Optica Publishing Group

Biased decoy-state measurement-device-independent quantum cryptographic conferencing with finite resources

Open Access

Abstract

In recent years, a large quantity of work has been done to narrow the gap between theory and practice in quantum key distribution (QKD). However, most of it focuses on two-party protocols. Very recently, Yao Fu et al. proposed a measurement-device-independent quantum cryptographic conferencing (MDI-QCC) protocol and proved its security in the limit of infinitely long keys. As a step towards practical application of MDI-QCC, we design a biased decoy-state measurement-device-independent quantum cryptographic conferencing protocol and analyze the performance of the protocol in both the finite-key and infinite-key regimes. From numerical simulations, we show that our decoy-state analysis is tighter than that of Yao Fu et al. That is, we can achieve a nonzero asymptotic secret key rate at long distances of approximately 200 km, and we also demonstrate that with a finite size of data (say $10^{11}$ to $10^{13}$ signals) it is possible to perform secure MDI-QCC over reasonable distances.

© 2016 Optical Society of America

1. Introduction

Quantum key distribution (QKD) [1,2] allows two authorized parties, Alice and Bob, to generate secret keys in the presence of an eavesdropper who may have unlimited computing resources and technological advances. Theoretically, the unconditional security of QKD is guaranteed by the laws of quantum mechanics [3–5]. However, imperfections of the QKD devices bring about differences between the theoretical and practical security of QKD. Indeed, especially by exploiting imperfections in the detectors of practical realizations, several specific attacks [6–14] have been successfully launched against practical QKD systems.

To fill this gap between theory and practice, Lo, Curty and Qi [15] proposed an innovative scheme, measurement-device-independent QKD (MDI-QKD), that removes all detector side-channel attacks. Since then, a quantity of work in both theory [16–27] and experiment [28–33] has been done to push MDI-QKD from idea to application. However, almost all of these are so-called two-party protocols, that is, they distribute a secret key between two authorized parties, Alice and Bob. Yet multiparty quantum communication protocols do exist, such as quantum cryptographic conferencing (QCC) [34–36], quantum secret sharing (QSS) [37–43] and third-man quantum cryptography [44]. Even with state-of-the-art technologies, all of them still face the same constraints: the lack of a high-intensity source and of remote reliable distribution of the GHZ states.

Fortunately, Yao Fu et al. recently proposed a feasible scheme called measurement-device-independent quantum cryptographic conferencing (MDI-QCC) [23], which manifests the possibility of practical applications of multiparty quantum communication with measurement-device-independent (MDI) [15] technologies. More concretely, MDI-QCC is a protocol for multiparty QKD [34] that combines the decoy-state [45–47] and MDI technologies, so that a common secret key is securely shared among the legitimate users. As an example of an MDI-QCC scheme (see Fig. 1), each of Alice, Bob and Charlie prepares quantum states with weak coherent pulses (WCPs), just the same as the states in the BB84 protocol [48], and sends them to an untrusted fourth party located in the middle node, David. David is supposed to perform a GHZ-state measurement, which projects the incoming signals into a GHZ state, and to broadcast the measurement result. In MDI-QCC, the measurement setting is only used to post-select entanglement [23] (in an equivalent virtual protocol) among Alice, Bob and Charlie, so all detector side-channel attacks are removed.

Fig. 1 MDI-QCC scheme. Alice, Bob and Charlie encode their bits in the polarization degrees of freedom of phase-randomised WCPs and David uses the linear optics quantum relay which is assumed to identify two of the eight GHZ states.

In practical situations, a real QKD system runs for a finite time, which leads to the finite-size effect in data processing. This problem has recently drawn increasing attention, and tight finite-key analyses for typical standard QKD [49–57] have been derived. Of these, Tomamichel et al. [56] presented a tight finite-key analysis of the BB84 protocol based on the uncertainty relation for smooth entropies, and this method has been extended to protocols such as the passive decoy-state protocol [58], one-sided device-independent QKD [59] and the B92 protocol [60] in the finite regime.

Here, we would like to point out that in the MDI-QCC protocol given by Yao Fu et al., the security bound is given in the asymptotic limit and the probability of choosing each basis is balanced. It is well known that biased basis choices contribute to the secret key rate, as indicated by the proposed efficient decoy-state BB84 protocol. Thus, in this paper we design a biased decoy-state MDI-QCC protocol and analyse the performance of the protocol in both the finite-key and infinite-key regimes.

The rest of this paper is organized as follows. In Sec. 2, we put forward the protocol of biased decoy-state MDI-QCC in detail. Sec. 3 introduces the method and formulas that are used in our finite-key analysis. The numerical simulation for our results is shown in Sec. 4 and the conclusion is summarized in Sec. 5.

2. Protocol definition

The setup is illustrated in Fig. 1. Alice, Bob and Charlie generate quantum states with phase-randomised laser separately. Each pulse is prepared in a BB84 state with biased bases, denoted as Z and X. The states are sent to the fourth party—an untrusted relay David located in the middle node. David is supposed to perform a GHZ-state measurement.

Next, David announces whether or not his measurements are successful and which GHZ state he obtained. Alice, Bob and Charlie keep the data that correspond to the instances where the relay outputs successful results and they use the same basis in their transmission. Finally, Alice flips part of her bits. Then Alice, Bob and Charlie share the same cryptographic conferencing raw key. It should be pointed out that the GHZ entanglement purification technique [61–63] guarantees the information-theoretic security of our multiparty quantum communication protocol. A detailed description of the biased decoy-state MDI-QCC protocol is presented below.

  1. State Preparation. Alice, Bob and Charlie repeat the first four steps of the protocol for $i = 1, \ldots, N$ until the conditions in the Sifting step are met. For each $i$, Alice chooses an intensity $u_i^a \in U := \{\mu, \upsilon, 0\}$ with probability $p_{a_i} \in W := \{p_\mu, p_\upsilon, p_0\}$, a basis $\alpha_i^a \in \{Z, X\}$ with probability $q_{a_i} \in \{p_Z = 1 - p_X, p_X\}$ and a random bit $k_i \in \{0, 1\}$. Next, she generates a quantum signal (e.g., a phase-randomised WCP) of intensity $\mu_i^a$ prepared in the basis $\alpha_i^a$ given by $k_i$. Likewise, Bob and Charlie do the same. That is, Bob (Charlie) also generates a quantum signal of intensity $\mu_i^b$ ($\mu_i^c$) prepared in the basis $\alpha_i^b$ ($\alpha_i^c$) given by $k_i$.
  2. Distribution. Alice, Bob and Charlie send their quantum signals to the untrusted fourth party David located in the middle node.
  3. Measurement. David performs a GHZ-state measurement which projects the incoming signals into a GHZ state. He only identifies two of the eight GHZ states, which are $|\Phi_0^+\rangle = \frac{1}{\sqrt{2}}(|HHH\rangle + |VVV\rangle)$ and $|\Phi_0^-\rangle = \frac{1}{\sqrt{2}}(|HHH\rangle - |VVV\rangle)$. In any case, he announces whether or not his measurement was successful. If successful, he reveals which GHZ state he obtained. Notice that Alice performs a bit flip only if all of Alice, Bob and Charlie choose the X basis and David obtains the GHZ state $|\Phi_0^-\rangle$. The data of the Z basis are used to generate the cryptographic conferencing keys, while the data of the X basis are used entirely to estimate errors.
  4. Sifting. If David declares a successful measurement, Alice, Bob and Charlie broadcast (via an authenticated channel) the intensity and the basis settings they chose. Alice, Bob and Charlie divide the raw key into the following three sets:
    $$N_{000} := \{ i : (u_i^a = 0) \wedge (u_i^b = 0) \wedge (u_i^c = 0) \wedge (k'_i \in \{0,1\}) \}$$
    $$X_{\alpha\beta\gamma} := \{ i : (u_i^a = \alpha) \wedge (u_i^b = \beta) \wedge (u_i^c = \gamma) \wedge (\alpha_i^a \alpha_i^b \alpha_i^c = XXX) \wedge (k'_i \neq \emptyset) \} \quad (\alpha\beta\gamma \neq \mu\mu\mu,\ \alpha\beta\gamma \neq 000)$$
    $$Z_{\alpha\beta\gamma} := \{ i : (u_i^a = \alpha) \wedge (u_i^b = \beta) \wedge (u_i^c = \gamma) \wedge (\alpha_i^a \alpha_i^b \alpha_i^c = ZZZ) \wedge (k'_i \neq \emptyset) \} \quad (\alpha\beta\gamma \neq 000)$$
    where $k'_i \neq \emptyset$ indicates that David obtained a successful measurement. The protocol repeats these steps until $|N_{000}| \geq n_{000}$, $|X_{\alpha\beta\gamma}| \geq n_{\alpha\beta\gamma}^{X}$ and $|Z_{\alpha\beta\gamma}| \geq n_{\alpha\beta\gamma}^{Z}$, where $n_{000}$, $n_{\alpha\beta\gamma}^{X}$ and $n_{\alpha\beta\gamma}^{Z}$ are selected in advance and $\alpha, \beta, \gamma \in U$.
  5. Parameter Estimation. First, a raw key $(X_A, X_B, X_C)$ is generated by choosing a random sample of size $n_Z = \sum_{\alpha,\beta,\gamma \in U} n_{\alpha\beta\gamma}^{Z}$ of $Z = \cup_{\alpha,\beta,\gamma \in U} Z_{\alpha\beta\gamma}$, where $n_{000}^{Z} = n_{000}(1 - p_X)$ and $n_Z$ is the postprocessing block size. Note that all intensity settings Alice, Bob and Charlie chose in the Z basis are used to generate the raw key, and we can calculate the lower bound of $s_{111}^{Z}$ with decoy states. Second, they announce a random sample of size $n_X = \sum_{\alpha,\beta,\gamma \in U,\ \alpha\beta\gamma \neq 000} n_{\alpha\beta\gamma}^{X}$ of $X = \cup_{\alpha,\beta,\gamma \in U} X_{\alpha\beta\gamma}$ to compute the corresponding number of bit errors $w_{\alpha\beta\gamma}^{X}$. Note that with decoy states, we can also calculate the upper bound of $e_{111}^{X}$.
  6. Post Processing. First, let Alice's raw key be the standard. Bob and Charlie apply a one-way error correction scheme and correct their strings so that Bob's and Charlie's raw keys match Alice's. If error correction fails, they abort the protocol. Second, to make the leakage of information on the keys as small as possible, Alice randomly chooses a two-universal hash function to extract the final secret key. Then Bob and Charlie use the same two-universal hash function as Alice to extract the final secret key.

It should be noted that our protocol is clearly different from that of [23]. Firstly, in State Preparation, the biased probability of choosing each basis is explicitly characterized, whereas in the protocol definition of [23] the basis choice is balanced. Secondly, in Sifting and Parameter Estimation, we extract the raw key from all the data of the Z basis, while the data of the X basis are used entirely to estimate errors. That is, all intensity levels, including the vacuum states, decoy states and signal states in the Z basis, contribute to the raw keys in our protocol, which yields larger raw keys than in [23].

3. Finite-key analysis

In practical implementations of QKD, the number of signals used to draw a secure key is finite. This leads to the finite-size effect in real-life experiments, which means that various statistical fluctuations [53] exist in the parameter estimation step. Hence, in this paper we mainly consider the finite-size effect on the estimation of the single-photon yield and the single-photon error rate. For simplicity, we consider that the single-photon error rate $e_{111}^{X}$ caused by the three single-photon pulses in the X basis is equal to the phase error rate $e_{111}^{PZ}$ in the Z basis.

3.1. Single-photon detections

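We assume Alice (Bob and Charlie) has three sources $o_A, \upsilon_A, \mu_A$ ($o_B, \upsilon_B, \mu_B$ and $o_C, \upsilon_C, \mu_C$), which can only emit three different states $\rho_{o_A} = |0\rangle\langle 0|$, $\rho_{\upsilon_A}$, $\rho_{\mu_A}$ ($\rho_{o_B} = |0\rangle\langle 0|$, $\rho_{\upsilon_B}$, $\rho_{\mu_B}$, $\rho_{o_C} = |0\rangle\langle 0|$, $\rho_{\upsilon_C}$, $\rho_{\mu_C}$), respectively. Suppose

$$\rho_{\upsilon_A} = \sum_k a_k |k\rangle\langle k|, \quad \rho_{\mu_A} = \sum_k a'_k |k\rangle\langle k|$$
$$\rho_{\upsilon_B} = \sum_k b_k |k\rangle\langle k|, \quad \rho_{\mu_B} = \sum_k b'_k |k\rangle\langle k|$$
$$\rho_{\upsilon_C} = \sum_k c_k |k\rangle\langle k|, \quad \rho_{\mu_C} = \sum_k c'_k |k\rangle\langle k|$$
and we request that the states satisfy the following condition:
$$\frac{a'_k}{a_k} \geq \frac{a'_2}{a_2} \geq \frac{a'_1}{a_1}, \quad \frac{b'_k}{b_k} \geq \frac{b'_2}{b_2} \geq \frac{b'_1}{b_1}, \quad \frac{c'_k}{c_k} \geq \frac{c'_2}{c_2} \geq \frac{c'_1}{c_1}, \quad k \geq 2$$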

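Let $s_{nmk}^{Z}$ be the number of successful detections observed by David given that Alice sends n-photon states, Bob sends m-photon states and Charlie sends k-photon states, all in the Z basis. Also let $n_{\alpha\beta\gamma}^{Z}$ be the total number of successful detections observed by David when Alice, Bob and Charlie set the intensities $\alpha$, $\beta$, $\gamma$ in the Z basis, respectively. In the asymptotic limit, we have

$$n_{\alpha\beta\gamma}^{Z} = \sum_{n,m,k=0}^{\infty} p_{\alpha\beta\gamma|nmk}^{Z}\, s_{nmk}^{Z}, \quad \alpha, \beta, \gamma \in U$$
where
$$p_{\alpha\beta\gamma|nmk}^{Z} = \frac{p_{\alpha\beta\gamma,z}\, a_n b_m c_k}{\tau_{nmk}^{Z}}$$
$$\tau_{nmk}^{Z} = \sum_{\alpha,\beta,\gamma \in U} p_{\alpha\beta\gamma,z}\, a_n b_m c_k$$
$p_{\alpha\beta\gamma,z} = p_\alpha p_\beta p_\gamma p_Z$ and $p_\alpha, p_\beta, p_\gamma \in W$. $p_{\alpha\beta\gamma|nmk}^{Z}$ is the conditional probability of choosing the intensities $\alpha$, $\beta$, $\gamma$ given that Alice sent n-photon states, Bob sent m-photon states and Charlie sent k-photon states.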

Explicitly, consider the number of successful events corresponding to pulses from source $\mu_a\upsilon_b\upsilon_c$ ($\mu_a\mu_b\mu_c$) in the Z basis, that is, in the State Preparation step where Alice chooses an intensity $\upsilon_a$, Bob chooses an intensity $\mu_b$ and Charlie chooses an intensity $\upsilon_c$.

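$$n_{\mu_a\upsilon_b\upsilon_c}^{Z*} = p_\mu p_\upsilon p_\upsilon p_Z \left( a'_1 b_1 c_1 g_{111} + a'_1 b_2 c_1 g_{121} + G_{\mu_a\upsilon_b\upsilon_c} \right)$$
$$n_{\mu_a\mu_b\mu_c}^{Z*} = p_\mu p_\mu p_\mu p_Z \left( a'_1 b'_1 c'_1 g_{111} + a'_1 b'_2 c'_1 g_{121} + G_{\mu_a\mu_b\mu_c} \right)$$
where
$$\frac{n_{\mu_a\upsilon_b\upsilon_c}^{Z*}}{p_\mu p_\upsilon^2} = \frac{n_{\mu_a\upsilon_b\upsilon_c}^{Z}}{p_\mu p_\upsilon^2} - \frac{a'_0\, n_{0\upsilon_b\upsilon_c}^{Z}}{p_0 p_\upsilon^2} - \frac{b_0\, n_{\mu_a 0\upsilon_c}^{Z}}{p_\mu p_0 p_\upsilon} - \frac{c_0\, n_{\mu_a\upsilon_b 0}^{Z}}{p_\mu p_\upsilon p_0} + \frac{a'_0 b_0\, n_{00\upsilon_c}^{Z}}{p_0^2 p_\upsilon} + \frac{a'_0 c_0\, n_{0\upsilon_b 0}^{Z}}{p_0^2 p_\upsilon} + \frac{b_0 c_0\, n_{\mu_a 00}^{Z}}{p_\mu p_0^2} + \frac{2 a'_0 b_0 c_0\, n_{000}^{Z}}{p_0^3}$$
$$\frac{n_{\mu_a\mu_b\mu_c}^{Z*}}{p_\mu^3} = \frac{n_{\mu_a\mu_b\mu_c}^{Z}}{p_\mu^3} - \frac{a'_0\, n_{0\mu_b\mu_c}^{Z}}{p_0 p_\mu^2} - \frac{b'_0\, n_{\mu_a 0\mu_c}^{Z}}{p_0 p_\mu^2} - \frac{c'_0\, n_{\mu_a\mu_b 0}^{Z}}{p_0 p_\mu^2} + \frac{a'_0 b'_0\, n_{00\mu_c}^{Z}}{p_0^2 p_\mu} + \frac{a'_0 c'_0\, n_{0\mu_b 0}^{Z}}{p_0^2 p_\mu} + \frac{b'_0 c'_0\, n_{\mu_a 00}^{Z}}{p_0^2 p_\mu} + \frac{2 a'_0 b'_0 c'_0\, n_{000}^{Z}}{p_0^3}$$
and
$$G_{\mu_a\upsilon_b\upsilon_c} = \sum_{(n,m,k) \in G_0} a'_n b_m c_k\, g_{nmk}$$
$$G_{\mu_a\mu_b\mu_c} = \sum_{(n,m,k) \in G_0} a'_n b'_m c'_k\, g_{nmk}$$
$$g_{nmk} = \frac{s_{nmk}^{Z}}{\tau_{nmk}^{Z}} \quad (n \geq 1,\ m \geq 1,\ k \geq 1)$$
$$G_0 = \{ (n,m,k) \mid n \geq 1,\ m \geq 1,\ k \geq 1,\ n+m+k \geq 4,\ (n,m,k) \notin \{(2,1,1), (1,1,2)\} \}$$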

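In order to get a lower bound of $s_{111}^{Z}$, denoted as $s_{111}^{Z\mathrm{low}}$, we should derive the lower bound of $g_{111}^{Z}$, denoted as $g_{111}^{Z\mathrm{low}}$, with Eqs. (2) and (3). First, combining Eqs. (2) and (3), we obtain the expression of $g_{111}^{Z}$ by eliminating $g_{121}$:

$$g_{111}^{Z} = g_{111}^{Z\mathrm{low}} + \sum_{(n,m,k) \in G_0} f_{nmk}\, g_{nmk}^{Z}$$
where
$$g_{111}^{Z\mathrm{low}} = \frac{b'_2 c'_1 p_\mu^2\, n_{\mu_a\upsilon_b\upsilon_c}^{Z*} - b_2 c_1 p_\upsilon^2\, n_{\mu_a\mu_b\mu_c}^{Z*}}{a'_1 c_1 c'_1 (b_1 b'_2 - b'_1 b_2)\, p_\mu^3 p_\upsilon^2 p_Z}$$
$$f_{nmk} = \frac{a'_n (b_2 b'_m c_1 c'_k - b'_2 b_m c'_1 c_k)}{a'_1 c_1 c'_1 (b_1 b'_2 - b'_1 b_2)}$$

Under the conditions presented in Eq. (1), we can easily find that $(b_1 b'_2 - b'_1 b_2) \geq 0$ and $(b_2 b'_m c_1 c'_k - b'_2 b_m c'_1 c_k) \geq 0$ for all $m \geq 1$, $k \geq 1$. Then we know that $f_{nmk} \geq 0$ holds for all $(n, m, k) \in G_0$. With this fact, we obtain a lower bound of $g_{111}^{Z}$ from Eqs. (2) and (3) by setting $g_{nmk} = 0$, $(n, m, k) \in G_0$, such that $g_{111}^{Z\mathrm{low}} \leq g_{111}$, where $g_{111}^{Z\mathrm{low}}$ is defined by Eq. (4).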

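In the finite regime, every GHZ-state measurement performed by David can be regarded as an independent event. We employ the Chernoff bound [64,65] to characterize the statistical fluctuation. It should be pointed out that the fluctuation bounds given by the Hoeffding inequality [66] or Azuma's inequality [67] are far from ideal in long-distance QKD. The main reason is that they do not take the a priori distribution into consideration. In contrast, the Chernoff bound exploits the property of the distribution and provides good bounds even in a high-loss regime. We have that the expected value $n_{\alpha\beta\gamma}^{Z}$ and the actual value $\tilde{n}_{\alpha\beta\gamma}^{Z}$ satisfy $n_{\alpha\beta\gamma}^{Z} = \tilde{n}_{\alpha\beta\gamma}^{Z} + \delta_\varepsilon$ except with error probability $\varepsilon_H + \varepsilon_M + \hat{\varepsilon}_M$, where $\delta_\varepsilon$ lies in the interval $[-\Delta_{\alpha\beta\gamma}, \hat{\Delta}_{\alpha\beta\gamma}]$ with $\hat{\Delta}_{\alpha\beta\gamma} = g(\tilde{n}_{\alpha\beta\gamma}^{Z}, \hat{\varepsilon}_M^{4}/16)$ and $\Delta_{\alpha\beta\gamma} = g(\tilde{n}_{\alpha\beta\gamma}^{Z}, \varepsilon_M^{3/2})$, and where $g(x, y) = \sqrt{2x \ln(y^{-1})}$. Considering the fluctuations of the expected value $n_{\alpha\beta\gamma}^{Z}$, we have

$$s_{111}^{Z\mathrm{low}} = \frac{\left( b'_2 c'_1 p_\mu^2\, \tilde{n}_{\mu_a\upsilon_b\upsilon_c}^{Z*} - b_2 c_1 p_\upsilon^2\, \tilde{n}_{\mu_a\mu_b\mu_c}^{Z*} \right) \tau_{111}^{Z\mathrm{low}}}{a'_1 c_1 c'_1 (b_1 b'_2 - b'_1 b_2)\, p_\mu^3 p_\upsilon^2 p_Z}$$
where
$$\tilde{n}_{\mu_a\upsilon_b\upsilon_c}^{Z*} = \tilde{n}_{\mu_a\upsilon_b\upsilon_c}^{Z} - \Delta_{\mu\upsilon\upsilon} - \left( a'_0 p_\mu (\tilde{n}_{0\upsilon_b\upsilon_c}^{Z} + \hat{\Delta}_{0\upsilon\upsilon}) + b_0 p_\upsilon (\tilde{n}_{\mu_a 0\upsilon_c}^{Z} + \hat{\Delta}_{\mu 0\upsilon}) + c_0 p_\upsilon (\tilde{n}_{\mu_a\upsilon_b 0}^{Z} + \hat{\Delta}_{\mu\upsilon 0}) \right)/p_0 + \left( a'_0 b_0 p_\mu p_\upsilon (\tilde{n}_{00\upsilon_c}^{Z} - \Delta_{00\upsilon}) + a'_0 c_0 p_\mu p_\upsilon (\tilde{n}_{0\upsilon_b 0}^{Z} - \Delta_{0\upsilon 0}) + b_0 c_0 p_\upsilon^2 (\tilde{n}_{\mu_a 00}^{Z} - \Delta_{\mu 00}) \right)/p_0^2 + 2 a'_0 b_0 c_0 p_\mu p_\upsilon^2 (\tilde{n}_{000}^{Z} - \Delta_{000})/p_0^3$$
$$\tilde{n}_{\mu_a\mu_b\mu_c}^{Z*} = \tilde{n}_{\mu_a\mu_b\mu_c}^{Z} - \Delta_{\mu\mu\mu} - p_\mu \left( a'_0 (\tilde{n}_{0\mu_b\mu_c}^{Z} + \hat{\Delta}_{0\mu\mu}) + b'_0 (\tilde{n}_{\mu_a 0\mu_c}^{Z} + \hat{\Delta}_{\mu 0\mu}) + c'_0 (\tilde{n}_{\mu_a\mu_b 0}^{Z} + \hat{\Delta}_{\mu\mu 0}) \right)/p_0 + p_\mu^2 \left( a'_0 b'_0 (\tilde{n}_{00\mu_c}^{Z} - \Delta_{00\mu}) + a'_0 c'_0 (\tilde{n}_{0\mu_b 0}^{Z} - \Delta_{0\mu 0}) + b'_0 c'_0 (\tilde{n}_{\mu_a 00}^{Z} - \Delta_{\mu 00}) \right)/p_0^2 + p_\mu^3 \left( 2 a'_0 b'_0 c'_0 (\tilde{n}_{000}^{Z} - \Delta_{000}) \right)/p_0^3$$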
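
The contrast drawn in this section between the Chernoff-type deviation $g(x, y) = \sqrt{2x \ln(y^{-1})}$ and a Hoeffding bound can be checked numerically. The following is an added example, not code from the paper: the per-pulse detection probability `p_detect` and the value used for the $\varepsilon$ parameters are constructed for illustration, and the arguments $\varepsilon_M^{3/2}$ and $\hat{\varepsilon}_M^{4}/16$ follow the expressions for $\Delta$ and $\hat{\Delta}$ given above.

```python
import math


def chernoff_dev(count, y):
    """Deviation g(x, y) = sqrt(2 * x * ln(1 / y)) for an observed count x."""
    return math.sqrt(2.0 * count * math.log(1.0 / y))


def chernoff_interval(count, eps_m, eps_m_hat):
    """Range for the expected count: [count - Delta, count + Delta_hat]."""
    delta = chernoff_dev(count, eps_m ** 1.5)             # Delta = g(n, eps_M^(3/2))
    delta_hat = chernoff_dev(count, eps_m_hat ** 4 / 16)  # Delta_hat = g(n, eps_hat_M^4 / 16)
    return count - delta, count + delta_hat


def hoeffding_dev(n_pulses, eps):
    """Hoeffding deviation for a sum of n_pulses independent variables in [0, 1].

    P(S - E[S] >= t) <= exp(-2 t^2 / n_pulses), so t = sqrt(n_pulses ln(1/eps) / 2).
    It depends on the number of pulses sent, not on how many were detected.
    """
    return math.sqrt(n_pulses * math.log(1.0 / eps) / 2.0)


def finite_size_table(p_detect=1e-7, eps=1e-10, exponents=(11, 12, 13)):
    """Compare both deviations for N = 10^j pulses in a high-loss setting.

    p_detect (successful announcements per pulse) and eps are constructed
    values for illustration, not parameters taken from the paper.
    """
    rows = []
    for j in exponents:
        n_pulses = 10 ** j
        count = round(n_pulses * p_detect)  # constructed observed count
        lower, upper = chernoff_interval(count, eps, eps)
        rows.append({
            "N": n_pulses,
            "count": count,
            "lower": lower,
            "upper": upper,
            "rel_lower": (count - lower) / count,
            "rel_upper": (upper - count) / count,
            "hoeffding": hoeffding_dev(n_pulses, eps),
        })
    return rows


if __name__ == "__main__":
    for row in finite_size_table():
        print(
            f"N=1e{round(math.log10(row['N']))}  count={row['count']:>8}  "
            f"Chernoff: -{row['rel_lower']:.2%} / +{row['rel_upper']:.2%}  "
            f"Hoeffding deviation={row['hoeffding']:.3g}"
        )
```

With these constructed inputs the Hoeffding deviation is larger than the observed count itself at every N, while the Chernoff-type relative deviation shrinks by a factor of 10 between N = 10^11 and N = 10^13.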

3.2. Single-photon errors

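First, let $v_{nmk}^{X}$ be the error numbers given that Alice sends n-photon states, Bob sends m-photon states and Charlie sends k-photon states, all in the X basis, and note that $\tau_{nmk}^{X} = \sum_{\alpha,\beta,\gamma \in U} p_{\alpha\beta\gamma,X}\, a_n b_m c_k$, $p_{\alpha\beta\gamma,X} = p_\alpha p_\beta p_\gamma p_X$.

Then, consider the error caused by the three single-photon pulses in the X basis, say $e_{111}^{X}$. Similar to the total gain, the total error numbers with source $\alpha\beta\gamma$ chosen by Alice, Bob and Charlie can be written as

$$w_{\upsilon\upsilon\upsilon}^{X*} = p_\upsilon p_\upsilon p_\upsilon p_X \left( a_1 b_1 c_1 r_{111} + a_1 b_1 c_2 r_{112} + a_2 b_1 c_1 r_{211} + a_1 b_2 c_1 r_{121} + R_{\upsilon\upsilon\upsilon} \right)$$
where
$$\frac{w_{\upsilon\upsilon\upsilon}^{X*}}{p_\upsilon^3} = \frac{w_{\upsilon\upsilon\upsilon}^{X}}{p_\upsilon^3} - \frac{1}{p_0 p_\upsilon^2} \left( a_0 w_{0\upsilon\upsilon}^{X} + b_0 w_{\upsilon 0\upsilon}^{X} + c_0 w_{\upsilon\upsilon 0}^{X} \right) + \frac{1}{p_0^2 p_\upsilon} \left( a_0 b_0 w_{00\upsilon}^{X} + a_0 c_0 w_{0\upsilon 0}^{X} + b_0 c_0 w_{\upsilon 00}^{X} \right) + \frac{2 a_0 b_0 c_0\, w_{000}^{X}}{p_0^3}$$
$$R_{\upsilon\upsilon\upsilon} = \sum_{(n,m,k) \in G_0} a_n b_m c_k\, r_{nmk}$$
and
$$r_{nmk} = \frac{v_{nmk}^{X}}{\tau_{nmk}^{X}} \quad (n \geq 1,\ m \geq 1,\ k \geq 1)$$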

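According to Eq. (6), we can find the upper bound of $v_{111}^{X}$ such that

$$v_{111}^{X} \leq \frac{\tau_{111}^{X}\, w_{\upsilon\upsilon\upsilon}^{X*}}{a_1 b_1 c_1\, p_\upsilon^3 p_X}$$

For finite sample sizes, also using the Chernoff bound for independent events [64, 65], we have that the expected value $w_{\upsilon\upsilon\upsilon}^{X}$ and the actual value $\tilde{w}_{\upsilon\upsilon\upsilon}^{X}$ satisfy $w_{\alpha\beta\gamma}^{X} = \tilde{w}_{\alpha\beta\gamma}^{X} + \delta_\varepsilon$, except with error probability $\varepsilon_H + \varepsilon_M + \hat{\varepsilon}_M$, where $\delta_\varepsilon$ lies in the interval $[-\Lambda_{\alpha\beta\gamma}, \hat{\Lambda}_{\alpha\beta\gamma}]$ with $\hat{\Lambda}_{\alpha\beta\gamma} = g(\tilde{w}_{\alpha\beta\gamma}^{X}, \hat{\varepsilon}_M^{4}/16)$ and $\Lambda_{\alpha\beta\gamma} = g(\tilde{w}_{\alpha\beta\gamma}^{X}, \varepsilon_M^{3/2})$, and where $g(x, y) = \sqrt{2x \ln(y^{-1})}$. Considering the fluctuations of the expected value $w_{\upsilon\upsilon\upsilon}^{X}$, we have

$$v_{111}^{X} \leq \frac{\tau_{111}^{X}\, \tilde{w}_{\upsilon\upsilon\upsilon}^{X*}}{a_1 b_1 c_1\, p_\upsilon^3 p_X}$$
where
$$\tilde{w}_{\upsilon\upsilon\upsilon}^{X*} = (\tilde{w}_{\upsilon\upsilon\upsilon}^{X} + \hat{\Lambda}_{\upsilon\upsilon\upsilon}) - \frac{p_\upsilon}{p_0} \left( a_0 (\tilde{w}_{0\upsilon\upsilon}^{X} - \Lambda_{0\upsilon\upsilon}) + b_0 (\tilde{w}_{\upsilon 0\upsilon}^{X} - \Lambda_{\upsilon 0\upsilon}) + c_0 (\tilde{w}_{\upsilon\upsilon 0}^{X} - \Lambda_{\upsilon\upsilon 0}) \right) + \frac{p_\upsilon^2}{p_0^2} \left( a_0 b_0 (\tilde{w}_{00\upsilon}^{X} + \hat{\Lambda}_{00\upsilon}) + a_0 c_0 (\tilde{w}_{0\upsilon 0}^{X} + \hat{\Lambda}_{0\upsilon 0}) + b_0 c_0 (\tilde{w}_{\upsilon 00}^{X} + \hat{\Lambda}_{\upsilon 00}) \right) + \frac{2 a_0 b_0 c_0\, p_\upsilon^3 (\tilde{w}_{000}^{X} + \hat{\Lambda}_{000})}{p_0^3}$$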

3.3. Secret key rate

We analyse the behavior of the secret key rate provided in [23] in the finite regime such that

$$R_{QCC} = \left( n_{v}^{Z} + s_{111}^{Z} \left[ 1 - H(v_{111}^{X}/N_q) \right] - H(E_{\mu\nu\omega}^{Z*})\, f\, n_{\mu\nu\omega}^{Z} \right)/N$$

The average overall gain $n_{v}^{Z}$, $n_{\alpha\beta\gamma}^{Z}$ and the average quantum bit error numbers $w_{\alpha\beta\gamma}^{X}$ can be directly measured in the experiment. For simulation purposes, $n_{v}^{Z}$, $n_{\alpha\beta\gamma}^{Z}$ and $w_{\alpha\beta\gamma}^{X}$ can be theoretically calculated based on the channel model, which is shown in the supplemental material of [23]. Here, all of them have been elided for brevity.

4. Numerical simulation

In order to compare with results in the asymptotic case, we consider the same experimental setup in [23], where Alice, Bob and Charlie encode their bits in the polarization degrees of freedom of phase-randomised WCPs and David uses the linear optics quantum relay which is assumed to identify two of the eight GHZ states. By assuming a fiber-based channel model, we numerically show the performance of our protocol with finite-length key.

Let $\eta_c = 10^{-\beta L/10}$ be the fiber transmission; $\eta_d$ is the quantum efficiency of David's detectors; $p_d$ is the background count rate; $f$ is the error-correction efficiency; $e_d$ represents the overall misalignment-error probability of the system. For better comparison, we borrow experimental parameters from [23], listed in Table 1.

Table 1. List of experimental parameters for simulations: $\beta$ is the loss coefficient of the fiber; $\eta_d$ is the efficiency of David's detectors; $p_d$ is the background count rate; $f$ is the error-correction efficiency; $e_d$ represents the overall misalignment-error probability of the system.

In Fig. 2, we present the numerical simulation of secret key rates with different values of $p_X$ when the total number of pulses $N$ is fixed to be $10^{11}$. One can see that the secret key rate increases gradually as $p_X$ decreases, and when $p_X$ is close to 0.1 the secret key rate scarcely increases. In the finite regime, a bigger $p_X$ means a more precise estimation of $v_{nmk}^{X}$, whereas a bigger $p_Z$ means more raw key is generated. Thus, weighing the pros and cons, $p_X = 0.1$ is found to be optimal for the scenario where the total number of pulses $N$ is fixed to be $10^{11}$.

Fig. 2 Secret key rate vs fiber length with different probabilities of choosing the X basis. The curves from left to right are numerically optimized for $p_X$ = 0.9, 0.7, 0.5, 0.3, 0.1. A realistic finite size of data $N$ is fixed to be $10^{11}$. The intensity of one decoy state is 0.005 and the other decoy state is a vacuum state, while the signal state is optimized for different distances. The efficiency of David's detectors is 90%.

In Fig. 3, the numerically optimized secret key rates from left to right are obtained by Eq. (7) for a fixed number of total pulses $N = 10^{j}$ with $j = 11, 11.5, 12, \ldots, 13$, respectively, where $p_X$ is optimally chosen for each $N$. We can see that a finite data size reduces the efficiency, while it also demonstrates the possibility of implementing MDI-QCC within a reasonable data size ($10^{11}$).

Fig. 3 Secret key rate vs transmission distance. The curves from left to right are numerically optimized for a fixed number of total pulses $N = 10^{j}$ with $j = 11, 11.5, 12, \ldots, 13$. The intensity of one decoy state is 0.005 and the other decoy state is a vacuum state, while the signal state is optimized for different distances. The efficiency of David's detectors is 90%.

In Fig. 4, in the infinite-key regime (dashed curves), we can see that our decoy-state analysis is tighter than that of [23]. That is, we can achieve a nonzero asymptotic secret key rate at long distances of approximately 200 km.

Fig. 4 Secret key rate vs transmission distance. The red dashed curve denotes the asymptotic secret key rate calculated with the decoy analysis in [23]. The blue dashed curve denotes the asymptotic secret key rate calculated with the decoy analysis presented in Sec. III. The intensities of the signal state and one decoy state are 0.4 and 0.005 respectively, while the other decoy state is a vacuum state. The efficiency of David's detectors is 40%.

5. Conclusion

In conclusion, we present a biased decoy-state measurement-device-independent quantum cryptographic conferencing protocol in detail and give the finite-key analysis for this protocol by using the Chernoff bound. From numerical simulations, we remark that finite resources have a great effect on the secret key rate and that it is possible to perform secure MDI-QCC over reasonable distances with a finite data size of $10^{11}$.

Importantly, the finite-key analysis we present in Sec. III is valid for other practical single photon sources of which the photon-number distribution should satisfy Eq. (1), such as triggered spontaneous parametric down-conversion sources. In addition, our analysis can also be directly applied to the finite-key analysis of MDI-QSS [23] protocol.

Furthermore, we present tighter analytical formulas for the decoy-state analysis to estimate the lower bound of the yield ($s_{111}^{Z}$) and the upper bound of errors ($v_{111}^{X}$) of three-single-photon pulses sent by Alice, Bob and Charlie. Our results clearly demonstrate that we can achieve a nonzero asymptotic secret key rate at long distances of approximately 200 km. In future work, further research is needed to present a tight finite-key analysis against general attacks with the uncertainty relation for smooth entropies.

Acknowledgments

The authors gratefully acknowledge the financial support from the National Basic Research Program of China (Grant No. 2013CB338002) and the National Natural Science Foundation of China (NSFC) (Grants No.11304397 and No.61505261).

References and links

1. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74, 145 (2002).

2. V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dusek, N. Lutkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81, 1301 (2009).

3. H.-K. Lo and H.F. Chau, “Unconditional security of quantum key distribution over arbitrarily long distances,” Science 283, 2050 (1999).

4. P. W. Shor and J. Preskill, “Simple proof of security of the BB84 quantum key distribution protocol,” Phys. Rev. Lett. 85, 441 (2000).

5. D. Mayers, “Unconditional security in quantum cryptography,” J. ACM 48, 351 (2001).

6. B. Qi, C.-H. F. Fung, H.-K. Lo, and X. Ma, “Time-shift attack in practical quantum cryptosystems,” Quantum Inf. Comput. 7, 73 (2007).

7. C.-H. F. Fung, B. Qi, K. Tamaki, and H.-K. Lo, “Phase-remapping attack in practical quantum-key-distribution systems,” Phys. Rev. A 75, 032314 (2007).

8. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, “Quantum hacking: experimental demonstration of time-shift attack against practical quantum-key-distribution systems,” Phys. Rev. A 78, 042333 (2008).

9. F. Xu, B. Qi, and H.-K. Lo, “Experimental demonstration of phase-remapping attack in a practical quantum key distribution system,” New J. Phys. 12, 113026 (2010).

10. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4, 686 (2010).

11. Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Avoiding the blinding attack in QKD,” Nat. Photonics 4, 800 (2010).

12. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Avoiding the blinding attack in QKD,” Nat. Photonics 4, 801 (2010).

13. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” Nat. Commun. 2, 349 (2011).

14. H.-W. Li, S. Wang, J.-Z. Huang, W. Chen, Z.-Q. Yin, F.-Y. Li, Z. Zhou, D. Liu, Y. Zhang, G.-C. Guo, W.-S. Bao, and Z.-F. Han, “Attacking a practical quantum-key-distribution system with wavelength-dependent beam-splitter and multiwavelength sources,” Phys. Rev. A 84, 062308 (2011).

15. H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 108, 130503 (2012).

16. X. Ma, C.-H.F. Fung, and M. Razavi, “Statistical fluctuation analysis for measurement-device-independent quantum key distribution,” Phys. Rev. A 86, 052305 (2012).

17. X. Ma and M. Razavi, “Alternative schemes for measurement-device-independent quantum key distribution,” Phys. Rev. A 86, 062319 (2012).

18. X.-B. Wang, “Three-intensity decoy-state method for device-independent quantum key distribution with basis-dependent errors,” Phys. Rev. A 87, 012320 (2013).

19. F. Xu, M. Curty, B. Qi, and H.-K. Lo, “Practical aspects of measurement-device-independent quantum key distribution,” New J. Phys. 15, 113007 (2013).

20. M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and H.-K. Lo, “Finite-key analysis for measurement-device-independent quantum key distribution,” Nat. Commun. 5, 3732 (2014).

21. F. Xu, B. Qi, Z. Liao, and H.-K. Lo, “Long distance measurement-device-independent quantum key distribution with entangled photon sources,” Appl. Phys. Lett. 103, 061101 (2013).

22. F. Xu, H. Xu, and H.-K. Lo, “Protocol choice and parameter optimization in decoy-state measurement-device-independent quantum key distribution,” Phys. Rev. A 89, 052333 (2014).

23. Y. Fu, H.-L. Yin, T.-Y. Chen, and Z.-B. Chen, “Long-distance measurement-device-independent multiparty quantum communication,” Phys. Rev. Lett. 114, 090501 (2015).

24. C. Zhou, W.-S. Bao, W. Chen, H.-W. Li, Z.-Q. Yin, Y. Wang, and Z.-F. Han, “Phase-encoded measurement-device-independent quantum key distribution with practical spontaneous-parametric-down-conversion sources,” Phys. Rev. A 88, 052333 (2013).

25. C. Zhou, W.-S. Bao, H.-L. Zhang, H.-W. Li, Y. Wang, Y. Li, and X. Wang, “Biased decoy-state measurement-device-independent quantum key distribution with finite resources,” Phys. Rev. A 91, 022313 (2015).

26. F. Xu, “Measurement-device-independent quantum communication with an untrusted source,” Phys. Rev. A 92, 012333 (2015).

27. Y.-H. Zhou, Z.-W. Yu, and X.-B. Wang, “Making the decoy-state measurement-device-independent quantum key distribution practically useful,” http://arxiv.org/abs/1502.01262.

28. A. Rubenok, J. A. Slater, P. Chan, I. Lucio-Martinez, and W. Tittel, “Real-world two-photon interference and proof-of-principle quantum key distribution immune to detector attacks,” Phys. Rev. Lett. 111, 130501 (2013).

29. Y. Liu, T.-Y. Chen, L.-J. Wang, H. Liang, G.-L. Shentu, J. Wang, K. Cui, H.-L. Yin, N.-L. Liu, L. Li, X. Ma, J. S. Pelc, M. M. Fejer, C.-Z. Peng, Q. Zhang, and J.-W. Pan, “Experimental measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 111, 130502 (2013).

30. T. Ferreira da Silva, D. Vitoreti, G. B. Xavier, G. C. do Amaral, G. P. Temporao, and J. P. von der Weid, “Proof-of-principle demonstration of measurement-device-independent quantum key distribution using polarization qubits,” Phys. Rev. A 88, 052303 (2013).

31. Z. Tang, Z. Liao, F. Xu, B. Qi, L. Qian, and H.-K. Lo, “Experimental demonstration of polarization encoding measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 112, 190503 (2014).

32. Y.-L. Tang, H.-L. Yin, S.-J. Chen, Y. Liu, W.-J. Zhang, X. Jiang, L. Zhang, J. Wang, L.-X. You, J.-Y. Guan, D.-X. Yang, Z. Wang, H. Liang, Z. Zhang, N. Zhou, X. Ma, T.-Y. Chen, Q. Zhang, and J.-W. Pan, “Measurement-device-independent quantum key distribution over 200 km,” Phys. Rev. Lett. 113, 190501 (2014).

33. R. Valivarthi, I. Lucio-Martinez, P. Chan, A. Rubenok, C. John, D. Korchinski, C. Duffin, F. Marsili, V. Verma, M. D. Shaw, J. A. Stern, S. W. Nam, D. Oblak, Q. Zhou, J. A. Slater, and W. Tittel, “Measurement-device-independent quantum key distribution: from idea towards application,” J. Mod. Opt. 62, 1141 (2015).

34. S. Bose, V. Vedral, and P. L. Knight, “Multiparticle generalization of entanglement swapping,” Phys. Rev. A 57, 822 (1998).

35. K. Chen and H.-K. Lo, “Multi-partite quantum cryptographic protocols with noisy GHZ states,” Quantum Inf. Comput. 7, 689 (2007).

36. C. Zhu, F. Xu, and C. Pei, “W-state analyzer and multi-party measurement-device-independent quantum key distribution,” Sci. Rep. 5, 17449 (2015).

37. M. Hillery, V. Buzek, and A. Berthiaume, “Quantum secret sharing,” Phys. Rev. A 59, 1829 (1999).

38. R. Cleve, D. Gottesman, and H.-K. Lo, “How to share a quantum secret,” Phys. Rev. Lett. 83, 648 (1999).

39. W. Tittel, H. Zbinden, and N. Gisin, “Experimental demonstration of quantum secret sharing,” Phys. Rev. A 63, 042301 (2001).

40. Y.-A. Chen, A.-N. Zhang, Z. Zhao, X.-Q. Zhou, C.-Y. Lu, C.-Z. Peng, T. Yang, and J.-W. Pan, “Experimental quantum secret sharing and third-man quantum cryptography,” Phys. Rev. Lett. 95, 200502 (2005).

41. S. Gaertner, C. Kurtsiefer, M. Bourennane, and H. Weinfurter, “Experimental demonstration of four-party quantum secret sharing,” Phys. Rev. Lett. 98, 020503 (2007).

42. C. Schmid, P. Trojek, M. Bourennane, C. Kurtsiefer, M. Żukowski, and H. Weinfurter, “Experimental single qubit quantum secret sharing,” Phys. Rev. Lett. 95, 230505 (2005).

43. B. A. Bell, D. Markham, D. A. Herrera-Mart, A. Marin, W. J. Wadsworth, J. G. Rarity, and M. S. Tame, “Experimental demonstration of graph-state quantum secret sharing,” Nat. Commun. 5, 5480 (2014).

44. M. Żukowski, A. Zeilinger, M. A. Horne, and H. Weinfurter, “Quest for GHZ states,” Acta Phys. Pol. A 93, 187 (1998).

45. W.-Y. Hwang, “Quantum key distribution with high loss: toward global secure communication,” Phys. Rev. Lett. 91, 057901 (2003).

46. H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. 94, 230504 (2005).

47. X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. 94, 230503 (2005).

48. C. H. Bennett and G. Brassard, “Quantum cryptography: public key distribution and coin tossing,” in Proceedings of IEEE International Conference on Computers, Systems and Signal Processing (IEEE, 1984), pp. 175–179.

49. M. Hayashi, “Upper bounds of eavesdropper's performances in finite-length code with the decoy method,” Phys. Rev. A 76, 012329 (2007).

50. J. Hasegawa, M. Hayashi, T. Hiroshima, and A. Tomita, “Security analysis of decoy state quantum key distribution incorporating finite statistics,” http://arxiv.org/abs/0707.3541.

51. H.-W. Li, Y.-B. Zhao, Z.-Q. Yin, S. Wang, Z.-F. Han, W.-S. Bao, and G.-C. Guo, “Security of decoy states QKD with finite resources against collective attacks,” Opt. Commun. 282, 4162 (2009).

52. M. Christandl, R. König, and R. Renner, “Postselection technique for quantum channels with applications to quantum cryptography,” Phys. Rev. Lett. 102, 020504 (2009).

53. X. F. Ma, B. Qi, Y. Zhao, and H. K. Lo, “Practical decoy state for quantum key distribution,” Phys. Rev. A 72, 012326 (2005).

54. N.H.Y. Ng, M. Berta, and S. Wehner, “Min-entropy uncertainty relation for finite-size cryptography,” Phys. Rev. A 86, 042315 (2012).

55. M. Hayashi and T. Tsurumaru, “Concise and tight security analysis of the Bennett–Brassard 1984 protocol with finite key lengths,” New J. Phys. 14, 093014 (2012).

56. M. Tomamichel, C.C.W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nat. Commun. 3, 634 (2012).

57. C.C.W. Lim, M. Curty, N. Walenta, F. Xu, and H. Zbinden, “Concise security bounds for practical decoy-state quantum key distribution,” Phys. Rev. A 89, 022307 (2014).

58. C. Zhou, W.-S. Bao, H.-W. Li, Y. Wang, Y. Li, Z.-Q. Yin, W. Chen, and Z.-F. Han, “Tight finite-key analysis for passive decoy-state quantum key distribution under general attacks,” Phys. Rev. A 89, 052328 (2014).

59. Y. Wang, W.-S. Bao, H.-W. Li, C. Zhou, and Y. Li, “Finite-key analysis for one-sided device-independent quantum key distribution,” Phys. Rev. A 88, 052322 (2013).

60. M. Mafu, K. Garapo, and F. Petruccione, “Finite-size key in the Bennett 1992 quantum-key-distribution protocol for Rényi entropies,” Phys. Rev. A 88, 062306 (2013).

61. E. N. Maneva and J. A. Smolin, “Improved two-party and multi-party purification protocols,” Contemp. Math. 305, 203 (2002).

62. C. H. Bennett, D. P. DiVincenzo, J. A. Smolin, and W. K. Wootters, “Mixed-state entanglement and quantum error correction,” Phys. Rev. A 54, 3824 (1996).

63. W. Dür, J. I. Cirac, and R. Tarrach, “Separability and distillability of multiparticle quantum systems,” Phys. Rev. Lett. 83, 3562 (1999).

64. H. Chernoff, “A measure of asymptotic efficiency for tests of a hypothesis based on the sum of observations,” Ann. Math. Stat. 23, 493 (1952).

65. M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and H. K. Lo, “Finite-key analysis for measurement-device-independent quantum key distribution,” Nat. Commun. 5, 3732 (2014).

66. W. Hoeffding, “Probability inequalities for sums of bounded random variables,” J. Am. Stat. Assoc. 58, 13 (1963).

67. K. Azuma, “Weighted sums of certain dependent random variables,” Tôhoku Math. J. 19, 357 (1967). [CrossRef]  

Figures (4)

Fig. 1 MDI-QCC scheme. Alice, Bob and Charlie encode their bits in the polarization degrees of freedom of phase-randomised WCPs, and David uses the linear optics quantum relay, which is assumed to identify two of the eight GHZ states.
Fig. 2 Secret key rate vs fiber length for different probabilities of choosing the X basis. The curves from left to right are numerically optimized for p_x = 0.9, 0.7, 0.5, 0.3, 0.1. The realistic finite data size N is fixed at 10^11. The intensity of one decoy state is 0.005 and the other decoy state is a vacuum state, while the signal state is optimized for different distances. The efficiency of David's detectors is 90%.
Fig. 3 Secret key rate vs transmission distance. The curves from left to right are numerically optimized for a fixed number of total pulses N = 10^j with j = 11, 11.5, 12, ..., 13. The intensity of one decoy state is 0.005 and the other decoy state is a vacuum state, while the signal state is optimized for different distances. The efficiency of David's detectors is 90%.
Fig. 4 Secret key rate vs transmission distance. The red dashed curve denotes the asymptotic secret key rate calculated with the decoy analysis in [23]. The blue dashed curve denotes the asymptotic secret key rate calculated with the decoy analysis presented in Sec. III. The intensities of the signal state and one decoy state are 0.4 and 0.005 respectively, while the other decoy state is a vacuum state. The efficiency of David's detectors is 40%.

Tables (1)

Table 1 List of experimental parameters for simulations: β is the loss coefficient of the fiber; η_d is the efficiency of David's detectors; p_d is the background count rate; f is the error-correction efficiency; e_d represents the overall misalignment-error probability of the system.

Equations (30)

N 000 : = { i : ( u i a = 0 ) ( u i b = 0 ) ( u i c = 0 ) ( k i { 0 , 1 } ) }
X α β γ : = { i : ( u i a = α ) ( u i b = β ) ( u i c = γ ) ( α i a α i b α i c = X X X ) ( k i ) } ( α β γ μ μ μ , α β 000 )
Z α β γ : = { i : ( u i a = α ) ( u i b = β ) ( u i c = γ ) ( α i a α i b α i c = Z Z Z ) ( k i ) } ( α β γ 000 )
ρ υ A = k a k | k k | , ρ μ A = k a k | k k | ρ υ B = k b k | k k | , ρ μ B = k b k | k k | ρ υ C = k c k | k k | , ρ μ C = k c k | k k |
a k a k a 2 a 2 a 1 a 1 , b k b k b 2 b 2 b 1 b 1 , c k c k c 2 c 2 c 1 c 1 , k 2
n α β γ Z = n , m , k = 0 p α β γ | n m k Z s n m k Z , α , β , γ U
p α β γ | n m k Z = p α β γ , z a n b m c k τ n m k Z
τ n m k Z = α , β , γ U p α β γ , z a n b m c k
n μ a υ b υ c Z * = p μ p υ p υ p Z ( a 1 + b 1 c g 111 + a 1 b 2 c 1 g 121 + G μ a υ b υ c )
n μ a μ b μ c Z * = p μ p μ p μ p Z ( a 1 b 1 c 1 g 111 + a 1 b 2 c 1 g 121 + G μ a μ b μ c )
n μ a υ b υ c Z * p μ p υ 2 = n μ a υ b υ c Z p μ p υ 2 a 0 n 0 υ b υ c Z p 0 p υ 2 b 0 n μ a 0 υ c Z p μ p 0 p υ c 0 n μ a υ b 0 Z p μ p υ p 0 + a 0 b 0 n 00 υ c Z p 0 2 p υ + a 0 c 0 n 0 υ b 0 Z p 0 2 p υ + b 0 c 0 n μ a 00 Z p μ p 0 2 + 2 a 0 b 0 c 0 n 000 Z p 0 3
n μ a μ b μ c Z * p μ 3 = n μ a μ b μ c Z p μ 3 a 0 n 0 μ b μ c Z p 0 p μ 2 b 0 n μ a 0 μ c Z p 0 p μ 2 c 0 n μ a μ b 0 Z p 0 p μ 2 + a 0 b 0 n 00 μ c Z p 0 2 p μ + a 0 c 0 n 0 μ b 0 Z p 0 2 p μ + b 0 c 0 n μ a 00 Z p 0 2 p μ + 2 a 0 b 0 c 0 n 000 Z p 0 3
G μ a υ b υ c = n , m , k G 0 a n b m c k g n m k
G μ a μ b μ c = n , m , k G 0 a n b m c k g n m k
g m n k = s n m k Z τ n m k Z ( n 1 , m 1 , k 1 )
G 0 = { ( n , m , k ) | n 1 , m 1 , k 1 , n + m + k 4 , ( n , m , k ) { ( 2 , 1 , 1 ) , ( 1 , 1 , 2 ) }
g 111 Z = g 111 Z low + ( m , n , k G 0 ) f n m k g n m k Z
g 111 Z low = ( b 2 c 1 p μ 2 n μ a υ b υ c Z * b 2 c 1 p υ 2 n μ a μ b μ c Z * ) a 1 c 1 c 1 ( b 1 b 2 b 1 b 2 ) p μ 3 p υ 2 p Z
f n m k = a n ( b 2 b m c 1 c k b 2 b m c 1 c k ) a 1 c 1 c 1 ( b 1 b 2 b 1 b 2 )
s 111 Z low = ( b 2 c 1 p μ 2 n ˜ μ a υ b υ c Z * b 2 c 1 p υ 2 n ˜ μ a μ b μ c Z * ) τ 111 Z low a 1 c 1 c 1 ( b 1 b 2 b 1 b 2 ) p μ 3 p υ 2 p Z
n ˜ μ a υ b υ c Z * = n ˜ μ a υ b υ c Z Δ μ υ υ ( a 0 p μ ( n ˜ 0 υ b υ c Z + Δ ^ 0 υ υ ) + b 0 p υ ( n ˜ μ a 0 υ c Z + Δ ^ μ 0 υ ) + c 0 p υ ( n ˜ μ a υ b 0 Z + Δ ^ μ υ 0 ) / p 0 + ( a 0 b 0 p μ p υ ( n ˜ 00 υ c Z Δ 00 υ ) + a 0 c 0 p μ p υ ( n ˜ 0 υ b 0 Z Δ 0 υ 0 ) + b 0 c 0 p υ 2 ( n ˜ μ a 00 Z Δ μ 00 ) ) / p 0 2 + 2 a 0 b 0 c 0 p μ p μ 2 ( n ˜ 000 Z Δ 000 ) / p 0 3
n ˜ μ a μ b μ c Z * = n ˜ μ a μ b μ c Z Δ μ μ μ p μ ( a 0 ( n ˜ 0 μ b μ c Z + Δ ^ 0 μ μ ) + b 0 ( n ˜ μ a 0 μ c Z + Δ ^ μ 0 μ ) + c 0 ( n ˜ μ a μ b 0 Z + Δ ^ μ μ 0 ) ) / p 0 + p μ 2 ( a 0 b 0 ( n ˜ 00 μ c Z Δ 00 μ ) + a 0 c 0 ( n ˜ 0 μ b 0 Z Δ 0 μ 0 ) + b 0 c 0 ( n ˜ μ a 00 Z Δ μ 00 ) ) / p 0 2 + p μ 3 ( 2 a 0 b 0 c 0 ( n ˜ 000 Z Δ 000 ) ) / p 0 3
w v v v X * = p v p v p v p X ( a 1 b 1 c 1 r 111 + a 1 b 1 c 2 r 112 + a 2 b 1 c 1 r 211 + a 1 b 2 c 1 r 121 + R v v v )
w v v v X * p υ 3 = w v v v X p υ 3 1 p 0 p υ 2 ( a 0 w 0 v v X + b 0 w v 0 v X + c 0 w v v 0 X ) + 1 p 0 2 p υ ( a 0 b 0 w 00 v X + a 0 c 0 w 0 v 0 X + b 0 c 0 w v 00 X ) + 2 a 0 b 0 c 0 w 000 X p 0 3
R v v v = ( n , m , k ) G 0 a n b m c k r n m k
r n m k = v n m k X τ n m k X ( n 1 , m 1 , k 1 )
v 111 X τ 111 X w v v v X * a 1 b 1 c 1 p v 3 p X
v 111 X τ 111 X w ˜ v v v X * a 1 b 1 c 1 p v 3 p X
w v v v X * = ( w ˜ v v v X + Λ ^ v v v ) p υ p 0 ( a 0 ( w ˜ 0 v v X Λ 0 v v ) + b 0 ( w ˜ v 0 v X Λ v 0 v ) + c 0 ( w ˜ v v 0 X Λ v v 0 ) ) + p υ 2 p 0 2 ( a 0 b 0 ( w ˜ 00 v X + Λ ^ 00 v ) + a 0 c 0 ( w ˜ 0 v 0 X + Λ ^ 0 v 0 ) + b 0 c 0 ( w ˜ v 00 X + Λ ˜ v 00 ) ) + 2 a 0 b 0 c 0 p υ 3 ( w ˜ 000 X + Λ ^ 00 ) p 0 3
R QCC = ( n v Z + s 111 Z [ 1 H ( v 111 X / N q ) ] H ( E μ ν ω Z * ) f n μ ν ω Z ) / N