# Long-Distance Decoy-State Quantum Key Distribution in Optical Fiber

###### Abstract

The theoretical existence of photon-number-splitting attacks creates a security loophole for most quantum key distribution (QKD) demonstrations that use a highly attenuated laser source. Using ultra-low-noise, high-efficiency transition-edge sensor photo-detectors, we have implemented the first version of a decoy state protocol that incorporates finite statistics without the use of Gaussian approximations in a one-way QKD system, enabling the creation of secure keys immune to photon-number-splitting attacks and highly resistant to Trojan horse attacks over km of optical fiber.

###### pacs:

03.67.Dd, 03.67.Hk, 85.25.OjQuantum key distribution (QKD), which enables users to create a shared key with secrecy guaranteed by the laws of physics roa , is arguably the most advanced application in the growing field of quantum information science. Since the first demonstration in Bennett et al. (1992), the field has advanced sufficiently that commercial systems are now available. Most current QKD implementations use “prepare and measure” protocols that involve the sender (Alice) preparing a single photon in a quantum state and sending it to the receiver (Bob), who then measures the photon. Attempts by an eavesdropper (Eve) to obtain information about the state of the single photon will introduce an error rate in the transmission, which alerts the users to Eve’s presence.

For example, to implement the Bennett-Brassard (BB84) protocol Bennett and Brassard (1984), Alice randomly encodes a single photon with either a or a in one of two conjugate bases and sends the photon to Bob. Bob performs a measurement in one of the two bases, and communicates the time slots for which he obtained detection events. Alice and Bob then create a sifted key by only retaining events where they used the same basis. Ideally, Alice’s sifted bits should be perfectly correlated with Bob’s if Eve did not attack the transmission, but any real system has error rates due to experimental imperfections. Error correction Brassard and Salvail (1994) removes these errors, leaving Alice and Bob with a perfectly correlated key. However, this key is not yet completely secret because, in principle, the errors may have arisen from Eve attacking the system. Therefore, a final step of privacy amplification Bennett et al. (1995) is used to obtain a shorter, secret key about which Eve has negligible information.

The lack of readily available single-photon sources, especially at telecom wavelengths where most fiber-based QKD systems operate, modifies the simple picture outlined above considerably. If the source emits more than one photon, Eve could remove one of the photons and store it until Bob announces his basis choice, at which time she would measure the photon in the correct basis and learn the bit value without introducing any errors. Therefore, in addition to assuming that all errors arise from Eve’s interaction with single photons, it is also necessary to assume that Eve can gain full information about any sifted bits that arose from multi-photon events. To determine the number of sifted bits that were encoded in single photons, it is often assumed that the transmission channel acts as a simple beamsplitter Bennett et al. (1992). However, an eavesdropper with unlimited technological capabilities may modify the channel properties so that this is no longer valid. For instance, she may perform a photon-number-splitting (PNS) attack by replacing the link with a lossless channel, blocking as many single photons at the output of Alice that she can, while keeping the rate of photons that Bob receives constant, and removing one photon from each multiphoton pulse Brassard et al. (2000). Protection against such attacks requires far more privacy amplification than the case where a beamsplitter channel is assumed, and if the rate of multiphotons present at the output of Alice is greater than the rate of detection events recorded by Bob, then Eve could have full knowledge of every sifted bit.

QKD systems often use heavily attenuated laser sources, which results in a Poisson distribution of photon number. The fraction of non-vacuum pulses that contain more than one photon is approximately when the laser is pulsed with a mean photon number . To keep the rate of multiphotons sufficiently low for PNS security, it is necessary to operate with on the order of the channel transmittance , yielding a sifted bit rate that is proportional to Lütkenhaus (2000). As the transmission loss increases and the sifted bit rate decreases, detector dark counts play an increasingly important role, eventually leading to such high error rates that secret key generation is impossible. For fiber QKD, where the channel transmittance drops off exponentially with distance, the requirement of PNS security was until recently thought to severely limit the link length for weak coherent pulse QKD Gobby et al. (2004); Hiskett et al. (2006).

The recent development of decoy state protocols
Hwang (2003); Lo et al. (2005); Wang (2005); Harrington et al. (2005) has drastically improved
the outlook for the security of weak laser based QKD. Decoy-state
QKD allows the users to place a rigorous lower bound on the single
photon channel transmittance, including receiver losses, and
therefore the number of detections at Bob that originated from
single photons. Because no assumptions are made about modifications
to the channel transmittance by an eavesdropper, a PNS attack would
easily be detected. Decoy-state QKD has previously been
demonstrated over link lengths of and km
Zhao et al. (2006a, b), with a suggested maximum PNS-secure range of
about km if InGaAs avalanche photodiodes with the
best-reported parameters for QKD in the literature are used
Ma et al. (2005). However, those experiments employed a two-way
system that has been shown to be susceptible to Trojan horse attacks
Gisin et al. (2002), negating the purpose of QKD to create
unconditionally secure keys. In contrast, the present work was
performed with a one-way system which is much less susceptible to
Trojan horse attacks ^{1}^{1}1It has recently been shown that, due
to finite backscattering of experimental components, an eavesdropper
can obtain some information by probing a one-way system
Gisin et al. (2006), but the technological capabilities needed to perform
such an attack are far greater than would be necessary for a two-way
system.. In this paper, we report on the first experimental
decoy-state QKD demonstration in a one-way QKD system that can
create unconditionally secure quantum key.

The simplest decoy state protocol requires Alice to emit signals whose values are randomly toggled between two values and . For a given signal, Eve does not know whether Alice used or , so she must treat single photon signals from either mean photon number identically. Because the fraction of single photon signals depends on , it is impossible for Eve to perform a PNS attack by simultaneously modifying the channel transmission correctly for more than one value of . By comparing the number of detection events from and transmissions, Alice and Bob are able to place strict bounds on the single photon transmittance of the channel.

A three-level decoy-state protocol ([]) with enables even better characterization of the channel parameters, which can be illustrated as follow. Bob’s count of detection events when Alice sent vacuum () provides an estimate of the background and dark count detection probability, , per clock cycle of the system. From this estimate, they can develop upper and lower bounds on with a user-defined level of confidence , with . The confidence interval calculations in our case were computed numerically as opposed to making a Gaussian approximation, which may be a poor fit far out in the tails of the binomial distribution governing both the transmission and error probabilities. Next, they consider how many detection events Bob received when Alice prepared mean photon number . After subtracting off background, most of the remaining events are from single-photon signals, providing an estimate and confidence levels for the single photon transmittance . Finally, they can utilize the lower bound on to determine the number of the stronger detection events that originated as single photon signals at Alice. While this outline is helpful for gaining intuition, it does not explain the specific values of mean photon numbers that should be chosen for an experiment such as ours.

More generally, the channel analysis is carried out by simultaneously solving for the -photon signal transmittance variables under a set of linear inequalities formed by confidence intervals on the detection probabilities per clock cycle for each Harrington et al. (2005):

The switched interferometer QKD system used in this work was identical to that described in detail elsewhere His ; Hiskett et al. (2006), except for the addition of an amplitude modulator in Alice, which was used to produce the different decoy state signal strengths. As shown in Fig. 1, the system was composed of a phase encoding switched interferometer and low-noise, high efficiency single-photon sensitive superconducting transition-edge sensors (TESs) Irwin (1995); Rosenberg et al. (2005). Synchronization for both Alice and Bob was achieved through the use of a single clock, making the system impractical for use outside the laboratory, but straightforward modifications will yield a system with separate clocks using quantum clock recovery techniques Hughes et al. (2005). A pattern generator pre-loaded with a random bit file provided bit and basis selection for Alice, but in a practical system cryptographically strong random number generators would provide the selection Hughes et al. (2005). These two relatively minor modifications to the system will be implemented in the near future. In contrast to our previous work using TESs in a phase encoded system Rosenberg et al. (2006); His ; Hiskett et al. (2006), in which we used one detector and time-multiplexed the signals at Bob’s phase decoder, here we used two detectors to enable operation at a higher clock rate (2.5 MHz for this experiment). The detectors had fiber-coupled system efficiencies of % and %, which were lowered from the detector value of % by the inclusion of filters to reduce the rate of blackbody radiation reaching the detectors. This imbalance between the two detectors reduces the entropy of the raw key, which must be accounted for during privacy amplification. The background rate of detection events, set by blackbody radiation, was counts per second. The timing jitter of the detectors was ns FWHM, and the thermal recovery time was s. The system transmitted over a km link of dark optical fiber, and shorter distances were obtained by redefining Alice’s enclave to include some length of the optical fiber Hiskett et al. (2006). Redefining the system in this way simply means that Alice has an extra attenuator composed of fiber that lowers the mean photon number exiting her enclave. Therefore, our mapping to shorter distances is completely equivalent to using a shorter length of fiber.

We implemented a decoy-state BB84 protocol using three levels of : a high , a moderate , and a low that approximates the vacuum state. The probabilities of sending , , or were %, % and %, respectively. Near-optimal values and probabilities were obtained by performing simulations to maximize the secret bit rate for various channel parameters. Because of the finite extinction ratio of the amplitude modulator, was not zero but was instead less than % of . Use of a small nonzero value for results in slightly worse bounds on the single photon transmission, and this effect was included in our analysis. The user-defined confidence parameter for each bound was chosen to be , resulting in a final key of which, with probability greater than , Eve knows less than one bit.

After sufficient data were collected, the bits arising from pulses at were sifted, error corrected, and privacy amplified. After sifting, the bits were shuffled to permute the errors and make error correction more efficient. In addition, half of the bits, randomly chosen, were flipped by both Alice and Bob to ensure that the final key had an equal distribution of zeros and ones. Error correction was performed using the modified CASCADE algorithm Sugimoto and Yamazaki (2000), which has an efficiency of 7–13% over the Shannon limit. We performed privacy amplification using Toeplitz matrix universal hash functions Krawczyk (1994) to provide protection against arbitrary basis-independent attacks Gottesman et al. (2004), yielding a total of secret bits:

where is the number of sifted bits, is the calculated lower bound on the number of single photons present in the sifted key, is the calculated upper bound on the single photon error rate, is the efficiency of the error correction protocol relative to the Shannon limit, is the observed error rate for all signals that enter the sifted key, is the fraction of zeros in the sifted key before half the bits were flipped, and is Shannon entropy.

We collected data at two different sets of values of , one selected for transmission at km (corresponding to km of fiber being defined as residing within Alice) and the other for km (corresponding to km of fiber residing within Alice’s enclave). For each data set, timing windows for accepting detected events were chosen to maximize the secret bit rate Rosenberg et al. (2006); His . From the first data set, using mean photon numbers at the exit of Alice’s enclave of [, , ] = [, , ] at km, we created secret bits in 351 s from sifted bits using ns windows. From the second data set, which used mean photon numbers [, , ] at km, we generated a secret bits from sifted bits collected over s with ns windows. The observed error rates at for the two data sets were % and %, consistent with the expected error rate due to interferometer visibility and background counts. The lower bounds on the fraction of sifted bits that originated as single photons were and , compared to and for a beamsplitter channel. The number of secret bits generated is less than the number of non-PNS-secure bits that would have been generated at by assuming a random deletion channel ( and at km and km, respectively), but those numbers assume that Eve is unable to modify the channel properties. Consequently, the secret bits generated using our decoy state protocol are immune to PNS attacks, whereas they would not be PNS secure under the beamsplitter channel assumption.

Even though the values were chosen to be near-optimal for particular link lengths, we can analyze the results over other distances by redefining the system so that Alice’s enclave includes a different amount of the km optical fiber link Hiskett et al. (2006). Figure 2 shows the secret bit rate as a function of transmission distance. For the data set optimized for km, we find that a secret key can be exchanged over 107 km of optical fiber. Considerably longer ranges of – km should be possible in this system by using different values optimized for longer distances.

Because the extent to which the single photon transmittance can be bounded is dependent on the photo-count statistics, acquiring data for longer times will result in not only more secret bits, but also a higher rate of secret bit production. Figure 3 displays the results of a simulation of longer acquisition times. In general, the bound on single photon transmittance does not depend on whether the quantum channel is stationary, but for the simulation we assume that Eve does not vary her attack. For a given confidence parameter, longer acquisition times result in a tighter lower bound on the single photon transmittance and a tighter upper bound on the single photon sifted bit error rate, leading to a higher secret bit rate. For this simulation, we have not adjusted the mean photon numbers used when the data acquisition time is increased; re-optimization of the mean photon numbers for longer times is expected to increase the secret bit rate even further.

By incorporating low-noise transition-edge sensors into a one-way QKD system and implementing a three-level decoy protocol, we were able to generate key secure against PNS attacks and with only very limited susceptibility to Trojan horse attacks over km of optical fiber. This distance far surpasses the previous maximum PNS-secure transmission distance of km that used very weak mean photon numbers rather than the decoy state protocol in essentially the same system Hiskett et al. (2006). In contrast to other work, this demonstration was the first to implement a finite-statistics protocol to bound the channel transmittances without resorting to Gaussian approximations. We used a conservative method to estimate the error rate on single photon signals, but future work may incorporate tighter bounds on the single photon error rate, resulting in higher secret bit rates and longer ranges. System clock rates as much as five times higher are expected to be achieved with improvements in the detector readout electronics, leading to higher secret bit rates. Based on the results of simulations, we expect that this system is capable of PNS-secure decoy-state QKD over – km of optical fiber, and improvements in filtering of the ambient blackbody photons could increase this distance even further to km or more.

Note added: Recently, we became aware of similar work performed elsewhere Peng et al. (2006).

The authors thank DTO and the NIST Quantum Initiative for financial support, Alan Migdall for the loan of an optical switch, and Joe Dempsey and Corning Inc. for loaning the km of single-mode optical fiber.

## References

- (1) Quantum cryptography roadmap, http://qist.lanl.gov.
- Bennett et al. (1992) C. H. Bennett et al., J. Cryptology 5, 3 (1992).
- Bennett and Brassard (1984) C. H. Bennett and G. Brassard, Proc. IEEE Int. Conf. on Computers, Systems, and Signal Processing p. 175 (1984).
- Brassard and Salvail (1994) G. Brassard and L. Salvail, Lecture Notes Comput. Sci. 765, 410 (1994).
- Bennett et al. (1995) C. H. Bennett et al., IEEE Transactions on Information Theory 41, 1915 (1995).
- Brassard et al. (2000) G. Brassard et al., Phys. Rev. Lett. 85, 1330 (2000).
- Lütkenhaus (2000) N. Lütkenhaus, Phys. Rev. A 61, 052304 (2000).
- Gobby et al. (2004) C. Gobby, Z. L. Yuan, and A. J. Shields, Electronics Letters 40, 1603 (2004).
- Hiskett et al. (2006) P. A. Hiskett et al., New Journal of Physics 8, 193 (2006).
- Hwang (2003) W.-Y. Hwang, Phys. Rev. Lett. 91, 057901 (2003).
- Lo et al. (2005) H.-K. Lo, X. Ma, and K. Chen, Phys. Rev. Lett. 94, 230504 (2005).
- Wang (2005) X.-B. Wang, Phys. Rev. Lett. 94, 230503 (2005).
- Harrington et al. (2005) J. W. Harrington et al., (2005), eprint quant-ph/0503002.
- Zhao et al. (2006a) Y. Zhao et al., Phys. Rev. Lett. 96, 070502 (2006a).
- Zhao et al. (2006b) Y. Zhao et al., (2006b), eprint quant-ph/0601168.
- Ma et al. (2005) X. Ma et al., Physical Review A 72, 012326 (2005).
- Gisin et al. (2002) N. Gisin et al., Review of Modern Physics 74 (2002).
- (18) J. W. Harrington et al., unpublished.
- (19) P. Hiskett et al., unpublished.
- Irwin (1995) K. D. Irwin, Appl. Phys. Lett. 66, 1998 (1995).
- Rosenberg et al. (2005) D. Rosenberg et al., Phys. Rev. A 71, 061803(R) (2005).
- Hughes et al. (2005) R. J. Hughes et al., Proceedings of SPIE 5893, 1 (2005).
- Rosenberg et al. (2006) D. Rosenberg et al., Appl. Phys. Lett. 88, 021108 (2006).
- Sugimoto and Yamazaki (2000) T. Sugimoto and K. Yamazaki, IEICE Trans. Fundamentals E83-A, 1987 (2000).
- Krawczyk (1994) H. Krawczyk, Lect. Notes Comp. Sci. 839, 129 (1994).
- Gottesman et al. (2004) D. Gottesman et al., Quantum Information and Computation 4, 325 (2004).
- Peng et al. (2006) C.-Z. Peng et al., (2006), eprint quant-ph/0607129.
- Gisin et al. (2006) N. Gisin et al., Physical Review A 73, 022320 (2006).