Abstract
Twin-field interference-based quantum conference key agreement (QCKA) protocols have been proposed and have achieved good performance in terms of the key rate and transmission distance in the finite-key regime. However, their performance decreases significantly when the strict constraint on the optical pulse intensity and probability is violated. Here, we propose a post-matching QCKA protocol that removes this constraint while obtaining a higher key rate. Numerical results in the symmetric case show that our protocol can obtain a transmission distance 25% more than the previous asymmetric QCKA protocol when the decoy state optical pulse intensity is 1% higher than the ideal value of the constraint, and can obtain a transmission distance 100% higher when the decoy state optical pulse intensity is 10% higher than the ideal value of the constraint.
© 2022 Optica Publishing Group under the terms of the Optica Open Access Publishing Agreement
1. Introduction
Quantum networks can distribute keys among multiple users and guard information security when quantum computers are introduced and popularized in the future. The quantum conference key agreement (QCKA) [1–4], which distributes keys among multiple parties over long distances, plays a vital role in the construction and development of quantum networks. To distribute keys among multiple parties, one can, for instance, perform the quantum key distribution (QKD) [5–13] protocol between every two users and then use the secret keys established in this manner to encode the final common secret key. However, as shown by Ref. [14], we obtain a relatively higher key rate and longer transmission distance by performing the conference key agreement protocol to deliver the same secret key to all parties involved in the protocol than by performing the QKD process separately between multiple parties and then encrypting the final common key using the obtained key. The fundamental laws of quantum mechanics and one-time-pad encryption [15] guarantee secure multiparty quantum communication [2,16]. In the era of rapid development of quantum communication technology, some QCKA protocols have been demonstrated theoretically [17–25] and experimentally [26]. There are many QCKA protocols [12,27–30] inspired by QKD protocols. These protocols are equivalent to allocations of quantum resources, particularly multiparty Greenberger-Horne-Zeilinger (GHZ) states or the "twisted" version of the GHZ state [1,31,32].
Toward a relatively mature application of QKD [33–45], the high-profile twin-field QKD (TFQKD) protocol [39,46–60] has recently been proposed. In it, an untrusted relay, which is always presented as Charlie, is employed as the transmission node. TFQKD enables researchers to break the Pirandola-Laurenza-Ottaviani-Banchi (PLOB) bound [61] by transforming the relationship between the key rate and channel loss based on the decoy state from a linear to square-root relationship. QCKA protocols inspired by TFQKD have been proposed and perform better in terms of the key rate and transmission distance. Subsequent QCKA protocols inspired by TFQKD were proposed and have progressed in terms of protocol practicality. For example, the asymmetric QCKA protocol [30], based on the sending-or-not-sending (SNS) twin-field QKD protocol [48], obtains better transmission distances than previous methods [23] in the asymmetric case. In tripartite key distribution scenarios, asymmetric situations involving unequal distances between the three users are often involved. The existing asymmetric QCKA protocol can distribute keys at long distances among three asymmetric parties, but the protocol has a strict restrictive relationship on light intensity modulation and the corresponding probability, similar to SNS QKD protocols [53,54]. In a practical tripartite quantum key distribution scenario, users need to modulate the light intensity strictly according to the constraint mentioned above, which greatly increases the difficulty of implementing asymmetric QCKA protocols. In addition, these constraints cannot be strictly satisfied. This issue is problematic as even a small deviation from the constraints can significantly reduce the key rate of the protocol. Additionally, the three users involved frequently go online and offline, and it is more difficult to modulate the light intensity strictly according to the constraints each time.
We propose a post-matching QCKA protocol that can achieve a higher key rate while removing the constraints on optical intensity and probability based on two-photon twin-field QKD [60]. The security proof of our protocol is provided by proving that the effective density matrix of the X basis is equal to the density matrix of the Z basis, and introducing a virtual protocol to obtain the entangled GHZ states between the three parties. We also analyzed the simulation results of our protocol, investigated the secret key rate and transmission distance of the asymmetric QCKA protocols under deviating constraints, and compared our protocol with asymmetric QCKA protocols in various scenarios. In our finite-key regime simulation of the symmetric case, the protocol can achieve a transmission distance $25\%$ greater than the previous asymmetric QCKA protocol when the decoy state optical pulse intensity (named $\nu _b$) is $1\%$ higher than the constraint and can obtain a transmission distance $100\%$ greater when $\nu _b$ is $10\%$ higher than the constraint. In the finite-key regime simulation of the asymmetric case (where the distance between sender Alice and receiver Charlie is 50 km longer than that between sender Bob and receiver Charlie), our protocol can achieve a transmission distance of $22\%$ more than the previous asymmetric QCKA protocol when the optical pulse intensity $\nu _b$ is $1\%$ higher than the constraint and can obtain a transmission distance $90\%$ higher when $\nu _b$ is $10\%$ higher than the constraint. In addition, this protocol also has better applicability in complex cases because of the intrinsic reduction of the base value of the phase error rate. In the construction of quantum networks, severe asymmetries due to channel distance and channel loss often occur, and some nodes also have increased misalignment error rates owing to complicating factors such as atmospheric disturbance or terrain complexity.
Therefore, we believe that our protocol has promising prospects for practical application.
2. Post-matching QCKA protocol
A schematic representation of our post-matching QCKA protocol is shown in Fig. 1; the protocol is described as follows.
1. Preparation. At each time bin $i\in \{1,2,\ldots,N\}$, Alice chooses a random phase $\theta _{a}^{i}\;\in [0,2\pi )$ and random classical bit $r_{a}^{i}\in \{0, 1\}$. Subsequently, she prepares a phase-randomized weak coherent pulse $| {e^{\textbf {i}(\theta _{a}^{i}+r_{a}^{i}\pi )}\sqrt {k_{a}^{i}}} \rangle$ with probability $p_{k_a}$, where the values $k_a^{i}\in \{\mu _a,~\nu _a,~\mathbf {o}_{a},~\hat {\mathbf {o}}_{a}\}$ correspond to the signal, decoy, preserve-vacuum, and declare-vacuum intensities, respectively. Similarly, Bob prepares a phase-randomized weak coherent pulse $| {e^{\textbf {i}(\theta _{b}^{i}+r_{b}^{i}\pi )}\sqrt {k_{b}^{i}}} \rangle$ ($k_b^{i}\in \{\mu _b,~\nu _b,~\mathbf {o}_{b},~\hat {\mathbf {o}}_{b}\}$). The intensities of Alice and Bob satisfy the relation $\mu _a>\nu _a>\mathbf {o}_{a}=\hat {\mathbf {o}}_{a} = 0$ and $\mu _b>\nu _b>\mathbf {o}_{b}=\hat {\mathbf {o}}_{b} = 0$. Alice and Bob send the corresponding pulses, $| {e^{\textbf {i}(\theta _{a}^{i}+r_{a}^{i}\pi )}\sqrt {k_{a}^{i}}} \rangle$ and $| {e^{\textbf {i}(\theta _{b}^{i}+r_{b}^{i}\pi )}\sqrt {k_{b}^{i}}} \rangle$, to Charlie through insecure quantum channels. In experimental implementation, phase-locking and phase-tracking techniques are necessary. The phase-locking techniques include injecting Charlie’s seed laser into Alice’s and Bob’s slave lasers to lock the phases of both lasers to that of Charlie’s. As for the phase-tracking techniques, which are required in our protocol, Alice and Bob each send a bright reference light to Charlie to measure the phase noise difference $\phi _{ab}^{i}$.
2. Measurement. We denote the events in which Charlie detects a signal with SPD1 and SPD2 (SPD3 and SPD4) as Z basis events (X basis events). For each time bin $i$, Charlie passively selects bases and performs measurements using beam splitters and single-photon detectors. During the basis selection, Charlie receives the signal from Alice (Bob), which is measured in the Z basis with probability $t_a$ ($t_b$) and in the X basis with probability $1-t_a$ ($1-t_b$). A successful event is obtained when only one detector clicks. Charlie publicly announces the basis information for each successful event. If he broadcasts an event in which at least one of Alice and Bob chose the decoy or declare-vacuum intensity, the three parties communicate their intensities and phase information with each other via an authenticated channel. The unannounced detection events in the $Z$ basis, that is, $\{\mu _a,\mathbf {o}_{b}\}$, $\{\mu _a,\mu _b\}$, $\{\mathbf {o}_{a},\mu _b\}$, and $\{\mathbf {o}_{a},\mathbf {o}_{b}\}$, are used to generate key bits. We suppose that the event serial numbers $i$ and $j$ satisfy the relationship $i<j$. For these events, Alice randomly matches time bin $i$ of intensity $\mu _a$ ($\mathbf {o}_{a}$) with another time bin $j$ of intensity $\mathbf {o}_{a}$ ($\mu _a$). Then, she sets her bit value to 0 (1) and sends serial numbers $i$ and $j$ to the remaining parties. In the corresponding time bins, if Bob chooses intensities $k_b^{i}=\mu _b$ $(\mathbf {o}_{b})$ and $k_b^{j}=\mathbf {o}_{b}$ $(\mu _b)$, then he sets a bit value of 0 (1). Bob announces an event in which $k_b^{i} = k_b^{j}=\mathbf {o}_{b}$ or $\mu _b$. Thus, the valid events on the $Z$ basis are $\{\mu _a \mathbf {o}_{a},~ \mathbf {o}_{b}\mu _b\}$, $\{\mu _a\mathbf {o}_{a},~\mu _b\mathbf {o}_{b}\}$, $\{\mathbf {o}_{a}\mu _a,~ \mathbf {o}_{b}\mu _b\}$, and $\{\mathbf {o}_{a}\mu _a,~\mu _b\mathbf {o}_{b}\}$.
For the Z basis, Charlie obtains bit 0 (1) when only SPD1 (SPD2) clicks in time bin $i$ and SPD2 (SPD1) in time bin $j$. For the X basis, after the interference measurement, he publicly announces whether he obtained a successful detection event and which detector clicked.
We denote $\{k_a,~k_b\}$ as a successful detection event where Alice sends intensity $k_a$ and Bob sends intensity $k_b$. The compressed notation $\{k_a^{i}k_a^{j},~ k_b^{i}k_b^{j}\}$ indicates that $\{k_a^{i},~k_b^{i}\}$ and $\{k_a^{j},~ k_b^{j}\}$ are matched; the first label refers to time bin $i$, and the second to time bin $j$. Alice and Bob repeat the first two steps for $N$ rounds to obtain sufficient data.
3. Reconciliation. For the announced detection events in the X basis, we define the global phase difference in time bin $i$ as $\theta ^{i}:= \theta _a^{i}- \theta _b^{i} +\phi _{ab}^{i}$. Alice, Bob, and Charlie retain detection events $\{\nu _a^{i},~\nu _b^{i}\}$ only if $\theta ^{i}~\in \{-\delta,\delta \}\cup \{\pi -\delta,\pi +\delta \}$. They randomly select two retained detection events that satisfy $\left |\theta ^{i} -\theta ^{j}\right |= 0$ or $\left |\theta ^{i} -\theta ^{j}\right |=\pi$ and match these events. These are denoted as $\{\nu _a^{i}\nu _a^{j},\nu _b^{i}\nu _b^{j}\}$. By calculating the classical bits $r_a^{i} \oplus r_a^{j}$ and $r_b^{i} \oplus r_b^{j}$, Alice, Bob, and Charlie each extract their $X$ basis bit value.
The detection events $\{o_a,\nu _b\}$, $\{\nu _a,o_b\}$, $\{\hat {\mathbf {o}}_a,\mu _b\}$, $\{\mu _a,\hat {\mathbf {o}}_b\}$, $\{\hat {\mathbf {o}}_a,o_b\}$, and $\{\mathbf {o}_a, \hat {\mathbf {o}}_b\}$ on the X basis are used for decoy analysis, where $o_{a(b)}\in \{\mathbf {o}_{a(b)}, \hat {\mathbf {o}}_{a(b)}\}$. Afterwards, in the $Z$ basis, Bob always flips his bit. In the $X$ basis, Bob flips a part of his bits to correlate them with those of Alice (see Table 1).
4. Parameter estimation. Alice, Bob, and Charlie randomly select parts of the unannounced bits that are measured in the $Z$ basis and exploit them to form the raw key bit $n^{z}$. The remaining unannounced bits measured in the $Z$ basis are used to compute the bit error rate $E^{z}$. The decoy state method [33,34] is also used to estimate the number of vacuum events $s_{0\mu _b}^{z}$ and the number of single-photon pairs $s_{11}^{z}$ on the $Z$ basis. The bits that have been detected and announced on the $X$ basis are used to calculate the total error count of single-photon pairs $t_{11}^{x}$ on the $X$ basis, with which we can obtain the phase error rate of single-photon pairs $\phi _{11}^{z}$ on the $Z$ basis (see Appendix B.2 for details).
5. Post-processing. The final keys are distilled using error correction, error verification, and a privacy amplification algorithm. Similar to Ref. [62], the length of the final secret key $\ell$ with the total security $\varepsilon _{\textrm {TP}}=\varepsilon _{\textrm {sec}} + \varepsilon _{\textrm {cor}}$ can be written as follows:
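The classical sifting of steps 2 and 3 (Z-basis post-matching and X-basis phase matching), as an added example that is not code from the paper. The event records, the function names and the discretisation of phases into 16 slices are assumptions made for illustration; Charlie's X-basis bit and Bob's Table 1 flips are omitted because the page does not give them, and pairs in which the same detector clicks in both bins are dropped as an assumption.

```python
import random

MU, VAC = "mu", "o"   # signal and preserve-vacuum intensity labels
SLICES, D = 16, 1     # assumed: phase announced as one of 16 slices, delta = 1 slice

# Constructed Z-basis events: time bin -> intensities sent and detector that clicked.
Z_EVENTS = {
    3:  {"ka": MU,  "kb": VAC, "spd": 1},
    8:  {"ka": VAC, "kb": MU,  "spd": 2},
    12: {"ka": MU,  "kb": MU,  "spd": 1},
    17: {"ka": VAC, "kb": VAC, "spd": 2},
    21: {"ka": VAC, "kb": MU,  "spd": 1},
    30: {"ka": MU,  "kb": VAC, "spd": 2},
}
# Constructed X-basis {nu_a, nu_b} events: global phase slice and random bits r_a, r_b.
X_EVENTS = {
    2:  {"theta": 0,  "ra": 0, "rb": 1},
    5:  {"theta": 8,  "ra": 1, "rb": 1},
    9:  {"theta": 15, "ra": 1, "rb": 0},
    14: {"theta": 7,  "ra": 1, "rb": 1},
    19: {"theta": 4,  "ra": 0, "rb": 0},
    23: {"theta": 1,  "ra": 0, "rb": 0},
}

def match_z(events, rng):
    """Alice pairs each mu_a bin with a random o_a bin: (i, j, alice_bit), i < j."""
    mu_bins = [t for t, e in events.items() if e["ka"] == MU]
    vac_bins = [t for t, e in events.items() if e["ka"] == VAC]
    rng.shuffle(mu_bins)
    rng.shuffle(vac_bins)
    pairs = []
    for m, v in zip(mu_bins, vac_bins):
        i, j = sorted((m, v))
        # Bit 0 for (mu_a, o_a) in bins (i, j), bit 1 for (o_a, mu_a).
        pairs.append((i, j, 0 if events[i]["ka"] == MU else 1))
    return pairs

def bob_z_bit(events, i, j):
    """Bob's bit after his Z-basis flip; None when he announces equal intensities."""
    kb_i, kb_j = events[i]["kb"], events[j]["kb"]
    if kb_i == kb_j:
        return None
    raw = 0 if (kb_i, kb_j) == (MU, VAC) else 1
    return raw ^ 1   # in the Z basis Bob always flips his bit

def charlie_z_bit(events, i, j):
    """0 for SPD1 then SPD2, 1 for SPD2 then SPD1, None otherwise (assumed discard)."""
    return {(1, 2): 0, (2, 1): 1}.get((events[i]["spd"], events[j]["spd"]))

def sift_z(events, rng):
    """Keep the matched pairs for which all three parties obtain a bit."""
    kept = []
    for i, j, a in match_z(events, rng):
        b, c = bob_z_bit(events, i, j), charlie_z_bit(events, i, j)
        if b is not None and c is not None:
            kept.append({"i": i, "j": j, "alice": a, "bob": b, "charlie": c})
    return kept

def z_counts(kept):
    """Number of kept pairs where Alice's and Bob's bits agree, and where they differ."""
    agree = sum(1 for p in kept if p["alice"] == p["bob"])
    return agree, len(kept) - agree

def x_retained(s, slices, d):
    """True if phase slice s lies within d slices of phase 0 or pi."""
    half = slices // 2
    r = s % half
    return min(r, half - r) <= d

def match_x(events, slices, d, rng):
    """Pair retained events whose global phases differ by 0 or pi; XOR the r bits."""
    groups = {}
    for t, e in events.items():
        if x_retained(e["theta"], slices, d):
            # Slices that differ by 0 or pi share the same value modulo slices/2.
            groups.setdefault(e["theta"] % (slices // 2), []).append(t)
    out = []
    for key in sorted(groups):
        bins = groups[key]
        rng.shuffle(bins)
        for p, q in zip(bins[0::2], bins[1::2]):
            i, j = sorted((p, q))
            out.append({"i": i, "j": j,
                        "alice": events[i]["ra"] ^ events[j]["ra"],
                        "bob": events[i]["rb"] ^ events[j]["rb"]})
    return out

def run_demo(seed=7):
    rng = random.Random(seed)
    return sift_z(Z_EVENTS, rng), match_x(X_EVENTS, SLICES, D, rng)

if __name__ == "__main__":
    z_kept, x_pairs = run_demo()
    print("Z pairs:", z_kept, "agree/disagree:", z_counts(z_kept))
    print("X pairs:", x_pairs)
```
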
3. Security analysis
In the first step of the security proof, we introduce a virtual protocol.
1. Alice and Bob prepare entangled states, and both perform quantum non-demolition measurements jointly. The states are set as $| {10} \rangle _{a(b)}^{ij}= | {1} \rangle _{a(b)}$, $| {01} \rangle _{a(b)}^{ij}= | {0} \rangle _{a(b)}$ on the Z basis and ${\frac { | {1} \rangle _{a(b)}\pm | {0} \rangle _{a(b)}}{\sqrt {2}}} = | {\pm } \rangle _{a(b)}$ on the X basis. The entangled states are $| {\Phi } \rangle _{Aa}=1/\sqrt {2}( | {0} \rangle _{A} | {0} \rangle _{a}+ | {1} \rangle _{A} | {1} \rangle _{a})$, where $A$ ($B$) represents the quantum bit system held by Alice (Bob), and $a$ ($b$) is the quantum state sent to Charlie. For both reserved and sent states, $\left \{ | {0} \rangle, | {1} \rangle \right \}$ are two eigenvectors of the Z basis, and the eigenvectors of the X basis are $\left \{ | {+} \rangle, | {-} \rangle \right \}$. After entangled state preparation, Alice and Bob jointly perform an operation called quantum nondemolition measurement. This measurement operation is carried out before states $a$ and $b$ are sent to Charlie, and only the cases for which different eigenvectors are shared by $a$ and $b$ are reserved. Therefore, we obtain the entangled state among the systems $A$, $B$, $a$, and $b$:
2. Alice, Bob, and Charlie randomly choose bases Z or X to measure the reserved systems A and B, respectively, and the equivalent sent state C. As mentioned before for the state preparation, the eigenvectors of basis Z or X are $\left \{ | {0} \rangle, | {1} \rangle \right \}$ or $\left \{ | {+} \rangle, | {-} \rangle \right \}$.
3. Alice, Bob, and Charlie announce the preparation and measurement bases for all rounds.
4. Alice, Bob, and Charlie obtain raw key bits by exploiting random bits in the Z basis, and they use the disclosed bits in the X basis for information leakage estimation. A secure key is acquired through error correction and privacy amplification. In this process, the decoy-state method is exploited to calculate the Z-basis bit error rate of single-photon pairs and the Z-basis phase error rate of single-photon pairs. At the end of this procedure, we obtain the asymptotic key rate as
where $Y_{11}$, $e_{11}^{z}$, and $e_{11}^{x}$ represent the single-photon pair gain, bit error rate in the $Z$ basis, and bit error rate in the $X$ basis, respectively.
5. Alice, Bob, and Charlie utilize the classical error-correction algorithm to distill the final key.
Then, we demonstrate that the density matrices in the Z and X bases are equal. In our post-matching QCKA protocol, the three parties obtain their original keys from the Z basis. The preshared state of Alice (Bob) is $| {\phi ^{+}} \rangle _{Aa}=1/\sqrt {2}( | {1,0} \rangle ^{i,j}_A | {1,0} \rangle ^{i,j}_a+ | {0,1} \rangle ^{i,j}_A | {0,1} \rangle ^{i,j}_a)$ ($| {\phi ^{+}} \rangle _{Bb}=1/\sqrt {2}( | {1,0} \rangle ^{i,j}_B | {1,0} \rangle ^{i,j}_b+ | {0,1} \rangle ^{i,j}_B | {0,1} \rangle ^{i,j}_b)$), when time bins $i$ and $j$ are matched. $| {1,0} \rangle ^{i,j}$ and $| {0,1} \rangle ^{i,j}$ are the two eigenvectors of the Z basis, and the eigenvectors of the X basis are $1/\sqrt {2}( | {1,0} \rangle ^{i,j}+ | {0,1} \rangle ^{i,j})$ and $1/\sqrt {2}( | {1,0} \rangle ^{i,j}- | {0,1} \rangle ^{i,j})$. We replace $| {1,0} \rangle ^{i,j}$, $| {0,1} \rangle ^{i,j}$ with $| {+z} \rangle$, $| {-z} \rangle$, and $1/\sqrt {2}( | {1,0} \rangle ^{i,j}+ | {0,1} \rangle ^{i,j})$, $1/\sqrt {2}( | {1,0} \rangle ^{i,j}- | {0,1} \rangle ^{i,j})$ with $| {+x} \rangle$, $| {-x} \rangle$. The joint state density matrix of Alice, Bob, and Charlie in the Z basis is
The joint state in the X basis takes the form of a direct product of coherent states, $| {\Psi } \rangle = | {\psi _1} \rangle | {\psi _2} \rangle$, $| {\psi _1} \rangle = | {e^{i(\theta +r_{a}^{i}\pi )}\alpha _{a}} \rangle _{A}^{i}\otimes | {e^{i(\varphi +r_{a}^{j}\pi )}\alpha _{a}} \rangle _{A}^{j}\otimes | {e^{i(\theta +r_{b}^{i}\pi )}\alpha _{b}} \rangle _{B}^{i}\otimes | {e^{i(\varphi +r_{b}^{j}\pi )}\alpha _{b}} \rangle _{B}^{j}$, $| {\psi _2} \rangle = | {e^{i(\theta +r_{a}^{i}\pi )}\alpha _{a}} \rangle _{a}^{i}\otimes | {e^{i(\varphi +r_{a}^{j}\pi )}\alpha _{a}} \rangle _{a}^{j}\otimes | {e^{i(\theta +r_{b}^{i}\pi )}\alpha _{b}} \rangle _{b}^{i}\otimes | {e^{i(\varphi +r_{b}^{j}\pi )}\alpha _{b}} \rangle _{b}^{j}$, where the angles $\theta$ and $\varphi$ are both randomized. The density matrix of this four-coherent state is
4. Performance and discussion
4.1 Asymmetric QCKA simulation with deviation of restriction in finite-key condition
For comparison, we first introduce the simulation formula with the deviation of restriction in the asymmetric QCKA protocol of Ref. [30]. In a realistic situation, the mathematical constraints required by the perfectly modulated asymmetric QCKA protocol (Eq. (15) in Appendix A) may not be satisfied, leading to completely insecure key rates. In this situation, the quantitative bounds that connect the deviation from the mathematical constraint to the security of the SNS protocol need to be introduced, thus providing the secure key rate when the constraint is violated; see Appendix A for details. Without loss of generality, the modulation intensity $\nu _b$ is considered to be inaccurate. When the light intensity does not satisfy the constraint [30], the density matrix $\rho ^{11}_z$ in the $Z$ basis is not equal to the density matrix $\rho ^{11}_x$ in the $X$ basis. Therefore, we can no longer assume that the phase error rate $e_{11}^{z}$ in the $Z$ basis is equal to the bit error rate $e_{11}^{x}$ in the $X$ basis. The relationship between the two error rates requires the introduction of fidelity, which is shown in the specific form in Appendix A.
For the finite-size regime, we set the failure parameters $\varepsilon _{\textrm {cor}}$, $\varepsilon '$, $\hat {\varepsilon }$, $\varepsilon _e$, $\varepsilon _\beta$, and $\varepsilon _{\rm PA}$ as the same $\epsilon$. We have $\varepsilon _0+\varepsilon _1=15\epsilon$ because we use the Chernoff bound [63,64] 15 times to estimate $s_{0\nu _b}^{z}$, $s_{11}^{z}$, and the bit error rate in the $X$ basis. We define the distance between Alice and Charlie as $L_{a}$, and the distance between Bob and Charlie as $L_{b}$. Thus, the total distance between Alice and Bob is $L= L_{a}+ L_{b}$. In the asymmetric QCKA protocol simulation described in Ref. [30], we set the two asymmetric cases to $L_{b}- L_{a}=50~\textrm{km}$ and $L_{b}- L_{a}=100~\textrm{km}$. A genetic algorithm is applied to search for the best parameters. Figure 3 and Fig. 4 plot the secure key rates of the scenario when the data size is $N=10^{12}$ in the two different asymmetric channels. Some experimental parameters were set as listed in Table 2. The misalignment angle in the $X$ basis of asymmetric QCKA is $\sigma =5^{\circ }$, and the security bound is $\varepsilon _{\textrm {asy-QCKA}}=26 \varepsilon$ in the finite-size cases. It was observed that the key rate of the asymmetric QCKA protocol declined rapidly as this deviation level increased. When the parameters, including the light intensity, are perfectly modulated, the secret key rate of the asymmetric QCKA protocol is slightly lower than that of the post-matching QCKA protocol. However, it is challenging to control every parameter according to the constraints and without deviation. For simplicity, when the parameters fail to meet the ideal criterion, we consider only the situation in which the light intensity $\nu _b$ cannot be perfectly prepared. As the constraint in Eq. (15) shows, any one of the six parameters can be represented by the other five, so considering only the modulation intensity $\nu _b$ to be inaccurate entails no loss of generality.
The key rate and transmission length of the asymmetric QCKA are clearly inferior to those of the PMQCKA when there is a deviation of more than 1% in the preparation of light intensity $\nu _b$. In the practical realization of a protocol, a 1% deviation in the preparation of light intensity is common. For example, when the light intensity $\nu$ prepared by user Bob changes from 0.010 to 0.0101, the preparation deviation reaches 1%. This preparation deviation further reduces the key rate with its increase, even resulting in a secure key rate of zero.
4.2 Post-matching QCKA simulation results of the finite-key asymptotic case
When simulating the post-matching QCKA protocol in finite-key asymptotic conditions, we have $\varepsilon _0+\varepsilon _1=12\epsilon$ because we use the Chernoff bound [63,64] 12 times to estimate $s_{0\nu _b}^{z}$, $s_{11}^{z}$, and the bit error rate on the $X$ basis. The corresponding security bound is $\varepsilon _{\textrm {TP}}=23\varepsilon$. Appendix B.1 shows the detailed formulas for simulating the post-matching QCKA protocol. As described in the four-intensity decoy-state post-matching QCKA protocol, Alice chooses a random phase $\theta _{a}^{i}\;\in [0,2\pi )$ and a random classical bit $r_{a}^{i}\in \{0, 1\}$ at each time bin $i\in \{1,2,\ldots,N\}$. Subsequently, she prepares a weak coherent pulse $| {e^{\textbf {i}(\theta _{a}^{i}+r_{a}^{i}\pi )}\sqrt {k_{a}^{i}}} \rangle$ with probability $p_{k_a}$, where $k_a^{i}\in \{\mu _a, \nu _a, \mathbf {o}_{a}, \hat {\mathbf {o}}_{a}\}$. The intensities satisfy the relationship $\mu _a>\omega _a>\nu _a>\mathbf {o}_{a} =\hat {\mathbf {o}}_{a} = 0$. Similarly, Bob prepares a phase-randomized weak coherent pulse. Valid events on the $Z$ basis consist of $\{\mu _a \mathbf {o}_{a}, \mathbf {o}_{b}\mu _b\}$, $\{\mu _a\mathbf {o}_{a}, \mu _b\mathbf {o}_{b}\}$, $\{\mathbf {o}_{a}\mu _a, \mathbf {o}_{b}\mu _b\}$, and $\{\mathbf {o}_{a}\mu _a, \mu _b\mathbf {o}_{b}\}$. The valid events on the $X$ basis are $\{\nu _a^{i}\nu _a^{j},\nu _b^{i}\nu _b^{j}\}$ that satisfy $\theta ^{i(j)} \in \{-\delta,\delta \}\cup \{\pi -\delta,\pi +\delta \}$ together with $\left |\theta ^{i} -\theta ^{j}\right |= 0$ or $\pi$. The detection events $\{o_a, \nu _b\}$, $\{\nu _a, o_b\}$, $\{o_a, \omega _b\}$, $\{\omega _a, o_b\}$, $\{\hat {\mathbf {o}}_a, \mu _b\}$, $\{\mu _a, \hat {\mathbf {o}}_b\}$, $\{\hat {\mathbf {o}}_a,o_b\}$, and $\{\mathbf {o}_a, \hat {\mathbf {o}}_b\}$ are used later for decoy analysis.
We compared the performance of the post-matching QCKA protocol using the decoy-state method with the performance of the asymmetric QCKA protocol of [30] using the decoy-state method.
The distance between Alice and Charlie is $L_{a}$ and the distance between Bob and Charlie is $L_{b}$. The total distance between Alice and Bob is denoted by $L= L_{a}+ L_{b}$. In our protocol simulation, we set the two asymmetric cases to $L_{b}- L_{a}=50$ and $L_{b}- L_{a}=100$. We used a genetic algorithm to search for the source parameters $\mu _a$, $\nu _a$, $p_{\mu _a}$, $p_{\nu _a}$, $p_{\mathbf {o_a}}$, $\mu _b$, $\nu _b$, $p_{\mu _b}$, $p_{\nu _b}$, and $p_{\mathbf {o_b}}$, and the probability parameters: probability of choosing the Z basis between Alice and Charlie $t_a$, probability of choosing the Z basis between Bob and Charlie $t_b$, and probability of postselected phase matching $p_{pm}(=\frac {2\delta }{\pi })$.
In Fig. 2, Fig. 3, and Fig. 4, it is observed that our post-matching QCKA protocol has a slight advantage in terms of key rate when the constraints of the symmetric or asymmetric QCKA protocol in Ref. [30] are perfectly satisfied for the 0 km, 50 km, and 100 km distance gaps between $L_{BC}$ and $L_{AC}$. However, when the optical intensity modulation of the asymmetric QCKA protocol deviates slightly from the constraint, the key rate and transmission distance significantly decrease. As for the post-matching QCKA protocol, the dashed black line (which represents the key rate of the post-matching QCKA in the case of $10\%$ preparation deviations of the light intensity $\nu _b$) shows that even $10\%$ preparation deviations of the light intensity $\nu _b$ affect the key rate only slightly. In the case of a 50 km distance gap, when the optical intensity $\nu _b$ deviates from the constraint by $1\%$, the transmission distance of the asymmetric QCKA protocol decreases by $17.1\%$. When the deviation from the constraint is $3\%$, the transmission distance of the asymmetric QCKA protocol decreases by $30.0\%$. When this deviation is $10\%$, the transmission distance of the asymmetric QCKA protocol decreases by $46.4\%$. In the real environment of protocol implementation and the construction of quantum networks, the percentage of cases in which light-intensity modulation deviates from the target value is not low. Therefore, the post-matching QCKA protocol without any restrictions has a significant advantage over the asymmetric QCKA protocol during real protocol implementation. As shown in Fig. 5, we simulated the key rates of the post-matching QCKA protocol with different data sizes to indicate the practicability of the proposed protocol.
5. Conclusion
In this work, we propose a post-matching QCKA protocol that shows higher key rate generation and stronger robustness than any other present protocol. The agreement process and the security proof of our study are presented in detail. To further analyze the advantages of our protocol, we turn the imperfect modulation in the present asymmetric QCKA protocol into an information leakage problem and quantify the security of the asymmetric QCKA protocol with the deviation of the constraints. The performance of the post-matching QCKA and asymmetric QCKA protocols in [30] using the decoy-state method with different intensities shows that the three-intensity protocol of our post-matching QCKA can achieve a better key rate and longer transmission distance than the asymmetric QCKA whether or not the latter conforms to the constraints. Our protocol has important practical advantages: high misalignment error tolerance, long transmission distances, and independent setting of probability and intensity for each user. Thus, it is highly versatile and suitable for most metropolitan networks.
The third party of our protocol (Charlie) randomly selects the measurement basis, resulting in our protocol no longer being a measurement device-independent scheme. However, it must be emphasized that our protocol can be directly implemented using currently available twin-field QKD devices. The post-matching QCKA protocol is able to reduce the intrinsic phase error rate floor, contributing to a greater communication distance. Because the noninterference mode is employed to extract the final key, our protocol can achieve a better key rate through combination with advanced single-photon source technology. There are practical applications for the asymmetric tripartite quantum communication case in this study. In addition, extending our efficient protocol design to include more than three parties is worthwhile. Our work serves the infrastructure for the large-scale deployment of quantum cryptographic networks.
Appendix A. Analysis details of asymmetric QCKA
In the asymmetric QCKA protocol, for the time window in which both Alice and Bob choose the $Z$ basis, Alice prepares and sends the phase-randomized coherent state $| {\mu _a} \rangle$ with probability $t_a$ to encode bit value $1$, and Bob sends the phase-randomized coherent state $| {\mu _b} \rangle$ with probability $t_b$ to encode bit value $0$ (Alice sends the vacuum state with probability $1-t_a$ to encode bit value $0$, and Bob sends the vacuum state with probability $1-t_b$ to encode bit value $1$). During the key extraction, Alice and Bob keep only the joint single photon state $| {01} \rangle _{ab}$ or $| {10} \rangle _{ab}$. The density matrix of the joint single photon states in the $Z$ basis is
For the time window where both Alice and Bob select the $X$ basis, Alice and Bob both prepare and send the weak coherent states $| {\nu _a} \rangle,~ | {\nu _b} \rangle$ with phase randomization. After the postselection phase-matching process, the density matrix of the joint single photon state under the $X$ basis is
To use the bit error rate $e_{11}^{x}$ of the $X$ basis to estimate the phase error rate $e_{ph}^{z}$ of the $Z$ basis, the requirement $\rho ^{1}_x=\rho ^{1}_z$ needs to be satisfied. The requirement for the density matrix can be converted to the constraint for the light intensity and the modulation probability:
However, in the experimental implementation stage, the precise modulation of the light intensity is difficult. When Alice and Bob fail to modulate the light intensity parameter precisely according to the constraint, the imbalance of the quantum coin $\Delta$, defined as in Refs. [65,66], needs to be introduced to estimate the upper bound of the $Z$ basis phase error rate
Appendix B. Post-matching QCKA protocol
For estimating the secret key rate by Eq. (1), we need to calculate the corresponding parameters. In the following description, the expected value of $x$, the number of $\{k_a,~k_b\}$ and the number and error number of events $\{k_a^{i}k_a^{j}\}~(\{k_b^{i}k_b^{j}\})$ after postmatching are denoted as $x^{*}$, $x_{k_ak_b}$ and $n_{k_a^{i}k_a^{j},~k_b^{i}k_b^{j}}$ ($m_{k_a^{i}k_a^{j},~k_b^{i}k_b^{j}}$), respectively.
B.1. Gain, correct number and error number
Define the phase difference between Alice and Bob as $\theta = \theta _a- \theta _b +\phi _{ab}$. When they send intensity $k_a$ and $k_b$ with phase difference $\theta$, the gain corresponding to only one detector ($L$ or $R$) clicking is
In the $Z$ basis, the valid events after post-matching can be divided into two types, i.e., the correct events (corresponding to $\{\mu _a \mathbf {o}_{a},\mathbf {o}_{b}\mu _b\}$, $\{\mathbf {o}_{a}\mu _a,\mu _b \mathbf {o}_{b}\}$) and the incorrect events (corresponding to $\{\mu _a\mathbf {o}_{a},\mu _b\mathbf {o}_{b}\}$, $\{\mathbf {o}_{a}\mu _a,\mathbf {o}_{b}\mu _b\}$ and the wrong detection of $\{\mu _a \mathbf {o}_{a},\mathbf {o}_{b}\mu _b\}$, $\{\mathbf {o}_{a}\mu _a,\mu _b \mathbf {o}_{b}\}$). The corresponding numbers are denoted as $n_C^{z}$ and $n_E^{z}$, respectively.
The overall number of events is
We can obtain the error number as:
In the $X$ basis, the overall number of “effective” events is
In the $X$ basis, the overall error count can be given as
B.2. Number of single photon pairs and phase error rate
1. $\underline {s}_{11}^{z}$. $s_{11}^{z}$ is the $Z$ basis number of successful detection events where Alice and Bob each emit a single photon in a total of two time bins. Define $z_{10}$ ($z_{01}$) as the number of events where Alice (Bob) emits a single photon and Bob (Alice) emits a vacuum state in the $\{\mu _a,\mathbf {o}_b\}$ ($\{\mathbf {o}_a,\mu _b\}$) event. The lower bounds of their expected values are $\underline {z}_{10}^{*}= N p_{\mu _a} p_{\mathbf {o}_{b}} \mu _{a}e^{-\mu _a} \underline {y}_{10}^{*}$ and $\underline {z}_{01}^{*} = N p_{\mathbf {o}_{a}} p_{\mu _b} \mu _{b} e^{-\mu _b} \underline {y}_{01}^{*}$, respectively. $\underline {y}_{10}^{*}$ and $\underline {y}_{01}^{*}$ are the yields corresponding to $\underline {z}_{10}^{*}$ and $\underline {z}_{01}^{*}$, respectively. They can be estimated using the decoy-state method:
2. $\underline {s}_{0\mu _b}^{z}$. $s_{0\mu _b}^{z}$ represents the number of events, where in the $Z$ basis, the state of Alice is a zero-photon state and the total intensity of Bob’s pulses is $\mu _b$ in the two matched time bins. Define $z_{00}$ ($z_{0\mu _b}$) as the count of detection events where the state sent by Alice collapses to the vacuum state in the $\{\mu _a,\mathbf {o}_b\}$ ($\{\mu _a,\mu _b\}$) event. We set the lower bound of their expected values as $\underline {z}_{00}^{*}(={ p_{\mu _a} p_{\mathbf {o}_b}e^{-\mu _a}\underline {x}_{o o}^{d*}}/{p_{o_ao_b}^{d}})$ and $~\underline {z}_{0\mu _b}^{*}=({p_{\mu _a} p_{\mu _b}e^{-\mu _a}\underline {x}_{\mathbf {o}_{a}\mu _b}^{*}}/{p_{\mathbf {o}_{a}}p_{\mu _b}})$, respectively. Here, we employed the relation of the expected value $\underline {x}_{\mathbf {o}_{a}\mu _b}^{*}={ p_{\mathbf {o}_{a}} \underline {x}_{\hat {\mathbf {o}}_{a}\mu _b}^{*}}/{ p_{\hat {\mathbf {o}}_{a}}}$, and $~\underline {x}_{\mathbf {o}_{a}\mathbf {o}_b}^{*}={ p_{\mathbf {o}_{a}} p_{\mathbf {o}_b}\underline {x}_{o o}^{d*}}/{p_{oo}^{d}}$. The lower bound of $s_{0\mu _b}^{z*}$ can be written as
3. $\underline {s}_{11}^{x}$. All valid events in the $X$ basis can be grouped according to the phase difference $\theta ~(\in \{-\delta,\delta \}\cup \{\pi -\delta,\pi +\delta \})$. The corresponding number in the $\{k_a,~k_b\}$ event is denoted as $x_{k_ak_b}^{\theta }$. In the post-matching step, two time bins are matched if they have the same phase difference $\theta$. We suppose that the global phase difference $\theta$ is a randomly and uniformly distributed value. Considering the angle of misalignment in the $X$ basis $\sigma$, the expected number of single-photon pairs can be given by
4. $\underline {t}_{11}^{x}$. For single-photon pairs, the expected value of the phase error rate in the $Z$ basis equals the expected value of the bit error rate in the $X$ basis. Therefore, we first calculate the number of errors of single-photon pairs in the $X$ basis ${t_{11}^{x}}$. The upper bound of the expected value of ${t_{11}^{x}}$ can be given by
5. $\overline {\phi }_{11}^{z}$. Finally, for a failure probability $\varepsilon$, the upper bound of the phase error rate $\phi _{11}^{z}$ can be obtained:
Funding
Natural Science Foundation of Jiangsu Province (BK20211145); Fundamental Research Funds for the Central Universities (020414380182); Key Research and Development Program of Nanjing Jiangbei New Area (ZDYD20210101); Program for Innovative Talents and Entrepreneurs in Jiangsu (JSSCRC2021484).
Disclosures
The authors declare no conflicts of interest.
Data availability
The data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.
References
1. S. Bose, V. Vedral, and P. L. Knight, “Multiparticle generalization of entanglement swapping,” Phys. Rev. A 57(2), 822–829 (1998). [CrossRef]
2. A. Cabello, “Multiparty key distribution and secret sharing based on entanglement swapping,” arXiv: quant-ph/0009025 (2000).
3. K. Chen and H.-K. Lo, “Multi-partite quantum cryptographic protocols with noisy ghz states,” Quantum Inf. & Comput. 7(8), 689–715 (2007). [CrossRef]
4. R. Matsumoto, “Multiparty quantum-key-distribution protocol without use of entanglement,” Phys. Rev. A 76(6), 062316 (2007). [CrossRef]
5. C. H. Bennett and G. Brassard, in Proc. IEEE Int. Conf. on Computers, Systems and Signal Processing, (1984), p. 175.
6. A. K. Ekert, “Quantum cryptography based on bell’s theorem,” Phys. Rev. Lett. 67(6), 661–663 (1991). [CrossRef]
7. H.-K. Lo and H. F. Chau, “Unconditional security of quantum key distribution over arbitrarily long distances,” Science 283(5410), 2050–2056 (1999). [CrossRef]
8. P. W. Shor and J. Preskill, “Simple proof of security of the bb84 quantum key distribution protocol,” Phys. Rev. Lett. 85(2), 441–444 (2000). [CrossRef]
9. C. H. Bennett and G. Brassard, “Quantum cryptography: Public key distribution and coin tossing,” Theor. Comput. Sci. 560, 7–11 (2014). [CrossRef]
10. V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301–1350 (2009). [CrossRef]
11. C. Weedbrook, S. Pirandola, R. García-Patrón, N. J. Cerf, T. C. Ralph, J. H. Shapiro, and S. Lloyd, “Gaussian quantum information,” Rev. Mod. Phys. 84(2), 621–669 (2012). [CrossRef]
12. F. Xu, X. Ma, Q. Zhang, H.-K. Lo, and J.-W. Pan, “Secure quantum key distribution with realistic devices,” Rev. Mod. Phys. 92(2), 025002 (2020). [CrossRef]
13. S. Pirandola, U. L. Andersen, L. Banchi, M. Berta, D. Bunandar, R. Colbeck, D. Englund, T. Gehring, C. Lupo, C. Ottaviani, J. L. Pereira, M. Razavi, J. S. Shaari, M. Tomamichel, V. C. Usenko, G. Vallone, P. Villoresi, and P. Wallden, “Advances in quantum cryptography,” Adv. Opt. Photonics 12(4), 1012–1236 (2020). [CrossRef]
14. F. Grasselli, H. Kampermann, and D. Bruß, “Conference key agreement with single-photon interference,” New J. Phys. 21(12), 123002 (2019). [CrossRef]
15. C. E. Shannon, “Communication theory of secrecy systems,” Bell Syst. Tech. J. 28(4), 656–715 (1949). [CrossRef]
16. Y. Fu, H. L. Yin, T. Y. Chen, and Z. B. Chen, “Long-distance measurement-device-independent multiparty quantum communication,” Phys. Rev. Lett. 114(9), 090501 (2015). [CrossRef]
17. R. Chen, W. Bao, C. Zhou, H. Li, Y. Wang, and H. Bao, “Biased decoy-state measurement-device-independent quantum cryptographic conferencing with finite resources,” Opt. Express 24(6), 6594–6605 (2016). [CrossRef]
18. J. Ribeiro, G. Murta, and S. Wehner, “Fully device-independent conference key agreement,” Phys. Rev. A 97(2), 022307 (2018). [CrossRef]
19. T. Holz, H. Kampermann, and D. Bruß, “Genuine multipartite bell inequality for device-independent conference key agreement,” Phys. Rev. Res. 2(2), 023251 (2020). [CrossRef]
20. F. Grasselli, H. Kampermann, and D. Bruß, “Finite-key effects in multipartite quantum key distribution protocols,” New J. Phys. 20(11), 113014 (2018). [CrossRef]
21. Y. Wu, J. Zhou, X. Gong, Y. Guo, Z.-M. Zhang, and G. He, “Continuous-variable measurement-device-independent multipartite quantum communication,” Phys. Rev. A 93(2), 022325 (2016). [CrossRef]
22. C. Ottaviani, C. Lupo, R. Laurenza, and S. Pirandola, “Modular network for high-rate quantum conferencing,” Commun. Phys. 2(1), 118 (2019). [CrossRef]
23. X.-Y. Cao, J. Gu, Y.-S. Lu, H.-L. Yin, and Z.-B. Chen, “Coherent one-way quantum conference key agreement based on twin field,” New J. Phys. 23(4), 043002 (2021). [CrossRef]
24. W.-F. Cao, Y.-Z. Zhen, Y.-L. Zheng, S. Zhao, F. Xu, L. Li, Z.-B. Chen, N.-L. Liu, and K. Chen, “Open-destination measurement-device-independent quantum key distribution network,” Entropy 22(10), 1083 (2020). [CrossRef]
25. G. Murta, F. Grasselli, H. Kampermann, and D. Bruß, “Quantum conference key agreement: A review,” Adv. Quantum Technol. 3(11), 2000025 (2020). [CrossRef]
26. M. Proietti, J. Ho, F. Grasselli, P. Barrow, M. Malik, and A. Fedrizzi, “Experimental quantum conference key agreement,” Sci. Adv. 7(23), eabe0395 (2021). [CrossRef]
27. K. Chen and H.-K. Lo, “Conference key agreement and quantum sharing of classical secrets with noisy ghz states,” in Proceedings. International Symposium on Information Theory, 2005. ISIT 2005., (2005), pp. 1607–1611.
28. X.-Y. Cao, Y.-S. Lu, Z. Li, J. Gu, H.-L. Yin, and Z.-B. Chen, “High key rate quantum conference key agreement with unconditional security,” IEEE Access 9, 128870–128876 (2021). [CrossRef]
29. S. Zhao, P. Zeng, W.-F. Cao, X.-Y. Xu, Y.-Z. Zhen, X. Ma, L. Li, N.-L. Liu, and K. Chen, “Phase-matching quantum cryptographic conferencing,” Phys. Rev. Appl. 14(2), 024010 (2020). [CrossRef]
30. Z. Li, X.-Y. Cao, C.-L. Li, C.-X. Weng, J. Gu, H.-L. Yin, and Z.-B. Chen, “Finite-key analysis for quantum conference key agreement with asymmetric channels,” Quantum Sci. Technol. 6(4), 045019 (2021). [CrossRef]
31. D. M. Greenberger, M. A. Horne, and A. Zeilinger, “Going beyond bell’s theorem,” in Bell’s theorem, quantum theory and conceptions of the universe, (Springer, 1989), pp. 69–72.
32. N. D. Mermin, “Extreme quantum entanglement in a superposition of macroscopically distinct states,” Phys. Rev. Lett. 65(15), 1838–1840 (1990). [CrossRef]
33. X.-B. Wang, “Beating the photon-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. 94(23), 230503 (2005). [CrossRef]
34. H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. 94(23), 230504 (2005). [CrossRef]
35. H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 108(13), 130503 (2012). [CrossRef]
36. H.-L. Yin, W.-F. Cao, Y. Fu, Y.-L. Tang, Y. Liu, T.-Y. Chen, and Z.-B. Chen, “Long-distance measurement-device-independent quantum key distribution with coherent-state superpositions,” Opt. Lett. 39(18), 5451–5454 (2014). [CrossRef]
37. Y.-H. Zhou, Z.-W. Yu, and X.-B. Wang, “Making the decoy-state measurement-device-independent quantum key distribution practically useful,” Phys. Rev. A 93(4), 042324 (2016). [CrossRef]
38. H.-L. Yin, T.-Y. Chen, Z.-W. Yu, H. Liu, L.-X. You, Y.-H. Zhou, S.-J. Chen, Y. Mao, M.-Q. Huang, W.-J. Zhang, H. Chen, M. J. Li, D. Nolan, F. Zhou, X. Jiang, Z. Wang, Q. Zhang, X.-B. Wang, and J.-W. Pan, “Measurement-device-independent quantum key distribution over a 404 km optical fiber,” Phys. Rev. Lett. 117(19), 190501 (2016). [CrossRef]
39. J. Lin and N. Lütkenhaus, “Simple security analysis of phase-matching measurement-device-independent quantum key distribution,” Phys. Rev. A 98(4), 042332 (2018). [CrossRef]
40. Z.-X. Cui, W. Zhong, L. Zhou, and Y.-B. Sheng, “Measurement-device-independent quantum key distribution with hyper-encoding,” Sci. China Physics, Mech. & Astron. 62(11), 110311 (2019). [CrossRef]
41. H. Xu, Z.-W. Yu, C. Jiang, X.-L. Hu, and X.-B. Wang, “Sending-or-not-sending twin-field quantum key distribution: Breaking the direct transmission key rate,” Phys. Rev. A 101(4), 042330 (2020). [CrossRef]
42. Y.-A. Chen, Q. Zhang, T.-Y. Chen, et al., “An integrated space-to-ground quantum communication network over 4, 600 kilometres,” Nature 589(7841), 214–219 (2021). [CrossRef]
43. L.-C. Kwek, L. Cao, W. Luo, Y. Wang, S. Sun, X. Wang, and A. Q. Liu, “Chip-based quantum key distribution,” AAPPS Bull. 31(1), 15 (2021). [CrossRef]
44. G.-Z. Tang, C.-Y. Li, and M. Wang, “Polarization discriminated time-bin phase-encoding measurement-device-independent quantum key distribution,” Quantum Eng. 3(4), e79 (2021). [CrossRef]
45. X.-f. Wang, X.-j. Sun, Y.-x. Liu, W. Wang, B.-x. Kan, P. Dong, and L.-l. Zhao, “Transmission of photonic polarization states from geosynchronous earth orbit satellite to the ground,” Quantum Eng. 3(3), e73 (2021). [CrossRef]
46. M. Lucamarini, Z. L. Yuan, J. F. Dynes, and A. J. Shields, “Overcoming the rate–distance limit of quantum key distribution without quantum repeaters,” Nature 557(7705), 400–403 (2018). [CrossRef]
47. X. Ma, P. Zeng, and H. Zhou, “Phase-matching quantum key distribution,” Phys. Rev. X 8(3), 031043 (2018). [CrossRef]
48. X.-B. Wang, Z.-W. Yu, and X.-L. Hu, “Twin-field quantum key distribution with large misalignment error,” Phys. Rev. A 98(6), 062323 (2018). [CrossRef]
49. H.-L. Yin and Y. Fu, “Measurement-device-independent twin-field quantum key distribution,” Sci. Rep. 9(1), 3045 (2019). [CrossRef]
50. C. Cui, Z.-Q. Yin, R. Wang, W. Chen, S. Wang, G.-C. Guo, and Z.-F. Han, “Twin-field quantum key distribution without phase postselection,” Phys. Rev. Appl. 11(3), 034053 (2019). [CrossRef]
51. M. Curty, K. Azuma, and H.-K. Lo, “Simple security proof of twin-field type quantum key distribution protocol,” npj Quantum Inf. 5(1), 64 (2019). [CrossRef]
52. H.-L. Yin and Z.-B. Chen, “Coherent-state-based twin-field quantum key distribution,” Sci. Rep. 9(1), 14918 (2019). [CrossRef]
53. X.-L. Hu, C. Jiang, Z.-W. Yu, and X.-B. Wang, “Sending-or-not-sending twin-field protocol for quantum key distribution with asymmetric source parameters,” Phys. Rev. A 100(6), 062337 (2019). [CrossRef]
54. C. Jiang, Z.-W. Yu, X.-L. Hu, and X.-B. Wang, “Unconditional security of sending or not sending twin-field quantum key distribution with finite pulses,” Phys. Rev. Appl. 12(2), 024061 (2019). [CrossRef]
55. K. Maeda, T. Sasaki, and M. Koashi, “Repeaterless quantum key distribution with efficient finite-key analysis overcoming the rate-distance limit,” Nat. Commun. 10(1), 3140 (2019). [CrossRef]
56. H.-L. Yin and Z.-B. Chen, “Finite-key analysis for twin-field quantum key distribution with composable security,” Sci. Rep. 9(1), 17113 (2019). [CrossRef]
57. P. Zeng, W. Wu, and X. Ma, “Symmetry-protected privacy: beating the rate-distance linear bound over a noisy channel,” Phys. Rev. Appl. 13(6), 064013 (2020). [CrossRef]
58. G. Currás-Lorenzo, Á. Navarrete, K. Azuma, G. Kato, M. Curty, and M. Razavi, “Tight finite-key security for twin-field quantum key distribution,” npj Quantum Inf. 7(1), 22 (2021). [CrossRef]
59. B.-H. Li, Y.-M. Xie, Z. Li, C.-X. Weng, C.-L. Li, H.-L. Yin, and Z.-B. Chen, “Long-distance twin-field quantum key distribution with entangled sources,” Opt. Lett. 46(22), 5529–5532 (2021). [CrossRef]
60. Y.-M. Xie, C.-X. Weng, Y.-S. Lu, Y. Fu, Y. Wang, H.-L. Yin, and Z.-B. Chen, “Scalable high-rate twin-field quantum key distribution networks without constraint of probability and intensity,” arXiv preprint arXiv:2112.11165 (2021).
61. S. Pirandola, R. Laurenza, C. Ottaviani, and L. Banchi, “Fundamental limits of repeaterless quantum communications,” Nat. Commun. 8(1), 15043 (2017). [CrossRef]
62. M. Curty, F. Xu, W. Cui, C. C. W. Lim, K. Tamaki, and H.-K. Lo, “Finite-key analysis for measurement-device-independent quantum key distribution,” Nat. Commun. 5(1), 3732 (2014). [CrossRef]
63. H. Chernoff, “A measure of asymptotic efficiency for tests of a hypothesis based on the sum of observations,” Ann. Math. Stat. 23(4), 493–507 (1952). [CrossRef]
64. H.-L. Yin, M.-G. Zhou, J. Gu, Y.-M. Xie, Y.-S. Lu, and Z.-B. Chen, “Tight security bounds for decoy-state quantum key distribution,” Sci. Rep. 10(1), 14312 (2020). [CrossRef]
65. H.-K. Lo and J. Preskill, “Security of quantum key distribution using weak coherent states with nonrandom phases,” Quantum Inf. Comput. 7(5-6), 431–458 (2007). [CrossRef]
66. M. Koashi, “Simple security proof of quantum key distribution based on complementarity,” New J. Phys. 11(4), 045018 (2009). [CrossRef]