Multi-mode plug-and-play dual-phase-modulated continuous-variable quantum key distribution

Abstract

We propose a multi-mode plug-and-play dual-phase-modulated continuous-variable (CV) quantum key distribution (QKD) protocol where Bob prepares independent and identically distributed dual-phase-modulated coherent states in multiple independent modes and Alice uses a conventional noisy, coherent detector to perform homodyne detection. Benefiting from the plug-and-play configuration, our protocol waives the necessity of propagation of a local oscillator (LO) between trusted parties and generates a real local LO for coherent detection. Therefore, the proposed protocol can effectively against the LO-aimed attacks. Moreover, we obtain enhancement in signal-to-noise ratio thanks to multi-mode coherent states. Simulation results show the performance of our protocol outperforms that of the single-mode plug-and-play dual-phase-modulated CV-QKD protocol. In addition, the performance of the proposed scheme is enhanced with the increased signal modes. Furthermore, we take the finite-size effect and composable security into consideration and thus obtain more practical results than those achieved in the asymptotic limit.

Appendices

Appendix A: Calculation of asymptotic secret key rate of multi-mode plug-and-play DPMCS protocol

We now perform the calculation of asymptotic secret key rate of our multi-mode plug-and-play DPMCS protocol. In the case of reverse reconciliation, the asymptotic secret key rate under collective attack is given by

$$\begin{aligned} K^{n}_{asy}=\beta I^{n}(A:B)-\chi (A:E), \end{aligned}$$

(8)

where \(I^{n}(A:B)=\frac{1}{2}\mathrm{log}_{2}(1+\mathrm{SNR}_{n})\) represents the mutual information between Alice and Bob and \(\mathrm{SNR}_{n}\) has been analyzed in Eq. (6), \(\chi (A:E)\) represents the maximum information available to Eve on Alice’s key, and \(\beta \) represents the efficiency of the reconciliation algorithm.

The channel transmittance is described as \(T=10^{\frac{-\gamma d}{10}}\) under the assumption that the quantum channel between Alice and Bob is telecom fiber, parameters \(\gamma \) and d stand for an attenuation coefficient and the fiber length in kilometers, respectively.

In order to estimate \(\chi (A:E)\), the realistic noise model is adopted where Eve cannot control the loss inside Alice’s system, and the detector noise from Alice can be deemed to be trusted [9], which has been utilized widely in CV-QKD experiments [19, 21, 48]. Based on this model, \(\chi (A:E)\) can be given by

$$\begin{aligned} \chi (A:E)=\sum ^{2}_{i=1}G(\frac{\lambda _{i}-1}{2})-\sum ^{5}_{i=3}G(\frac{\lambda _{i}-1}{2}), \end{aligned}$$

(9)

where \(G(x)=(x+1)\mathrm{log}_{2}(x+1)-x\mathrm{log}_{2}x\).

$$\begin{aligned} \lambda ^{2}_{1,2}=\frac{1}{2}[\varDelta \pm \sqrt{\varDelta ^{2}-4D}], \end{aligned}$$

(10)

where

$$\begin{aligned} \varDelta&=V^{2}(1-2T)+2T+T^{2}(V+\chi _{\mathrm{line}})^{2}, \nonumber \\ D&=T^{2}(V\chi _{\mathrm{line}}+1)^{2}. \end{aligned}$$

(11)

$$\begin{aligned} \lambda ^{2}_{3,4}&=\frac{1}{2}[A \pm \sqrt{A^{2}-4B}], \end{aligned}$$

(12)

where

$$\begin{aligned} A&=\frac{1}{T(V+\chi _{\mathrm{tot}})}[\varDelta \chi _{\mathrm{hom}}+V\sqrt{D}+T(V+\chi _{\mathrm{line}})],\nonumber \\ B&=\frac{\sqrt{D}V+D\chi _{\mathrm{hom}}}{T(V+\chi _{\mathrm{tot}})}, \end{aligned}$$

(13)

$$\begin{aligned} \lambda _{5}&=1. \end{aligned}$$

(14)

Appendix B: Finite-size secret key rate of multi-mode plug-and-play DPMCS protocol

For the proposed multi-mode plug-and-play DPMCS protocol, the finite-size secret key rate is given by

$$\begin{aligned} K^{n}_{fini}=\frac{m}{M}[\beta I^{n}(A:B)-\chi _{\epsilon _{\mathrm{PE}}}(A:E)-\varDelta (m)] \end{aligned}$$

(15)

where \(\beta \) and \(I^{n}(A:B)\) have been defined above. m represents the number of signals which is utilized to share key between Alice and Bob and M represents the total exchanged signals. Then, the remained signals \(h=M-m\) is utilized to perform parameter estimation. \(\epsilon _{\mathrm{PE}}\) denotes the failure probability of parameter estimation. Parameter \(\varDelta (m)\) is related to the security of the privacy amplification, which is given by

$$\begin{aligned} \varDelta (m)=(2\mathrm{dim}\varPi _{A}+3)\sqrt{\frac{\mathrm{log}_{2}(2/\bar{\epsilon })}{m}}+\frac{2}{m}\mathrm{log}_{2}(1/\epsilon _{\mathrm{PA}}), \end{aligned}$$

(16)

where \(\bar{\epsilon }\) stands for the smoothing parameter, \(\epsilon _{\mathrm{PA}}\) stands for the failure probability of privacy amplification, and the Hilbert space corresponding to the Alice’s raw key is represented by \(\mathrm{dim}\varPi _{A}\). Here, \(\mathrm{dim}\varPi _{A}\) is set to be 2 due to that the raw key is usually encoded on binary bits.

Note that it is necessary to compute \(\chi _{\epsilon _{\mathrm{PE}}}(A:E)\) in parameter estimation procedure with the help of the covariance matrix \(\varXi _{\epsilon _{\mathrm{PE}}}\). This covariance matrix can minimize the finite-size secret key rate with a probability of \(1-\epsilon _{\mathrm{PE}}\). By using h couples of correlated variables \((x_{j},y_{j})_{j=1\ldots h}\), we can calculate the covariance matrix \(\varXi _{\epsilon _{\mathrm{PE}}}\). Consequently, we need to sample h couples of correlated variables \((x_{j},y_{j})_{j=1\ldots h}\) and use a normal model for these correlated variables to link Alice’s and Bob’s data, which is given by

$$\begin{aligned} y=\delta x+z, \end{aligned}$$

(17)

where \(\delta =\sqrt{T}\) and z follows a centered normal distribution with variance \(\omega ^{2}=1+T\xi _{t}\). Then, the covariance matrix \(\varXi _{\epsilon _{\mathrm{PE}}}\) can be expressed as

$$\begin{aligned} \varXi _{\epsilon _{\mathrm{PE}}}=\left( \begin{array}{cc} (V_{B}+1)I_{2} &{} \delta _{\mathrm{min}}Z\sigma _{z} \\ \delta _{\mathrm{min}}Z\sigma _{z}&{} (\delta ^{2}_{\mathrm{min}}V_{B}+\omega ^{2}_{\mathrm{max}})I_{2}\\ \end{array} \right) , \end{aligned}$$

(18)

where \(\delta _{\mathrm{min}}\) and \(\omega ^{2}_{\mathrm{max}}\) represent the minimum of \(\delta \) and maximum of \(\omega ^{2}\) compatible with sampled couples except with probability \(\epsilon _{\mathrm{PE}}/2\), and \(Z=\sqrt{V^{2}_{B}+2V_{B}}\). Then, the Maximum-likelihood estimators \(\hat{\delta }\) and \(\hat{\omega }^{2}\) are, respectively, given by

$$\begin{aligned} \hat{\delta }=\frac{\sum ^{h}_{j=1}x_{j}y_{j}}{\sum ^{h}_{j=1}x^{2}_{j}} \quad and \quad \hat{\omega }^{2}=\frac{1}{h}\sum ^{h}_{j=1}(y_{j}-\hat{\delta }x_{j})^{2}. \end{aligned}$$

(19)

Besides, \(\hat{\delta }\) and \(\hat{\omega }^{2}\) follow the distributions

$$\begin{aligned} \hat{\delta }\sim N(\delta ,\frac{\omega ^{2}}{\sum ^{h}_{j=1}x^{2}_{j}}) \quad and \quad \frac{h\hat{\omega }^{2}}{\omega ^{2}}\sim \chi ^{2}(h-1), \end{aligned}$$

(20)

which indicates that \(\hat{\delta }\) and \(\hat{\omega }^{2}\) are independent for each other. Because parameters \(\delta \) and \(\omega ^{2}\) shown in Eq. (20) are true values, we can write the expressions of \(\hat{\delta }\) and \(\hat{\omega }^{2}\), which are

$$\begin{aligned} \begin{aligned} \delta _{\mathrm{min}}&\approx \hat{\delta }-z_{\epsilon _{\mathrm{PE}}/2}\sqrt{\frac{\hat{\omega }^{2}}{hV_{B}}}, \\ \omega ^{2}_{\mathrm{max}}&\approx \hat{\omega }^{2}+z_{\epsilon _{\mathrm{PE}}/2} \frac{\sqrt{2} \hat{\omega }^{2}}{\sqrt{h}}, \end{aligned} \end{aligned}$$

(21)

where \(z_{\epsilon _{\mathrm{PE}}/2}\) is such that \(1-erf(z_{\epsilon _{\mathrm{PE}}/2}/\sqrt{2})/2=\epsilon _{\mathrm{PE}}/2\), and \(erf(x)=\frac{2}{\sqrt{\pi }}\int ^{x}_{0}e^{-t^{2}}dt\) represents error function. Based on the expected values of \(\hat{\delta }\) and \(\hat{\omega }^{2}\), which are given by \(E[\hat{\delta }]=\sqrt{T}\) and \(E[\hat{\omega }^{2}]=1+T\xi _{t}\), \(\hat{\delta }\) and \(\hat{\omega }^{2}\) are expressed as

$$\begin{aligned} \begin{aligned} \delta _{\mathrm{min}}&\approx \sqrt{T}-z_{\epsilon _{\mathrm{PE}}/2}\sqrt{\frac{1+T\xi _{t}}{hV_{B}}}, \\ \omega ^{2}_{\mathrm{max}}&\approx 1+T\xi _{t}+z_{\epsilon _{\mathrm{PE}}/2} \frac{\sqrt{2}(1+T\xi _{t})}{\sqrt{h}}. \end{aligned} \end{aligned}$$

(22)

It is noteworthy that we can choose the optimal value of the error probabilities as

$$\begin{aligned} \bar{\epsilon }=\epsilon _{\mathrm{PE}}=\epsilon _{\mathrm{PA}}=10^{-10}. \end{aligned}$$

(23)

Therefore, we can obtain the finite-size secret key rate of multi-mode plug-and-play DPMCS protocol by utilizing the derived bound \(\delta _{\mathrm{min}}\) and \(\omega ^{2}_{\mathrm{max}}\).

Appendix C: Multi-mode plug-and-play DPMCS protocol in composable security

Here, we calculate the secret key rate of the proposed multi-mode plug-and-play DPMCS protocol in composable security framework. According to Ref. [13], the proposed multi-mode plug-and-play DPMCS protocol is \(\epsilon \)-secure against collective attacks if \(\epsilon =2\epsilon _{sm}+\bar{\epsilon }+\epsilon _{\mathrm{PE}}/\epsilon +\epsilon _{\mathrm{cor}}/\epsilon +\epsilon _{\mathrm{ent}}/\epsilon \) and if the length of final key m is chosen such that

$$\begin{aligned} m\le 2M \hat{H}_{\mathrm{MLE}}(U)-MF(\varTheta ^{\mathrm{max}}_{a}, \varTheta ^{\mathrm{max}}_{b}, \varTheta ^{\mathrm{max}}_{c})-\mathrm{leak}_{\mathrm{EC}}-\varDelta _{\mathrm{AEP}}-\varDelta _{\mathrm{ent}}-2\mathrm{log}\frac{1}{2\bar{\epsilon }}, \end{aligned}$$

(24)

where \(\hat{H}_{\mathrm{MLE}}(U)\) represents the empiric entropy of U, \(F(\varTheta ^{\mathrm{max}}_{a}, \varTheta ^{\mathrm{max}}_{b}, \varTheta ^{\mathrm{max}}_{c})\) stands for the function computing the Holevo information between Eve and Alice, and

$$\begin{aligned}&\varDelta _{\mathrm{AEP}}=\sqrt{2m}[(d_{0}+1)^{2}+4(d_{0}+1)\mathrm{log}_{2}(2/\epsilon ^{2}_{sm})+2\mathrm{log}_{2}(2/\epsilon ^{2}\epsilon _{sm})]+4\epsilon _{sm}d_{0}/\epsilon , \end{aligned}$$

(25)

$$\begin{aligned}&\varDelta _{\mathrm{ent}}=\mathrm{log}_{2}(1/\epsilon )+\sqrt{4m \mathrm{log}^{2}_{2}(2m)\mathrm{log}(2/\epsilon _{sm})}. \end{aligned}$$

(26)

In the following, we analyze the secret key rate of the multi-mode plug-and-play DPMCS protocol in composable security framework. The following model is taken advantage of for the error correction

$$\begin{aligned} \beta I^{n}(A:B)=2\hat{H}_{\mathrm{MLE}}(U)-\frac{1}{2m}\mathrm{leak}_{\mathrm{EC}}, \end{aligned}$$

(27)

where \(\beta \) represents reconciliation efficiency and \(I^{n}(A:B)\) stands for the mutual information between Alice and Bob in multi-mode plug-and-play DPMCS protocol. For our protocol, we have

$$\begin{aligned} I^{n}(A:B)&=\frac{1}{2}\mathrm{log}_{2}(1+\mathrm{SNR}_{n}) \end{aligned}$$

(28)

$$\begin{aligned}&=\frac{1}{2}\mathrm{log}_{2}\left[ 1+\frac{V_{B}}{1+\chi _{\mathrm{tot}}/n+(\psi +\xi )(n-1)/n}\right] . \end{aligned}$$

(29)

What is more, the robustness of our protocol is chosen \(\epsilon _{\mathrm{rob}}\le 10^{-2}\), which can be achieved when the probability of parameter estimation is at least 0.99. Based on this, the values of random variables ||X||, ||Y|| and \(\langle X,Y\rangle \) satisfy the following restraints

$$\begin{aligned} ||X||^{2}&\le 2m (V_{B}+1)+3\sqrt{4m (V_{B}+1)}, \end{aligned}$$

(30)

$$\begin{aligned} ||Y||^{2}&\le 2m (V^{n}_{A}+1)+3\sqrt{4m (V^{n}_{A}+1)},\end{aligned}$$

(31)

$$\begin{aligned} \langle X,Y\rangle&\ge 2m C^{n}_{BA}-3\sqrt{m(V_{B}-1)(\eta T \chi _{\mathrm{tot}}/n+1)}, \end{aligned}$$

(32)

where \(C^{n}_{BA}\) represents the correlation between Bob’s and Alice’s data after channel in our protocol. Using these bound, we can achieve

$$\begin{aligned} \varTheta ^{\mathrm{max}}_{a}&=\frac{1}{M}[1+2\sqrt{\frac{\mathrm{log}(36/\epsilon _{\mathrm{PE}})}{m}}]||X||^{2}-1,\end{aligned}$$

(33)

$$\begin{aligned} \varTheta ^{\mathrm{max}}_{b}&=\frac{1}{M}[1+2\sqrt{\frac{\mathrm{log}(36/\epsilon _{\mathrm{PE}})}{m}}]||Y||^{2}-1,\end{aligned}$$

(34)

$$\begin{aligned} \varTheta ^{\mathrm{max}}_{c}&=\frac{1}{M}\langle X,Y\rangle -5\sqrt{\frac{\mathrm{log}(8/\epsilon _{\mathrm{PE}})}{m^{3}}}(||X||^{2}+||Y||^{2}). \end{aligned}$$

(35)

Finally, the secret key rate of our protocol can be calculated in composable security framework as follows:

$$\begin{aligned} K^{n}_{comp}=(1-\epsilon _{\mathrm{rob}})[\beta I^{n}(A:B)-F(\varTheta ^{\mathrm{max}}_{a}, \varTheta ^{\mathrm{max}}_{b}, \varTheta ^{\mathrm{max}}_{c})-\frac{1}{M}(\varDelta _{\mathrm{AEP}}+\varDelta _{\mathrm{ent}}+2\mathrm{log}_{2} \frac{1}{2\bar{\epsilon }})]. \end{aligned}$$

(36)

It is worth mentioning that the parameters shown above are set

$$\begin{aligned} \epsilon _{sm}=\bar{\epsilon }=10^{-21}, \epsilon _{\mathrm{PE}}=\epsilon _{\mathrm{cor}}=\epsilon _{\mathrm{ent}}=10^{-41} \end{aligned}$$

(37)

in order to be \(\epsilon \) secure against collective attacks with \(\epsilon =10^{-20}\).