- freely available
- re-usable

*Entropy*
**2015**,
*17*(7),
4547-4562;
doi:10.3390/e17074547

^{1}

^{2}

^{3}

^{4}

^{5}

^{*}

## Abstract

**:**We propose a method to improve the performance of two entanglement-based continuous-variable quantum key distribution protocols using noiseless linear amplifiers. The two entanglement-based schemes consist of an entanglement distribution protocol with an untrusted source and an entanglement swapping protocol with an untrusted relay. Simulation results show that the noiseless linear amplifiers can improve the performance of these two protocols, in terms of maximal transmission distances, when we consider small amounts of entanglement, as typical in realistic setups.

## 1. Introduction

Quantum key distribution (QKD) [1,2] is the most practical application in the field of quantum information and enables two distant parties, Alice and Bob, to establish a secret key through insecure quantum and classical channels. The continuous-variable version of quantum key distribution (CV-QKD) [3–5], an alternative to single-photon-based QKD, has attracted much attention in the past few years [5,6], mainly because it does not require single-photon sources or detectors. The Gaussian-modulated CV-QKD protocols based on coherent states [7–9] have been experimentally demonstrated [6,10–12] and have been shown to be secure against arbitrary attacks in the asymptotic [13] and finite-size regimes [14]. Two-way protocols [15–18] and thermal-state protocols [19–21] have been also designed.

However, there still exists a gap between the theoretical security analyses and the practical implementations. Such real-life implementations of CV-QKD systems may contain overlooked imperfections, which might not have been accounted for in the theoretical security proofs, and may provide security loopholes. Recently, various attacks have been proposed and closed, such as wavelength attacks [22–24], calibration attacks [25] and local oscillator fluctuation attacks [26]. One approach to overcome device imperfections is by characterizing the whole practical system and to consider all of the existing loopholes. Although some potential loopholes have been discovered and then closed using this approach, it is difficult to find all of the loopholes in practical CV-QKD systems, because the number of loopholes is theoretically infinite.

Another approach is by establishing a full device-independent CV-QKD protocol like its discrete-variable counterpart [27], which is based on the violation of a Bell inequality [28]. Recently, there has been work to build various device-independent CV-QKD protocols, including schemes which are both one-sided [29] and fully device independent [30]. The goal of full device-independent QKD is the removal of the requirement that Alice and Bob need to trust their devices.

In this paper, we consider two kinds of entanglement-based CV-QKD protocols in untrusted scenarios: an entanglement distribution protocol with an untrusted source and an entanglement swapping protocol with an untrusted relay. The latter protocol is inspired by [31] and corresponds to the entanglement-based version of the CV-QKD protocols described in [32–35]. In particular, we consider a symmetric formulation where the two legitimate partners both modify their data during the classical data post-processing stage.

To improve the maximal transmission distances of these two schemes, we consider the use of two noiseless linear amplifiers (NLAs) [36], one at Alice’s side and one at Bob’s side. We show that the practical example of the CV-QKD protocol with an untrusted source, i.e., the entanglement-in-the-middle protocol [37], improves by placing two NLAs at the output of the quantum channel at both Alice’s and Bob’s side. Additionally, the maximal transmission distances of the untrusted relay scheme are also improved using this same method. Previously, a similar method had only been analysed for the case of the one-way CV-QKD protocol [38–40]. These improvements are found in the regime of small entanglement, which is typical in realistic implementations. It is also found that placing only one NLA at the non-reconciliation side (Alice’s side for reverse reconciliation and Bob’s side for direct reconciliation) has a greater improvement than placing it at the opposite side.

This paper is organized as follows. In Section 2, we introduce the two entanglement-based CV-QKD protocols. In Section 3, we show that we can improve the performance of these protocols by using NLAs. Our conclusions are drawn in Section 4.

## 2. Entanglement-Based CV-QKD Protocols

In this section, we begin by describing the two entanglement-based CV-QKD protocols: entanglement-based protocols with an untrusted source and entanglement-based protocol with an untrusted relay, which can also be thought of as entanglement distribution and entanglement swapping protocols, respectively. We then outline the secret key rates for these protocols in the presence of collective Gaussian attacks.

#### 2.1. Entanglement Distribution: Entanglement-Based Protocols with an Untrusted Source

The schematic of the entanglement-based CV-QKD protocol with an untrusted source is illustrated in Figure 1 and can be described as follows:

Step 1: The untrusted third party, Charlie, initially prepares an entangled source. He sends one mode A

_{1}to Alice through Channel 1 and sends the other mode B_{1}to Bob through Channel 2, where Eve may perform her attack.Step 2: Alice and Bob perform either a homodyne (switching) (Hom) or a heterodyne (no switching) (Het) measurement on the received modes A

_{2}and B_{2}. Once Alice and Bob have collected a sufficiently large set of correlated data, they proceed with classical data post-processing, namely error reconciliation and privacy amplification. The reconciliation can be performed in one of two ways: either direct reconciliation (DR) [7] or reverse reconciliation (RR) [8].

Since the untrusted Charlie could be completely controlled by the eavesdropper, the original source
${\rho}_{{A}_{1}{B}_{1}}^{(n)}$ (where n denotes the number of quantum signals exchanged during the protocol) is not important to Alice and Bob. What matters is the final state
${\rho}_{{A}_{2}{B}_{2}}^{(n)}$ before their measurements. Here, we assume that the final state
${\rho}_{{A}_{2}{B}_{2}}^{(n)}$ is a ‘collective source’ to simplify the problem, which means Alice and Bob get the same quantum state
${\rho}_{{A}_{2}{B}_{2}}$ each time, so that
${\rho}_{{A}_{2}{B}_{2}}^{(n)}={\rho}_{{A}_{2}{B}_{2}}^{\otimes n}$. The asymptotic secret key rates K_{DR} for direct reconciliation and K_{RR} for reverse reconciliation are given by [41]:

_{E|x}and ρ

_{E|y}are the corresponding state of Eve’s ancillas and ${\rho}_{E}={\displaystyle {\sum}_{x}p(x){\rho}_{E|x}}$ and ${\rho}_{E}={\displaystyle {\sum}_{y}p(y){\rho}_{E|y}}$ are Eve’s average states for DR and RR, respectively. Unless both Alice and Bob performed heterodyne measurements, they first apply a sifting process, where they compare the chosen measurement quadrature $(\widehat{x}\phantom{\rule{0.2em}{0ex}}\text{or}\phantom{\rule{0.2em}{0ex}}\widehat{\rho})$ and only keep the data for which the quadratures match. Here, we use x and y to represent Alice’s and Bob’s measurement results, respectively, for both homodyne and heterodyne measurements.

Note that these secret key rates could be modified to take finite-size effects into consideration. For simplicity, here we only consider the asymptotic secret key rates, i.e., achieved in the limit of infinite rounds of the protocol. Firstly, Eve is able to purify the whole system
${\rho}_{{A}_{2}{B}_{2}}$ to maximize her information, i.e., we have
$S({\rho}_{E})=S({\rho}_{{A}_{2}{B}_{2}})$. Secondly, after Alice’s projective measurement resulting in x, the system
${\rho}_{{A}_{2}E}$ is pure, so that S (E|x) = S (B_{2}|x) for DR and S (E|y) = S (A_{2}|y) for RR. Thus, χ (A : E) and χ (B : E) become:

In practical experiments, we calculate the covariance matrix ${\gamma}_{{A}_{2}{B}_{2}}$ of correlated variables from randomly-chosen samples of measurement data. According to the optimality of collective Gaussian attacks [43,44], we therefore assume that the final state ${\rho}_{{A}_{2}{B}_{2}}$, shared by Alice and Bob, is Gaussian to minimize the final secret key rates. If the entangled source is Gaussian, one can show that there exists a Gaussian channel mapping the initial state to the final state: this means that there exists a Gaussian attack that is optimal [43,44]. If the entangled source is non-Gaussian, it is an open question whether the optimal attack is Gaussian or not. However, whether Eve’s attack is Gaussian or not, we can always bound the information available to Eve by assuming the final state is Gaussian.

Thus, the entropies $S({\rho}_{{A}_{2}{B}_{2}})$, ${\sum}_{x}p(x)S({\rho}_{{B}_{2}|x})$ and ${\sum}_{y}p(y)S({\rho}_{{A}_{2}|y})$ can be calculated using the covariance matrices ${\gamma}_{{A}_{2}{B}_{2}}$ characterizing the state ${\rho}_{{A}_{2}{B}_{2}}$, ${\gamma}_{{B}_{2}|x}$ characterizing the state ${\rho}_{{B}_{2}|x}$ and ${\gamma}_{{A}_{2}|y}$ characterizing the state ${\rho}_{{A}_{2}|y}$. The Holevo quantities become:

_{2}(x+1)−x log

_{2}x, λ

_{1,2}are the symplectic eigenvalues of the covariance matrix ${\gamma}_{{A}_{2}{B}_{2}}$ and λ

_{3}, λ

_{4}are the symplectic eigenvalues of the covariance matrices ${\gamma}_{{B}_{2}|x}$ and ${\gamma}_{{A}_{2}|y}$ [5].

In particular, a practical example of the CV-QKD protocol with an untrusted source is the entanglement-in-the-middle protocol [37], in which the source is assumed to be a two-mode squeezed vacuum state. The latter numerical simulations are also based on this specific example.

#### 2.2. Entanglement Swapping: Entanglement-Based Protocol with an Untrusted Relay

The schematic of the entanglement-based CV-QKD protocol with an untrusted relay is shown in Figure 2a. This is inspired by the scheme of [31] and represents a modified entanglement-based version of the CV-QKD protocols proposed by [32–35]. It can be described as follows:

Step 1: Alice and Bob both generate an Einstein–Podolsky–Rosen (EPR), states EPR

_{1}and EPR_{2}, respectively, with variances V_{A}and V_{B}and they keep modes A_{2}and B_{2}at their respective sides. Then, they send their other modes A_{1}and B_{1}to the untrusted third party (Charlie) through two different quantum channels with lengths L_{AC}and L_{BC}.Step 2: Charlie combines the received two modes ${{A}^{\prime}}_{1}$ and ${{B}^{\prime}}_{1}$ onto a beam splitter (50:50), where we label output modes of the beam splitter as C and D. Charlie then measures the x-quadrature of mode C and the p-quadrature of mode D using homodyne detectors and publicly announces the measurement results x

_{C}, p_{D}to Alice and Bob through classical channels. After the measurements of modes C and D, the two initially independent modes A_{2}and B_{2}get entangled if channel noise is not too strong.Step 3: Bob displaces the mode B

_{2}to B_{3}by the operation $\widehat{D}(\beta )$and gets ${\widehat{\rho}}_{{B}_{3}}=\widehat{D}(\beta ){\widehat{\rho}}_{{B}_{2}}{\widehat{D}}^{\u2020}(\beta )$, where ${\widehat{\rho}}_{B}$ represents the density matrix of mode B, β = g (X_{C}+ iP_{D}), $\widehat{D}(\beta )={e}^{\beta}{}^{{\xe2}^{\u2020}-\beta \ast \xe2}$ (â^{†}and â are the creation and annihilation operators, respectively), and g represents the gain of the displacement. Then Bob measures the mode B_{3}to get the final data {x_{B}, p_{B}} using heterodyne detection. Alice also measures the mode A_{2}to get the final data {x_{A}, p_{A}}, again using heterodyne detection.Step 4: Once Alice and Bob have collected a sufficiently large set of correlated data, they use an authenticated public channel to do parameter estimation from a randomly-chosen sample of final data from {x

_{A}, p_{A}} and {x_{B}, p_{B}}. Then, Alice and Bob proceed with classical data post-processing to distil a secret key. The reconciliation can also be done in two ways: either DR or RR.

Note that we can put the displacement operator at each side rather than placing it only at Bob’s side, which now makes the protocol symmetric (see Figure 2b). This symmetry allows the CV-QKD protocol with an untrusted relay to have a similar structure with the entanglement-in-the-middle protocol. In this modified protocol, Alice and Bob displace the modes A_{2} and B_{2} by the operators D (α_{1}) and D (α_{2}), resulting in
${\rho}_{A}{}_{{}_{3}}=D({\alpha}_{1}){\rho}_{A}{}_{{}_{2}}{D}^{\u2020}({\alpha}_{1})$ and
${\rho}_{B}{}_{{}_{3}}=D({\alpha}_{2}){\rho}_{B}{}_{{}_{2}}{D}^{\u2020}({\alpha}_{2})$, where α_{1} = −g_{A} (X_{C} − iP_{D})/2, α_{2} = g_{B} (X_{C} + iP_{D})/2, and g_{A}, g_{B} represents the gain of the displacements at Alice’s and Bob’s side, respectively.

Note that these protocols can completely defeat side-channel attacks provided that Alice and Bob use quantum memories in their private spaces, which is discussed in detail in [31]. From this point of view, this makes the CV-QKD protocol with an untrusted relay more secure. The secret key rate for these protocols against a collective attack is similar to Equation (1) and can be found in [32,33] in detail. See [34] for an unconditional security analysis against the most general coherent attacks.

## 3. Improvement Using Noiseless Linear Amplifiers

In this section, we place two noiseless linear amplifiers (NLAs), one at each of Alice’s and Bob’s side, to improve the performance of the two entanglement-based CV-QKD protocols. We begin by introducing the NLA.

#### 3.1. Noiseless Linear Amplifier

For Gaussian states, an NLA can, in principle, probabilistically increase the signal-to-noise ratio by increasing the mean values of the quadratures while keeping their variances at the initial level [38,45–48]. The amplification can be described by an operator $\widehat{C}={g}^{\widehat{n}}$, where $\widehat{n}$ is the number operator in the Fock basis. Such an operator maps |α〉 into |gα〉 with a success probability P, i.e.,

In a practical experiment, the covariance matrix before passing through two NLAs takes the form γ, which is used to calculate the final secret key rates ( ${\gamma}_{{A}_{2}{B}_{2}}$ for the entanglement distribution protocols (see Figure 1) and ${\gamma}_{{A}_{3}{B}_{3}}$ for the entanglement swapping protocols (see Figure 2b)). Typically, γ can be described by the normal form:

_{n}is the n × n identity matrix, and σ

_{z}= diag (1, −1).

We then exploit the relationship between the covariance matrix γ and the density matrix $\widehat{\rho}$ in the Fock state basis [39]. The Husimi Q-function of the two-mode state can be described as:

_{n})

^{−1}Thus, we can find:

_{jk,lm}= ρ

_{jk,lm}/ρ

_{00,00}[49]. Then, the matrix Γ after the two NLAs becomes:

_{1}and g

_{2}are the gains of the NLAs at Alice’s and Bob’s sides (g

_{1}= 1 or g

_{2}= 1 means there is no NLA). Thus, the covariance matrix γ′ after the NLAs can be obtained by:

This covariance matrix is used for the calculation of the final key rates in DR and RR, which are reduced according to the total amplification success probability P_{total} = P_{A}P_{B|A}, where P_{A} is the success probability of Alice’s NLA and P_{B|A} is the success probability of Bob’s NLA given that Alice’s amplification succeeded. Furthermore, considering the trade-off between the fidelity and the success probability of an NLA, a good estimate of the maximal expected success probability for one NLA is given by [50]:

#### 3.2. Entanglement-Based Protocol with an Untrusted Source

Using the previous method, we can derive the final covariance matrix ${\gamma}_{{A}_{3}{B}_{3}}$ to calculate the secret key rate. As shown in Figure 3, we consider a specific example of an entanglement-based protocol with an untrusted source: the EPR in the middle scheme [37]. This security analysis and latter numerical simulations of this scheme are based on the two independent entangling cloner attacks. This is the most common example of a collective Gaussian attack [51]. Alice and Bob both add an NLA before their detectors, which here are assumed to be perfect for simplicity [38,45,46].

We can look for equivalent parameters of an EPR state sent through two lossy and noisy Gaussian channels. The covariance matrix
${{\gamma}^{\prime}}_{AB}(\lambda ,{T}_{1},{\epsilon}_{1},{g}_{1},{T}_{2},{\epsilon}_{2},{g}_{2})$ of the amplified state with an EPR parameter λ passing through two channels of transmittance T_{1}, T_{2}, and excess noise ε_{1}, ε_{2} followed by two gain efficiencies g_{1}, g_{2}, is equal to the covariance matrix
${\gamma}_{AB}(\varsigma ,{\eta}_{1},{\epsilon}_{1}^{g},{g}_{1}=1,{\eta}_{2},{\epsilon}_{2}^{g},{g}_{2}=1)$ of an equivalent system with an EPR parameter ς, sent through two channels with parameters η_{1},
${\epsilon}_{1}^{g}$ and η_{2},
${\epsilon}_{2}^{g}$, without using NLAs. These parameters are given by:

These could be treated as physical parameters of an equivalent system if they satisfy the following physical constraints:

As shown in Equation (12), λ only affects parameter ς, and η_{1},
${\epsilon}_{1}^{g}$, η_{2} and
${\epsilon}_{2}^{g}$ do not depend on λ. Thus, the first condition is always satisfied if λ is below a limiting value, given by:

The last two conditions are satisfied if the excess noise ε is smaller than two and if the gain of the two NLAs is smaller than a maximum value, which depends on the channel parameters T and ε:

Using the previous results, we consider the performance of the CV-QKD protocols with EPR in the middle by placing two NLAs, one at each output of the quantum channels. We calculate the secret key rate K_{DR} as a function of distance d under four situations: without NLAs (g_{1} = 1, g_{2} = 1), with only an NLA at Alice’s side (g_{2} = 1), with only an NLA at Bob’s side (g_{1} = 1) and with two NLAs at both sides. The various parameters are chosen from typical experimental values [6]: we choose V = 1.7, β = 0.948 and ε = 0.002 (where the shot noise variance is normalized to one). The transmittance T = 10^{−}^{ad}^{/10}, where a = 0.2 dB/km is the loss coefficient of the optical fibres and d is the length of the quantum channel. The total success probability of using two NLAs for the CV-QKD protocols with EPR in the middle is
${P}_{\text{total}}=1/\left({g}_{1}^{2{N}_{A}}{g}_{2}^{2{N}_{B|A}}\right)$ where N_{A} = T (V − 1 + ε) + 1, N_{B|A} = T (V′ − 1 + ε) + 1. Here, V′ is the variance of the equivalent EPR when Alice’s amplification succeeds, which is given by V′ = (1 + ς^{2})/(1 − ς^{2}) provided g_{2} = 1.

In our analysis, there are eight protocols that depend on Alice’s and Bob’s measurements (four possibilities) and reconciliation methods (two possibilities, DR or RR). These eight CV-QKD protocols can be divided into four groups whose secret key rate and maximal transmission distance are the same [37]. When we move the entanglement source into Alice’s side, these eight protocols correspond to the entanglement-based version of the eight primary prepare-and-measure CV-QKD protocols, i.e., the protocols where Alice and Bob use homodyne detection corresponding to the protocol of [53]; the protocols where Alice uses heterodyne detection and Bob uses homodyne detection correspond to the protocol of [7,8]; the protocols where Alice uses homodyne detection and Bob uses heterodyne detection correspond to the protocol of [54,55]; the protocols where Alice and Bob use heterodyne detection correspond to the protocol of. [9].

Our simulation results are shown in Figures 4 and 5. We find that the performance of the CV-QKD protocols is improved by placing one NLA at each side and choosing the two gain efficiencies as g_{1} = g_{2} = 1.4. The NLAs enhance the maximal transmission of the protocol, in which Alice is using heterodyne detection and Bob is using homodyne detection with DR, from 17.0 km to 31.6 km. Furthermore, we also find that if we only put an NLA at either Alice’s or Bob’s side, the performance of the protocols can also be improved. For instance, placing an NLA at the non-reconciliation side (Alice’s side for RR protocols and Bob’s side for DR protocols) has a greater improvement than placing it at the other side. This is because when adding an NLA only at one side (suppose it is on Alice’s side), according to Equation (12), the covariance matrix after the application of the NLA has the feature that Alice’s equivalent variance is greater than Bob’s variance. If considering Alice’s part as the reconciliation part, it is similar to the one-way CV-QKD protocol with DR; while, if considering Bob’s part as the reconciliation part, it is similar to the one-way CV-QKD protocol with RR. In one-way protocols, the RR protocol usually has a longer transmission distance than the DR protocol. Therefore, in our protocols, placing an NLA at the non-reconciliation side is better than placing it at the reconciliation side. Obviously, the optimal performance of the protocols is achieved by placing two NLAs at each side. However, if we want to reduce the cost and expense and only have one NLA in the deployment, we need to place it at the correct side to have the greatest improvement.

Furthermore, as proven in [39,40], the physical implementation of the NLA could be replaced by a suitable data post-processing (Gaussian post-selection) after the measurement, although provided that certain conditions are met [52]. Thus, in such cases, we would not need to implement the physical implementation of the NLA, which requires single-photon addition and subtraction, or an auxiliary source of single photons and multiphoton interference [39,40].

#### 3.3. Entanglement-Based Protocol with an Untrusted Relay

The improvement seen in the previous section can also be employed in the modified CV-QKD protocol with an untrusted relay. The modified CV-QKD protocol with an untrusted relay is shown in Figure 6 where we place an NLA at both Alice’s and Bob’s sides. As illustrated in Figure 7a, the modified entanglement-based protocol can increase the maximal transmission distance when we choose V = V_{A} = V_{B} = 1.7, β = 0.948, ε = ε_{1} = ε_{2} =0.002,
${g}_{A}=\sqrt{({V}^{2}-1)/[2{T}_{1}(V+\epsilon )+2(1-{T}_{1})]}$,
${g}_{B}=\sqrt{({V}^{2}-1)/[2{T}_{2}(V+\epsilon )+2(1-{T}_{2})]}$. Under these simulation parameters, the modified entanglement-based protocol in the symmetric case (the distance from Alice to Charlie L_{AC} is equal to the distance from Bob to Charlie L_{BC}) can successfully distribute secret keys under such conditions. Then, using the same method as above, we place an NLA at each side to improve its performance; we find an improvement when we set the two gain efficiencies as g_{1} = g_{2} = 1.8. The NLAs enhance the maximal transmission distance of the protocol from 1.6 km to 5.3 km in the symmetric case.

Furthermore, for DR, we also find that when Charlie’s position is close to Alice, the total maximal transmission distance L_{AB} will increase to a relatively longer distance. Thus, we study the performance of the asymmetric case where L_{AC} ≠ L_{BC}. As illustrated in Figure 7b, the total maximal transmission distance increases when L_{AC} decreases. In the asymmetric case, the performance of the modified CV-QKD protocol is also improved by placing two NLAs, one at each side. The maximal total transmission distance of the modified protocol using two NLAs, with gain efficiencies g_{1} = g_{2} = 1.8, is enhanced from 17.5 km to 25.2 km in the most asymmetric case (i.e., L_{AC} ≈ 0 km). Here ‘0 km’ indicates that the transmission distance from Alice to Charlie is very short but not exactly zero. In fact, even when Charlie is at Alice’s side, there still exists a distance between Alice’s laser and the beamsplitter. Therefore, in the numerical simulation although we assume the channel transmittance is T_{1} = 1, the excess noise ε_{1} still exists, and is ε_{1} = 0.002.

Note that the sources for Alice and Bob are EPR states. Thus, the protocols can remove side-channel attacks, as discussed in [31], which makes the CV-QKD protocol with untrusted relay more secure. Finally, we also find that if we only put an NLA at Alice’s or Bob’s side, the performance of the protocols can also be improved. This is the same conclusion as before: placing an NLA at the non-reconciliation side (Alice’s side for RR protocols and Bob’s side for DR protocols) has a greater improvement than placing it at the other side.

## 4. Conclusion

In this paper, we have discussed how to improve the performance of two entanglement-based continuous-variable QKD protocols using noiseless linear amplifiers. The first scheme was an entanglement distribution protocol: continuous-variable QKD protocols with an untrusted source, where the entangled source is generated by a third party, but may have actually been created or controlled by the eavesdropper. The second scheme was an entanglement swapping protocol: entanglement-based continuous-variable QKD protocol with an untrusted relay.

By inserting two noiseless linear amplifiers, one at each of Alice’s and Bob’s side, simulation results show that the proposed method can increase the maximal transmission distances of both protocols in the experimentally-feasible regime of small entanglement, corresponding to small modulation. In fact, in certain situations, we see a doubling of the allowed secure transmission distances. Furthermore, it is also found that placing only one NLA at the non-reconciliation side (Alice’s side for reverse reconciliation protocols and Bob’s side for direct reconciliation protocols) has a greater improvement than placing it at the other corresponding side.

Future investigations will involve the analysis of the protocols against more general two-mode Gaussian attacks, which are coherent between the two channels connecting the remote parties with the middle source or relay. In fact, as pointed out in [34], the unconditional secret-key rate of the relay-based protocol must be derived in the presence of such attacks, which may outperform the collective one-mode Gaussian attacks (based on the use of independent entangling cloners).

## Acknowledgments

We thank T. C. Ralph, N. Walk, A. Leverrier and M. Gu for valuable discussions. This work was supported in part by the National Basic Research Program of China (973 Program) under Grants 2012CB315605, in part by the National Science Fund for Distinguished Young Scholars of China (Grant No. 61225003), and in part by the Fund of State Key Laboratory of Information Photonics and Optical Communications. Stefano Pirandola would like to thank Engineering and Physical Sciences Research Council (EPSRC) and the Leverhulme Trust for support.

## Author Contributions

Yichen Zhang: conception and design of the study, accomplishing formula derivation and numerical simulations, drafting the article. Zhengyu Li: conception and design of the study, accomplishing formula derivation, checking numerical simulations. Christian Weedbrook: conception of the study, review of relevant literature, critical revision of the manuscript. Kevin Marshall: checking formula derivation, critical revision of the manuscript. Stefano Pirandola: review of relevant literature, critical revision of the manuscript. Song Yu: review of relevant literature, critical revision of the manuscript. Hong Guo: review of relevant literature, critical revision of the manuscript. All authors have read and approved the final manuscript.

## Conflicts of Interest

The authors declare no conflict of interest.

## References

- Gisin, N.; Ribordy, G.; Tittel, W.; Zbinden, H. Quantum cryptography. Rev. Mod. Phys.
**2002**, 74, 145–195. [Google Scholar] - Scarani, V.; Bechmann-Pasquinucci, H.; Cerf, N.J.; Dušek, M.; Lütkenhaus, N.; Peev, M. The security of practical quantum key distribution. Rev. Mod. Phys.
**2009**, 81, 1301–1350. [Google Scholar] - Braunstein, S.L.; van Loock, P. Quantum information with continuous variables. Rev. Mod. Phys.
**2005**, 77, 513–577. [Google Scholar] - Wang, X.B.; Hiroshima, T.; Tomita, A.; Hayashi, M. Quantum Information with Gaussian States. Phys. Rep.
**2007**, 448, 1–111. [Google Scholar] - Weedbrook, C.; Pirandola, S.; García-Patrón, R.; Cerf, N.J.; Ralph, T.C.; Shapiro, J.H.; Lloyd, S. Gaussian quantum information. Rev. Mod. Phys.
**2012**, 84, 621–669. [Google Scholar] - Jouguet, P. Kunz-Jacques,S.; Leverrier, A.; Grangier, P.; Diamanti, E. Experimental demonstration of long-distance continuous-variable quantum key distribution. Nat. Photon.
**2013**, 7, 378–381. [Google Scholar] - Grosshans, F.; Grangier, P. Continuous variable quantum cryptography using coherent states. Phys. Rev. Lett.
**2002**, 88, 057902. [Google Scholar] - Grosshans, F.; van Assche, G.; Wenger, J.; Brouri, R.; Cerf, N.J.; Grangier, P. Quantum key distribution using gaussian-modulated coherent states. Nature
**2003**, 421, 238–241. [Google Scholar] - Weedbrook, C.; Lance, A.M.; Bowen, W.P.; Symul, T.; Ralph, T.C.; Lam, P.K. Quantum cryptography without switching. Phys. Rev. Lett.
**2004**, 93, 170504. [Google Scholar] - Lance, A.M.; Symul, T.; Sharma, V.; Weedbrook, C.; Ralph, T.C.; Lam, P.K. No-switching quantum key distribution using broadband modulated coherent light. Phys. Rev. Lett.
**2005**, 95, 180503. [Google Scholar] - Lodewyck, J.; Bloch, M.; García-Patrón, R.; Fossier, S.; Karpov, E.; Diamanti, E.; Debuisschert, T.; Cerf, N.J.; Tualle-Brouri, R.; McLaughlin, S.W.; Grangier, P. Quantum key distribution over 25 km with an all-fiber continuous-variable system. Phys. Rev. A
**2007**, 76, 042305. [Google Scholar] - Khan, I.; Wittmann, C.; Jain, N.; Killoran, N.; Lütkenhaus, N.; Marquardt, C.; Leuchs, G. Optimal working points for continuous-variable quantum channels. Phys. Rev. A
**2013**, 88, 010302. [Google Scholar] - Renner, R.; Cirac, J.I. de Finetti representation theorem for infinite-dimensional quantum systems and applications to quantum cryptography. Phys. Rev. Lett.
**2009**, 102, 110504. [Google Scholar] - Leverrier, A.; García-Patrón, R.; Renner, R.; Cerf, N.J. Security of continuous-variable quantum key distribution against general attacks. Phys. Rev. Lett.
**2013**, 110, 030502. [Google Scholar] - Pirandola, S.; Mancini, S.; Lloyd, S.; Braunstein, S.L. Continuous-variable quantum cryptography using two-way quantum communication. Nat. Phys.
**2008**, 4, 726–730. [Google Scholar] - Sun, M.; Peng, X.; Shen, Y.; Guo, H. Security of a new two-way continuous-variable quantum key distribution protocol. Int. J. Quantum Inf.
**2012**, 10, 1250059. [Google Scholar] - Zhang, Y.-C.; Li, Z.; Weedbrook, C.; Yu, S.; Gu, W.; Sun, M.; Peng, X.; Guo, H. Improvement of two-way continuous-variable quantum key distribution using optical amplifiers. J. Phys. B
**2014**, 47, 035501. [Google Scholar] - Weedbrook, C.; Ottaviani, C.; Pirandola, S. Two-way quantum cryptography at different frequencies. Phys. Rev. A
**2014**, 89, 012309. [Google Scholar] - Weedbrook, C.; Pirandola, S.; Lloyd, S.; Ralph, T.C. Quantum Cryptography Approaching the Classical Limit. Phys. Rev. Lett.
**2010**, 105, 110501. [Google Scholar] - Usenko, V.C.; Filip, R. Feasibility of continuous-variable quantum key distribution with noisy coherent states. Phys. Rev. A
**2010**, 81, 022318. [Google Scholar] - Weedbrook, C.; Pirandola, S.; Ralph, T.C. Continuous-Variable Quantum Key Distribution using Thermal States. Phys. Rev. A
**2012**, 86, 022318. [Google Scholar] - Ma, X.-C.; Sun, S.-H.; Jiang, M.-S.; Liang, L.-M. Wavelength attack on practical continuous-variable quantum-key-distribution system with a heterodyne protocol. Phys. Rev. A
**2013**, 87, 052309. [Google Scholar] - Huang, J.-Z.; Weedbrook, C.; Yin, Z.-Q.; Wang, S.; Li, H.-W.; Chen, W.; Guo, G.-C.; Han, Z.-F. Quantum hacking of a continuous-variable quantum-key-distribution system using a wavelength attack. Phys. Rev. A
**2013**, 87, 062329. [Google Scholar] - Huang, J.-Z.; Kunz-Jacques, S.; Jouguet, P.; Weedbrook, C.; Yin, Z.-Q.; Wang, S.; Chen, W.; Guo, G.-C.; Han, Z.-F. Quantum hacking on quantum key distribution using homodyne detection. Phys. Rev. A
**2014**, 89, 032304. [Google Scholar] - Jouguet, P.; Kunz-Jacques, S.; Diamanti, E. Preventing calibration attacks on the local oscillator in continuous-variable quantum key distribution. Phys. Rev. A
**2013**, 87, 062313. [Google Scholar] - Ma, X.-C.; Sun, S.-H.; Jiang, M.-S.; Liang, L.-M. Local oscillator fluctuation opens a loophole for Eve in practical continuous-variable quantum-key-distribution systems. Phys. Rev. A
**2013**, 88, 022339. [Google Scholar] - Acín, A.; Brunner, N.; Gisin, N.; Massar, S.; Pironio, S.; Scarani, V. Device-independent security of quantum cryptography against collective attacks. Phys. Rev. Lett.
**2007**, 98, 230501. [Google Scholar] - Brunner, N.; Cavalcanti, D.; Pironio, S.; Scarani, V.; Wehner, S. Bell nonlocality. Rev. Mod. Phys.
**2014**, 86, 419–478. [Google Scholar] - Walk, N.; Wiseman, H.M.; Ralph, T.C. Continuous variable one-sided device independent quantum key distribution
**2014**, arXiv, 1405.6593. - Marshall, K.; Weedbrook, C. Device-independent quantum cryptography for continuous variables. Phys. Rev. A
**2014**, 90, 042311. [Google Scholar] - Braunstein, S.L.; Pirandola, S. Side-Channel-Free Quantum Key Distribution. Phys. Rev. Lett.
**2012**, 108, 130502. [Google Scholar] - Li, Z.; Zhang, Y.-C.; Xu, F.; Peng, X.; Guo, H. Continuous-variable measurement-device-independent quantum key distribution. Phys. Rev. A
**2014**, 89, 052301. [Google Scholar] - Zhang, Y.-C.; Li, Z.; Yu, S.; Gu, W.; Peng, X.; Guo, H. Continuous-variable measurement-device-independent quantum key distribution using squeezed states. Phys. Rev. A
**2014**, 90, 052325. [Google Scholar] - Pirandola, S.; Ottaviani, C.; Spedalieri, G.; Weedbrook, C.; Braunstein, S.L.; Lloyd, S.; Gehring, T.; Jacobsen, C.S.; Andersen, U.L. High-rate measurement-device-independent quantum cryptography. Nat. Photon.
**2015**, 397–402. [Google Scholar] - Ottaviani, C.; Spedalieri, G.; Braunstein, S.L.; Pirandola, S. Continuous-variable quantum cryptography with an untrusted relay: Detailed security analysis of the symmetric conguration. Phys. Rev. A
**2015**, 91, 022320. [Google Scholar] - Xiang, G.Y.; Ralph, T.C.; Lund, A.P.; Walk, N.; Pryde, G.J. Heralded noiseless linear amplification and distilation of entanglement. Nat. Photon.
**2010**, 4, 316–319. [Google Scholar] - Weedbrook, C. Continuous-variable quantum key distribution with entanglement in the middle. Phys. Rev. A
**2013**, 87, 022308. [Google Scholar] - Blandino, R.; Leverrier, A.; Barbieri, M.; Etesse, J.; Grangier, P.; Tualle-Brouri, R. Improving the maximum transmission distance of continuous-variable quantum key distribution using a noiseless amplifier. Phys. Rev. A
**2012**, 86, 012327. [Google Scholar] - Fiurášek, J.; Cerf, N.J. Gaussian postselection and virtual noiseless amplification in continuous-variable quantum key distribution. Phys. Rev. A
**2012**, 86, 060302. [Google Scholar] - Walk, N.; Ralph, T.C.; Symul, T.; Lam, P.K. Security of continuous-variable quantum cryptography with Gaussian postselection. Phys. Rev. A
**2013**, 87, 020303. [Google Scholar] - Devetak, I.; Winter, A. Distillation of secret key and entanglement from quantum states. Proc. R. Soc. London Ser. A
**2005**, 461, 207–235. [Google Scholar] - Nielsen, M.A.; Chuang, I.L. Quantum Computation and Quantum Communication; Cambridge University Press: Cambridge, UK, 2000. [Google Scholar]
- Navascués, M.; Grosshans, F.; Acín, A. Optimality of gaussian attacks in continuous-variable quantum cryptography. Phys. Rev. Lett.
**2006**, 97, 190502. [Google Scholar] - García-Patrón, R.; Cerf, N.J. Unconditional optimality of gaussian attacks against continuous-variable quantum key distribution. Phys. Rev. Lett.
**2006**, 97, 190503. [Google Scholar] - Xu, B.; Tang, C.; Chen, H.; Zhang, W.; Zhu, F. Improving the maximum transmission distance of four-state continuous-variable quantum key distribution by using a noiseless linear amplifier. Phys. Rev. A
**2013**, 87, 062311. [Google Scholar] - Wang, T.; Yu, S.; Zhang, Y.-C.; Gu, W.; Guo, H. Improving the maximum transmission distance of continuous-variable quantum key distribution with noisy coherent states using a noiseless amplifier. Phys. Lett. A
**2014**, 378, 2808–2812. [Google Scholar] - Walk, N.; Lund, A.P.; Ralph, T.C. Non-deterministic noiseless amplification via non-symplectic phase space transformations. New J. Phys.
**2013**, 15, 073014. [Google Scholar] - Bernu, J.; Armstrong, S.; Symul, T.; Ralph, T.C.; Lam, P.K. Theoretical analysis of an ideal noiseless linear amplifier for Einstein-Podolsky-Rosen entanglement distilation. J. Phys. B
**2014**, 47, 215503. [Google Scholar] - Eisert, J.; Browne, D.E.; Scheel, S.; Plenio, M.B. Distillation of continuous-variable entanglement with optical means. Ann. Phys.
**2004**, 311, 431–458. [Google Scholar] - Pandey, S.; Jiang, Z.; Combes, J.; Caves, C.M. Quantum limits on probabilistic amplifiers. Phys. Rev. A
**2013**, 88, 033852. [Google Scholar] - Pirandola, S.; Braunstein, S.L.; Lloyd, S. Characterization of collective gaussian attacks and security of coherent-state quantum cryptography. Phys. Rev. Lett.
**2008**, 101, 200504. [Google Scholar] - Chrzanowski, H.M.; Walk, N.; Assad, S.M.; Janousek, J.; Hosseini, S.; Ralph, T.C.; Lam, P.K. Measurement-based noiseless linear amplification for quantum communication. Nat. Photon.
**2014**, 8, 333–338. [Google Scholar] - Cerf, N.J.; Levy, M.; van Assche, G. Quantum distribution of Gaussian keys using squeezed states. Phys. Rev. A
**2001**, 63, 052311. [Google Scholar] - García-Patrón, R.; Cerf, N.J. Continuous-Variable Quantum Key Distribution Protocols Over Noisy Channels. Phys. Rev. Lett.
**2009**, 102, 130501. [Google Scholar] - Pirandola, S.; García-Patrón, R.; Braunstein, S.L.; Lloyd, S. Direct and Reverse Secret-Key Capacities of a Quantum Channel. Phys. Rev. Lett.
**2009**, 102, 050503. [Google Scholar]

**Figure 1.**Schematic of the continuous-variable version of quantum key distribution (CV-QKD) protocols with an untrusted source. Both the entangled Gaussian source and the quantum channels are fully controlled by Eve. However, Eve has no access to the apparatuses in Alice’s and Bob’s stations. Alice and Bob can perform either homodyne (Hom) or heterodyne (Het) detection, using either direct or reverse reconciliation.

**Figure 2.**(

**a**) Entanglement-based CV-QKD protocol with an untrusted relay where the displacement operator is placed at Bob’s side. (

**b**) Entanglement-based scheme where the displacement operator is placed at both Alice’s and Bob’s sides.

**Figure 3.**Entanglement-in-the-middle protocol. Equivalent channels and squeezing: an Einstein–Podolsky–Rosen (EPR) state λ sent through two Gaussian channels of transmittance T

_{1}, T

_{2}and excess noise ε

_{1}, ε

_{2}, followed by two successful noiseless linear amplifiers (NLAs), has the same final covariance matrix with a state ς sent through two Gaussian channels of transmittance η

_{1}, η

_{2}and excess noise ${\epsilon}_{1}^{g}$, ${\epsilon}_{2}^{g}$, without two NLAs.

**Figure 4.**Improvement of the CV-QKD protocols with entanglement-in-the-middle. A comparison among the secret key rates for the protocols where (left panel) Alice uses homodyne detection and Bob uses homodyne detection and DR(equivalent to Alice using homodyne detection and Bob using homodyne detection and RR); and (right panel) Alice uses heterodyne detection and Bob uses homodyne detection and DR (equivalent to Alice using homodyne detection and Bob using heterodyne detection and RR), under the following situations: no NLAs (g

_{1}= 1, g

_{2}= 1), using an NLA at Alice’s side (g

_{2}= 1), using an NLA at Bob’s side (g

_{1}= 1) and using two NLAs at both sides. Here, we use the realistic parameters: V = 1.7, β = 0.948, ε = 0.002 and ${P}_{\text{total}}=1/\left({g}_{1}^{2{N}_{A}}{g}_{2}^{2{N}_{B|A}}\right)$.

**Figure 5.**Improvement of the CV-QKD protocols with entanglement-in-the-middle. A comparison among the secret key rates for the protocols where (left panel) Alice uses homodyne detection and Bob uses heterodyne detection and DR (equivalent to Alice using heterodyne detection and Bob using homodyne detection and RR); and (right panel) Alice uses heterodyne detection and Bob uses heterodyne detection and DR (equivalent to Alice using heterodyne detection and Bob using heterodyne detection and RR), under the following situations: no NLAs (g

_{1}= 1, g

_{2}= 1), using an NLA at Alice’s side (g

_{2}= 1), using an NLA at Bob’s side (g

_{1}= 1) and using two NLAs at both sides. Here, we use the realistic parameters: V = 1.7, β = 0.948, ε = 0.002 and ${P}_{\text{total}}=1/\left({g}_{1}^{2{N}_{A}}{g}_{2}^{2{N}_{B|A}}\right)$.

**Figure 6.**Entanglement-based scheme of the modified CV-QKD protocol with an untrusted relay, where a displacement operator D is placed at both Alice’s and Bob’s sides and the two NLAs are placed before the measurement devices.

**Figure 7.**Improvement of the modified CV-QKD protocol with an untrusted relay in (

**a**) the symmetric case (i.e., L

_{AC}= L

_{BC}) and (

**b**) the asymmetric case (i.e., L

_{AC}≠ L

_{BC}). A comparison among the secret key rates in DR under the following situations: no NLAs (g

_{1}= 1, g

_{2}= 1), using an NLA at Alice’s side (g

_{2}= 1), using an NLA at Bob’s side (g

_{1}= 1) and using two NLAs one at each side. Here, we use the realistic parameters: V

_{A}= V

_{B}= 1.7, β = 0.948, ε = 0.002 and ${P}_{\text{total}}=1/\left({g}_{1}^{2{N}_{A}}{g}_{2}^{2{N}_{B|A}}\right)$.

© 2015 by the authors; licensee MDPI, Basel, Switzerland This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution license (http://creativecommons.org/licenses/by/4.0/).