## Abstract

Experimental one-way decoy pulse quantum key distribution running continuously for 60 hours is demonstrated over a fiber distance of 20km. We employ a decoy protocol which involves one weak decoy pulse and a vacuum pulse. The obtained secret key rate is on average over 10kbps. This is the highest rate reported using this decoy protocol over this fiber distance and duration.

©2007 Optical Society of America

## 1. Introduction

Quantum key distribution (QKD) involves the secure communication between two remote parties, conventionally named Alice (sender) and Bob (receiver), where the security of the keys is determined by the laws of quantum mechanics rather than the use of strong, one-way mathematical functions to encrypt the keys [1]. Where security is of paramount importance, QKD naturally would be the technique of choice for secret key distribution owing to its unconditionally secure nature. Although since the original proposal [2], there has been a considerable amount of work on QKD, beginning with the first experimental demonstration in 1992 [3], reliable, compact systems with tolerably high enough bit rates compatible with existing telecoms fiber technology are only now starting to emerge [4, 5]. Ideally the QKD setup should be arranged employing a true single photon source to guarantee immunity against the so-called pulse number splitting attacks (PNS)[6, 7] from a potential eavesdropper (Eve). Presently there are a lack of deterministic, reliable and useful single photon sources. Therefore most implementations rely on heavily attenuated lasers as a photon source which emit photon pulses with a Poissonian number distribution. The PNS attack in such a configuration would consist of blocking any true single photons in the quantum channel, removing part of the multi-photon pulses and transmitting the remaining portion to Bob via a lossless channel. In Eve’s best case scenario, Bob’s detection rate is maintained while Bob is oblivious to Eve’s presence. Eve can then determine all or part of the key [7].

A recent proposal [8] circumvents the PNS attack using additional (decoy) pulses sent by Alice. These pulses in general have different pulses intensities compared to the signal pulses and are interleaved randomly with the signal pulses. Bob measures the transmittances of the quantum channel for these different pulse intensities and can then infer tighter bounds on the final secure key by the ability to detect PNS attacks. Under such conditions Eve is powerless to attack the channel using the PNS. Recently a proof of the decoy pulse protocol has been displayed (GLLP)[9] which also includes realistic (if pessimistic) experimental assumptions; Bob’s detectors can be manipulated by Eve and the detectors have finite detection efficiency. A recent experimental bi-directional decoy pulse system has been implemented [10] but (as pointed out by Ref. [10]) a drawback of bi-directional systems are the pulse intensities can indeed be tampered with by Eve unknown to Alice and Bob, thus compromising security. Very recently we showed an extremely promising one-way QKD system employing a single decoy pulse [11]. This system displayed a high key rate of over 5kbps with 25km of optical fiber. For a non-decoy system using much quieter detectors a secure bit rate of just 43bps was achieved over the same length of fiber [12]. This illustrates the power of the decoy pulse method in providing a much more stringent bound on the security of the final key. Even tighter bounds can be achieved using more than one decoy pulse [6]. Theory shows that it is usually enough to limit the number of decoy pulses to two decoy pulses only. The optimal case for the two decoy pulses is for one decoy of which is a lower intensity *ν* than the signal pulse *μ* and another which has an intensity close to zero or “vacuum-like” [13]. The lower bound on the single photon gain,

*Q ^{L}*

_{1}is then given by three transmittances, signal, decoy and vacuum respectively:

*Q*,

_{μ}*Q*and

_{ν}*Y*

_{0}[13, 10]:

where *Q _{ν}^{L}* (

*Y*

^{U}_{0}) are the lower (upper) bounds on the decoy pulse and vacuum transmittances respectively , estimated conservatively as ten standard deviations of

*Q*(

_{ν}*Y*

_{0}) from the measured value ensuring a confidence interval of 1 - 1.5 × 10

^{-23}. The bit errors are assumed to derive from the subset of single photon pulses and the upper bound for the single photon error rate can be written as:

where *ε _{μ}* is the signal error rate and

*Y*

^{L}_{0}is the lower bound on the vacuum transmittance (estimated as as ten standard deviations of

*Y*

_{0}from the measured value). The lower bound on the final secure key rate,

*R*can then be determined by the following expression:

^{L}where *q* = 0.5 for the BB84 protocol, *N _{μ}* is the total number of signal pulses sent by Alice,

*f*(

*x*) is the bi-directional error correction efficiency above the Shannon limit is estimated to be

*f*(

*ε*) ∼ 1.10,

_{μ}*H*

_{2}= -

*x*log

_{2}(

*x*)-(1-

*x*)log

_{2}(1-

*x*) is the binary entropy function and the time

*t*is the duration of the key session. The first term in eq. (3) corresponds to error correction; the second term corresponds to the single photon gain modified by privacy amplification (

*H*

_{2}(

*ε*

^{U}_{1})). Although the weak + vacuum decoy protocol is predicted to have an improved performance over the single decoy pulse protocol, recent implementations [14, 15] show relatively low key generation rates and are limited to local synchronization.

Here we present a one-way weak + vacuum decoy pulse system which has a relatively high secure continuous key rate of more than 10kbps over 20km of fiber length. The key generation rate is stable over the rate time period of 60 hours and the system requires no manual alignment for set-up or during operation.

## 2. QKD experimental setup

We use a one-way fiber optic QKD system with phase encoding as shown in Fig. 1. Two Mach-Zehnder phase encoding interferometers are employed for the phase encoding (Alice; sender) and decoding (Bob; receiver). Alice and Bob have a 20km fiber spool linking them through which the signal (*λ* = 1.55*μ*m) and clock (*λ* = 1.3*μ*m) optical pulses are transmitted. The 1.3*μ*m clock pulse duration is 5ns with a peak intensity of ∼ 5*μ*W; average intensity is ∼ 200nW at Alice. The clock pulse over the entire transmission distance does not overlap the (1.55*μ*m) signal pulses. The signal laser is a distributed feedback type and emits a fixed intensity train of pulses at a repetition rate of 7.143MHz. An intensity modulator is used to produce signal and decoy pulses of differing intensities. The vacuum decoy pulse is produced by omitting trigger pulses to the signal laser. All signal, decoy and vacuum pulses are produced at random times and can have relative occurance probabilities assigned to them. The signal and decoy pulses are attenuated strongly to the single photon level after which a much stronger clock pulse is wavelength division multiplexed with them to provide synchronization between Alice and Bob’s electronics. Customized electronics based on FPGAs were developed in house to drive the QKD optics. An active stabilization technique is employed to ensure continuously running operation. Bob’s detectors are two single photon InGaAs avalanche photodiodes (APDs) cooled to approximately -30*°*C and characterized to have negligible afterpulsing [16]. . Their combined dark count rates are ∼ 1.4 × 10^{-4}. Bob’s detector efficiency ∼ 10% and loss ∼ 2.5dB gives rise to an overall efficiency of 5.62 × 10^{-2}. The weak + vacuum including BB84 protocol was implemented. Numerical simulation to maximize the secure bit rate was performed to yield the optimal intensities of the signal and decoy pulses as *μ* = 0.55 and *ν* = 0.098. Numerical simulation also provided the optimal probabilities of pulses: signal *N _{μ}* = 0.93, decoy pulse

*N*= 0.062 and vacuum pulse

_{ν}*N*

_{0}= 0.016. The session length for each QKD key is selected as 3 × 10

^{6}bits which corresponds to roughly 6 × 10

^{6}detection events by Bob. A total of 3262 sessions were distributed with an average individual session time of ∼ 71 seconds.

## 3. Results

Figure 2(a) shows the experimentally measured transmittances of the signal, decoy and vacuum pulses. The values are stable and constant over the duration of the experiment and agree well with the theoretically predicted transmittance (per pulse): *Q _{μ}* = 0.01270±0.00078,

*Q*= 0.00234±0.00014 where the errors are two standard deviations; for the vacuum transmittance (per pulse),

_{ν}*Y*

_{0}= 1.34±0.20 × 10

^{-4}in good agreement with the measured dark count value of ∼ 1.4 × 10

^{-4}measured prior to the experiment. A small (simultaneous) proportion of fluctuations in

*Q*and

_{μ}*Q*are observed and are attributed to polarization and/or fiber stretcher resets during which photons were temporarily not counted. These obtained transmittances indicates the various optical states had been well prepared and detected. The associated quantum bit error rates of both the signal (

_{ν}*E*) and the non-zero decoy (

_{μ}*E*) are plotted in Fig. 2(b). They are fairly stable and constant. The final secure bit rate is displayed in Fig. 3. A secure bit rate of > 10kbps is observed. The long term drift in the key rate is attributed to long term temperature drift from day through to night (the period is roughly 24 hours) in the laboratory affecting the overall temperature of the 20km fiber spool. In a real world environment the fiber is usually located around 1 meter underground leading to very stable fiber temperatures. This would eliminate this long term drift observed here.

_{ν}The bit rate of > 10kbps is approximately more than two orders of magnitude higher than what can be achieved at a fiber distance of 20km without decoy states [12]. Indeed, if one were to employ more decoy states than the two we use here, there is not that much advantage to be gained. As shown in [13] the secure bit rate as a function of fiber distance for the single pulse and dual decoy pulse protocols varies significantly. However, the weak plus vacuum protocol is close to the asymptotic limit of using an infinite number of decoy states. This can be understood intuitively by the fact that the photon distribution is Poissonian and states with a photon number *N* > 2 have a very small probability of occurring. Hence they will contribute little to the overall photon distribution when the average photon numbers of the signal and decoy states are *μ*,*ν* < 1. Additionally, there are practical problems in using more decoy pulses such as a decrease of duty cycle of signal pulses, greater requirements on Alices’ random number generator and more data processing power needed.

The possibility of nonlinear effects being generated in the fiber due to the clock and signal pulses is negligible on the results of the quantum key distribution. As stated previously, both clock and signal pulses never overlap in time throughout the entire transmission rendering possible mixing effects negligible. Addtionally, any (small) Raman scattering generated by the clock pluse in the fiber was adequately filtered out using an efficient wavelength division multiplexer at Bob. In any case, if the Raman scattering was a problem, the quantum bit error rate would be higher than observed. Finally, the experimentally observed quantum transmittances agrees very well with the predicted transmittances indicating the system performs with the expected losses accurately.

To assess the possibility of a PNS attack on the key distribution, the technique used previously [11] was to monitor the ratio of transmittances *Q _{ν}*/

*Q*. If Eve decides to implement a PNS attack, the ratio

_{μ}*Q*/

_{ν}*Q*will dip below the expected value as preferentially more multi-photon signals would be transmitted to Bob (the transmittance

_{μ}*Q*>

_{μ}*Q*due to

_{ν}*μ*>

*ν*). This is displayed in Fig. 4(a)(ii). No secure bit rate is possible with

*Q*/

_{ν}*Q*< 0.13.

_{μ}Now with an additional vacuum pulse at our disposal we can also check for Eve’s manipulation of the vacuum rates. In keeping with the paranoid assumptions of GLLP [9], we assume Eve can either reduce or increase the vacuum rates. Depicted in Fig. 4(b)(ii) is the simulated effect of changing *Y*
_{0} on the secure bit rate. For the weak plus vacuum protocol implemented here no secure bit rate is possible for *Y*
_{0} > 10^{-3} (solid black line). However, if one were to use a single (non-vacuum) decoy protocol (dotted blue line) no secure bit rate would be possible for *Y*
_{0} > 4.8×10^{-4}. This shows the power of using more than one decoy pulse. Further insight can be gained by examining the formulae for the weak plus vacuum protocol (eq.(1) & eq.(2)). The magnitudes of the single photon gain (privacy amplification) are greater (smaller) respectively by using the weak + vacuum protocol compared to employing the single pulse protocol. This is manifest through a tighter bound on the single photon gain eq. (1) and the single photon error rate eq. (2). The second term in eq. (2) reduces the overall single photon error rate due to the measurement of the vacuum pulses. In the single decoy pulse protocol this term is zero.

Finally we address the issue of the small number of spikes observed in the vacuum counts transmittance (Fig. 2(a)). All classical messages are exchanged on the internet. We believe the spiking is due to increased internet traffic slowing down classical exchange of information between Alice and Bob and thereby affecting synchronization. It affected less than 1% of the entire set of quantum keys exchanged over the 60 hour period. For large numbers of counts (the signal and decoy pulses) this effect is small, but for low numbers of counts (*Y*
_{0}) this effect can be apparent. We are currently working to improve this problem with modifications to the software. However, we note this behaviour does not compromise security as evident from Fig. 4(b)(ii). As can be seen, an increase in *Y*
_{0} overestimates the amount of privacy amplification and results in a shorter key, hence lower final secure key rate. The final secure key rate is underestimated for this small fraction of keys.

## 4. Conclusions

In summary, we have demonstrated practical one-way decoy pulse QKD over 20km of optical fiber. The key generation rate is > 10 kbps on average over 60 hours. This is the highest reported key rate for this distance and duration. We believe the system to be a useful milestone in achieving a continuously operating QKD system. It is envisaged that such a system could be placed in a real-world environment such as a quantum nodal network with fiber links of around a few tens of kilometers of fiber. Such a system would be reliable and effective as a means of distributing quantum keys over a long period of time.

## Acknowledgements

The authors would like to thank the EC for funding under the FP6 Integrated Project SECOQC.

## References and links

**1. **N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, “Quantum cryptography,” Rev. Mod. Phys. **74**, 145–195 (2002). [CrossRef]

**2. **C. H. Bennett and G. Brassard, “Quantum cryptography: public key distribution and coin tossing,” in *Proceedings of the IEEE International Conference on Computers, Systems, and Signal Processing*, (IEEE, New York, 1984), pp. 175179.

**3. **C. H. Bennett, F. Bessette, G. Brassard, L. Savail, and J. Smolin, “Experimental quantum cryptography,” J. Cryp-tol. **5**3–28 (1992).

**4. **D. Stucki, N. Gisin, O. Guinnard, G. Ribordy, and H. Zbinden, “Quantum key distribution over 67km with a plug & play system,” New J. Phys. **4**41.1–41.8 (2002). [CrossRef]

**5. **C. Gobby, Z. L. Yuan, and A. J. Shields, “Quantum key distribution over 122km of standard telecom fiber,” Appl. Phys. Lett. **84**, 3762–3764 (2004). [CrossRef]

**6. **X.-B. Wang, “Beating the photon pulse-number-splitting attack in practical quantum cryptography,” Phys. Rev. Lett. **94**, 230503-1–4 (2005) and
H.-K. Lo, X. Ma, and K. Chen, “Decoy state quantum key distribution,” Phys. Rev. Lett. **94**, 230504-1–4 (2005). [CrossRef] [PubMed]

**7. **G. Brassard, N. Lütkenhaus, T. Mor, and B. C. Sanders, “Limits on practical quantum cryptography,” Phys. Rev. Lett. **85**, 1330–1333 (2000). [CrossRef] [PubMed]

**8. **W.-Y. Hwang, “Quantum key distribution with high loss: toward global secure communication,” Phys. Rev. Lett. **91**, 057901-1–4 (2003). [CrossRef] [PubMed]

**9. **D. Gottesman, H.-K. Lo, N. Lütkenhaus, and J. Preskill, “Security of quantum key distribution with imperfect devices,” Quant. Inf. Comp. **5**, 325–360 (2004).

**10. **Y. Zhao, B. Qi, X. Ma, H.-K. Lo, and L. Qian, “Experimental quantum key distribution with decoy states,” Phys. Rev. Lett. **96**, 070502-1–4 (2006). [CrossRef] [PubMed]

**11. **Z. L. Yuan, A. W. Sharpe, and A. J. Shields, “Unconditionally secure one-way quantum key distribution using decoy pulses,” Appl. Phys. Lett. **90**, 011118-1–3 (2007). [CrossRef]

**12. **C. Gobby, Z. L. Yuan, and A. J. Shields, Elec. Lett. “Unconditionally secure quantum key distribution over 50 km of standard telecom fiber,” Electron. Lett. **40**, 1603–1605 (2004). [CrossRef]

**13. **X. Ma, B. Qi, Y. Zhao, and H.-K. Lo, “Practical decoy state for quantum key distribution,” Phys. Rev. A **72**, 012306-1–15 (2005). [CrossRef]

**14. **C.-Z. Peng, J. Zhang, D. Yang, W.-B. Gao, H.-Xin. Ma, H. Yin, H.-P. Zeng, T. Yang, X.-B. Wang, and J.-W. Pan, “Experimental long-distance decoy-state quantum key distribution based on polarization encoding,” Phys. Rev. Lett. **98**, 010505-1–4 (2007). [CrossRef] [PubMed]

**15. **D. Rosenberg, J. W. Harrington, P. R. Rice, P. A. Hiskett, C. G. Peterson, R. J. Hughes, A. E. Lita , S-W. Nam, and J. E. Nordholt, “Long-distance decoy-State quantum key distribution in optical fiber,” Phys. Rev. Lett. **98**, 010505-1–4 (2007). [CrossRef]

**16. **G. Ribordy, J. D. Gautier, H. Zbinden, and N. Gisin, “Performance of InGaAs/InP avalanche photodiodes as gated-mode photon counters,” Appl. Opt. **37**, 2272 (1998). [CrossRef]

**17. **M. Hayashi, “Upper bounds of eavesdropper’s performances in finite-length code with decoy method,” quant-ph/0702250 (2007).