Boosting up quantum key distribution by learning statistics of practical single-photon sources

Yoritoshi Adachi¹, Takashi Yamamoto, Masato Koashi and Nobuyuki Imoto

Division of Materials Physics, Department of Materials Engineering Science, Graduate School of Engineering Science, Osaka University, 1-3 Machikaneyama, Toyonaka, Osaka 560-8531, Japan

¹ Author to whom any correspondence should be addressed.

E-mail: adachi@qi.mp.es.osaka-u.ac.jp

Received 27 August 2009
Published 17 November 2009

A single-photon source (SPS), which emits exactly one photon in a well-defined optical mode, has been actively studied with quantum dots [1]–[11], colour centres in diamond [12]–[15], and other systems [16]–[19]. Behind those activities lies the fact that ideal SPSs serve as a useful resource for efficient quantum information processing such as quantum computation [20] and quantum key distribution (QKD) [21]. But imperfections in practical SPSs affect the performance in those applications, especially in QKD [22]–[24] in which very rare emission events could be exploited by a potential eavesdropper Eve. The imperfection that matters most in QKD is the emission of multiple (two or more) photons in a single pulse, which we assume to occur with probability p_multi. Usually the two-photon events are dominant in p_multi, in which case it is related to the normalized second-order correlation g⁽²⁾ by p_multi = μ² g⁽²⁾/2 with μ being the average photon number emitted in a pulse. Since μ~O(1) in practical SPSs, p_multi and g⁽²⁾ are of the same order of magnitude. In the BB84 QKD protocol, which has been proposed by Bennett and Brassard in 1984 [21], whenever the sender Alice emits multiple photons Eve can steal a photon to obtain full information without introducing any error. To make matters worse, we cannot exclude the possibility that Eve may force the receiver Bob to detect a photon preferentially in such a multiphoton emission event. As a result of this photon-number splitting (PNS) attack, the protocol produces no secret key beyond a threshold distance at which Bob's detection rate Q is comparable to p_multi [25]. Unless we accept a significant reduction of the emission probability μ [26], it poses a severe requirement on g⁽²⁾. For example, for an optical channel with a loss of 0.2 dB km^–1 of the typical telecommunication fibre and for Bob's detection apparatus with efficiency 0.01, it is estimated under μ~O(1) that g⁽²⁾~O(10^–6) is needed to reach a communication distance of 200 km. This requisite will be hard to achieve in real experiments, and if at all, it may require sacrificing other performances such as the repetition rate.

To circumvent this problem, one may depart from the BB84 protocol to adopt a different sifting procedure [27] yielding a key even from the multiphoton emission events [28, 29]. Another common direction is to keep the protocol itself and to devise a way to obtain a clue about photon-number dependence of Eve's attack. Our main idea in this paper is to use the correlation between the two output lights from a beam splitter to obtain such a clue [30, 31]. For the BB84 protocol with polarization encoding, this idea is implemented by inserting a non-polarizing beam splitter with a transmittance T and placing a monitoring detector D_M at Alice's side as in figure 1(a). For a standard phase-encoding system based on a double Mach–Zehnder interferometer (DMZI), mere addition of D_M at the open port implements our scheme with T = 1/2, as shown in figure 1(b). If the light incident on D_M is suitably correlated to the number of photons sent toward Bob, we may detect Eve's PNS attacks like the decoy-state idea [32]–[34] and particularly passive decoy-state generation schemes [35]–[37].

In order for the above strategy to work, knowledge of emission statistics for higher photon numbers is essential. As we will show, our scheme can detect the PNS attacks when the higher photon-number tail drops more steeply than a Poissonian distribution, as explained in figure 2. If this sub-Poissonian tendency continues to arbitrary large photon numbers, Eve can no longer force Bob to detect a photon preferentially in a multiphoton emission event. In practice, the characterization of the emission statistics is not complete and will be left with an uncharacterized portion Δ. In the simplest case where Bob detects photons at rate Q with no errors, the key rate G in our scheme is approximated as G = Q–(Δ/C), which should be compared with the rate in the conventional scheme G = Q–p_multi [25]. Here, C is a constant reflecting the degree of the sub-Poissonian tendency. Since Q scales as 10^–αl/10 with distance l, the threshold distance at which G = 0 in our scheme scales as (–log₁₀Δ)–(–log₁₀C) + const, whereas it is (–log₁₀p_multi) + const in the conventional scheme. Therefore, without actually suppressing multiphoton emission p_multi by a factor, we obtain the same improvement merely by reducing the ambiguity Δ in learning the statistics by the same factor.

Figure 2. Our scheme works when the photon-number distribution of the source has a `sub-Poissonian tail,' which has a simple meaning in the usual cases with . In the figure, the distribution is shown as blue bars in logarithmic scale, together with square dots corresponding to a Poissonian distribution {Pn} satisfying . The decrements are denoted by and bn≡log10(Pn/Pn + 1). When the tail of the distribution vanishes more rapidly than the Poissonian distribution, namely, when an–bn≥r for all n≥2 with a positive constant r > 0, our simple scheme can foil the PNS attacks and the multiphoton emission becomes no concern (pmulti is effectively zero). When an–bn≥r is confirmed only up to n = nmax–1 with the residual uncharacterized portion , the detection of the PNS attacks becomes imperfect but our scheme still achieves performance comparable to the use of a source with pmulti = Δ/C, with C being a constant proportional to 1–10–r (shown as red bars for nmax = 5).

From now on, we focus on the case where D_M is a threshold detector with dark count rate d_M and efficiency η_M. The outcome of this detector is binary: when n photons are incident, it produces a click with probability 1–(1–d_M)(1–η_M)ⁿ, and otherwise gives no click. We classify the events to clicked events and non-clicked ones, according to the outcome of D_M.

For the security analysis, it is convenient to describe the correlation between the two outputs of Alice's beam splitter through a set of parameters {γ_n}, defined to be the conditional probability of D_M to produce a click, given that n photons are sent toward Bob. With (η_M, d_M, T) fixed, {γ_n} depend solely on the density operator ρ of the source, which we assume to take the form of . Let us define a characteristic function κ_ρ(t) of the source by

where . Then the conditional probability γ_n(ρ) is conveniently represented using its nth derivative κ_ρ⁽ⁿ⁾(t)≡dⁿκ_ρ(t)/dtⁿ as

where R = 1–T. When {p_n} is Poissonian with mean μ, it follows that κ_ρ(t) = e^–μ(1–t) and hence γ_n(ρ) is independent of n. For d_M  1 and p₁  p₂  p₃  ···, the parameters γ_n(ρ)(n≥1) are approximated by

Hence, roughly speaking, the values of {γ_n(ρ)} represent how slowly the tail of the photon-number distribution vanishes. For example, if γ₁(ρ) > γ_n(ρ) holds for all n≥2, the tail of the distribution vanishes more rapidly compared with the Poissonian distribution with the same ratio p₂/p₁. In this paper, we say such a distribution has a `sub-Poissonian tail.'

In fact, a source with a sub-Poissonian tail is ideal for our present scheme to work. Let

be the overall rate of detection by Bob, where the superscript `c' stands for the clicked events, and `nc' for the non-clicked events. These quantities are actually observed in the protocol. On the other hand, Q is also decomposed as , where Q_n stands for the portion in which Alice has sent out n photons towards Bob (we call it `n-photon' events henceforth). Since D_M clicks with probability γ_n(ρ) in the n-photon events, we should have in the asymptotic limit of a large number of pulses. Then, if Eve substitutes 1-photon events by n-photon events with n≥2, Q^[c] decreases due to the condition γ₁(ρ) > γ_n(ρ)(n≥2) and the attack will be detected. She may try to increase 0-photon events to compensate the decrease in Q^[c], but it will then increase the observed error rate, since if Alice emits no photon, the probability of bit errors is 1/2. Therefore, a source strictly satisfying γ₁(ρ) > γ_n(ρ)(n≥2) allows us to detect PNS attacks in a very simple way.

In practice, it may be hard to find such a source, and it is even harder to prove it by characterizing the photon-number distribution of the source. For this reason, here we relax the condition and consider an approximate version of a source with a sub-Poissonian tail as follows.

Assumption on the source — The density operator ρ_src of a pulse from the source is written as a mixture of two normalized density operators as

where 0≤Δ < 1. With an integer n_max, which may be infinity, ρ_sp is written in the form . There exists Γ satisfying

for 2≤n≤n_max.

Under this assumption, the source emits an arbitrary unknown pulse with a (small) probability Δ, but otherwise the distribution has a sub-Poissonian tail, whose degree is measured by parameter Γ. We expect that a source will satisfy this assumption in the following scenario, for example. A pseudo-SPS with distribution is given, and a sequence of characterization experiments tells us good estimates of probabilities . Then we choose and for n≤n_max. After calculating the values of {γ_n(ρ_sp)} from p₀, p₁,  ..., p_nmax, we take Γ = max{γ_n(ρ_sp)|2≤n≤n_max} and see if γ₁(ρ_sp) > Γ holds. In this example, ρ_uk stands for the uncharacterized portion of the source. We may also use ρ_uk to absorb the higher photon-number part responsible for an unwanted relation γ₁(ρ_sp) < γ_n(ρ_sp).

For a source with Δ > 0, Eve may be able to increase Q^[c] by letting Bob preferably detect the events from ρ_uk. But the amount of increase is obviously no larger than Δ. This increase leaves Eve room for substituting 1-photon events with multiphoton events with rate up to Δ/(γ₁(ρ_sp)–Γ), but no more. Hence, as long as the overall detection rate is higher than this rate, one may still expect to generate a secret key. In the appendix, we confirm this in a rigorous analysis.

Before we give a numerical example showing the improvement in the secure key rate, we discuss the ideal case where Bob has observed no bit errors. In this case, the secure key rate is given by [Q^[c]–ΓQ–Δ(1–Γ)]/(γ₁(ρ_sp)–Γ) (see the appendix). Since Alice uses a pseudo-SPS, the single-photon contribution should be dominant in Bob's detection events, namely, Q^[c]/Q≊γ₁(ρ_sp). Using the fact Γ  1, the key rate is then simplified as Q–Δ/(γ₁(ρ_sp)–Γ), confirming the dependence which we promised in the introductory part with C = γ₁(ρ_sp)–Γ. This means that the key rate is positive as long as Q > Δ/(γ₁(ρ_sp)–Γ), implying that the uncharacterized portion Δ mainly determines the threshold distance at which the key rate vanishes.

We further show that the tendency in the ideal cases discussed above is also qualitatively valid with realistic channels and detectors, for an example of pseudo-SPS, which is modelled as an ideal SPS with a loss and Poissonian background. In figure 3, we have chosen a source with a rather high multiphoton emission rate of 0.086 (g⁽²⁾ = 0.19), which cannot generate secret key at any distance in the conventional scheme. Figure 3 shows the key rates for the same source with varied levels of characterization. For this source with p_n + 1/p_n~10^–1.7, increasing the maximum photon number n_max by one reduces Δ by factor of 10^1.7. The analysis for the ideal case above suggests that this will increase the threshold distance by 17 dB/(0.2 dB km^–1) = 85 km, which agrees with the curves in figure 3 for shorter distances where the error rate is not so high.

Figure 3. Alice's source ρsrc is chosen to be a mixture of a SPS with a loss and Poissonian background. The distribution is given by and for n≥1, with Pn(Poi)≡e–ννn/n!. We set p0(sp) = 0.1, p1(sp) = 0.9, and ν = 0.1, which leads to pmulti = 0.086 and g(2) = 0.19. (Its distribution is plotted as the blue bars in figure 2.) The residual parameters are chosen as follows: ηM = 0.15; dM = 10–6; the error correction efficiency, f = 1.2; loss coefficient of channel, 0.2 dB km–1; error rate of channel, 0.03 (independent of distance). Each of Bob's detectors has the same dark count rate 2.5×10–9 and efficiency 0.01 [41]. (a) nmax = 4, (b) nmax = 5, (c) nmax = 6, (d) nmax = 7, (e) Δ = 0. We see that increasing nmax leads to a constant improvement of the threshold distance, until the overall detection rate drops to the order of Bob's dark count rate. Dashed curve shows the rate in a standard phase-encoding system (without DM) based on a DMZI with an ideal SPS.

Throughout this paper, we only considered the limit of a large number of repetitions and a large final key, in which errors in estimating parameters due to statistical fluctuations are negligible. In practice, the key has a finite size and we must take the statistical fluctuations into account. This is beyond the scope of this paper but a few remarks are in order. Although our scheme may appear to involve a lot of parameters, it requires only a few of them to be estimated while actually running the protocol, due to its simplicity. The rest of the parameters, namely, the photon-number statistics of Alice's source, can be characterized off-line, before running the actual protocol. Of course, a care must be taken in this characterization to allow for practical issues such as the stability of the source.

Finally, we discuss the opposite condition of equation (6), γ₁(ρ_sp) < ≤γ_n(ρ_sp) for 2≤n≤n_max. This means a `super-Poissonian tail,' namely, a tendency that if multiple photons appear at one of the two outputs of the beam splitter, then the other one has a larger probability of having photons. For example, the heralded parametric down-conversion (PDC) source shows this tendency, which is ascribed to the thermal photon-number distribution observed in the signal mode of PDC. In this case, γ₁(ρ_sp) is the minimum of {γ_n(ρ_sp)} and any attempt by Eve to block 1-photon events should show up as an increase in the observed value of Q^[c]. Therefore, we can also obtain secure key by using a similar analysis. We found that the rule of thumb for the key rate in this case is again given by G = Q–Δ/C, with C = 1–γ₁(ρ_sp)/.

In conclusion, we have proposed a simple scheme to detect eavesdropping attacks on multiphoton emissions from practical SPSs. In contrast to the conventional scheme in which actual suppression of multiphoton emissions is necessary to avoid such attacks, our scheme requires no suppression as long as the higher photon-number tail of emission probabilities decreases more rapidly than a Poissonian distribution. As an example, we calculated the key rate for a lossy SPS suffering from Poissonian background noise, which is regarded as a bad source in terms of g⁽²⁾. We found that reducing the ambiguity in the characterization of the source improves the key rate, in much the same way as the actual suppression of g⁽²⁾ does in the conventional scheme. It is worth mentioning here that the requisite in our scheme is satisfied by SPSs following a wide range of simple theoretical models: any source with imperfection modelled by loss and Poissonian background satisfies the requisite of sub-Poissonian tail, regardless of the amount of the loss and the background. On the other hand, if the background noise follows a thermal distribution, the source always has a super-Poissonian tail, which also meets our alternative condition discussed above. This also opens up a possibility that we may intentionally increase the fluctuations in the background to meet the requisite. Naturally, our result provides a new perspective on the desired performance of a practical SPS, namely, property of photon-number correlations of orders higher than g⁽²⁾. Recent development in the streak cameras [42] and photon-number-resolving detectors [43]–[45] are helpful in studying such higher order correlations. Therefore, it will be interesting to experimentally characterize them for the SPSs currently under development, as well as to seek plausible theoretical models of high photon-number emissions.

Acknowledgments

We thank Hoi-Kwong Lo for helpful discussions. This work was supported by JSPS Grant-in-Aid for Scientific Research(C) 20540389 and by MEXT Grant-in-Aid for Scientific Research on Innovative Areas 20104003 and 21102008, Global COE Program and Young scientists(B) 20740232. YA is supported by JSPS Research Fellowships for Young Scientists.

Appendix.

Since one can simulate the source ρ_src equivalently by actively switching between the sources ρ_sp and ρ_uk, we are allowed to label each detection event according to which of the source was used. As a result, the overall detection rate Q is decomposed as Q = χ + Q_uk, where χ (used instead of Q_sp for simplifying the notations) is the fraction with the source ρ_sp and Q_uk is with ρ_uk. Using similar decomposition for Q_n, we have

where . The clicked and non-clicked portions are also written as (j = c,nc)

Since χ_n^[c] = γ_n(ρ_sp)χ_n and Q^[c]_uk≤Q_uk, we use equation (6) to have

Eliminating χ_≥2 using equation (A.1) and noting that Q_uk≤Δ, we obtain a bound on χ₁ as

Next, we derive an upper bound on the error rate e₁ for the 1-photon events. Let E^[c] and E^[nc] be the overall error rates for the clicked events and the non-clicked events, respectively, which can be directly estimated in the protocol. Considering the contribution from 0- and 1-photon events, we have, for j = c, nc

Combining with χ_n^[c] = χ_n–χ_n^[nc], we obtain e₁≤(χ₀) with

where γ_n = γ_n(ρ_sp). The allowed range of the parameter χ₀ is determined from the condition (χ₀)≥0.

The secure key generation rate for the clicked events or the non-clicked events is given by the so-called GLLP formula [38]–[40] as

(j = c,nc), where q denotes the protocol efficiency (e.g. q = 1/2 in the standard BB84 protocol because half of the events are discarded by basis mismatch), f≥1 the error correction efficiency, and H₂(x)≡–log₂ x–(1–x) log₂(1–x) the binary entropy function. Noting that Q_n^[j]≥χ_n^[j] and assuming the worst case for the choice of unknown parameter χ₀, we have an expression for achievable key rates as

where γ_n = γ_n(ρ_sp).

When the secure key can be obtained from both events, we can achieve a key rate better than G^[c] + G^[nc] by doing the error correction separately but the privacy amplification jointly. The achievable rate in this case is given by

Thus, the final key rate is given by G = max{G^[both], G^[c], G^[nc]}. In the ideal case where Bob has no bit errors (E^[c] = E^[nc] = 0), we have χ₀ = 0 and the final key rate is given by G/q = ξ(0) = [Q^[c]–ΓQ–Δ(1–Γ)]/(γ₁(ρ_sp)–Γ).

References

[1]

Kim J, Benson O, Kan H and Yamamoto Y 1999 A single-photon turnstile device Nature 397 500–3 
CrossRef

[2]

Michler P et al 2000 A quantum dot single-photon turnstile device Science 290 2282–5 
CrossRefPubMed

[3]

Santori C et al 2002 Indistinguishable photons from a single-photon device Nature 419 594–7 
CrossRefPubMed

[4]

Yuan Z et al 2002 Electrically driven single-photon source Science 295 102–5 
CrossRefPubMed

[5]

Bennett A J et al 2005 High performance single photon sources from photolithographically defined pillar microcavities Opt. Express 13 50–5 
CrossRefPubMed

[6]

Kako S et al 2006 A gallium nitride single-photon source operating at 200 K Nat. Mater. 5 887–92 
CrossRefPubMed

[7]

Zinoni C et al 2006 Time-resolved and antibunching experiments on single quantum dots at 1300 nm Appl. Phys. Lett. 88 131102 
CrossRef

[8]

Strauf S et al 2007 High-frequency single-photon source with polarization control Nat. Photon. 1 704–8 
CrossRef

[9]

Vamivakas A N, Zhao Y, Lu C-Y and Atatüre M 2009 Spin-resolved quantum-dot resonance fluorescence Nat. Phys. 5 198–202 
CrossRef

[10]

Flagg E B et al 2009 Resonantly driven coherent oscillations in a solid-state quantum emitter Nat. Phys. 5 203–7 
CrossRef

[11]

Ates S et al 2009 Indistinguishable photons from the resonance fluorescence of a single quantum dot in a microcavity arXiv:quant-ph:0902.3612
Preprint

[12]

Kurtsiefer C, Mayer S, Zarda P and Weinfurter H 2000 Stable solid-state source of single-photons Phys. Rev. Lett. 85 290–3 
CrossRefPubMed

[13]

Gaebel T et al 2004 Stable single-photon source in the near infrared New J. Phys. 6 98 
IOPscience

[14]

Wu E et al 2007 Room temperature triggered single-photon source in the near infrared New J. Phys. 9 434 
IOPscience

[15]

Simpson D A et al 2009 A highly efficient two level diamond based single photon source Appl. Phys. Lett. 94 203107 
CrossRef

[16]

Keller M et al 2004 Continuous generation of single photons with controlled waveform in an ion-trap cavity system Nature 431 1075–8 
CrossRefPubMed

[17]

McKeever J et al 2004 Deterministic generation of single photons from one atom trapped in a cavity Science 303 1992–4 
CrossRefPubMed

[18]

Barquié B et al 2005 Controlled single-photon emission from a single trapped two-level atom Science 309 454–6 
CrossRefPubMed

[19]

Hijlkema M et al 2007 A single-photon server with just one atom Nat. Phys. 3 253–5 
CrossRef

[20]

Knill E, Laflamme R and Milburn G J 2001 A scheme for efficient quantum computation with linear optics Nature 409 46–52 
CrossRefPubMed

[21]

Bennett C H and Brassard G 1984 Quantum cryptography: public key distribution and coin tossing Proc. IEEE Int. Conf. on Computers, Systems and Signal Processing (Bangalore, India)  IEEE, New Yorkpp 175–9 

[22]

Waks E et al 2002 Secure communication: quantum cryptography with a photon turnstile Nature 420 762 
CrossRefPubMed

[23]

Beveratos A et al 2002 Single photon quantum cryptography Phys. Rev. Lett. 89 187901 
CrossRefPubMed

[24]

Intallura P M et al 2007 Quantum key distribution using a triggered quantum dot source emitting near 1.3 μm Appl. Phys. Lett. 91 161103 
CrossRef

[25]

Brassard G, Lütkenhaus N, Mor T and Sanders B C 2000 Limitations on practical quantum cryptography Phys. Rev. Lett. 85 1330–3 
CrossRefPubMed

[26]

Waks E, Santori C and Yamamoto Y 2002 Security aspects of quantum key distribution with sub-Poisson light Phys. Rev. A 66 042315 
CrossRef

[27]

Scarani V, Acin A, Ribordy G and Gisin N 2004 Quantum cryptography protocols robust against photon number splitting attacks for weak laser pulse implementations Phys. Rev. Lett. 92 057901 
CrossRefPubMed

[28]

Koashi M 2005 Security of quantum key distribution with discrete rotational symmetry arXiv:quant-ph/0507154
Preprint

[29]

Tamaki K and Lo H-K 2006 Unconditionally secure key distillation from multiphotons Phys. Rev. A 73 010302 
CrossRef

[30]

Adachi Y, Yamamoto T, Koashi M and Imoto N 2008 Passive decoy-state quantum cryptography with pseudo-single-photon sources Proc. AQIS'08 8th Asian Conf. on Quantum Information Science (Seoul, Korea)  pp 25–6 

[31]

Curty M, Moroder T, Ma X and Lütkenhaus N 2009 Non-Poissonian statistics from Poissonian light sources with application to passive decoy state quantum key distribution Opt. Lett. 34 3238–40 
CrossRefPubMed

[32]

Hwang W-Y 2003 Quantum key distribution with high loss: toward global secure comunication Phys. Rev. Lett. 91 057901 
CrossRefPubMed

[33]

Lo H-K, Ma X and Chen K 2005 Decoy state quantum key distribution Phys. Rev. Lett. 94 230504 
CrossRefPubMed

[34]

Wang X-B 2005 Beating the photon-number-splitting attack in practical quantum cryptography Phys. Rev. Lett. 94 230503 
CrossRefPubMed

[35]

Mauerer W and Silberhorn C 2007 Quantum key distribution with passive decoy state selection Phys. Rev. A 75 050305 
CrossRef

[36]

Adachi Y, Yamamoto T, Koashi M and Imoto N 2007 Simple and efficient quantum key distribution with parametric down-conversion Phys. Rev. Lett. 99 180503 
CrossRefPubMed

[37]

Ma X and Lo H-K 2008 Quantum key distribution with triggering parametric down-conversion sources New J. Phys. 10 073018 
IOPscience

[38]

Gottesman D, Lo H-K, Lütkenhaus N and Preskill J 2004 Security of quantum key distribution with imperfect devices Quantum. Inf. Comput. 5 325–60 

[39]

Lo H-K 2005 Getting something out of nothing Quantum. Inf. Comput. 5 413–8 

[40]

Koashi M 2006 Efficient quantum key distribution with practical sources and detectors arXiv:quant-ph/0609180
Preprint

[41]

Takesue H et al 2007 Quantum key distribution over a 40-dB channel loss using superconducting single-photon detectors Nat. Photon. 1 343–8 
CrossRef

[42]

Wiersig J et al 2009 Direct observation of correlations between individual photon emission events of a microcavity laser Nature 460 245–9 
CrossRefPubMed

[43]

Kim J S, Takeuchi S, Yamamoto Y and Hogue H H 1999 Multiphoton detection using visible light photon counter Appl. Phys. Lett. 74 902–4 
CrossRef

[44]

Rosenberg D, Lita A E, Miller A J and Nam S W 2005 Noise-free high-efficiency photon-number-resolving detectors Phys. Rev. A 71 061803 
CrossRef

[45]

Kardyna B E, Yuan Z L and Shields A J 2008 An avalanche-photodiode-based photon-number-resolving detector Nat. Photon. 2 425–8 
CrossRef