-Field QKD [63] are beyond the framework of our work. Nevertheless, the key generated using our approach is everlastingly secure, meaning that the key remains secret in time even against the non-existing technologies or attacks [64,65,66,67].

9. Discussion

The fundamental PLOB bound [9] of the key rate arises from the fact that all losses occurring in a quantum channel can be effectively measured by an eavesdropper. In this paradigm, protocols that do not exploit quantum repeaters provide relatively small key rates at hundreds of kilometers. Aimed at deflecting known attacks associated with channel losses, our approach acknowledges that it is unfeasible to gain information from natural losses. At the same time, we assert that any intrusive actions by a global eavesdropper, like substituting a channel with an ideal one, can be detected via line tomography. As a result, Alice and Bob separate the natural losses from local artificial leakages and determine the part of the signal available to an eavesdropper. Legitimate users, thus, may carry out privacy amplification with a less destructive reduction of the key length. This complements the results of [68] devoted to secret key rate increase observed under another kind of technological constraints imposed on a potential eavesdropper. While, in this paper, we do not consider the efficiency of the methods combination, we see it as a promising area for future research.

Intriguingly, it turns out that our approach also allows the users to increase the average photon number in bit-encoding states. This method, as we illustrate in the context of the COW and BB84 protocols, leads to a substantial enhancement in the key generation rate. At a distance of 200 km our method provides a 100 times higher key rate than the original versions of the protocols. Based on the proposed approach, with the appropriate level of leakage detection, we can potentially overcome the PLOB bound without exploiting quantum repeaters or devices acting as repeaters, for example, amplifiers. To overcome PLOB, we do not introduce mathematical modifications in existing analysis but change the model of the key generation process by relying on physically motivated assumptions.

Notably, while our method is applied to the existing QKD recipes and is based on the physics-motivated assumptions about the eavesdropper’s opportunities, we leave an information-theoretical security proof for the increased photon number method, as well as a more formal security treatment, taking into account non-asymptotic effects, for our forthcoming work.