QKD with source flaws and tight finite-key...

Experimental QKD with source

flaws and tight finite-key analysis

Feihu Xu1, Shihan Sajeed2, Sarah Kaiser2, Zhiyuang Tang3,

Li Qian1, Vadim Makarov2, Hoi-Kwong Lo1,3

1Dept. of Electrical & Computer Engineering, University of Toronto 2Institute for Quantum Computing, University of Waterloo 3Dept. of Physics, University of Toronto

arXiv: 1408.3667 (2014)

QCrypt 2014, Telecom ParisTech, Sep. 2nd (2014)

1

ALICE BOB

Coherent source Imperfect detector

EVE

Why is QKD under attack?

Security proof = Physics + “Theoretical” models!

Quantum hacking experiments

2

Attack Component Target

Time-shift Detector Measurement Y. Zhao et al., Phys. Rev. A 78, 042333 (2008)

Phase-remapping Phase modulator Source F. Xu et al., New J. Phys. 12, 113026 (2010)

Detector blinding Detector Measurement L. Lydersen et al., Nat. Photonics 4, 686 (2010)

Channel calibration Detector Measurement N. Jain et al., Phys. Rev. Lett. 107, 110501 (2011)

Detector deadtime Detector Measurement

H. Weier et al., New J. Phys. 13, 073024 (2011)

Device calibration Local oscilllator Measurement P. Jouguet et al., Phys. Rev. A 87, 062313 (2013)

Laser damaging Detector Measurement A. Bugge et al., Phys. Rev. Lett. 112, 070503 (2014)

MDI-QKD makes QKD Safe Again 29 August 2013 3:00 pm

3

…. physicists have demonstrated how to close a

technological loophole that could have left secrets

open to eavesdroppers …

[See Thur. tutorial for the details on measurement-device-independent QKD]

What’s left for Eve is only the source!

H.-K. Lo, M. Curty and B. Qi, Phys. Rev. Lett. 108, 130503 (2012).

Outline

4

1. Source flaws and loss-tolerant protocol

2. Finite-key analysis and decoy-state method

3. Experimental study

4. Summary

Examples on QKD experiments

5

Question: Are there any security problems in the source?

Problem with previous experiments

6

Previous experiments do not consider source flaws.

• Perfect phase: {0, π/2, π, 3π/2}

• Perfect polarization: {H, D, V, A}

But, in experiment, we have…

• {0±δ0, π/2±δ1, π±δ2, 3π/2±δ3}

• {H±δ’0, D±δ’1, V±δ’2, A±δ’3}

Phase Modulator

Owing to source flaws, key may not be proven secure!

Our major contributions

7

1. We implement the first QKD experiment that considers

source flaws (including modulation flaws).

2. Our decoy implementation achieves tight finite-key security

bounds against general quantum attacks in the universally

composable framework.

QKD with source flaws

8

[GLLP proof: Gottesman, Lo, Lütkenhaus, Preskill, Quant.. Inf. Comput. 5, 325 (2004)]

Problem: the performance becomes bad!

Q1: Does a loss-tolerant protocol exist?

Loss-tolerant protocol

• “qubit assumption”: the four BB84 states remain inside two-dimensional

Hilbert space.

• Eve cannot attack the system by enhancing source flaws through the

channel loss.

• Three states {H, D, V} have the same performance as {H, D, V, A}.

9 [K. Tamaki, M Curty, G. Kato, H.-K. Lo, K. Azuma, arXiv: 1312.3514 (2013)]

Questions in practice?

10

[K. Tamaki et al., arXiv: 1312.3514 (2013)]

1. The finite-key security analysis?

2. The method with finite-number of decoy states?

3. Quantify the source flaws?

4. Verify the qubit assumption?

5. Implement the protocol in experiment?

A1: Finite-key analysis

• Tight security bounds against general attacks, obtained by using

the entropy uncertainty relations to bound the smooth entropies.

11

Based on [Tomamichel, Lim, Gisin, Renner, Nat. Comm., 3, 634, (2012);

Lim, Curty, Walenta, Xu, Zbinden, Phys. Rev. A, 89 022307 (2014)]

Vacuum events

Single-photon events

Phase error rate

Error correction

ε-secret ε-correct

measured in

experiment

Privacy Amplification

estimated by using decoy states chosen by protocol

A2: Three-state QKD with decoy states

• Vacuum events and single-photon events are estimated

following [Ma, Qi, Zhao, Lo, Phys. Rev. A, 72 012326 (2005)]

• Phase error rate using “rejected data analysis”

12

[Barnett, Huttner, Phoenix, J. Mod. Opt. 40, 2501-2513 (1993)]

Basis mismatch counts

Alice only sends {H, D, V}.

13

A3: Verify the qubit assumption

Mode Filter and result

Spatial Single-mode fiber (core diameter =10 um)

Spectral Band pass filter

(say, 15 GHz for 100ps pulse)

Timing Synchronization (Fidelity=1-10-8)

Polarization Polarizer/PBS (Fidelity=1-10-7)

In a phase-encoding system, does Alice prepare a qubit?

A4: Quantify the source flaws

14

Alice

SPD¹

SPD²

Laser

Circulator

BS

PMA

PBS VOA FM

{0, π/2±δ1, π±δ2, 3π/2±δ3}

• ID500: δ < 0.127

• Clavis2: δ < 0.147

Plug&Play system

15

Bob Alice SPD¹

SPD²

Laser

Circulator

BS

PMB

PMA PBS VOA

CD

FM

A5: Our implementation

• Commercial plug&play QKD system (ID500).

• Three-state QKD: PMA = {0, π/2, π}.

• Decoy-state BB84: PMB = {0, π/2, π, 3π/2}.

50 km

http://www.idquantique.com

16

Raw counts for three-state QKD

Z

X0

10

20

30

µν

ω

22.969541

0.694421 0.0481

23.552125

0.710156 0.048213 M

illio

ns

Gain counts

Z

X0

200

400

600

800

µν

ω

597.691

64.583

22.811

640.392

58.926 22.312

Th

ou

sa

nd

s

Error counts

X1|Z

X2|Z0

2

4

6

8

10

12

µν

ω

11.420321

0.349362 0.022125

11.23502

0.328879 0.025088

Mil

lio

ns

Rejected counts • Distance: 50 km telecom fiber

• Total pulses: N=5X1010

• Security: ε=10-10

• Measure the counts instead

of probabilities (called gains).

• Record the rejected counts!

17

Results

Parameter Three-state BB84

Vacuum events 3.22 X 105 3.21 X 105

Single-photon events 1.30 X 107 1.31 X 105

QBER 2.98% 2.89%

Phase error rate 11.49% 6.01%

Key length 2.60 X 106 7.70 X 106

Key rate (per pulse) 5.21 X 10-5 1.54 X 10-4

The security of key generation considers source flaws

and it can be against general attacks by Eve.

18

Numerical simulation

Loss-tolerant to source flaws!

Loss-tolerant

analysis

Parameters: η=5.05%; Pd= 4X10-5; N=5X1010; ε=10-10

Our experiment

Future directions

19

Alice

Laser

Modulator

RNG

Decoy

Bob

Laser

Modulator

RNG

Decoy

BS

PBS PBS

D1H

D1V

D2H

D2V

Measurement

device

• Source flaws in practical MDI-QKD?

• Refined security proof for imperfect fidelity?

• Protect Alice/Bob from leaking unwanted information?

• Source flaws in CV-QKD?

• …

• A QKD implementation should consider the source flaws and

employ a rigorous security analysis.

• Our experiment makes practical QKD loss-tolerant to source

flaws over 50 km telecom fiber.

• Three-state QKD is feasible in practice.

Summary － takeaway message

20

Reference: 1. F. Xu, S. Sajeed, S. Kaiser, Z. Tang, L. Qian, V. Makarov, H.-K. Lo, arXiv:

1408.3667 (2014)

2. K. Tamaki, M Curty, G. Kato, H.-K. Lo, K. Azuma, arXiv: 1312.3514 (2013)

3. C. Lim, M. Curty, N. Walenta, F. Xu, H. Zbinden, Phys. Rev. A, 89 022307

(2014)

Acknowledgement:

NSERC, Connaught Innovation fund, Industry Canada, CRC program.