As is known, numerous quantum key distribution (QKD) protocols are available today that guarantee particularly high levels of security at the theoretical level.
For example the so-called BB84 protocol is known, which was described for the first time by C. H. Bennett and G. Brassard in “Quantum cryptography: Public key distribution and coin tossing”, Proc. of the IEEE Int. Conf. on Computers, Systems & Signal Processing, Bangalore, India, Dec. 10-12, 1984, pp. 175-179.
Another example of a quantum key distribution system is shown in FIG. 1; in particular, FIG. 1 shows a quantum key distribution system (indicated by reference numeral 1) of the measurement device independent type (measurement device independent quantum key distribution—MDI-QKD), which for brevity shall be referred to hereinafter as the distribution system 1.
The distribution system 1 includes a first, a second and a third communications device A, B and C.
The first communications device A comprises a first optical source 2, a first polarization modulator 4, a first variable optical attenuator (VOA) 6 and a first polarization state generator 8.
In use, the first optical source 2 generates a plurality of optical pulses, also referred to as first-source pulses, which are received by the first polarization modulator 4, Which in turn is controlled by the first polarization state generator 8. In practice, each first-source-pulse output from the first polarization modulator 4 has a polarization state that depends on the first polarization modulator 4; furthermore, each first-source pulse is then attenuated in a controllable manner by the first variable optical attenuator 6.
The second communications device B comprises a second optical source 12, a second polarization modulator 14, a second variable optical attenuator (VOA) 16 and a second polarization state generator 18.
In use, the second optical source 12 generates a plurality of optical pulses, also referred to as second-source pulses, which are received by the second polarization modulator 14, which in turn is controlled by the second polarization state generator 18. In practice, each second-source pulse output from the second polarization modulator 14 has a polarization state that depends on the second polarization modulator 14; furthermore, each second-source pulse is then attenuated in a controllable manner by the second variable optical attenuator 16.
The first and second source pulses output from the first and second variable optical attenuators 6 and 16, are received by the third communications device C. To that end, the first and second communications devices A and B are optically connected to the third communications device C by, respectively, a first and a second communications channel 20 and 22, also known as quantum channels. Furthermore, a public channel 30 is present between the first, second and third communications devices A, B and C.
The first and second source pulses are weak coherent pulses (WCP) and are respectively generated by the, first and second optical sources 2 and 12, which are formed by corresponding laser diodes.
In greater detail, the first and second polarization state generators 8 and 18 operate randomly and therefore the first and second source pulses are randomly polarization encoded. More in particular, each of the first and second polarization state generators 8 and 18 randomly switches between a first and a second system of polarization bases of the Hilbert space, generally known as the system of rectilinear bases (for brevity, also known as the rectilinear basis) and the system of diagonal bases (for brevity, also known as the diagonal basis). The system of rectilinear bases is formed by the vertical polarization state |V (also known as the vertical basis) and the horizontal polarization state |H (also known as the horizontal basis), while the system of diagonal bases is formed by the +45° and −45° polarization states, also known as the +45° basis and −45° basis.
In practice, each optical pulse emitted by the first and second optical sources 2 and 12 is polarization modulated as a function of the system of bases chosen by the corresponding polarization state generator, as well as by the corresponding bit generated by the latter; furthermore, the corresponding variable optical attenuator sets the average number of photons of each optical pulse.
The first and the second communications channels 20 and 22 are formed, for example, by corresponding fibre optic spans and are such that the first-source pulses and the second-source pulses reach the third communications device C in a substantially synchronized manner.
The third communications device C is able to perform a so-called Bell measurement on the received photons and publicly announce the results of the measurement. In other words, the third communications device C is a Bell state analyzer (BSA). To that end, as shown in FIG. 2, the third communications device C comprises a first, a second and a third optical beam splitter 31, 32 and 34.
The first optical beam splitter 31 is of the non-polarizing type and also of the so-called 50/50 type; in addition, the first optical beam splitter 31 has two inputs and is able to receive pulse pairs, each pulse pair being formed by a respective first-source pulse, received on a first input, and a respective second-source pulse, received on a second input.
The first optical beam splitter 32 has a first and a second output, which are optically connected to the inputs of the second and third optical beam splitters 32 and 34, respectively, which are of the polarizing beam splitter (PBS) type, each one having a respective pair of outputs. In particular, a first and second output of the second optical beam splitter 32 are optically connected to a first and a second optical detector 40 and 42, respectively, while a first and a second output of the third optical beam splitter 34 are optically connected to a third and a fourth optical detector 44 and 46, respectively. Each one of the first, second, third and fourth optical detectors 40-46 is a so-called single-photon detector, such as a single-photon avalanche photodiode (SPAR) for example.
The polarization states, and in particular the corresponding angles, refer to the optical axes of the second and third optical beam splitters 32 and 34.
That having been said, the. Bell measurements of the third communications device C can be due to single detections of one or more photons that only reach one of the first, second, third and fourth optical detectors 40-46, in which case the Bell measurements are unusable, or coincident detections by two of the first, second, third and fourth optical detectors 40-46, in which case the Bell measurements are used. In this regard, individual detections are unusable because known types of detectors are unable to discriminate the number of photons per unit time; conversely, coincident detections are useful for the purposes of protocol implementation, because each of them indicates a projection of photons on the symmetric or antisymmetric subspace. For these reasons, except where specified otherwise, the term “Bell measurement” generally implies reference to a coincident detection; furthermore, coincident detections are also known as coincidence counts, implying that the detections refer to an observation time window, which can be taken as the unit of time.
Still more particularly, the third communications device C enables discriminating between the Bell states |ψ− and |ψ+, i.e. between the singlet polarization state (|eo−|oe/√{square root over (2)}) and the triplet polarization state (|eo+|oe/√{square root over (2)}). In particular, a coincidence count c1e2o or c2e1o means than the projection took place on the singlet's antisymmetric subspace; furthermore, a coincidence count c1e1o or c2e2o means than the projection took place on the triplet's symmetric subspace. For practical purposes, the Bell state |ψ+ is detected in the case of a coincidence count that involves the first and, fourth optical detectors 40 and 46, or the second and third optical detectors 42 and 44; conversely, the Bell state |ψ− is detected in the case of a coincidence count that involves the first and second optical detectors 40 and 42, or the third and fourth optical detectors 44 and 46. The results of the Bell measurements made by the third communications device C, depending on the polarization states at input of the same communications device, are listed in the table shown in FIG. 3, which refers both to the ideal case of entangled photons and to the real case of weak coherent pulses.
In detail, if the first and second communications devices A and B transmit orthogonal polarizations in the rectilinear basis, the third communications device C detects state |ψ− or |ψ+; in consequence, the first and second communications devices A and B perform a so-called “bit-flip” to correlate their bits, associated with the transmitted polarizations. Conversely, if the first and second communications devices A and B use the diagonal basis, the bit-flip operation is only performed if the third communications device C detects state |ψ−.
In greater detail, the first and second communications devices A and B communicate the systems of bases they use to each other over the public channel 30. In turn, as previously mentioned, the third communications device C communicates the Bell measurements it has obtained to the first and second communications devices A and B over the public channel 30.
In the process of generating the key, the first and second communications devices A and B discard measurements made on signals encoded with discordant polarization states and only keeps measurements made on signals encoded with concordant polarization states; furthermore, the bits kept and obtained with the rectilinear basis are used for the generation of the key, while the bits kept and obtained with the diagonal basis are used, for example, to evaluate the so-called quantum bit error rate (QBER) and the so-called channel gain.
In practice, given a set of bits determined by one of the first and second communications devices A and B, the set of bits obtained with the rectilinear bases and the same polarization states defines a corresponding raw key, also known as a “sifted key”. Furthermore, the raw keys generated by the first and second communications devices A and B should be the mutual negation of each other, and so be equal, apart from the above-mentioned bit-flip process, which is a logical negation process. As this process of logical negation is considered implicit, in the jargon, it is said that, ideally, the raw keys generated, by the first and second communications devices A and B should coincide.
In reality, the two raw keys do not coincide, owing to the non-ideality of the distribution system 1, and also as a result of possible eavesdropping perpetrated by an unauthorized third, party. Therefore, after having generated the raw keys, the first and second communications devices A and B perform two further steps, which result in the generation of a single cryptographic key. These further steps of the BB84 protocol are respectively known as key reconciliation and privacy amplification, and were described for the first time by C. H. Bennett, F. Bessette, G. Brassard, L. Salvail and J. Smolin in “Experimental Quantum Cryptography”, Journal of Cryptology, vol.5, n.1, 1992, pp. 3-28.
In particular, in the key reconciliation step (also known as the error correction step), the first and second communications devices A and B correct the errors present in the two raw keys, so as to generate a reconciled key, identical for both of them.
In detail, in the key reconciliation step, the first and second communications devices A and B exchange information useful for correcting the errors present in the raw keys over the public channel 30, minimizing the information transmitted with respect to each raw key.
At the end of the information reconciliation step, the first and second communications devices A and B have a same reconciled key.
Subsequently, in the privacy amplification step and on the basis of the reconciled key, the first, and second communications devices A and B generate a secure key, which can at last be used by the first and second communications devices A and B, or by the respective users, to initiate a secure communication session, for example via the public channel 30. The described operations are then repeated, periodically for example, to determine new secure keys, for new communication sessions.
In general, the steps of key reconciliation and privacy amplification reduce the efficiency of secure key generation and, in particular, the so-called key generation rate per pulse.
In this regard, the notation Qrectn,m, Qdiagn,m, erectn,m ediagn,m is usually adopted to indicate, respectively, the gains and the QBERs of the signal states sent by the first and second communications devices A and B; according to this notation, n and m indicate the average numbers of photons transmitted respectively by the first and second communications devices A and B, while rect and diag respectively identify the rectilinear basis and the diagonal basis. Independently of the notation, in the case of mutually equal rectilinear polarization states, an error corresponds to detection by the third communications device C of the state |ψ− or |ψ+. Furthermore, ideally, erectn,m is null for all values of n and m; therefore, ideally, the error correction step is unnecessary.
In reality, as previously mentioned, errors do occur, and therefore the steps of error correction and privacy amplification are performed. In particular, the measurements obtained by the third communications device C with diagonal bases are used to determine the characteristics and extent of the privacy amplification operations. In this case, an error corresponds to projection in the singlet state, if the first and second communications devices A and B have generated the same polarization state, or in the triplet state, if the first and second communications devices A and B have generated orthogonal polarization states. Ideally, ediag1,1=0 is found, because, when two identical photons reach the first optical beam splitter 31, the Hong-Ou-Mandel effect ensures that both photons exit on the same output.
In the light of the foregoing, the key generation rate is, ideally, equal to Qrect1,1, in the asymptotic limit of an infinitely long key. In reality, considering the non-idealities, the key generation rate is equal to:R=Qrect1,1[1−H(ediag1,1)]−Qrectf(Erect)H(Erect)where Qrect and Erect respectively, indicate the gain and the QBER when the first and second communications devices A and B both use the rectilinear basis, namely:
            Q      rect        =                  ∑                  n          ,          m                    ⁢                          ⁢              Q        rect                  n          ,          m                      and            E      rect        =                  ∑                  n          ,          m                    ⁢                          ⁢                        Q          rect                      n            ,            m                          ⁢                              e            rect                          n              ,              m                                /                      Q            rect                              while f(Erect)>1 is a function that allows for the inefficiency of the error correction process; finally, H(x)=−xlog(x)−(1−x)−xlog(1−x), which is the binary Shannon entropy function. It has also been implicitly assumed that the so-called decoy states method can be used for determining the values of gain Qrect1,1 and error ediag1,1.
In this regard, hereinafter it is assumed that the first, second, third and fourth optical detectors 40-46 have the same level of noise, or rather that they have the same dark count and the same detection efficiency. It is also assumed that the dark counts are independent of the received optical pulses and also that the first and second communications channels 20 and 22 are formed by corresponding fibre optic spans with attenuation, at the wavelength of the first and second source pulses, of 0.2 dB/km. The following is also assumed:                f(Erect)=1.16;        intrinsic error rate due to misalignment and instability of the distribution system equal to 1.5%;        detection efficiency of the optical detectors and transmittance of optical components equal to 15%;        background counts rate, inclusive of the so-called dark counts and contributions due to so-called stray light, equal to 6.02*10−6.        
That having been said, FIG. 4 shows, with a. broken line, the lower limit of the key generation rate R that characterizes distribution system 1 in the case of weak coherent pulses. In addition, FIG. 4 shown, with an unbroken line, the lower limit of the key generation rate R that characterizes distribution system 1 in the case where the first and second communications devices A and B generate pairs of two-photon entangled states, such as in the case, for example, in which the pairs of photons are generated by spontaneous parametric down conversion (SPDC) of a source interposed between the first and second communications devices A and B. In practice, SPDC sources are still technologically limited at present, and so the effective value of the key generation rate R is less than that shown by the unbroken line in FIG. 4.
For practical purposes, FIG. 4 shows that the key generation rate R that can be obtained in the case of weak coherent pulses is comparable to that obtained through the generation of entangled states. Furthermore, the distribution system 1 can tolerate high optical losses, in the order of 40 dB (corresponding to a distance of approximately 200 km) when the third communications device C is placed in the middle between the first and second communications devices A and B.
Based on what has been described, it is evident how the practical implementation of a cryptographic key distribution scheme entails certain limitations with respect to theory, even in the absence of eavesdropping. In particular, the fact that the signals emitted by the sources are not single-photon states, but weak coherent pulses with an average number of photons typically greater than or equal to 0.1, entails risk for protocol security and a reduction in the key generation rate R and the useful distance for key generation, intended as the sum of the distances of the first and second communications channels 20 and 22. In fact, since some pulses contain multiple photons with a same polarization state, it is possible that a third party who wishes to intercept the cryptographic key could operate without the limitations imposed by the no-cloning theorem, as some pulses contain multiple copies of a same item of information. In particular, a third party, known in the jargon as Eve, could implement a so-called photon number splitting (PNS) attack on the multiphoton pulses. Thus, Eve could block the single-photon pulses and split the multiphoton pulses, keeping a copy for herself and sending the remaining part to the third communications device C. This attack enables Eve to obtain all of the information regarding the part of the key generated with multiphoton pulses, without introducing any polarization disturbance.
In addition, as previously mentioned, further causes that result in a reduction in the key generation rate R or, for the same key generation rate R, in the maximum reachable distance, originate from the non-ideality of the optical detectors, as well as from the difference that exists between the alignment between the first and third communications devices A and C, and the alignment between the second and third communications devices B and C.
The foregoing reasoning regarding the reduction in the key generation rate R also applies to cryptographic key distribution systems in which the optical pulses are phase encoded instead of polarization encoded, as described, for example, in Physical Review A 86, 062319 (2012), “Alternative schemes for measurement-device-independent quantum key distribution”, by Xiongfeng Ma et al., and in Physical Review Letters 108, 130503 .(2012), “Measurement-Device-Independent Quantum Key Distribution”, by Hoi-Kwong Lo et al., or in systems that envisage conversion from phase encoding to polarization encoding.