One-sided device-independent quantum key distribution for two independent parties

Jun Xin; Xiao-Ming Lu; Xiao-Ming Lu; Xingmin Li; Guolong Li

doi:10.1364/OE.387785

1. Introduction

Information security lies at the heart of our daily life, such as military, finance and government affairs. Quantum cryptography aims to exploit quantum mechanics to establish a secret key between two parties [1,2], conventionally called Alice and Bob, which is also known as quantum key distribution (QKD) [3]. The QKD protocol was first proposed in the seminal work of Bennett and Brassard in 1984 (BB84) [4] for single photons and discrete-variable (DV) measurement. Afterwards, the QKD was extended to continuous-variable (CV) regime [5,6], which owns a promising perspective of being compatible with standard telecommunication technologies, such as unconditional quantum state generation and high-efficiency quantum detection [7].

Remote distribution of secret keys is a challenging task in quantum cryptography [8]. Imagine for instance that there are two distant parties who cannot be connected by direct lines and initially share no secret information, and then how can they possess a secret key. We call this task as quantum key distribution between two independent parties (QKDTP). The possibility of QKDTP was first noted by Braunstein and Pirandola in the DV regime when they studied how to defend the side-channel attack in the QKD protocol [9], and was subsequently developed to the so-called measurement-device-independent QKD (MDI-QKD) protocol [10–16]. Later, MDI-QKD was extended to the CV regime, which can not only be performed by the (entanglement-based) EB scheme [17,18] but also be realized by the prepare-and-measure (P&M) approach [19]. An equivalence between the EB scheme and the P&M approach has been established in the CV MDI scenario [17,18]. As shown in Fig. 1, the main idea of an EB scheme of CV MDI-QKD can be simply described as follows. For two independent parties, Alice and Bob, each of them generates a two-mode squeezed state (EPR): {$\hat {A}_{1}$, $\hat {A}_{2}$} for Alice, and {$\hat {B}_{1}$, $\hat {B}_{2}$} for Bob. Alice and Bob can extract a secret key from their own stations by utilizing the EB QKD protocol [20–27], but cannot share secret information with each other. In order to fulfill the QKD between Alice and Bob, the states $\hat {A}_{1}$ and $\hat {B}_{1}$ are kept within Alice’s and Bob’s own stations whose devices are trusted, while the states $\hat {A}_{2}$ and $\hat {B}_{2}$ are sent through quantum channels to an untrusted intermediary named relay. The relay performs a CV Bell detection on the incoming states by mixing them with a 50:50 beam splitter (BS). With the help of local operator and classical communication (not shown in Fig. 1) [28–30], the relay sends his measurement results to Alice who displaces her retained state $\hat {A}_{1}$, accordingly. After measuring the states $\hat {A}_{1}$ and $\hat {B}_{1}$, Alice and Bob use an authenticated public channel to finish the parameter estimation, information reconciliation and privacy amplification steps [31]. Finally, a secret key can be extracted from Alice and Bob, and therefore QKDTP is realized by the MDI-QKD. However, such an EB MDI-QKD yields the assumption that the devices of both Alice and Bob have to be trusted. In this paper, we utilize the recently developed one-sided device-independent QKD (1sDI-QKD) protocol [32–40] to theoretically demonstrate that QKDTP can also be realized by using entangled states, even if the device of either Alice or Bob is untrusted. See Section 2 for the introduction of the 1sDI-QKD protocol. In our scheme, untrusted party is treated as a black box, and therefore no assumption is made about its measurement. It is this assumption that allows us to prove the security against arbitary attacks of eavesdropper (Eve). In addition, we extend our EB QKDTP scheme to a hybrid version: for two independent parties, one of them uses an entangled state (EB scheme) while the other one employs a Gaussian-modulated coherent state (P&M scheme). With realistic factors such as reconciliation efficiency and transmission losses considered, we theoretically demonstrate the feasibility of our 1sDI QKDTP scheme, which can be implemented by Gaussian states and homodyne measurements.

Fig. 1. Diagrammatic sketch of EB QKDTP scheme. The table summaries the QKD protocols for different cases of QKDTP scheme. The tick and cross symbols denote trusted and untrusted, respectively.

Download Full Size | PDF

This paper is organized as follows. In Section 2,we begin with a brief introduction of the 1sDI-QKD protocol. In Section 3, we introduce how to utilize the 1sDI scheme to realize the EB QKDTP when Alice is trusted while Bob is not. In section 4, we extend our 1sDI QKDTP to a hybrid version by P&M approach. We conclude in Section 5 with a summary.

2. Background of the 1sDI-QKD protocol

All QKD protocols rely for security on several assumptions. For a standard QKD (S-QKD) protocol, the security is guaranteed under the assumption that Alice and Bob have almost perfect control of the state preparations and of the measurement devices. However, this assumption is such weak that the QKD system can be easily hacked [41,42]. In practical implementation, Eve may utilize security loopholes, such as imperfections in the light sources [43,44] and detectors [45–49], to attack the QKD process. One solution to this issue is to make the QKD yield fewer set of assumptions. Device-independent QKD (DI-QKD) protocol treats all the measurement devices as black boxes [50], and therefore no assumption on how the measurements are actually carried out is made. Such a DI-QKD protocol gives Eve the maximal freedom to control over all the experimental devices and its security is only bounded by evaluating Bell-type inequalities [50]. Unfortunately, the DI-QKD protocol is hard to be experimentally realized as it requires the implementation of a detection-loophole-free Bell test [51–55], which needs very high detection efficiency [56]. Therefore, it is natural to ask weather there exists a trade-off scenario between S-QKD and DI-QKD, which involves less assumptions than the former and meanwhile can be easier to be experimentally implemented than the latter. Recently, a special type of QKD protocol with an asymmetric assumption on trusting the measurement devices of Alice and Bob was proposed [32], i.e., measurement device of only one side, either Alice or Bob (but not both), is trusted with a set of characterized quantum operations while the other is treated as a black box [33]. Such an 1sDI-QKD requires much lower detection efficiency compared with the DI-QKD [34], and therefore can be easier to be practically implemented. To date, much efforts have been devoted to the 1sDI-QKD. For examples, the close connection between the 1sDI-QKD and the Einstein-Podolsky-Rosen steering, which is an asymmetric sort of nonlocality, was revealed [33,35–37]. The effect of the finite-key on the security of the 1sDI QKD was analyzed [34,38]. The robustness of the 1sDI-QKD against arbitrary attacks was experimentally assessed with asymptotic [39] and finite [40] keys.

3. EB QKDTP based on 1SDI security

In this section, we introduce how to utilize the 1sDI scheme to realize the EB QKDTP when Alice is trusted while Bob is not.

3.1 Protocol

As shown in Fig. 2, our protocol is described as follows in detail. For two independent parties Alice and Bob where the former is trusted while the latter is not, each of them generates a two-mode squeezed state {$\hat {A}_{1}, \hat {A}_{2}$} and {$\hat {B}_{1}, \hat {B}_{2}$}, which can be given by

(1)$$\begin{aligned}\hat{A}_{1}\!&=\!\cosh{(r)}\hat{a}_{1}\!+\!\sinh{(r)}\hat{a}^{\dagger}_{2}, \ \hat{A}_{2}\!=\!\cosh{(r)}\hat{a}_{2}\!+\!\sinh{(r)}\hat{a}^{\dagger}_{1},\\ \hat{B}_{1}\!&=\!\cosh{(r)}\hat{b}_{1}\!+\!\sinh{(r)}\hat{b}^{\dagger}_{2}, \ \hat{B}_{2}\!=\!\cosh{(r)}\hat{b}_{2}\!+\!\sinh{(r)}\hat{b}^{\dagger}_{1},\\ \end{aligned}$$

where $\hat {a}_{i}$ ($\hat {a}_{i}^{\dagger }$) and $\hat {b}_{i}$ ($\hat {b}_{i}^{\dagger }$) are the annihilation (creation) operators of vacuum states, and $r$ is the squeezing parameter. To build a secure communication between Alice and Bob, they keep the states $\hat {A}_{1}$ and $\hat {B}_{1}$ within their own stations, while sending the other states $\hat {A}_{2}$ and $\hat {B}_{2}$ to an untrusted relay through potentially noisy channels modeled by beam splitters (BSs) with transmittance $\eta _{i}$ and zero excess noise. Here, we assume that $\eta _{i}=10^{-\alpha L_{i}/10}$ with $L_{i}$ being the length of the corresponding noisy channel and $\alpha =0.2$ dB/km ($i=A, B$). This process can be expressed as following,

(2)$$\begin{aligned}\hat{A}'_{2}\!=\!\sqrt{\eta_{A}}\hat{A}_{2}\!+\!\sqrt{1-\eta_{A}}\hat{\nu}_{A}, \ \hat{B}'_{2}\!=\!\sqrt{\eta_{B}}\hat{B}_{2}\!+\!\sqrt{1-\eta_{B}}\hat{\nu}_{B},\\ \end{aligned}$$

where $\hat {A}'_{2}$ and $\hat {B}'_{2}$ are the states output from the noisy channels, $\hat {\nu }_{A}$ and $\hat {\nu }_{B}$ are the annihilation operators of vacuum states. Then, the relay performs a CV Bell detection for the incoming states $\hat {A}'_{2}$ and $\hat {B}'_{2}$ by mixing them with a 50:50 BS. The output states from the BS are measured by two balanced homodyne detections. By controlling the phases of the local oscillators (LOs) of the homodyne detections, the amplitude-sum quadrature $\hat {X}_{A'_{2}}+\hat {X}_{B'_{2}}$ and phase-difference quadrature $\hat {Y}_{A'_{2}}-\hat {Y}_{B'_{2}}$ can be obtained, corresponding to the measurement results $\hat {i}_{1}$ and $\hat {i}_{2}$ of the homodyne detections, respectively. Here, $\hat {X}_{O}=\sqrt {\frac {\hbar }{2}}(\hat {O}^{\dagger }+\hat {O})$ and $\hat {Y}_{O}=i\sqrt {\frac {\hbar }{2}}(\hat {O}^{\dagger }-\hat {O})$ are the amplitude and phase quadratures of the state $\hat {O}$ ($O=A'_{2}, B'_{2}$). Afterwards, the relay broadcasts his measurement results. According to the received data, Alice uses amplitude and phase modulators (AM and PM) to displace her retained state $\hat {A}_{1}$ to become $\hat {A}'_{1}$:

(3)$$\hat{A}'_{1}=\hat{A}_{1}+\xi\hat{i}_{1}+i\xi\hat{i}_{2},$$

where $\xi$ is the adjustable gain of the displacenments. In the real implementation, the measurement of the relay delays the information of the state $\hat {A}_{2}$ (the same for $\hat {B}_{2}$), which will be measured to become $\hat {i}_{1}$ and $\hat {i}_{2}$ in the amplitude and phase modulations. Since the states $\hat {A}_{1}$ and $\hat {A}_{2}$ are generated from an EPR source simultaneously, it can be expected that there will be a time difference between the states $\hat {A}_{1}$ and $\hat {i}_{1}$ ($\hat {i}_{2}$). To compensate this time difference, one can lengthen the optical path of the state $\hat {A}_{1}$ or utilize a quantum memory to store $\hat {A}_{1}$. So far, the above postprocessing step is similar with the entanglement swapping [57–60] which employs the relay as a correlator to create a posteriori correlation between the two states $\hat {A}_{1}$ and $\hat {B}_{1}$ in Alice’s and Bob’s own stations. To extract a secret key from Alice and Bob, the following steps are state measurement, parameter estimation, information reconciliation and privacy amplification. Recall that in our protocol Alice is trusted, while Bob is not whose operations may be tampered by Eve. This asymmetry leads us to tackle the problem by resorting to the recently developed 1sDI-QKD protocol [32–40]. For the state measurement, Alice randomly chooses a couple of noncommuting bases (e.g., amplitude and phase quadratures of her state $\hat {A}'_{1}$) to be measured with a set of characterized quantum operations such as homodyne detection. Bob, on the other hand, is treated as a black box within which any measurement can be made [39]. In this paper, homodyne detection is chosen as an example. In the parameter estimation step, Alice publicly announces a random subset of her measurement results from which the size of the secret key can be estimated [31]. If the secret key is nonzero, Alice then sends the syndrome of her data to Bob via an authenticated channel. Based on the received syndrome, Bob corrects the errors in his data to match Alice’s (information reconciliation step). Finally, Alice and Bob perform privacy amplification to distill the final secure key.

Fig. 2. EB scheme of QKDTP based on 1sDI security.

Download Full Size | PDF

3.2 Security analysis

To demonstrate the feasibility of our scheme, the security of QKDTP should be assessed. Since our EB QKDTP is based on the 1sDI scheme in which Alice is trusted with a set of characterized measurement while Bob is untrusted with no assumption being made about his measurement, we can utilize the uncertainty relation for smooth entropies [32] to demonstrate that our scheme can be unconditionally secure against arbitary attacks in the asymptotic setting [39]. Considering the case where Alice makes an amplitude quadrature measurement, the asymptotic secret key rate is lower bounded by the Devetak-Winter formula [61–63],

(4)$$K\geq \beta I(X_{A'_{1}}:X_{B_{1}})-\chi(X_{A'_{1}}:E).$$

The security of the secret key is guaranteed on the condition that the minimum of $K$ is positive. Here, $\beta <1$ is the reconciliation efficiency. $I(X_{A'_{1}}:X_{B_{1}})$ is the classical mutual information between Alice and Bob, which is given by

(5)$$I(X_{A'_{1}}:X_{B_{1}})=H(X_{A'_{1}})-H(X_{A'_{1}}|X_{B_{1}}).$$

For a Gaussian distribution, $H(X_{A'_{1}})=\log _{2} \sqrt {2\pi eV(X_{A'_{1}})}$ denotes Alice’s Shannon entropy with $V(X_{A'_{1}})=\langle \hat {X}^{2}_{A'_{1}}\rangle -\langle \hat {X}_{A'_{1}}\rangle ^{2}$ being the variance of the variable $\hat {X}_{A'_{1}}$. $H(X_{A'_{1}}|X_{B_{1}})=\log _{2} \sqrt {2\pi eV(X_{A'_{1}}|X_{B_{1}})}$ is Alice’s conditional Shannon entropy given Bob’s measurement outcome $\hat {X}_{B_{1}}$ with $V(X_{A'_{1}}|X_{B_{1}})=V(X_{A'_{1}})-\langle X_{A'_{1}}X_{B_{1}}\rangle ^{2}/V(X_{B_{1}})$. In this way, the classical mutual information $I(X_{A'_{1}}:X_{B_{1}})$ can be rewritten as

(6)$$I(X_{A'_{1}}:X_{B_{1}})=\log_{2}\sqrt{\frac{V(X_{A'_{1}})}{V(X_{A'_{1}}|X_{B_{1}})}}.$$

The second term on the right-hand side of Eq. (4) denotes the amount of key information leaked to Eve. Its maximum is bounded by the Holevo bound [64]:

(7)$$\chi(X_{A'_{1}}:E)\leq S(\rho_{E})-\int dX_{A'_{1}}p(X_{A'_{1}})S(\rho_{E|X_{A'_{1}}}),$$

where $\rho _{E}=\int dX_{A'_{1}}p(X_{A'_{1}})\rho _{E|X_{A'_{1}}}$ is Eve’s reduced state, and $S(\rho _{E})=-Tr(\rho _{E}\log _{2}\rho _{E})$ denotes the von Neumann entropy of $\rho _{E}$. $\rho _{E|X_{A'_{1}}}$ is Eve’s state conditioned on Alice’s measurement outcome $\hat {X}_{A'_{1}}$, and $p(X_{A'_{1}})$ is the probability distribution. Meanwhile, we can also define Alice’s conditional von Neumann entropy from the perspective of Eve as

(8)$$S(X_{A'_{1}}|E)=H(X_{A'_{1}})+\int dX_{A'_{1}}p(X_{A'_{1}})S(\rho_{E|X_{A'_{1}}})-S(\rho_{E}).$$

Combining Eqs. (7) and (8), the information leaked to Eve is upper bounded by

(9)$$\chi(X_{A'_{1}}|E)\leq H(X_{A'_{1}})-S(X_{A'_{1}}|E).$$

By using the recently developed entropic uncertainty relation which bounds Alice’s conditional von Neumann entropy regarding her conjugate quadratures [65–69]:

(10)$$S(X_{A'_{1}}|E)+S(Y_{A'_{1}}|B)\geq \log_{2} 2\pi\hbar,$$

we now have

(11)$$\chi(X_{A'_{1}}|E)\leq H(X_{A'_{1}})+S(Y_{A'_{1}}|B)-\log_{2} 2\pi\hbar.$$

Recalling that $S(Y_{A'_{1}}|B)\leq S(Y_{A'_{1}}|Y_{B})=H(Y_{A'_{1}}|Y_{B})$ (since the measurement cannot decrease the entropy) and substituting it back into Eq. (11), we can rewrite Eve’s information as

(12)$$\chi(X_{A'_{1}}|E)\leq \log_{2} 2\pi e\sqrt{V(X_{A'_{1}})V(Y_{A'_{1}}|Y_{B})}-\log_{2} 2\pi\hbar.$$

In the end, we combine Eqs. (4), (6) and (12), and arrive at the final expression of the secret key rate:

(13)$$K\geq \beta\log_{2} \sqrt{\frac{V(X_{A'_{1}})}{V(X_{A'_{1}}|X_{B_{1}})}}+\log_{2} \frac{2}{e\sqrt{V(X_{A'_{1}})V(Y_{A'_{1}}|Y_{B_{1}})}}.$$

Here, we assume that $\hbar =2$, which corresponds to setting the vacuum noise to be 1. By utilizing the entropic uncertainty relation, we see that the secret key rate is now allowed to be bounded by the relevant observables. All the terms in Eq. (13) can be obtained from homodyne detections and postprocessing procedures.

We first consider the symmetric case that the two noisy channels in Fig. 2 have the same transmission distances, i.e., $L=L_{A}=L_{B}$. Secret key rate $K$ versus transmission distance $L$ is shown in Fig. 3, where the blue, red dashed and green dash-dotted lines correspond to the squeezing parameter $r=0.8, 1.1$ and $1.5$, respectively. Here, it is assumed that the reconciliation efficiency $\beta =0.9$. It is clear that the secret key rate decreases with the increasing of the transmission distance. This is because the lossy channels controlled by Eve introduce vacuum noise into the system. The longer the lossy channels are, the more the secret information will be leaked to Eve. In other words, the lossy channels degrade the secret key rate. In addition, our calculation shows that the security of our EB QKDTP is stilled guaranteed for the transmission distance $L<0.4$ km, even if the squeezing parameter $r=0.8$, demonstrating the feasibility of our scheme. For the asymmetric case, secret key rate $K$ versus $L_{A}$ and $L_{B}$ is plotted in Fig. 4, where it is assumed that the reconciliation efficiency $\beta =0.9$ and the squeezing parameter $r=1.1$. Our results show that when $L_{A}$ increases, the maximal $L_{B}$ decreases and vice versa. Besides, the effects of $L_{A}$ and $L_{B}$ on the secret key rate are different. For example, $K=0.22$ when $L_{A}=3$ km and $L_{B}=0$ km, while $K=0.40$ if permuting $L_{A}$ and $L_{B}$. This difference can be qualitatively explained by the asymmetric property of the 1sDI scheme, which only allows the untrusted party to correct his data in the information reconciliation step. In this case, the direction of the information flow during the reconciliation is one-sided, i.e., from Alice to Bob. Therefore, it can be expected that the transmission distances $L_{A}$ and $L_{B}$ have different effects on the secret key rate. This means that the symmetric case cannot result in an optimal performance for our EB QKDTP scheme.

Fig. 3. Secret key rate $K$ versus transmission distance $L$ in the EB QKDTP based on 1sDI security.

Download Full Size | PDF

Fig. 4. Secret key rate $K$ versus transmission distances $L_{A}$ and $L_{B}$ in the EB QKDTP based on 1sDI security.

Download Full Size | PDF

We have now demonstrated that our EB QKDTP based on 1sDI security is feasible when Alice is trusted while Bob is not. Our scheme can also be adapted to the case that Alice and Bob are permuted due to the symmetric structure of our setup.

4. Extensions

In Sec. 2, we employ the 1sDI scheme to fulfill the EB QKDTP on the condition that Alice is trusted while Bob is not. In our scheme, both Alice and Bob utilize two-mode squeezed states (EB scheme) to establish a secure communication with each other. Besides the squeezed state, it is well known that coherent state, the most practical resource in quantum optics, is another means commonly implemented in the QKD protocol [19,39,70–75], which may provide an equivalent level of security [76]. In the following, we extend our EB scheme of 1sDI QKDTP to a hybrid version. We demonstrate that QKDTP based on 1sDI security is also feasible if Alice uses a Gaussian-modulated coherent state (P&M scheme) and Bob uses a two-mode squeezed state (EB scheme). As shown in Fig. 5, our scheme is described as follows in detail. First, Alice utilizes function generators to draw two random real numbers, $s_{1}$ and $s_{2}$, from Gaussian distributions with zero mean and a variance of $V_{s}$. Alice then prepares a coherent state, and exploits AM and PM to displace its amplitude and phase quadratures by $s_{1}$ and $s_{2}$, respectively. As a result, the variances of the amplitude quadrature $V(X_{A})$ and phase quadrature $V(Y_{A})$ of the output coherent state $\hat {A}$ become $1+V_{s}$. Meanwhile, Bob prepares a two-mode squeezed state {$\hat {B}_{1}, \hat {B}_{2}$}. The state $\hat {B}_{1}$ is kept within Bob’s own station, while the states $\hat {A}$ and $\hat {B}_{2}$ are sent to an untrusted relay through potentially noisy channels to become $\hat {A}'$ and $\hat {B}'_{2}$, similar with the process as has been mentioned in Eq. (2). Then, the relay performs a CV Bell detection for the incoming states by mixing them with a 50:50 BS. The output photocurrents $\hat {i}_{1}$ and $\hat {i}_{2}$ from the Bell detection correspond to the amplitude-sum quadrature $\hat {X}_{A'}+\hat {X}_{B'_{2}}$ and phase-difference quadrature $\hat {Y}_{A'}-\hat {Y}_{B'_{2}}$, respectively. Afterwards, the relay announces his measurement results to all parties through a classical channel, publicly. According to the received data, Alice modifies her data to become $\hat {X}_{A''}=\hat {X}_{A}+\xi \hat {i}_{1}$ and $\hat {Y}_{A''}=\hat {Y}_{A}-\xi \hat {i}_{2}$, respectively. Note that the operation of this modification is performed by postprocessing (not shown in Fig. 5). Recall that in our scheme Alice is trusted while Bob is not.

Fig. 5. Hybrid scheme of QKDTP based on 1sDI security.

Download Full Size | PDF

In order to apply the 1sDI scheme, we treat Bob’s station as a black box within which the state $\hat {B}_{1}$ can be making any measurement (not necessarily a quadrature detection) [39]. After the state measurement, Alice and Bob use an authenticated public channel to finish the parameter estimation, information reconciliation, and privacy amplification steps. Based on the entropic uncertainty relation, the secret key rate depends upon a known observable measured in a trusted station. Following the similar steps as has been described in Sec. 2, it can be derived that the asymptotic key rate is lower bounded by

(14)$$K\!\geq\!\beta\log_{2} \sqrt{\frac{V(X_{A^{\prime\prime}})}{V(X_{A^{\prime\prime}}|X_{B_{1}})}}+\log_{2} \frac{2}{e\sqrt{V(X_{A^{\prime\prime}})V(Y_{A^{\prime\prime}}|Y_{B_{1}})}}.$$

Note that the key rate varies as a function of the variance of the modulation signal $V_{s}$. When $V_{s}\gg 1$, an asymptotic value of $K$ can be obtained [70,73]. In the following discussion, it is assumed that $V_{s}=100$. For the symmetric case where $L=L_{A}=L_{B}$, secret key rate versus transmission distance $L$ is shown in Fig. 6(a), where it is assumed that the reconciliation efficiency $\beta =0.9$, the brown circle, blue solid, red dashed and green dash-dotted lines correspond to the squeezing parameter $r=0.5, 0.8, 1.1$ and $1.5$, respectively. Our calculation shows that the feasibility of our hybrid scheme of 1sDI QKDTP can be guaranteed on the condition that $L_{B}<0.6$ km, even if the squeezing parameter $r=0.5$. If the squeezing parameter $r=1.5$, the maximal transmission distance $L$ can be a relatively longer distance of $5.2$ km. For the asymmetric case, secret key rate $K$ versus $L_{A}$ and $L_{B}$ is plotted in Fig. 6(b), where it is assumed that the reconciliation efficiency $\beta =0.9$ and the squeezing parameter $r=1.1$. Similar with Fig. 4, it can be found that the effects of $L_{A}$ and $L_{B}$ on the secret key rate are asymmetric. The secure communication between Alice and Bob can be guaranteed within a large range of transmission distances. Since the P&M approach is easy to be implemented, our hybrid scheme can reduce the the technological requirements for the state preparations in the 1sDI QKDTP.

Fig. 6. Secret key rate $K$ versus transmission distance in the hybrid scheme of 1sDI QKDTP. (a), symmetric case. (b), asymmetric case.

Download Full Size | PDF

5. Conclusion

QKDTP is a formidable task in quantum cryptography. It allows two independent parties Alice and Bob, who initially share no secret information, to possess a secret key. In this direction, a feasible method is MDI-QKD, in which both Alice and Bob use trusted sources to generate a secret key via an untrusted measurement in a third party named relay. However, the MDI-QKD only works under the assumption that the devices of both Alice and Bob are trusted. In this paper, resorting to the recently developed 1sDI scheme, we have demonstrated that QKDTP can also be realized when the devices of either Alice or Bob is untrusted. Two different cases are considered to fulfill the 1sDI QKDTP: the first one is an EB scheme where both Alice and Bob use entangled states; the second one is a hybrid scheme where Alice uses a Gaussian-modulated coherent state while Bob uses an entangled state. With realistic factors such as reconciliation efficiency and transmission losses considered, we have determined conditions on the extracted secret key to be unconditionally secure against arbitary attacks in the asymptotic setting. Note that the 1sDI QKDTP in this paper is different from the 1sDI-QKD. For the 1sDI QKDTP, the states in Alice’s and Bob’s stations are independent, while for the 1sDI-QKD they are not. Therefore, the working conditions of these two protocols are different. Our work may pave the way for the remote distribution of quantum secret key with unconditional security.

Funding

Zhejiang Provincial Natural Science Foundation of China (LQ19A040008, LQ20A040006, LY18A050003); the National Natural Science Foundation of China (61905054, 61871162, 11805048, 11935012, 11847044).

Disclosures

The authors declare no conflicts of interest.

References

1. N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. 74(1), 145–195 (2002). [CrossRef]

2. V. Scarani, H. Bechmann-Pasquinucci, N. J. Cerf, M. Dušek, N. Lütkenhaus, and M. Peev, “The security of practical quantum key distribution,” Rev. Mod. Phys. 81(3), 1301–1350 (2009). [CrossRef]

3. H.-K. Lo, M. Curty, and K. Tamaki, “Secure quantum key distribution,” Nat. Photonics 8(8), 595–604 (2014). [CrossRef]

4. C. H. Bennett and G. Brassard, “Proceedings of the IEEE International Conference on Computers, Systems and Signal Processing, Bangalore, India,” (IEEE, New York, 1984), p. 175.

5. T. C. Ralph, “Continuous variable quantum cryptography,” Phys. Rev. A 61(1), 010303 (1999). [CrossRef]

6. Y.-M. Li, X.-Y. Wang, Z.-L. Bai, W.-Y. Liu, S.-S. Yang, and K.-C. Peng, “Continuous variable quantum key distribution,” Chin. Phys. B 26(4), 040303 (2017). [CrossRef]

7. C. Weedbrook, S. Pirandola, R. García-Patrón, N. J. Cerf, T. C. Ralph, J. H. Shapiro, and S. Lloyd, “Gaussian quantum information,” Rev. Mod. Phys. 84(2), 621–669 (2012). [CrossRef]

8. A. Cabello, “Quantum key distribution without alternative measurements,” Phys. Rev. A 61(5), 052312 (2000). [CrossRef]

9. S. L. Braunstein and S. Pirandola, “Side-channel-free quantum key distribution,” Phys. Rev. Lett. 108(13), 130502 (2012). [CrossRef]

10. H.-K. Lo, M. Curty, and B. Qi, “Measurement-device-independent quantum key distribution,” Phys. Rev. Lett. 108(13), 130503 (2012). [CrossRef]

11. M. Tomamichel, S. Fehr, J. Kaniewski, and S. Wehner, “A monogamy-of-entanglement game with applications to device-independent quantum cryptography,” New J. Phys. 15(10), 103002 (2013). [CrossRef]

12. Y.-L. Tang, H.-L. Yin, S.-J. Chen, Y. Liu, W.-J. Zhang, X. Jiang, L. Zhang, J. Wang, L.-X. You, J.-Y. Guan, D.-X. Yang, Z. Wang, H. Liang, Z. Zhang, N. Zhou, X. Ma, T.-Y. Chen, Q. Zhang, and J.-W. Pan, “Measurement-device-independent quantum key distribution over 200 km,” Phys. Rev. Lett. 113(19), 190501 (2014). [CrossRef]

13. Y. Fu, H.-L. Yin, T.-Y. Chen, and Z.-B. Chen, “Long-distance measurement-device-independent multiparty quantum communication,” Phys. Rev. Lett. 114(9), 090501 (2015). [CrossRef]

14. L. C. Comandar, M. Lucamarini, B. Fröhlich, J. F. Dynes, A. W. Sharpe, S. W.-B. Tam, Z. L. Yuan, R. V. Penty, and A. J. Shields, “Quantum key distribution without detector vulnerabilities using optically seeded lasers,” Nat. Photonics 10(5), 312–315 (2016). [CrossRef]

15. Y.-H. Zhou, Z.-W. Yu, and X.-B. Wang, “Making the decoy-state measurement-device-independent quantum key distribution practically useful,” Phys. Rev. A 93(4), 042324 (2016). [CrossRef]

16. H.-L. Yin, T.-Y. Chen, Z.-W. Yu, H. Liu, L.-X. You, Y.-H. Zhou, S.-J. Chen, Y. Mao, M.-Q. Huang, W.-J. Zhang, H. Chen, M. J. Li, D. Nolan, F. Zhou, X. Jiang, Z. Wang, Q. Zhang, X.-B. Wang, and J.-W. Pan, “Measurement-device-independent quantum key distribution over a 404 km optical fiber,” Phys. Rev. Lett. 117(19), 190501 (2016). [CrossRef]

17. Z. Li, Y.-C. Zhang, F. Xu, X. Peng, and H. Guo, “Continuous-variable measurement-device-independent quantum key distribution,” Phys. Rev. A 89(5), 052301 (2014). [CrossRef]

18. Y.-C. Zhang, Z. Li, S. Yu, W. Gu, X. Peng, and H. Guo, “Continuous-variable measurement-device-independent quantum key distribution using squeezed states,” Phys. Rev. A 90(5), 052325 (2014). [CrossRef]

19. S. Pirandola, C. Ottaviani, G. Spedalieri, C. Weedbrook, S. L. Braunstein, S. Lloyd, T. Gehring, C. S. Jacobsen, and U. L. Andersen, “High-rate measurement-device-independent quantum cryptography,” Nat. Photonics 9(6), 397–402 (2015). [CrossRef]

20. A. K. Ekert, “Quantum cryptography based on bell’s theorem,” Phys. Rev. Lett. 67(6), 661–663 (1991). [CrossRef]

21. C. H. Bennett, G. Brassard, and N. D. Mermin, “Quantum cryptography without bell’s theorem,” Phys. Rev. Lett. 68(5), 557–559 (1992). [CrossRef]

22. M. Hillery, “Quantum cryptography with squeezed states,” Phys. Rev. A 61(2), 022309 (2000). [CrossRef]

23. T. Jennewein, C. Simon, G. Weihs, H. Weinfurter, and A. Zeilinger, “Quantum cryptography with entangled photons,” Phys. Rev. Lett. 84(20), 4729–4732 (2000). [CrossRef]

24. N. J. Cerf, M. Lévy, and G. V. Assche, “Quantum distribution of gaussian keys using squeezed states,” Phys. Rev. A 63(5), 052311 (2001). [CrossRef]

25. D. Gottesman and J. Preskill, “Secure quantum key distribution using squeezed states,” Phys. Rev. A 63(2), 022309 (2001). [CrossRef]

26. V. C. Usenko, L. Ruppert, and R. Filip, “Entanglement-based continuous-variable quantum key distribution with multimode states and detectors,” Phys. Rev. A 90(6), 062326 (2014). [CrossRef]

27. N. Wang, S. Du, W. Liu, X. Wang, Y. Li, and K. Peng, “Long-distance continuous-variable quantum key distribution with entangled states,” Phys. Rev. Appl. 10(6), 064028 (2018). [CrossRef]

28. A. Furusawa, J. L. Sørensen, S. L. Braunstein, C. A. Fuchs, H. J. Kimble, and E. S. Polzik, “Unconditional quantum teleportation,” Science 282(5389), 706–709 (1998). [CrossRef]

29. S. L. Braunstein and H. J. Kimble, “Teleportation of continuous quantum variables,” Phys. Rev. Lett. 80(4), 869–872 (1998). [CrossRef]

30. H. Yonezawa, T. Aoki, and A. Furusawa, “Demonstration of a quantum teleportation network for continuous variables,” Nature 431(7007), 430–433 (2004). [CrossRef]

31. R. Renner, “Security of quantum key distribution,” Int. J. Quant. Inf. 06(01), 1–127 (2008). [CrossRef]

32. M. Tomamichel and R. Renner, “Uncertainty relation for smooth entropies,” Phys. Rev. Lett. 106(11), 110506 (2011). [CrossRef]

33. C. Branciard, E. G. Cavalcanti, S. P. Walborn, V. Scarani, and H. M. Wiseman, “One-sided device-independent quantum key distribution: Security, feasibility, and the connection with steering,” Phys. Rev. A 85(1), 010301 (2012). [CrossRef]

34. Y. Wang, W.-s. Bao, H.-w. Li, C. Zhou, and Y. Li, “Finite-key analysis for one-sided device-independent quantum key distribution,” Phys. Rev. A 88(5), 052322 (2013). [CrossRef]

35. H.-Z. Bao, W.-S. Bao, Y. Wang, R.-K. Chen, H.-X. Ma, C. Zhou, and H.-W. Li, “Time-energy high-dimensional one-side device-independent quantum key distribution,” Chin. Phys. B 26(5), 050302 (2017). [CrossRef]

36. Y. Xiang, I. Kogias, G. Adesso, and Q. He, “Multipartite gaussian steering: Monogamy constraints and quantum cryptography applications,” Phys. Rev. A 95(1), 010101 (2017). [CrossRef]

37. Y. Xiang, X. Su, L. Mišta, G. Adesso, and Q. He, “Multipartite einstein-podolsky-rosen steering sharing with separable states,” Phys. Rev. A 99(1), 010104 (2019). [CrossRef]

38. M. Tomamichel, C. C. W. Lim, N. Gisin, and R. Renner, “Tight finite-key analysis for quantum cryptography,” Nat. Commun. 3(1), 634 (2012). [CrossRef]

39. N. Walk, S. Hosseini, J. Geng, O. Thearle, J. Y. Haw, S. Armstrong, S. M. Assad, J. Janousek, T. C. Ralph, T. Symul, H. M. Wiseman, and P. K. Lam, “Experimental demonstration of gaussian protocols for one-sided device-independent quantum key distribution,” Optica 3(6), 634 (2016). [CrossRef]

40. T. Gehring, V. Händchen, J. Duhme, F. Furrer, T. Franz, C. Pacher, R. F. Werner, and R. Schnabel, “Implementation of continuous-variable quantum key distribution with composable and one-sided-device-independent security against coherent attacks,” Nat. Commun. 6(1), 8795 (2015). [CrossRef]

41. L. Lydersen, C. Wiechers, C. Wittmann, D. Elser, J. Skaar, and V. Makarov, “Hacking commercial quantum cryptography systems by tailored bright illumination,” Nat. Photonics 4(10), 686–689 (2010). [CrossRef]

42. I. Gerhardt, Q. Liu, A. Lamas-Linares, J. Skaar, C. Kurtsiefer, and V. Makarov, “Full-field implementation of a perfect eavesdropper on a quantum cryptography system,” Nat. Commun. 2(1), 349 (2011). [CrossRef]

43. S. Félix, N. Gisin, A. Stefanov, and H. Zbinden, “Faint laser quantum key distribution: Eavesdropping exploiting multiphoton pulses,” J. Mod. Opt. 48(13), 2009–2021 (2001). [CrossRef]

44. S. Nauerth, M. Fürst, T. Schmitt-Manderbach, H. Weier, and H. Weinfurter, “Information leakage via side channels in freespace bb84 quantum cryptography,” New J. Phys. 11(6), 065001 (2009). [CrossRef]

45. V. Makarov, A. Anisimov, and J. Skaar, “Effects of detector efficiency mismatch on security of quantum cryptosystems,” Phys. Rev. A 74(2), 022313 (2006). [CrossRef]

46. A. Lamas-Linares and C. Kurtsiefer, “Breaking a quantum key distribution system through a timing side channel,” Opt. Express 15(15), 9388–9393 (2007). [CrossRef]

47. Y. Zhao, C.-H. F. Fung, B. Qi, C. Chen, and H.-K. Lo, “Quantum hacking: Experimental demonstration of time-shift attack against practical quantum-key-distribution systems,” Phys. Rev. A 78(4), 042333 (2008). [CrossRef]

48. F. Xu, B. Qi, and H.-K. Lo, “Experimental demonstration of phase-remapping attack in a practical quantum key distribution system,” New J. Phys. 12(11), 113026 (2010). [CrossRef]

49. C. Wiechers, L. Lydersen, C. Wittmann, D. Elser, J. Skaar, C. Marquardt, V. Makarov, and G. Leuchs, “After-gate attack on a quantum cryptosystem,” New J. Phys. 13(1), 013043 (2011). [CrossRef]

50. A. Acín, N. Brunner, N. Gisin, S. Massar, S. Pironio, and V. Scarani, “Device-independent security of quantum cryptography against collective attacks,” Phys. Rev. Lett. 98(23), 230501 (2007). [CrossRef]

51. B. G. Christensen, K. T. McCusker, J. B. Altepeter, B. Calkins, T. Gerrits, A. E. Lita, A. Miller, L. K. Shalm, Y. Zhang, S. W. Nam, N. Brunner, C. C. W. Lim, N. Gisin, and P. G. Kwiat, “Detection-loophole-free test of quantum nonlocality, and applications,” Phys. Rev. Lett. 111(13), 130406 (2013). [CrossRef]

52. M. Giustina, A. Mech, S. Ramelow, B. Wittmann, J. Kofler, J. Beyer, A. Lita, B. Calkins, T. Gerrits, S. W. Nam, R. Ursin, and A. Zeilinger, “Bell violation using entangled photons without the fair-sampling assumption,” Nature 497(7448), 227–230 (2013). [CrossRef]

53. B. Hensen, H. Bernien, A. E. Dréau, A. Reiserer, N. Kalb, M. S. Blok, J. Ruitenberg, R. F. L. Vermeulen, R. N. Schouten, C. Abellán, W. Amaya, V. Pruneri, M. W. Mitchell, M. Markham, D. J. Twitchen, D. Elkouss, S. Wehner, T. H. Taminiau, and R. Hanson, “Loophole-free bell inequality violation using electron spins separated by 1.3 kilometres,” Nature 526(7575), 682–686 (2015). [CrossRef]

54. E. Diamanti, H.-K. Lo, B. Qi, and Z. Yuan, “Practical challenges in quantum key distribution,” npj Quantum Inf. 2(1), 16025 (2016). [CrossRef]

55. W. Rosenfeld, D. Burchardt, R. Garthoff, K. Redeker, N. Ortegel, M. Rau, and H. Weinfurter, “Event-ready bell test using entangled atoms simultaneously closing detection and locality loopholes,” Phys. Rev. Lett. 119(1), 010402 (2017). [CrossRef]

56. S. Pironio, A. Acín, N. Brunner, N. Gisin, S. Massar, and V. Scarani, “Device-independent quantum key distribution secure against collective attacks,” New J. Phys. 11(4), 045021 (2009). [CrossRef]

57. M. Żukowski, A. Zeilinger, M. A. Horne, and A. K. Ekert, “"event-ready-detectors"bell experiment via entanglement swapping,” Phys. Rev. Lett. 71(26), 4287–4290 (1993). [CrossRef]

58. R. E. S. Polkinghorne and T. C. Ralph, “Continuous variable entanglement swapping,” Phys. Rev. Lett. 83(11), 2095–2099 (1999). [CrossRef]

59. X. Jia, X. Su, Q. Pan, J. Gao, C. Xie, and K. Peng, “Experimental demonstration of unconditional entanglement swapping for continuous variables,” Phys. Rev. Lett. 93(25), 250503 (2004). [CrossRef]

60. X. Su, C. Tian, X. Deng, Q. Li, C. Xie, and K. Peng, “Quantum entanglement swapping between two multipartite entangled states,” Phys. Rev. Lett. 117(24), 240503 (2016). [CrossRef]

61. I. Devetak and A. Winter, “Relating quantum privacy and quantum coherence: An operational approach,” Phys. Rev. Lett. 93(8), 080501 (2004). [CrossRef]

62. I. Devetak and A. Winter, “Distillation of secret key and entanglement from quantum states,” Proc. R. Soc. A 461(2053), 207–235 (2005). [CrossRef]

63. R. Renner, N. Gisin, and B. Kraus, “Information-theoretic security proof for quantum-key-distribution protocols,” Phys. Rev. A 72(1), 012332 (2005). [CrossRef]

64. A. S. Holevo, “Some estimates for the amount of information transmittable by a quantum communications channel,” Probl. Peredachi Inf. 9, 3 (1973).

65. J. M. Renes and J.-C. Boileau, “Conjectured strong complementary information tradeoff,” Phys. Rev. Lett. 103(2), 020402 (2009). [CrossRef]

66. M. Berta, M. Christandl, R. Colbeck, J. M. Renes, and R. Renner, “The uncertainty principle in the presence of quantum memory,” Nat. Phys. 6(9), 659–662 (2010). [CrossRef]

67. A. Ferenczi, “Security proof methods for quantum key distribution protocols,” Ph.D. thesis, University of Waterloo (2013).

68. F. Furrer, M. Berta, M. Tomamichel, V. B. Scholz, and M. Christandl, “Position-momentum uncertainty relations in the presence of quantum memory,” J. Math. Phys. 55(12), 122205 (2014). [CrossRef]

69. R. L. Frank and E. H. Lieb, “Extended quantum conditional entropy and quantum uncertainty inequalities,” Commun. Math. Phys. 323(2), 487–495 (2013). [CrossRef]

70. F. Grosshans and P. Grangier, “Continuous variable quantum cryptography using coherent states,” Phys. Rev. Lett. 88(5), 057902 (2002). [CrossRef]

71. F. Grosshans, G. V. Assche, J. Wenger, R. Brouri, N. J. Cerf, and P. Grangier, “Quantum key distribution using gaussian-modulated coherent states,” Nature 421(6920), 238–241 (2003). [CrossRef]

72. S. Iblisdir, G. Van Assche, and N. J. Cerf, “Security of quantum key distribution with coherent states and homodyne detection,” Phys. Rev. Lett. 93(17), 170502 (2004). [CrossRef]

73. C. Weedbrook, A. M. Lance, W. P. Bowen, T. Symul, T. C. Ralph, and P. K. Lam, “Quantum cryptography without switching,” Phys. Rev. Lett. 93(17), 170504 (2004). [CrossRef]

74. A. M. Lance, T. Symul, V. Sharma, C. Weedbrook, T. C. Ralph, and P. K. Lam, “No-switching quantum key distribution using broadband modulated coherent light,” Phys. Rev. Lett. 95(18), 180503 (2005). [CrossRef]

75. C. Weedbrook, A. M. Lance, W. P. Bowen, T. Symul, T. C. Ralph, and P. K. Lam, “Coherent-state quantum key distribution without random basis switching,” Phys. Rev. A 73(2), 022316 (2006). [CrossRef]

76. F. Grosshans, N. J. Cerf, P. Grangier, J. Wenger, and R. Tualle-Brouri, “Virtual entanglement and reconciliation protocols for quantum cryptography with continuous variables,” Quant. Inf. Comp. 3, 535–552 (2003).

One-sided device-independent quantum key distribution for two independent parties

Abstract

1. Introduction

2. Background of the 1sDI-QKD protocol

3. EB QKDTP based on 1SDI security

3.1 Protocol

3.2 Security analysis

4. Extensions

5. Conclusion

Funding

Disclosures

References

Cited By

Figures (6)

Equations (14)

Optics Express