Finite-Key Analysis for Quantum Key Distribution with Discrete-Phase Randomization

Abstract

Quantum key distribution (QKD) allows two remote parties to share information-theoretic secret keys. Many QKD protocols assume the phase of encoding state can be continuous randomized from 0 to $2\pi$, which, however, may be questionable in the experiment. This is particularly the case in the recently proposed twin-field (TF) QKD, which has received a lot of attention since it can increase the key rate significantly and even beat some theoretical rate-loss limits. As an intuitive solution, one may introduce discrete-phase randomization instead of continuous randomization. However, a security proof for a QKD protocol with discrete-phase randomization in the finite-key region is still missing. Here, we develop a technique based on conjugate measurement and quantum state distinguishment to analyze the security in this case. Our results show that TF-QKD with a reasonable number of discrete random phases, e.g., 8 phases from $\{0,\pi /4,\pi /2,\dots ,7\pi /4\}$, can achieve satisfactory performance. On the other hand, we find the finite-size effects become more notable than before, which implies that more pulses should be emit in this case. More importantly, as a the first proof for TF-QKD with discrete-phase randomization in the finite-key region, our method is also applicable in other QKD protocols.

1. Introduction

Quantum key distribution (QKD) [1,2],one of the most successful and mature applications in quantum information science, allows for two legitimate parties (Alice and Bob) to share information-theoretic secret keys. In theory, its security has been proved [3,4,5], while experiments towards a higher key rate [6] and longer achievable distance [7,8,9,10] have been demonstrated. Still, some large scale QKD networks are emerging [11,12,13,14]. However, owing to the inherent photon-loss in the channel, it meets a vital bottleneck that limits the communication distance and key generation rate. Specifically, some fundamental rate-loss limits [15,16] impose a restriction on any point-to-point QKD without repeaters. More precisely, the key rate R is bounded by the channel transmission probability $\eta$ with the linear PLOB bound $R=-{log}_2(1-\eta )$ [16]. Delightfully, M.Lucamarini et al. made a breakthrough by proposing twin-field (TF) QKD in 2018. The essential idea of TF-QKD is in code mode extracting the key bit from a single-photon click event of the measurement station located in the middle of channel, which happens with a probability proportional to $\sqrt{\eta }$; thus, surpassing the linear PLOB bound becomes possible, and a so-called phase-error rate may be estimated in decoy mode [17,18,19] to monitor security. Driven by this, several TF-type QKD protocols [20,21,22,23,24,25,26] were proposed later to complete security proofs and improve performance. Based on these protocols, experimentalists also made great efforts to realize TF-QKD [27,28,29,30,31,32,33,34,35].

Since TF-QKD inherits measurement-device-independent (MDI)-QKD’s [36] merit that is immune to all side-channel attacks to measurement devices and all measurement-device imperfections [37,38], one does not need to take the detection loopholes into account within the TF-type QKD system. In spite of this, the security issues of the state preparation in TF-QKD must be carefully considered. In practice, the laser source of TF-QKD is usually a continuous source emitting coherent states with a fixed phase. Meanwhile, continuous phase-randomization from 0 to $\pi$ is required in the TF-QKD. More specifically, this continuous phase-randomization is assumed in both the code and test modes in Refs. [21,23,26], or at least in the test mode in Refs. [22,24,39]. To fulfill this requirement, Alice and Bob must randomize the global phase continuously and uniformly. Unluckily, two ways to achieve phase randomization introduce different problems in the experiment. Passive randomization will lead to phase correlations between adjacent pulses [40,41], while active randomization can only randomize the phase over discrete set of values.

To bridge this gap between theory and experiment, two works that analyzed the security of fully discrete-phase randomization TF-QKD protocol have been proposed [42,43,44] in these days. However, a security proof in the finite-key region is still missing. Hence, one natural question is that whether TF-QKD with fully discrete-phase randomization can work well non-asymptotically. This work affirms that it can.

In this paper, we analyze the security of TF-QKD protocol with fully discrete randomization in a finite-key region. Interestingly, our analysis leads to comparable performance with the continuous one. Since taking the discrete phase into account, our results make the TF-QKD more practical and can be applied to the future TF-QKD experiment. More importantly, some techniques proposed here, e.g., Lemma A1 (introduced later), can be utilized to analyze the security of other QKD protocols with discrete-phase randomization.

This work is organized as follows. In Section 2, we give a description of the TF-QKD protocol with fully discrete-phase randomization, and the sketch of the security proof is given in Section 3. Note that the proof is detailed in Appendix A. In Section 4, by the numerical simulation, we show this protocol can still beat the linear PLOB bound [16] and has satisfactory performance. Finally, a conclusion is given in Section 5.

2. Protocol Description

Indeed, the protocol analyzed here has been depicted in Ref. [43]. For ease of understanding, we illustrate the protocol as follows.

Step 1: Alice (Bob) chooses a label from $\{“\mu ”,“0”,“\nu ”\}$ with probabilities $P_{\mu },P_O,P_{\nu }$, according to the label she (he) chooses, she (he) takes one of the following actions:

$“\mu ”$: she (he) randomly picks an integer $l_{A_c}$ ($l_{B_c}$) from $\{0,1,\cdots ,M-1\}$ with equal probability $\frac{1}{M}$ where M is an even integer. This means that the phase 2$\pi$ is divided into M parts. Then, she (he) randomly chooses a key bit $k_a$$\left(k_b\right)$ where $k_a\left(k_b\right)\in \left\{0,1\right\}$. Finally, she (he) sends a pulse with a coherent state $|e^{i(\frac{l_{Ac}}{M}2\pi +\pi k_a)}\sqrt{\mu }\rangle$($|e^{i(\frac{l_{B_c}}{M}2\pi +\pi k_b)}\sqrt{\mu }\rangle$ ).

$“0”$: she (he) sends the vacumm state.

$“\nu ”$: she (he) randomly picks an integer $l_{A_c}$ and $l_{B_c}$ from $\{0,1,\cdots ,M-1\}$ with equal probability $\frac{1}{M}$ where M is an even integer. This means that the phase 2$\pi$ is divided into M parts. Then, she (he) sends a pulse with a coherent state $|e^{i\frac{l_{Ac}}{M}2\pi }\sqrt{\mu }\rangle$($|e^{i\frac{l_{Bc}}{M}2\pi }\sqrt{\mu }\rangle$ ).

The first case is called code mode, while the other cases are decoy mode.

Step 2: Alice and Bob repeat Step 1 in total of $N_{tot}$ times.

Step 3: After receiving $N_{tot}$ pairs of pulses from Alice and Bob, interfering each pair at a beamsplitter and measuring the two outputs with his single photon detectors (SPDs), an honest Eve announces whether or not each measurement is successful. Here, ’successful’ means only one SPD (left SPD or right SPD) clicks in the corresponding measurement, and if so, Eve reports the specific SPD clicked.

Step 4: For those rounds Eve announcing successful click, Alice and Bob announce the intensities they chose as well as the values of $l_{A_c}$ and $l_{B_c}$. Then, Alice and Bob only retain those successful rounds in which the intensities of the coherent state they sent are same while the in-phase ($l_{A_c}=l_{B_c}$) or anti-phase ($|l_{A_c}-l_{B_c}|=M/2$) condition is also met. Let $n_{2\beta }^{+}$($n_{2\beta }^{-}$) be the number of the retained rounds when both Alice and Bob chose the same intensity $\beta$ of the coherent state and the in-phase (anti-phase) is also met. Note that we assume $l_{A_c}=l_{B_c}=0$ always holds in the case of $\beta =0$. Alice and Bob generate their sifted keys from $n_{2\mu }=n_{2\mu }^{+}+n_{2\mu }^{-}$ retained rounds in code mode, thus the length of sifted key bits $n_{bit}=n_{2\mu }$. Note that if it is an in-phase (anti-phase) round with right (left) SPD clicking, Bob may flip his corresponding sifted key bit.

Step 5: With all of the quantities $n_{2\beta }=n_{2\beta }^{+}+n_{2\beta }^{-}$, Alice and Bob use linear programming to obtain an upper bound on the number of phase errors(defined later) $n_{ph}^U$ with a failure probability no more than $\epsilon$; then, they can calculate the upper bound $e_{ph}^U=n_{ph}^U/n_{bit}$.

Step 6: Step 6 consists of error correction and privacy amplification.

Step 6a: Alice sends $H_{EC}$ bits of syndrome information of her sifted key bits to Bob through an authenticated public channel. Then, Bob uses it to correct errors in his sifted keys. Alice and Bob calculate a hash of their error-corrected keys with a random universal hash function and check whether they are equal. If equal, they continue to the next step; otherwise, they abort the protocol.

Step 6b: Alice and Bob apply the privacy amplification to obtain their final secret keys. If the length of their secret key satisfies $l=n_{bit}(1-h\left(e_{ph}^U\right))-H_{EC}-{log}_2\frac{2}{{ϵ}_{cor}}-{log}_2\frac{1}{4{ϵ}_{PA}^2}$ where $h(·)$ denotes the binary Shannon entropy, this protocol must be ${ϵ}_{cor}$-correct and ${ϵ}_{sec}$-secret with ${ϵ}_{sec}=\sqrt{\epsilon }+{ϵ}_{PA}$. Here, ${ϵ}_{cor}$(${ϵ}_{sec}$) represents the protocol is correct (secret) with a failure probability no more than ${ϵ}_{cor}\left({ϵ}_{sec}\right)$. Hence, the total security parameter is ${ϵ}_{tol}$-secure where ${ϵ}_{tol}={ϵ}_{cor}+{ϵ}_{sec}$. It is elaborated thoroughly in the widely-used universally composable security framework [45,46].

3. Security Proof

In this section, we present the security proof of this protocol. The main task of the security proof is to bound the information Eve holds. To accomplish this task, one can calculate a so-called phase-error rate. Firstly, we construct an equivalent virtual protocol, in which Alice and Bob prepare some entangled states between local states and traveling states, but traveling states must have the same density matrices as actual protocol in the channel. The sifted key bits can be seen as the outputs of measurement with Z-basis on local states made by Alice and Bob; then, the so-called phase-error rate is defined as the error rate for the outputs of measurement with the X-basis made by them. According to the complementarity argument [47], the phase-error rate can be used to bound Eve’s information on the sifted keys. In the following, we give the virtual protocol and show how to bound the phase-error rate.

3.1. Equivalent Virtual Protocol

In our virtual protocol, Alice generates secret keys from the code mode in which she prepares the state

$$\begin{array}{c}\hfill {|\psi \rangle }_{\mu ,A_{c}Aa}=\sum _{l=0}^{M-1}\frac{1}{\sqrt{M}}{|l\rangle }_{A_c}(\frac{1}{\sqrt{2}}{(|0\rangle }_A|e^{i\frac{2\pi }{M}l}\sqrt{\mu }{\rangle }_a+{|1\rangle }_A|-e^{i\frac{2\pi }{M}l}\sqrt{\mu }{\rangle }_a\left)\right),\end{array}$$

(1)

where $A_c$ and A are the local quantum systems in Alice’s side, and a is the traveling quantum state Alice sent to Eve. Similarly, Bob prepares ${|\psi \rangle }_{\mu ,B_{c}Bb}$ defined analogously to ${|\psi \rangle }_{\mu ,A_{c}Aa}$. Obviously, Alice (Bob) measures $A\left(B\right)$ with Z-basis to obtain sifted key, i.e., ${|0\rangle }_A$ for bit 0 and ${|1\rangle }_A$ for bit 1. In order to obtain the phase-error rate, they measure $A,B$ in X-basis $\{|+\rangle ,|-\rangle \}$ after Eve’s attack. As for the test mode, we assume Alice prepares the following states

$$\begin{array}{cc}\hfill {|\psi \rangle }_{0,A_{c}Aa}& ={|0\rangle }_{A_c}{|0\rangle }_A{|0\rangle }_a,\hfill \\ \hfill {|\psi \rangle }_{\nu ,A_{c}Aa}& =\sum _{l=0}^{M-1}\frac{1}{\sqrt{M}}{|l\rangle }_{A_c}{|0\rangle }_A|e^{i\frac{2\pi }{M}l}\sqrt{\nu }{\rangle }_a.\hfill \\ \hfill \end{array}$$

(2)

here, the local states of $A_c$ are encoded in photon-number states, and Alice can measure $A_c$’s photon-number to learn the phase of sent states.

Finally, we can describe the process of state preparation above with a single state, namely,

$$\begin{array}{c}\hfill {|\psi \rangle }_{A_s{A}_{c}Aa}=\sqrt{p_{\mu }}{|0\rangle }_{A_s}{|\psi \rangle }_{\mu ,A_{c}Aa}+\sqrt{p_O}{|1\rangle }_{A_s}{|\psi \rangle }_{0,A_{c}Aa}+\sqrt{p_{\nu }}{|2\rangle }_{A_s}{|\psi \rangle }_{\nu ,A_{c}Aa}\end{array}$$

(3)

where Alice’s additional local ancilla $A_s$ is in the photon number states. Similarly, Bob can prepare ${|\psi \rangle }_{B_s{B}_{c}Bb}$ defined analogously to ${|\psi \rangle }_{A_s{A}_{c}Aa}$. Though Alice (Bob) may measure $A_s$($B_s$),$A_c\left(B_c\right)$, and A(B) after or before Eve announcing her measurement results, Alice (Bob) must announce the measurement results after Eve’s announcement then post-select the successful rounds. The following is a detailed illustration of our equivalent virtual protocol.

Step 1:

Alice and Bob prepare a gigantic quantum state $|\mathsf{\Phi }\rangle ={|\varphi \rangle }^{\otimes N_{tot}}={(|\psi \rangle }_{A_s{A}_{c}Aa}\otimes {|\psi \rangle }_{B_s{B}_{c}Bb}{)}^{\otimes N_{tot}}$ and send all subsystems a and b to Eve through an insecure quantum channel.

Step 2:

After performing an arbitrary quantum operation on all subsystems a and b from Alice and Bob, Eve announces whether it has a successful click (only one of her SPDs clicks) or not for each round. For a successful round, Eve continues to announce whether the left SPD clicks or the right SPD clicks. We use $\mathcal{M}$($\overline{\mathcal{M}}$) to denote the set of successful (unsuccessful) rounds.

Step 3:

For those rounds in which Eve announces success, Alice and Bob jointly measure the subsystem $A_c$($B_c$) and $A_s\left(B_s\right)$ in the photon-number basis to learn whether the intensities of the coherent state they send are same or not and whether it is in-phase or anti-phase. Then, they only retain those rounds where in-phase or anti-phase is met, and they choose the same intensities. Let ${\mathcal{M}}_s$ denote the set of those retained rounds, while ${\mathcal{M}}_f$ denotes those rounds that are in $\mathcal{M}$ but not in ${\mathcal{M}}_s$.

Step 4:

For these rounds in ${\mathcal{M}}_s$, Alice (Bob) measures the subsystem $A_c{A}_s$($B_c{B}_s$) in Fock basis to learn the phase and intensity of the coherent states she (he) sent. If the result of $A_s$($B_s$) is in state ${|0\rangle }_{A_s}$(${|0\rangle }_{B_s}$), she (he) measures subsystems A(B) in the Z basis to decide her (his) sifted key, respectively; otherwise, she (he) measures subsystem A(B) in the Z basis but does not incorporate these measurement outcomes in her (his) sifted key.

Step 5 to Step 6:

Let $n_{2\beta }$ be the number of rounds in ${\mathcal{M}}_s$ satisfying that both Alice and Bob chose the intensity $\beta$. With parameters $n_{2\beta }$, perform the same operations as Step 5 to Step 6, respectively, in the actual protocol given in Section 2.

3.2. Estimation of Phase-Error Rate

The essential of security proof is to estimate the upper-bound of the phase-error rate $e_{ph}$ of the sifted keys, i.e., how many same or different outcomes Alice and Bob have if they measure A and B with X-basis hypothetically in the rounds where sifted keys are generated. Specifically, in our protocol, we define the number of the same outcomes they have as $n_{ph}$, i.e., the number of phase-error events. Provided that $e_{ph}=n_{ph}/n_{2\mu }$ is bounded, one can generate the final secret key with an appropriate ${ϵ}_{tol}$ value as given in Step6.b of the actual protocol.

A detailed proof for how to estimate $n_{ph}$ is present in Appendix A. Here, a sketch of this proof is given.

Though analyzing the equivalent protocol, it is proven that if Alice and Bob both chose intensity $\beta$, and in-phase or anti-phase is also met, they actually prepare a mixture ${\tau }_{2\beta }$, which consists of component ${\tau }_{j|2\beta },j=0,1,...,M-1$. Moreover, each phase-error event is a click by some particular components of that mixture ${\tau }_{2\beta }$, i.e., ${\tau }_{j|2\beta },j=0,2,...,M-2$. These results imply that

$$\begin{array}{cc}\hfill n_{2\mu }=& {\sum }_{j=0}^M{n}_{j|2\mu },\\ \hfill n_{2\nu }=& {\sum }_{j=0}^M{n}_{j|2\nu },\\ \hfill n_{ph}=& {\sum }_{j=0,j\in {\mathcal{N}}_0}^{M-2}{n}_{j|2\mu },\end{array}$$

(4)

where $n_{j|2\beta }$ denotes the number of rounds in ${\mathcal{M}}_s$, in which Alice and Bob both chose intensity $\beta$, but ${\tau }_{2\beta }$ is actually ${\tau }_{j|2\beta }$. Meanwhile, ${\mathcal{N}}_0$ is the set of even numbers. Now, the hypothetical value $n_{ph}$ is related to some experimentally observed values. However, just with these equations it is difficult to bound $n_{ph}$ tightly since $n_{j|2\beta }$ cannot be known directly.

On the other hand, both ${\tau }_{j|2\mu }$ and ${\tau }_{j|2\nu }$ are very close to Fock-state $|j\rangle \langle j|$. Accordingly, it is intuitive to consider if there are constraints on the gap between $n_{j|2\mu }$ and $n_{j|2\nu }$. Then, we developed Lemma A1 (see Appendix A for details) to bound the gap between the yields of two distinct quantum states in a non-asymptotic situation. Applying this lemma, we obtained a series of constraints on $n_{j|2\mu }$ and $n_{j|2\nu }$. Finally, combined with Equation (4), an analytical upper bound of $n_{ph}$ (given in the end of the Appendix A) was calculated to find the upper bound of phase-error rate $e_{ph}^U=n_{ph}^U/n_{2\mu }$.

4. Numerical Simulation

In this section, we simulate the final secret key rate with the parameters listed in

Table 1. List of parameters uesd in the numerical simulations. Here, $e_m$ is loss-independent misalignment error rate due to optical imperfect interference, $p_d$ is dark counting probability for each SPD, $\xi$ is fiber loss constant, ${\eta }_d$ denotes detection efficiency of each SPD, f is error-correction inefficiency, and ${ϵ}_{tol}$ denotes the total security coefficient.

${\mathit{e}}_{\mathit{m}}$	${\mathit{p}}_{\mathit{d}}$	$\mathit{\xi }$ (dB/km)	${\mathit{\eta }}_{\mathit{d}}$	f	${\mathit{ϵ}}_{\mathit{tol}}$
0.03	$1\times {10}^{-8}$	0.2	0.3	1.1	$4.6566\times {10}^{-10}$

.

It is reasonable to simulate the experimentally observed values $n_{2\mu }$, $n_{2\nu }$ and $n_0$ with their mean values. Let $Q_{corr|2\beta }$ be the probability of only one click from left (right) SPD when both Alice and Bob prepare coherent states with intensity $\beta$ and a phase difference of 0 ($\pi$), and $Q_{err|2\beta }$ be the probability of only one click from left (right) SPD when both Alice and Bob prepare coherent states with intensity $\beta$ and phase difference of $\pi$ (0). Then, we have

$$\begin{array}{c}\hfill Q_{corr|2\beta }=(1-(1-p_d)e^{-2\eta (1-e_m)\beta })e^{-2\eta e_m\beta }(1-p_d),\\ \hfill Q_{err|2\beta }=(1-(1-p_d)e^{-2\eta e_m\beta })e^{-2\eta (1-e_m)\beta }(1-p_d),\end{array}$$

(5)

where $\eta ={10}^{\frac{-0.2L}{20}}$ and L is the channel distance between Alice and Bob. Accordingly, in the simulation, we assume $n_{2\beta }=N_{tot}{P}_{\beta }^{2}2(Q_{corr|2\beta }+Q_{err|2\beta })/M$ for $\beta =\mu ,\nu$. Note that $n_0=N_{tot}{P}_O^2(Q_{corr|0}+Q_{err|0})$, $n_{bit}=n_{2\mu }$ and $e_{bit}=Q_{err|2\mu }/(Q_{corr|2\mu }+Q_{err|2\mu })$. With these values, setting $M=8$ and the failure probability of estimating phase error $\epsilon =(6M+12){\epsilon }_a=4\times {10}^{-20}$, one can obtain the upper-bound of phase-error rate $e_{ph}^U$ by the linear programming given by (A41) in Appendix A. Moreover, the amount of $H_{EC}$ is $H_{EC}=N_{bit}fh\left(e_{bit}\right)$, ${ϵ}_{cor}=1\times {10}^{-10}$, and ${ϵ}_{PA}=1.6566\times {10}^{-10}$, which leads to a secret key of length $l=n_{bit}(1-h\left(e_{ph}^U\right))-H_{EC}-{log}_2\frac{2}{{ϵ}_{cor}}-{log}_2\frac{1}{4{ϵ}_{PA}^2}$ with ${ϵ}_{sec}={ϵ}_{PA}+\sqrt{\epsilon }$ and the total security parameter ${ϵ}_{tol}={ϵ}_{cor}+{ϵ}_{sec}=4.6566\times {10}^{-10}$.

Finally, we numerically optimize the intensities and corresponding probabilities to maximize l in the cases of the total number of pulses is $N_{tot}=1\times {10}^{17},1\times {10}^{14},1\times {10}^{13},1\times {10}^{12}$. Note that because this numerical problem is very time-comsuming, these intensities and probabilities are not optimized at each distance. Additionally, we use some typical parameters instead. The simulate results ($l/N_{tot}$ v.s. L) are illustrated below.

As Figure 1 shows, we obtain considerable secret key rates when the total number of pulses is ${10}^{12}$, ${10}^{13}$, ${10}^{14}$ or ${10}^{17}$. Through numerical simulations, it is confirmed that TF-QKD with discrete-phase randomization has satisfactory performance. On the other hand, it is verified that finite-size effects become more notable here compared with the original protocol with continuous phase randomization; it seems that one has to prepare ${10}^{17}$ pulses to surpass the PLOB linear bound. This is because the statistical fluctuations in Lemma A1 are proportional to the square root of the total number of emitting pulse $N_{tot}$, which leads to alarge phase-error rate $e_{ph}$ when $n_{bit}$ is not sufficiently large.

5. Conclusions

In real setups of TF-QKD, continuous randomization is usually realized by actively adding a random signal to a phase modulator. On the other hand, random numbers are generated discretely in most schemes. Therefore, TF-QKD with discrete-phase randomization is more practical. It is necessary to analyze the security of TF-QKD with discrete-phase randomization. Based on conjugate measurement, the security proof of a QKD protocol is to estimate the phase-error rate. Then in case of discrete-phase randomization, a critical step is knowing how to bound the gap between yields of two distinct but very close quantum states in a non-asymptotic situation. To achieve this goal, Lemma A1 is developed to find the upper bound of this gap. With the help of Lemma 1, linear programming is proposed to calculate the phase-error rate, and the key length is then straightforward. Through numerical simulations, it is confirmed that TF-QKD with discrete-phase randomization has satisfactory performance. On the other hand, we also find that more pulses should be prepared to alleviate the finite-size effects than previous protocol.

Moreover, it is worth noting that Lemma A1 is quite useful in a variety of scenarios, not just in the security proof of TF-QKD. For instance, if one considers the BB84 with discrete-phase randomization [48], the Lemma A1 can be utilized to bound the yield of single photon state, so then it is not difficult to give a relevant security proof. To summarize, we give the first security proof for TF-QKD with finite discrete-phase randomization in non-asymptotic scenarios. Although the proof is tailored for TF-QKD, the framework of this proof, i.e. Lemma A1, can be adapted in other protocols.