A New Security Proof for Twin-Field Quantum Key Distribution (QKD)

Abstract

Twin-field QKD (TF-QKD) protocols allow for increased key rates over long distances when compared to standard QKD protocols. They are even able to surpass the PLOB bound without the need for quantum repeaters. In this work, we revisit a previous TF-QKD protocol and derive a new, simple, proof of security for it. We also look at several variants of the protocol and investigate their performance, showing some interesting behaviors due to the asymmetric nature of the protocol.

1. Introduction

Quantum key distribution (QKD) allows two parties to establish a shared secret key that is secure even against computationally unbounded adversaries. This is a task that is impossible to achieve using classical communication alone, unless computational assumptions are made on the adversary’s capabilities. However, QKD has several limitations, especially in terms of distance. See [1,2,3] for a general survey on QKD.

In general, the key-rate of a QKD system is severely restricted by the total transmittance of the channel between parties. Several strategies can mitigate this, including trusted node networks [4,5,6] and quantum repeaters [7,8,9]. Quantum network research, in general, is a rapidly growing topic both for QKD [10] and the more general Quantum Internet [11] (the latter of which can support QKD, but also other applications such as distributed computing [12,13,14] and distributed quantum sensing [15,16,17,18]). However, an interesting third alternative for boosting QKD distances are so-called twin-field QKD (TF-QKD) protocols [19,20,21,22,23,24] which can even beat the PLOB bound [25].

Proving security of QKD protocols (TF or otherwise) is an important task, and developing novel proof techniques can be vital for advancing the state of the art (in addition to providing an additional proof of security which, itself, is interesting). Since TF-QKD can already be demonstrated experimentally over long distances [26,27] (even up to over 800 km [28]), it is important to study rigorously the underlying security proofs for these systems as they are applicable using today’s technology. Doing so affords researchers more mathematical tools to handle new protocols, and may even lead to improvements in performance under certain conditions as newer techniques may provide more optimistic security results in some cases (or, more formally, more optimistic bounds on the quantum min entropy between the users and an adversary system).

In this paper, we re-visit a TF-QKD protocol introduced in [19] and develop an entirely new proof of security using methods of quantum sampling as introduced in [29], and sampling-based entropic uncertainty relations [30]. Our proof is fairly simple and can be used potentially for other TF-QKD protocols. In particular, our method might be easily adapted to the sending-not-sending TF protocol [31].

While our new proof does not improve on previously produced key-rates, we feel it is still interesting to develop alternative methods. Indeed, by now numerous proofs of security have been performed for BB84, all leading to the same result; yet different methods can be applied to different protocols later “down the road”, and thus developing alternative techniques is an important area of research in quantum cryptography. We also make two small changes to the original protocol (which our new security proof can handle easily) and show some interesting behaviors of these new protocols, including improved performance. We are not aware of these two variants in the current literature, thereby making them a second contribution of this paper.

2. Preliminaries

We now introduce some notation and other preliminary concepts and technical lemmas that will be important in our work later. Let ${\mathcal{A}}_d=\{0,1,\cdots ,d-1\}$ be a d-dimensional alphabet. Given a word $q\in {\mathcal{A}}_d^N$ and a subset $t\subset \{1,\cdots ,N\}$, we write $q_t$ to denote the substring of q which is indexed by t and $q_{-t}$ to mean the substring indexed by the complement of t. If t is a singleton $t=\left\{i\right\}$, we often simply write $q_i$ to represent the i’th character of q.

Given $\delta >0$ and two real numbers, x and y, we write the following:

$$x{\sim }_{\delta }y\iff |x-y|\le \delta .$$

(1)

Given a word $q\in {\mathcal{A}}_d^N$ and a particular character $a\in {\mathcal{A}}_d$, we write ${\#}_a\left(q\right)$ to denote the number of times a appears in the word q:

$${\#}_a\left(q\right)=\left|\{j:q_j=a\}\right|.$$

(2)

We use ${\#}_{a,b}\left(q\right)$ to denote the number of times a and b appear in q:

$${\#}_{a,b}\left(q\right)=\left|\{j:q_j=a\mathrm{or}{q}_j=b\}\right|.$$

(3)

Let X be a random variable taking value $x_i$, with probability $p_i$. Then, $H\left(X\right)$ denotes the Shannon entropy of X, namely $H\left(X\right)=-{\sum }_i{p}_i{log}_2{p}_i$. All logarithms in the paper are base two, unless otherwise specified. We use $h\left(x\right)$ to denote the binary Shannon entropy, defined as $h\left(x\right)=-x{log}_{2}x-(1-x){log}_2(1-x)$.

A quantum state or density operator is a Hermitian positive semi-definite operator of unit trace, acting on some Hilbert space $\mathcal{H}$. If ${\rho }_{AE}$ acts on ${\mathcal{H}}_A\otimes {\mathcal{H}}_E$, we write ${\rho }_A$ to denote the quantum state resulting from a partial trace over E, namely ${\rho }_A=t{r}_E{\rho }_{AE}$. This notation is similar for states acting on additional Hilbert spaces.

The Bell basis [32,33,34] is spanned by states $\{|{\varphi }_0⟩,\cdots ,|{\varphi }_3⟩\}$:

$$\begin{array}{cc}\hfill |{\varphi }_0⟩& =\frac{1}{\sqrt{2}}(|00⟩+|11⟩)=\frac{1}{\sqrt{2}}(|++⟩+|--⟩)\hfill \\ \hfill |{\varphi }_1⟩& =\frac{1}{\sqrt{2}}(|00⟩-|11⟩)=\frac{1}{\sqrt{2}}(|+-⟩+|-+⟩)\hfill \\ \hfill |{\varphi }_2⟩& =\frac{1}{\sqrt{2}}(|01⟩+|10⟩)=\frac{1}{\sqrt{2}}(|++⟩-|--⟩)\hfill \\ \hfill |{\varphi }_3⟩& =\frac{1}{\sqrt{2}}(|01⟩-|10⟩)=\frac{1}{\sqrt{2}}(|+-⟩-|-+⟩)\hfill \end{array}$$

(4)

where $|+⟩$ and $|-⟩$ are the Hadamard basis states, $|\pm ⟩=\frac{1}{\sqrt{2}}(|0⟩\pm |1⟩)$. Given a word $i\in {\mathcal{A}}_4^N$, we write $|{\varphi }_i⟩$ to denote $|{\varphi }_i⟩=|{\varphi }_{i_1}⟩\otimes \cdots |{\varphi }_{i_N}⟩$.

Given a density operator ${\rho }_A$, we write $H{\left(A\right)}_{\rho }$ to be the von Neumann entropy of ${\rho }_A$ defined as $H{\left(A\right)}_{\rho }=-tr\left({\rho }_A{log}_2{\rho }_A\right)$. The conditional quantum min entropy is defined as follows [35]:

$$H_{\infty }{\left(A\right|E)}_{\rho }=\underset{{\sigma }_E}{sup}max\left\{\lambda \in \mathbb{R}:2^{-\lambda }{I}_A\otimes {\sigma }_E\ge {\rho }_{AE}\right\},$$

(5)

where $A\ge B$ is used to indicate that the operator $A-B$ is positive semi-definite. The smooth conditional min entropy, denoted as $H_{\infty }^{ϵ}{\left(A\right|E)}_{\rho }$, is defined as follows [35]:

$$H_{\infty }^{ϵ}{\left(A\right|E)}_{\rho }=\underset{{\sigma }_{AE}}{sup}{H}_{\infty }{\left(A\right|E)}_{\sigma },$$

(6)

where the supremum is over all density operators ${\sigma }_{AE}$ such that $\left|\left|{\rho }_{AE}-{\sigma }_{AE}\right|\right|\le ϵ$, where $\left|\left|A\right|\right|$ is the trace distance of operator A.

Quantum min entropy is a vital quantity in quantum cryptography as it relates directly to the number of uniform random secret bits one may extract from a quantum state [35]. In particular, given ${\rho }_{AE}$ where the A register is classical and the E register is quantum, privacy amplification may be used to extract a uniform secret bit string. Let ${\sigma }_{KE}$ be the result after applying the privacy amplification process to ${\rho }_{AE}$. Then, it holds the following [35]:

$$\left|\left|{\sigma }_{KE}-\frac{I}{2^{\ell }}\otimes {\sigma }_E\right|\right|\le 2^{-\frac{1}{2}(H_{\infty }^{ϵ}{\left(A\right|E)}_{\rho }-\ell )}+2ϵ={ϵ}_{PA}.$$

(7)

In particular, after privacy amplification, the resulting output is almost a uniform random ℓ-bit string, independent of Eve’s system. To determine a suitable size for ℓ, one only need to measure the min entropy of the state ${\rho }_{AE}$ before privacy amplification. For a given ${ϵ}_{PA}$, the final key is said to be ${ϵ}_{PA}$ secure.

Quantum min entropy has a number of useful properties that we will require later. First, given a state of the form ${\rho }_{AEZ}={\sum }_z{p}_z|z⟩⟨z|\otimes {\rho }_{AE}^{\left(z\right)}$ (i.e., a state classical on Z), the following holds:

$$H_{\infty }{\left(A\right|E)}_{\rho }\ge H_{\infty }{\left(A\right|EZ)}_{\rho }\ge \underset{z}{min}{H}_{\infty }{\left(A\right|E)}_{{\rho }^{\left(z\right)}}.$$

(8)

The following lemma allows us to bound the entropy in a state after performing a certain type of quantum operation on it, if we know the min entropy in a suitable state that is close in trace distance:

Lemma 1

(from [36]). Let ρ and σ be two quantum states and $\mathcal{F}$ be some CPTP map that acts as follows:

$$\begin{array}{cc}\hfill \mathcal{F}\left(\rho \right)& =\sum _x{p}_x|x⟩⟨x|\otimes {\rho }_{AE}^{\left(x\right)}\hfill \\ \hfill \mathcal{F}\left(\sigma \right)& =\sum _x{q}_x|x⟩⟨x|\otimes {\sigma }_{AE}^{\left(x\right)}\hfill \end{array}$$

Then, the following holds:

$$Pr\left(H_{\infty }^{4ϵ+3{ϵ}^{1/3}}{\left(A\right|E)}_{{\rho }^{\left(x\right)}}-H_{\infty }{\left(A\right|E)}_{{\sigma }^{\left(x\right)}}\ge 0\right)\ge 1-2{ϵ}^{1/3},$$

(9)

where the probability is over the outcome x and $ϵ\ge \frac{1}{2}\left|\left|\rho -\sigma \right|\right|$.

Finally, the following lemma allows us to bind the min entropy of a superposition of Bell states (the lemma is found in [37], though its proof uses techniques similar to those in [29,35] for bounding the min entropy of a general superposition state):

Lemma 2

(from [37] based on a proof in [29,35]). Let $Q\in [0,1/2]$ and

$${|\psi ⟩}_{ABE}=\sum _{\begin{array}{c}i\in {\mathcal{A}}_4^N\\ \frac{1}{N}{\#}_{1,3}\left(i\right)\le Q\end{array}}{\alpha }_i{|{\varphi }_i⟩}_{AB}|E_i⟩=\sum _i{\alpha }_i{|{\varphi }_{i_1}⟩}_{A_1{B}_1}{|{\varphi }_{i_2}⟩}_{A_2{B}_2}\cdots {|{\varphi }_{i_N}⟩}_{A_N{B}_N}|E_i⟩,$$

(10)

where recall ${\#}_{1,3}\left(i\right)$ is the number of times 1 and 3 appear in the string i. Let ${\rho }_{AE}$ be the state resulting from taking $|\psi ⟩$, measuring all A particles in the Z basis and then tracing out the B register. Then, the following holds:

$$H_{\infty }{\left(A\right|E)}_{\rho }\ge N\left(1-h\left(Q\right)\right).$$

(11)

Quantum Sampling

Our new proof of security will utilize a quantum sampling framework introduced by Bouman and Fehr in [29]. In this section, we review some of their work that we will need later.

A classical sampling strategy over ${\mathcal{A}}_d^N$ is a triple of algorithms. The first is a process that randomly chooses a subset $t\subset \{1,\cdots ,N\}$ with probability $P_T\left(t\right)$. The second is a guessing function $g:{\mathcal{A}}_d^{*}\to \mathbb{R}$. The third is a target function $r:{\mathcal{A}}_d^{*}\to \mathbb{R}$. The strategy will first choose a random subset and observe $q_t$. Next, a guess is computed $g\left(q_t\right)$; this guess should be $\delta$ close to the value of the target function, but evaluated on the unobserved portion of the string $r\left(q_{-t}\right)$. That is, $g\left(q_t\right){\sim }_{\delta }r\left(q_{-t}\right)$.

Formally, $\delta >0$ and a subset t should be fixed. Then, the set of good words should be defined as follows:

$${\mathcal{G}}_t=\{q\in {\mathcal{A}}_d^N:g\left(q_t\right){\sim }_{\delta }r\left(q_{-t}\right)\}.$$

(12)

Recall, we wrote that $x{\sim }_{\delta }y$ if and only if $|x-y|\le \delta$. A good word is one where the guess is always $\delta$ close to the target for the given subset t. The classical error probability of the sampling strategy is defined simply as follows:

$${ϵ}_{\delta }^{cl}=\underset{q\in {\mathcal{A}}_d^N}{max}P{r}_t\left(q\notin {\mathcal{G}}_t\right).$$

(13)

From this definition, it holds that for any word $q\in {\mathcal{A}}_d^N$, if the sampling strategy is performed on it, the probability that it fails (namely that the guess is not $\delta$ close to the target) is at most ${ϵ}_{\delta }^{cl}$.

The main result from [29] was to extend this to the quantum domain. A classical sampling strategy can be promoted to a quantum one in a natural way: given a quantum state ${|\psi ⟩}_{AE}$ where the A register consists of N qudits, each qudit of dimension d, one chooses a subset t and measures the qudits, indexed by t, in some d dimensional orthonormal basis $\{{|0⟩}^B,\cdots ,{|d-1⟩}^B\}$. This measurement results in a classical outcome $q_t$. Then, according to Bouman and Fehr’s main result, the unmeasured portion behaves like a superposition of words that are $\delta$ close to the guess (with respect to the given target). To formalize this, a basis B is fixed and the following space is considered:

$$\mathrm{span}\left({\mathcal{G}}_t\right)\otimes {\mathcal{H}}_E=\mathrm{span}\left\{{|q⟩}^B:q\in {\mathcal{G}}_t\right\}\otimes {\mathcal{H}}_E.$$

(14)

This subspace is called the ideal subspace; a state within it is called an ideal state. Note that if one is given an ideal state $|{\nu }^t⟩$ (which only makes sense at the moment for a specific subset t according to this definition and thus the superscript index), and if one performs a measurement in the B basis on subset t resulting in outcome $q_t\in {\mathcal{A}}_d^{\left|t\right|}$, the post measured state must collapse to one that is of the following form:

$$|{\nu }_q^t⟩=\sum _{\begin{array}{c}i\in {\mathcal{A}}_4^{N-\left|t\right|}\\ g\left(q_t\right){\sim }_{\delta }r\left(i\right)\end{array}}{\alpha }_i{|i⟩}^B\otimes |E_i⟩.$$

(15)

Namely, it must collapse to a superposition of words that are $\delta$ close to the observed value (with respect to the given guess and target functions). The states may not be necessarily ideal; however, the following theorem says that for any quantum state, one can define a collection of ideal states that are $ϵ$ close in trace distance to the given state.

Theorem 1

(from [29], but re-worded slightly for our application and approach). Let $\delta >0$, B be a d-dimensional orthonormal basis, and ${|\psi ⟩}_{AE}$ be a pure quantum state where the A register consists of N qudits, each qudit of dimension d. It is assumed that the dimension of each system N is known. Given a classical sampling strategy with error probability ${ϵ}_{\delta }^{cl}$, there is a collection of ideal states ${\left\{|{\nu }^t⟩\right\}}_t$, indexed by all subsets t such that $P_T\left(t\right)>0$:

$$|{\nu }^t⟩\in \mathit{span}\left({\mathcal{G}}_t\right)\otimes {\mathcal{H}}_E$$

(16)

Furthermore,

$$\frac{1}{2}\left|\left|\sum _t{P}_T\left(t\right)|t⟩⟨t|\otimes |\psi ⟩⟨\psi |-\sum _t{P}_T\left(t\right)|t⟩⟨t|\otimes |{\nu }^t⟩⟨{\nu }^t|\right|\right|\le \sqrt{{ϵ}_{\delta }^{cl}}.$$

(17)

Note that, the original proof of Theorem 1 assumes Eve’s ancilla is finite dimensional. This is without loss of generality in our proof since we are considering ideal sources.

Before leaving this section, we discuss an important sampling strategy which we will use later. This strategy was analyzed in [37] for Bell states. Given a word $q\in {\mathcal{A}}_4^{n+m}$, a subset of size m is uniformly chosen at random from all m size subsets of $\{1,\cdots ,n+m\}$. The guess and target functions are simply $g\left(x\right)=r\left(x\right)=\frac{1}{\left|x\right|}{\#}_{1,3}\left(x\right)$. This defines the set of good words as follows:

$${\mathcal{G}}_t=\left\{q\in {\mathcal{A}}_4^{n+m}:\frac{1}{m}{\#}_{1,3}\left(q_t\right){\sim }_{\delta }\frac{1}{n}{\#}_{1,3}\left(q_{-t}\right)\right\},$$

(18)

where recall ${\#}_{1,3}\left(q_t\right)$ is the number of 1’s and 3’s in the word $q_t$.

The failure probability of this strategy was proven in [37] as follows:

$${ϵ}_{\delta }^{cl}\le 2exp\left(-{\delta }^2\frac{m(n+m)}{n+m+2}\right).$$

(19)

3. Protocol

We now describe the specific TF-QKD protocol, introduced in [19], which we will be analyzing. A single round of the quantum communication stage consists of the following operations:

• Alice prepares an entangled quantum state of the form:

  $$|{\psi }_a⟩=\sqrt{q}{|0,v⟩}_{Aa}+\sqrt{1-q}{|1,p⟩}_{Aa}$$

  where the A register is a private qubit memory, while the a register consists of a single photon in either the vacuum state ${|v⟩}_a$ or a non-vacuum state ${|p⟩}_a$. This register will be transmitted to a central server. Finally, q is a publicly known parameter chosen by Alice and Bob which will be optimized later.
• Similarly, Bob creates the state:

  $$|{\psi }_b⟩=\sqrt{q}{|1,v⟩}_{Bb}+\sqrt{1-q}{|0,p⟩}_{Bb}.$$
  The A and B registers are kept private, while the a and b registers are sent to a central server.
• The central server routes the incoming $ab$ registers through a 50:50 beam splitter with two detectors, $D_0$ and $D_1$. The outcome of the detectors are reported to Alice and Bob. The possible outcomes are “0” (meaning detector $D_0$ clicked); “1” (meaning detector $D_1$ clicked); “$vac$” (meaning no detector clicked); and “$other$” (meaning any other outcome, such as both detectors clicking).
• If the server reported “$vac$” or “$other$”, Alice and Bob discard this round and their private qubits. If the server reported “1”, Bob applies a Pauli Z gate to his private ancilla, thereby flipping the phase of the ${|1⟩}_B$ state.
• If the server reported either “0” or “1”, Alice and Bob should now hold a Bell state ${|{\varphi }_0^0⟩}_{AB}$. They will measure their private qubits in either the Z or the X basis. Some of the Z and X measurements will be used to test the fidelity of the state; the remaining Z basis states will be used for key distillation.

We note that there is a simple change to the above protocol which turns it into an equivalent prepare-and-measure protocol where Alice and Bob do not need to measure or hold private memories. For more details on that, the reader is referred to the original paper [19].

To see why the above protocol works, consider a single round. At the beginning, Alice and Bob create the joint state:

$$\begin{array}{cc}\hfill |{\psi }_0⟩& =(\sqrt{q}{|0,v⟩}_{Aa}+\sqrt{1-q}{|1,p⟩}_{A,a})\otimes (\sqrt{q}{|1,v⟩}_{Bb}+\sqrt{1-q}{|0,p⟩}_{Bb})\hfill \\ \hfill & \cong q{|0,1,v,v⟩}_{ABab}+\sqrt{q(1-q)}({|0,0,v,p⟩}_{ABab}+{|1,1,p,v⟩}_{ABab})+(1-q){|1,0,p,p⟩}_{ABab}.\hfill \end{array}$$

(20)

At this point, the $ab$ registers are sent through a 50:50 beam splitter. We denote the output modes of the BS as $D_0$ and $D_1$. We simply denote the action of this splitter (up to phase rotation) as follows:

$$\begin{array}{cc}\hfill BS{|v,v⟩}_{ab}& ={|v⟩}_{01}\hfill \\ \hfill BS{|p,v⟩}_{ab}& =\frac{1}{\sqrt{2}}({|D_0⟩}_{01}+{|D_1⟩}_{01})\hfill \\ \hfill BS{|v,p⟩}_{ab}& =\frac{1}{\sqrt{2}}({|D_0⟩}_{01}-{|D_1⟩}_{01})\hfill \\ \hfill BS{|p,p⟩}_{ab}& ={|{\psi }_2⟩}_{01}\hfill \end{array}$$

where ${|{\psi }_2⟩}_{01}$ is the state resulting from the action of the beam splitter upon the receipt of two photons, one from Alice and one from Bob; the exact description of this state is not important for the following discussion.

After applying the BS to Equation (20), but before measuring the output of the BS, the state evolves to (after permuting subspaces) the following:

$$q{|v⟩}_{01}{|01⟩}_{AB}+\sqrt{q(1-q)}\left({|0⟩}_{01}{|{\varphi }_0⟩}_{AB}-{|1⟩}_{01}{|{\varphi }_1⟩}_{AB}\right)+(1-q){|{\psi }_2⟩}_{01}{|10⟩}_{AB}.$$

(21)

At this point, a measurement of the BS output register is performed and the outcome is broadcast. Assuming that $1-q$ is “small”, whenever a “$D_0$” or “$D_1$” is measured, Alice and Bob’s state should collapse to an entangled Bell state; when the outcome is $D_1$, Bob will apply a Pauli Z gate to transform the state $|{\varphi }_1⟩$ to $|{\varphi }_0⟩$. Since $1-q>0$, there will be some error in the multi-photon case, and this is something that users must optimize. Thus, interestingly, for this TF-QKD protocol, even when there is no channel noise and everything is ideal, there will always be some error in Alice and Bob’s raw key, which error correction must later repair.

At this point, we comment that two varieties of the above protocol may be introduced, which we denote as Π$-\mathtt{Zero}$ and Π$-\mathtt{One}$. For Π$-\mathtt{Zero}$, Alice and Bob will only use rounds where the server reports an outcome of $D_0$ (if any other outcome is reported, including $D_1$, that round is discarded); similarly, Π$-\mathtt{One}$ is defined to be the same, but Alice and Bob will only use rounds where the server reports an outcome of $D_1$. The original protocol, where Alice and Bob use rounds where the server reports either $D_0$ or $D_1$, will be denoted Π$-\mathtt{Total}$. While Π$-\mathtt{Zero}$ and Π$-\mathtt{One}$ may discard more rounds, we show later that improvements in key-rates can be found in some instances based on channel statistics. This is due to the asymmetric nature of the protocol (which we discuss in more detail in Section 5.1). We are not aware of these slight modifications being analyzed in prior literature.

Entanglement-Based Version

Instead of analyzing the above protocol, we will instead analyze the following entanglement-based protocol. It is not difficult to see that security of the following entanglement-based version will imply security of the above prepare-and-measure version. The entanglement-based version operates as follows:

• Eve creates a quantum state ${|\psi ⟩}_{ABCE}$, where the A and B portions consist of N qubits each, while the C portion lives in a Hilbert space spanned by orthonormal basis $\mathcal{C}=\left\{|“c”⟩\right\}$ for all $c\in {\{“0”,“1”,“v”,“?”\}}^N$ (here, “v” will denote a vacuum observation and “?” an “other” event). The E portion is arbitrary. Alice and Bob are given the A and B registers, while the C register is sent to a trusted third party Charlie.
• Charlie measures his entire C register in the $\mathcal{C}$ basis, broadcasting the result to all parties. Alice and Bob discard all qubits rounds where the reported outcome was “$vac$” or “?”. Let $N_c$ be the number of remaining systems not discarded.
• Alice and Bob choose a random subset $t\subset \{1,\cdots ,N_c\}$ of size $m_c$ (which may depend on $N_c$), and measure their respective systems, indexed by this subset, in the X basis which they subsequently broadcast to determine the fidelity of their state.
• Alice and Bob measure the remaining systems in the Z basis, leading to their raw key. They then further process this through error correction and privacy amplification as normal.

Entanglement-based versions of Π$-\mathtt{Zero}$ and Π$-\mathtt{One}$ are defined similarly, with only step 2 being changed.

Note that in the entanglement-based version, Bob does not apply a Pauli correction gate, since Eve gets to prepare not only Alice and Bob’s state but also the state that would normally have been output from the BS; it is advantageous for Eve to “simulate” the Pauli correction before sending it to Bob (though she does not have to; however, not doing so would lead to additional X basis noise). It is not difficult to see that security of the entanglement based version above will imply security of the actual TF-QKD protocol. In the next section, we show a new proof of security, deriving an entropy bound for the entanglement-based version, which will subsequently produce a key-rate bound for the TF-QKD protocol.

We note that the protocols above are not novel; they are, at most, very slight variations of protocols from [19]. Π$-\mathtt{Total}$ is identical to prior work in [19], while Π$-\mathtt{Zero}$ and Π$-\mathtt{One}$ are only minor variations of that protocol. As discussed in the introduction, the novelty of our work is in an alternative security proof, derived in the following section.

4. New Security Proof

We now present our new proof of security for the above TF-QKD protocol. Our proof uses the quantum sampling framework of Bouman and Fehr [29] discussed above, along with proof techniques used for sampling-based entropic uncertainty relations [30]. Namely, we prove security of the entanglement-based version which will imply security of the prepare-and-measure version. The main result is shown in the following theorem:

Theorem 2.

Let ${|\psi ⟩}_{ABCE}$ be the state Eve prepares where the A and B portions are N qubits each and the C portion is in a Hilbert space of dimension $4^N$. After Charlie’s measurement of the C register, let $c\in {\{0,1,v,?\}}^N$ be the resulting outcome and ${|{\psi }^c⟩}_{ABE}$ be the post measured state (tracing out the measured C register). Let $N_c$ be the number of signals not discarded, namely $N_c={\#}_{0,1}\left(c\right)$ for Π-Total, $N_c={\#}_0\left(c\right)$ for Π-Zero, and $N_c={\#}_1\left(c\right)$ for Π-One. Alice and Bob will choose a random sample of size $m_c<N_c/2$, measure those qubits in the X basis and determine the relative number of errors in that basis, denoted as $Q_X$. Then, it holds that, except with probability ${ϵ}_{fail}=2{ϵ}^{1/3}$, if the remaining $N_c-m_c$ signals are measured in the Z basis

$$H_{\infty }^{4ϵ+3{ϵ}^{1/3}}\left(A\right|E)\ge (N_c-m_c)(1-h(Q_X+{\delta }_c)),$$

(22)

where

$${\delta }_c=\sqrt{\frac{(N_c+2)ln(2/{ϵ}^2)}{m_c{N}_c}}.$$

(23)

Proof. 

Consider the post-measured state ${|{\psi }^c⟩}_{ABE}$ as discussed in the theorem statement. Without loss of generality, we may write this state as follows:

$${|{\psi }^c⟩}_{ABE}=\sum _{i\in {\mathcal{A}}_4^N}{\alpha }_i|{\varphi }_i⟩|E_i^c⟩.$$

(24)

At this point, Alice and Bob discard certain systems based on the value of c. For instance, whenever $c_j\in \{v,?\}$, they will discard that round; furthermore, if they are running Π$-\mathtt{Zero}$ (respectively Π$-\mathtt{One}$), they will discard rounds when $c_j=1$ (respectively $c_j=0$). This effectively traces out these systems. Let $N_c$ be defined as in the theorem statement and $R_C=N-N_C$ (the number of signals Rejected). It is easy to see that this operation, effectively tracing out certain systems of A and B, yields a mixed state which may be written as follows:

$${\rho }_{ABE}^c=\sum _{r\in {\mathcal{A}}_4^{R_c}}p\left(r\right)P\underset{{|{\psi }^{c,r}⟩}_{ABE}}{\underbrace{\left(\sum _{i\in {\mathcal{A}}_4^{N_c}}{\beta }_{i|r}|{\varphi }_i⟩|E_{i|r}⟩\right)}}=\sum _{r\in {\mathcal{A}}_4^{R_c}}p\left(r\right)|{\psi }^{c,r}⟩{⟨{\psi }^{c,r}|}_{ABE},$$

(25)

where $P\left(|z⟩\right)=|z⟩⟨z|$. The A and B registers of ${|{\psi }^{c,r}⟩}_{ABE}$ are of $N_c$ qubits each.

At this point, Alice and Bob choose a random subset t of size $m_c<N_c/2$ (which may depend on $N_c$) with uniform probability $P_T\left(t\right)$ and measure their respective systems in the X basis, observing the number of errors in this test set. The remaining qubits are measured in the Z basis. Our goal is to compute the min entropy of this final Z basis measurement.

We now switch to ideal states to complete our analysis. Next, r and c are fixed. Then, using Theorem 1, we construct the ideal states $\left\{|{\varphi }^{c,r,t}⟩\right\}$, such that for every $r,c$, the following holds:

$$|{\varphi }^{c,r,t}⟩\in \mathrm{span}\left({\mathcal{G}}_t\right)\otimes {\mathcal{H}}_E=\mathrm{span}\left\{|{\varphi }_i⟩:i\in {\mathcal{A}}_4^{N_c}\mathrm{and}\frac{1}{m_c}{\#}_{1,3}\left(i_t\right){\sim }_{\delta }\frac{1}{n_c}{\#}_{1,3}\left(i_{-t}\right)\right\}\otimes {\mathcal{H}}_E$$

(26)

Also,

$$\frac{1}{2}\left|\left|\sum _t{P}_T\left(t\right)|t⟩⟨t|\otimes |{\psi }^{c,r}⟩⟨{\psi }^{c,r}|-\sum _t{P}_T\left(t\right)|t⟩⟨t|\otimes |{\varphi }^{c,r,t}⟩⟨{\varphi }^{c,r,t}|\right|\right|\le \sqrt{{ϵ}_{\delta }^{cl}}.$$

(27)

Now, using the sampling strategy discussed earlier, with error probability shown in Equation (19), and choosing $\delta$ as in Equation (23), we have $\sqrt{{ϵ}_{\delta }^{cl}}\le ϵ$. The above is true for any r and c; based on the triangle inequality, for every c, we have the following:

$$\begin{array}{cc}\hfill & \frac{1}{2}\left|\left|\sum _{r}p\left(r\right)\sum _t|t⟩⟨t|\otimes |{\psi }^{c,r}⟩⟨{\psi }^{c,r}|-\sum _{r}p\left(r\right)\sum _t|t⟩⟨t|\otimes |{\varphi }^{c,r,t}⟩⟨{\varphi }^{c,r,t}|\right|\right|\hfill \\ \hfill \le & \frac{1}{2}\sum _{r}p\left(r\right)\left|\left|\sum _t{P}_T\left(t\right)|t⟩⟨t|\otimes |{\psi }^{c,r}⟩⟨{\psi }^{c,r}|-\sum _t{P}_T\left(t\right)|t⟩⟨t|\otimes |{\varphi }^{c,r,t}⟩⟨{\varphi }^{c,r,t}|\right|\right|\le ϵ.\hfill \end{array}$$

(28)

Let $X_0=|++⟩⟨++|+|--⟩⟨--|$ be the POVM element measuring Alice and Bob’s qubit in the X basis and reporting the same result (i.e., no error); let $X_1=I-X_0$ be the same, but when Alice and Bob’s outcomes are different (i.e., an X basis error). Note that $X_1|{\varphi }_j⟩=0$ whenever $j=0,2$. Thus, $X_1$ can only be observed if $j=1,3$ (see Equation (4)).

After choosing t and measuring using POVM $\{X_0,X_1\}$, resulting in outcome $q_X\in {\{0,1\}}^{m_c}$, it is clear from Equation (26), that the post-measured state must collapse to one that may be written in the following form:

$$|{\varphi }_{q_X}^{c,r,t}⟩=\sum _{\begin{array}{c}i\in {\mathcal{A}}_4^{m_c}\\ {\#}_{1,3}\left(i\right)={\#}_1\left(q_X\right)\end{array}}p\left(i\right)P\left(\sum _{\begin{array}{c}j\in {\mathcal{A}}_4^{n_c}\\ \frac{1}{n_c}{\#}_{1,3}\left(j\right){\sim }_{\delta }\frac{1}{m_c}{\#}_{1,3}\left(i\right)\end{array}}|{\varphi }_j⟩|{\tilde{E}}_{j|i}⟩\right).$$

(29)

Alice and Bob subsequently measure their remaining particles in the Z basis leading to their raw keys. The resulting density operator is denoted with ${\sigma }_{AE}^{c,r,t}$. Using Lemma 2, along with Equation (8), we have the following:

$$H_{\infty }{\left(A\right|E)}_{{\sigma }^{c,r,t}}\ge n_c\left(1-h\left({\#}_1\left(q_X\right)+{\delta }_c\right)\right).$$

(30)

Lemma 1 and Equation (28) completes the proof. □

The actual key-rate of the TF-QKD protocol then follows immediately and is stated in the corollary below:

Corollary 1.

Let $ϵ>0$ be given. Then, except with probability ${ϵ}_{fail}=2{ϵ}^{1/3}$, if the key-length of the TF-QKD protocol is set to

$$\ell =n_c(1-h(Q_X+{\delta }_c))-{\mathtt{leak}}_{EC}-2{log}_2\frac{1}{ϵ}$$

(31)

where leak_EC is the information leaked during error correction, the final resulting key is ${ϵ}_{PA}$-secure, for ${ϵ}_{PA}=9ϵ+4{ϵ}^{1/3}$.

Proof. 

This follows immediately from Theorem 2 and Equation (7). □

We note that our key-rate above agrees asymptotically with the prior work in [19] for Π$-\mathtt{Total}$ and so our new proof above is simply an alternative method and not one that necessarily obtains higher results.

5. Evaluation

We now evaluate the key-rate assuming a lossy channel with detector mismatches and inefficiencies. In particular, each channel will have a transmittance of $\sqrt{\eta }$. We will assume, for evaluation purposes, that the server is honest, but has faulty devices. Thus, the server will perform the correct measurement; however, the detectors will have a non-zero dark count rate $p_d$ and a non-unit efficiency f. The measurement may also be misaligned in that it may report “0” when it should have, ideally, observed “1”.

To evaluate, we require certain expected values for $N_c$ along with the expected noise. Let $p\left(0\right)$ (respectively $p\left(1\right)$) be the probability that the server sends the message “0” (respectively “1”). Then, the expected value of $N_C$ is simply $N\left(p\right(0)+p(1\left)\right)$, where N is the total number of rounds Alice and Bob perform for the protocol. To find these values under our evaluation setup, we trace the protocol’s execution.

First, consider the joint state created by Alice and Bob:

$$\begin{array}{cc}\hfill & \left(\sqrt{q}{|0,v⟩}_{Aa}+\sqrt{1-q}{|1,p⟩}_{Aa}\right)\otimes \left(\sqrt{q}{|1,v⟩}_{Bb}+\sqrt{1-q}{|0,p⟩}_{Bb}\right)\hfill \\ \hfill \cong & q{|0,1,v,v⟩}_{ABab}+(1-q){|1,0,p,p⟩}_{ABab}+\sqrt{q(1-q)}({|0,0,v,p⟩}_{ABab}+{|1,1,p,v⟩}_{ABab}).\hfill \end{array}$$

(32)

The qubits are sent through a lossy channel which, as in [19]. We model a beamsplitter with transmittance $\sqrt{\eta }$; it is as follows:

$$\begin{array}{cc}\hfill BS|p⟩& =\sqrt{\eta }|p⟩+\sqrt{1-\eta }|\tilde{v}⟩\hfill \\ \hfill BS|v⟩& =|v⟩.\hfill \end{array}$$

Note that we introduced a new state $|\tilde{v}⟩$ to ensure that the above is unitary; however, $|v⟩$ and $|\tilde{v}⟩$ cannot be distinguished by the parties and will look like a vacuum in either case.

The above causes the joint state to evolve into the following:

$$\begin{array}{cc}\hfill & q|01vv⟩+(1-q)|10⟩(\eta |pp⟩+(1-\eta )|\tilde{v}\tilde{v}⟩+\sqrt{\eta (1-\eta )}(|p\tilde{v}⟩+|\tilde{v},p⟩))\hfill \\ \hfill +& \sqrt{q(1-q)}(|00⟩(\sqrt{\eta }|v,p⟩+\sqrt{1-\eta }|v,\tilde{v}⟩)+|11⟩(\sqrt{\eta }|p,v⟩+\sqrt{1-\eta }|\tilde{v},v⟩))\hfill \end{array}$$

(33)

At this point, the system enters the server’s measurement device which, before the actual measurement is performed, we model as a unitary operator C, where for any $x,y\in \{v,\tilde{v}\}$:

$$\begin{array}{cc}\hfill C|x,y⟩& =|x,y⟩\hfill \\ \hfill C|p,x⟩& =(\alpha |D_0⟩+\beta |D_1⟩)|x⟩\hfill \\ \hfill C|x,p⟩& =(\beta |D_0⟩-\alpha |D_1⟩)|x⟩\hfill \\ \hfill C|p,p⟩& =|{\psi }_2⟩\hfill \end{array}$$

Ideally, $\alpha =\beta =1/\sqrt{2}$. Note that the additional $|x⟩$ system in the above definitions are used only to ensure unitarity of C and that the server’s subsequent measurement cannot distinguish between $|v⟩$ and $|\tilde{v}⟩$. Following the application of C, the server will measure the first of the two systems in its control, thereby leading to the reported outcome. Note that, since $|v⟩$ and $|\tilde{v}⟩$ are technically indistinguishable, both observations are reported simply as a “vacuum” by the server.

Applying C to the joint state in Equation (33), but before the actual measurement, yields the following:

$$\begin{array}{cc}\hfill & q|01⟩|vv⟩+(1-q)|10⟩(\eta |{\psi }_2⟩+(1-\eta )|\tilde{v},\tilde{v}⟩\hfill \\ \hfill +& \sqrt{\eta (1-\eta )}([\alpha +\beta ]|D_0,\tilde{v}⟩+[\alpha -\beta ]|D_1,\tilde{v}⟩))\hfill \\ \hfill +& \sqrt{q(1-q)}\left(|00⟩(\sqrt{\eta }(\beta |D_0,v⟩-\alpha |D_1,v⟩)+\sqrt{1-\eta }|v,\tilde{v}⟩)\right)\hfill \\ \hfill +& \sqrt{q(1-q)}\left(|11⟩(\sqrt{\eta }(\alpha |D_0,v⟩+\beta |D_1,v⟩)+\sqrt{1-\eta }|\tilde{v},v⟩)\right)\hfill \end{array}$$

(34)

At this point, the server measures and reports the outcome. This measurement will be affected by dark counts ($p_d$) and the detector efficiency (f). For simplicity in evaluation, we will simply assume that the double-photon outcomes (namely, $|{\psi }_2⟩$) do not interfere, constructively or destructively, with the other terms in the ${|10⟩}_{AB}$ term. We will then simply assume that the probability of observing a $|D_0⟩$ in $|{\psi }_2⟩$ is $p_2^0$ and the probability of observing $|D_1⟩$ is $p_2^1$. It turns out that, since q is large generally, this term does not significantly affect the key-rate and so this assumption does not play a major role in hurting or benefiting the key-rate. From this, we obtain the following:

$$\begin{array}{cc}\hfill p\left(0\right)& =q^2\frac{p_d}{2}+{(1-q)}^2\left({\eta }^2{p}_2^0+{(1-\eta )}^2\frac{p_d}{2}+\eta (1-\eta ){(\alpha +\beta )}^{2}f\right)\hfill \\ \hfill & +q(1-q)\left(\eta {\beta }^{2}f+(1-\eta )\frac{p_d}{2}+\eta {\alpha }^{2}f+(1-\eta )\frac{p_d}{2}\right)\hfill \\ \hfill \\ \hfill & =q^2\frac{p_d}{2}+{(1-q)}^2\left({\eta }^2{p}_2^0+{(1-\eta )}^2\frac{p_d}{2}+\eta (1-\eta ){(\alpha +\beta )}^{2}f\right)\hfill \\ \hfill & +q(1-q)\left(\eta f+(1-\eta )p_d\right)\hfill \end{array}$$

(35)

Similarly, we obtain the following:

$$\begin{array}{cc}\hfill p\left(1\right)& =q^2\frac{p_d}{2}+{(1-q)}^2\left({\eta }^2{p}_2^1+{(1-\eta )}^2\frac{p_d}{2}+\eta (1-\eta ){(\alpha -\beta )}^{2}f\right)\hfill \\ \hfill & +q(1-q)\left(\eta f+(1-\eta )p_d\right)\hfill \end{array}$$

Next, we need the Z basis and X basis noise, conditioned on Alice and Bob not discarding the round, i.e., conditioned on the server sending a non-vacuum message in the Π$-\mathtt{Total}$ protocol case or conditioned on sending either “0” or “1” for the Π$-\mathtt{Zero}$ or Π$-\mathtt{One}$ protocol case. Let $Q_{Z,0}$ be the probability of a Z basis error and the server sending the message “0”. Similarly, define $Q_{Z,1}$, $Q_{X,0}$, and $Q_{X,1}$. From the above equations, the following expressions are easily found:

$$\begin{array}{cc}\hfill Q_{Z,0}& =q^2\frac{p_d}{2}+{(1-q)}^2\left({\eta }^2{p}_2^0+{(1-\eta )}^2\frac{p_d}{2}+\eta (1-\eta )f{(\alpha +\beta )}^2\right)\hfill \end{array}$$

(36)

$$\begin{array}{cc}\hfill Q_{Z,1}& =q^2\frac{p_d}{2}+{(1-q)}^2\left({\eta }^2{p}_2^1+{(1-\eta )}^2\frac{p_d}{2}+\eta (1-\eta )f{(\alpha -\beta )}^2\right)\hfill \end{array}$$

(37)

$$\begin{array}{cc}\hfill Q_{X,0}& =\frac{1}{2}{q}^2\frac{p_d}{2}+\frac{1}{2}{(1-q)}^2({\eta }^2{p}_2^0+{(1-\eta )}^2\frac{p_d}{2}+\eta (1-\eta )f{(\alpha +\beta )}^2)\hfill \\ \hfill & +\frac{1}{2}q(1-q)(\eta {(\beta -\alpha )}^{2}f+(1-\eta )\frac{p_d}{4})\hfill \end{array}$$

(38)

$$\begin{array}{cc}\hfill Q_{X,1}& =\frac{1}{2}{q}^2\frac{p_d}{2}+\frac{1}{2}{(1-q)}^2({\eta }^2{p}_2^0+{(1-\eta )}^2\frac{p_d}{2}+\eta (1-\eta )f{(\alpha -\beta )}^2)\hfill \\ \hfill & +\frac{1}{2}q(1-q)(\eta {(\alpha -\beta )}^{2}f+(1-\eta )\frac{p_d}{4})\hfill \end{array}$$

(39)

From these, the required conditional noise values may be determined for our evaluation scenario.

In our evaluations, we set $q=0.95$, which was found to be roughly the optimal value. We also set $p_2^0=p_2^1$ to be $1/2$. We found no significant affect on the key-rate for other values due to the high value of q and so we simply set this value as $1/2$. For finite key rates, we set $m_c=\sqrt{N_C}$.

To evaluate, we use Corollary 1, setting ${\mathtt{leak}}_{EC}=1.2h(Q+\delta )$, where Q is the Z basis error noise (e.g., $Q=(Q_{Z,0}+Q_{Z,1})/(p\left(0\right)+p1)$ for Π$-\mathtt{Total}$; this is similar for other protocol settings). A graph of the resulting asymptotic key-rates is shown in Figure 1 (comparing to the PLOB bound [25]). The finite key results are shown in Figure 2. Note that our key-rates agree asymptotically to previous results for the Π$-\mathtt{Total}$ version and so we do not compare them to prior works for that setting; for other settings (namely Π$-\mathtt{Zero}$ and Π$-\mathtt{One}$), we are not aware of any security proof, and so there is no comparison beyond comparing to Π$-\mathtt{Total}$.

Figure 1. (left) Asymptotic key-rate of the TF-QKD protocol version Π$-\mathtt{Total}$. Here, $(x,y,z)$ implies $p_d={10}^x$, $\alpha =\sqrt{1/2+y}$ and $f=z$. We also compared it with the PLOB bound [25]. If d is the distance to Alice and Bob, we set $\eta ={10}^{-(d/2)/10}$. (right) Asymptotic key-rate of TF-QKD protocol Π$-\mathtt{Total}$, Π$-\mathtt{Zero}$, and Π$-\mathtt{One}$. Here we set $p_d={10}^{-5}$, $\alpha =\sqrt{3/4}$, and $f=0.8$. Note that our key-rate agrees asymptotically with that from [19] for Π$-\mathtt{Total}$ and so we do not plot a comparison; we are not aware of a key-rate result for Π$-\mathtt{Zero}$ or Π$-\mathtt{One}$. We note that Π$-\mathtt{One}$ can yield strictly higher key-rates and support longer distances.

Figure 2. (left) Key-rate as a function of the number of signals (note that x-axis is log-scale). Here, $p_d={10}^{-8}$, distance is 25 km; $\alpha =\sqrt{3/4}$; and $f=0.8$; (right) Finite key-rate as a function of distance; here, we use the same parameters as in the left figure, but with $N={10}^{15}$. Again, we note that Π$-\mathtt{One}$ can outperform the other two protocol modes of operation.

5.1. A Discussion on the Asymmetric Nature of the Protocol

It is worth taking a closer look as to why Π$-\mathtt{Zero}$ and Π$-\mathtt{One}$ perform differently from the standard version Π$-\mathtt{Total}$. First, consider Equations (36) and (37). Note that, even under ideal conditions of $p_d=0$, $f=1$, and $\alpha =\beta =1/\sqrt{2}$ (which is what would be expected if all devices were perfect and there were simply natural loss $\eta$), for any $\eta >0$, it holds that $Q_{Z,1}<Q_{Z,0}$. Similarly, $Q_{X,1}<Q_{X,0}$. The same inequalities hold for imperfect devices (i.e., when $p_d>0$ and $f<1$). This can be seen more clearly in Figure 3. Thus, anytime the server sends message 0, there is actually a greater chance of error than in the case of message 1. Therefore, under most conditions and under this channel scenario, discarding all messages of 0 actually improves the performance of the system. The users may decide, after measuring the channel statistics, to determine which mode of operation to perform; thus, the users can always optimize their choice of protocol after the quantum data have been transmitted and can therefore always choose the mode that will return the higher number of key-bits. It would be interesting to analyze these three protocols under other channel scenarios, beyond depolarizing. Note that our security proof can handle any channel scenario; however, we chose only depolarization channels for our evaluations in this section.

Figure 3. Showing the total Z basis error rate for Π$-\mathtt{Zero}$ (top), Π$-\mathtt{Total}$ (middle) and Π$-\mathtt{One}$ (bottom). Lower is better as it indicates less raw key error. The asymmetric nature of the protocol causes there to be fewer errors when the server sends message 1. See text for further discussion.

6. Closing Remarks

In this paper, we revisited a TF-QKD protocol introduced in [19] and derived a new proof of security for it. Our new proof uses methods from quantum sampling techniques [29]. While our new proof agrees with prior works and does not show higher key-rates compared to them, we still feel that alternative proof techniques are interesting and important. We also investigated two slight variants of the protocol and showed how they can lead to improved key-rates in some scenarios.

Many interesting future problems remain. It would be fruitful to further explore the two variants and see if additional improvements can be made. Furthermore, a finite key proof using decoy-state methods (using our sampling-based proof approach) would be interesting, especially for Π$-\mathtt{Zero}$ and Π$-\mathtt{One}$. Adapting our proof technique to other TF-QKD protocols would also be very interesting; a particular candidate to start with would be the sending or not-sending (SNS) TF-QKD protocol [31] due to its similar encoding mechanism. Also, it would be interesting to discover whether or not asymmetric protocols (similar to Π$-\mathtt{Zero}$ and Π$-\mathtt{One}$ analyzed in this work) can be defined and shown to be more efficient for such protocols like the SNS TF-QKD mechanism.

Also, leading into more practical device considerations, it is known that for single-photon interference protocols (such as the TF protocol discussed in this paper), there are still challenges with matching the mode of the photon and detector, which ultimately affects the protocol’s performance [38]. Such issues must be considered in future works to address applicability issues of the protocol.