High-dimensional quantum cryptography with twisted light

The power transmission efficiency of the mode sorter's refractive elements is measured to be 85%. Two Holoeye PLUTO phase-only SLMs are used for realizing the holograms for the fan-out element and its corresponding phase-correcting element. In addition, two cylindrical lenses are realized on the SLMs to adjust the aspect ratio of the transformed beams. The diffraction efficiency of each SLM is measured to be approximately $45\%$.

The fiber array consists of 7 multi-mode fibers with 62.5/125 $\mu {\rm m}$ core/cladding diameters and NA = 0.275. We have measured the efficiency of coupling the transformed modes to the fiber array to be approximately 18%. The detection is performed with Perkin-Elmer SPCM-AQRH-14 APDs. The quantum efficiency of the APDs is $\eta =0.65$. The transmission efficiency of the optical link can be calculated as

$$\begin{eqnarray}&&{{T}_{{\rm link}}}=0.85\times {{(0.45)}^{2}}\times 0.18=0.031.\end{eqnarray} \tag{ 3 }$$

Each detector has a typical dark-count rate of $50\;c\;{{{\rm s}}^{-1}}$ and an after-pulsing probability of $0.3\%$.

Figure 3 shows the conditional probability of Bob detecting each mode as a function of the mode sent by Alice. Theoretical values for the case of a system with no errors is shown on the left for comparison. In order to measure the SER more precisely, each row of the matrix is constructed by sending the same symbol many times and detecting all possible outcomes. This scheme eliminates the time consuming procedure of switching among different spatial modes and permits a much more accurate measurement of the error-rate using a large set of sent and received symbols.

Zoom In Zoom Out Reset image size

The mutual information between the sent and received symbols is defined as

$$\begin{eqnarray}&&{{I}_{AB}}=\mathop{\sum }\limits_{i,j}P({{x}_{i}},{{y}_{j}}){{{\rm log} }_{2}}\left[ \frac{P({{x}_{i}},{{y}_{j}})}{P({{x}_{i}})P({{y}_{j}})} \right].\end{eqnarray} \tag{ 4 }$$

Here, x_i is the event of sending symbol i and y_j is the event of detecting symbol j. Assuming a uniform probability for sending N modes and a uniform probability of an error occurring in the detection, the equation (4) can be simplified to [13]

$$\begin{eqnarray}&&{{I}_{AB}}={{{\rm log} }_{2}}(d)+F{{{\rm log} }_{2}}(F)+(1-F){{{\rm log} }_{2}}\left( \frac{1-F}{d-1} \right).\end{eqnarray} \tag{ 5 }$$

Here, $F=1-\delta -\epsilon$ is the probability of correctly detecting each mode. The SER caused by imperfect sorting is denoted by δ and the SER due to the dark counts is shown by . For the case of our experiment, $\delta =0.065$ and $\epsilon =0.04$. The total SER, $1-F$, is directly measured from data as $10.5\%$. We have identified the error from the imperfect sorting, δ, by repeating the experiment in the high-light level and analyzing the results after background subtraction. The error probability can be divided to 2% from stray light, $1.9\%$ from thermally-induced dark counts, and $0.15\%$ from after-pulsing.

Using these numbers, we calculate I_AB as 2.05 bits per photon. For comparison, the ideal value of I_AB for d = 7 modes is equal to ${{{\rm log} }_{2}}(d)=2.8$ bits per photon. Further, the sorting mechanism by itself would result in a value of 2.29 bits per photon in the absence of any background or dark counts. The probability of correctly detecting each mode in the absence of dark counts, also known as the separation efficiency of the mode sorter, is calculated to be slightly more than 93%.

Note that the calculation of mutual information only requires the knowledge of the cross-talk and dark count values. The loss in the optical system reduces the key generation rate of the protocol. However, a uniform loss in the transmission and detection does not change the mutual information between Alice and Bob's sifted keys since the time frames with no photon-detection event are removed in the basis reconciliation procedure.

We consider a cloning-based individual attack. In this situation, the mutual information between the symbols owned by Alice and Eve can be written as [13]

$$\begin{eqnarray}&&{{I}_{AE}}={{{\rm log} }_{2}}(d)+F{{{\rm log} }_{2}}({{F}_{E}})+(1-{{F}_{E}}){{{\rm log} }_{2}}\left( \frac{1-{{F}_{E}}}{d-1} \right).\end{eqnarray} \tag{ 6 }$$

Here, F_E is the fidelity of Eve's cloning machine. The value of Eve's fidelity can be optimized to gain maximum information for any given SER detected by Bob. This quantity is shown to be [13]

$$\begin{eqnarray}&&{{F}_{E}}=\frac{F}{d}+\frac{(d-1)(1-F)}{d}+\frac{2}{d}\sqrt{(d-1)F(1-F)}.\end{eqnarray} \tag{ 7 }$$

For our experiment, F_E = 0.43, resulting in ${{I}_{AE}}=0.35$ bits. For a sufficiently long ensemble of symbols owned by Alice, Bob, and Eve the secure key R is found to be [2, 44]

$$\begin{eqnarray}&&{{R}_{{\rm net}}}={{R}_{{\rm sift}}}[{{I}_{AB}}-{\rm max} ({{I}_{AE}},{{I}_{BE}})],\end{eqnarray} \tag{ 8 }$$

where ${{R}_{{\rm sift}}}$ is the sifted key rate. This rate can be written as a function of the pulse repetition rate ${{f}_{{\rm rep}}}$

$$\begin{eqnarray}&&{{R}_{{\rm sift}}}=\frac{1}{2}{{f}_{{\rm rep}}}\mu {{T}_{{\rm link}}}\eta .\end{eqnarray} \tag{ 9 }$$

For our experiment we have $\mu =0.1$. The DMD used in our system (Texas Instrument DLP3000) is capable of switching between the computer holograms stored in its memory at the speed of 4 kHz. We refer to this mode of operation as burst mode. Burst mode can be used to transmit a short key at ${{f}_{{\rm rep}}}=4$ kHz. The internal memory can only store up to 100 patterns, which limits the applicability of the burst mode for a long key. To generate a long random key, we instead load each hologram onto the DMD using a computer. This task along with the time needed for synchronizing the two computers reduces the raw key generation rate to approximately ${{f}_{{\rm rep}}}=1$ Hz. Using ${{f}_{{\rm rep}}}=4$ kHz for the burst mode, we calculate ${{R}_{{\rm sift}}}=4$ (photons s⁻¹) and ${{R}_{{\rm net}}}=6.8$ (secure bits s⁻¹). Note that this calculation characterizes the operation of the optical system in the presence of 14 detectors for collecting data.

The calculation above can be recast to the alternative form

$$\begin{eqnarray}&&{{R}_{{\rm net}}}={{f}_{{\rm rep}}}{{I}_{{\rm pulse}}}.\end{eqnarray} \tag{ 10 }$$

Here, ${{I}_{{\rm pulse}}}$ is the amount of secure information transmitted per each pulse. For our experiment we infer ${{I}_{{\rm pulse}}}=1.7\times {{10}^{-3}}$ secure bits per pulse.

To quantitatively assess the security of our system, we plot the values for the error bound of an intercept-resend eavesdropping attack, a coherent attack, as well as the SER from our experimental data in figure 4. In an intercept-resend attack, the eavesdropper (Eve) measures the state of the intercepted photon in an arbitrarily selected basis and then resends a photon prepared to be in this same state. In a coherent attack, Eve coherently probes a finite number of qudits in order to gain information about the key [13]. It is evident from this graph that our experimental SER is well below the required bounds for security against both intercept-resend and coherent attacks (figure 4). Unlike intercept-resend attacks, the SER for coherent attacks only depends on system dimension d and is independent of the number of MUBs M [13]. Hence, increasing the number of MUBs beyond 2 results in a drop in the key rate without any gain in security against coherent attacks. Nevertheless, there is a clear increase in the allowed SER for larger system dimensions, demonstrating an advantage for using a high-dimensional encoding scheme for QKD such as that of OAM.

Zoom In Zoom Out Reset image size

Using the SER, we estimate the information gained by Eve to be 0.35 bits per sifted photon for cloning-based individual attacks. It has been argued that cloning-based eavesdropping is the optimal strategy for an individual attack on systems based on qudits [13]. The portion of the key obtained by Eve is removed in the privacy amplification process, leading to a mutual information of 1.7 secure bits per sifted photon in the final key. It should be emphasized that our secure key rate analysis assumes an infinite key, while any experimental realization produces only a finite key [45]. We are working toward a finite key analysis of the security, which will be reported in the future.

In contrast to phase-only SLMs that are limited to a frame rate of 60 Hz, the DMD used in our setup has the ability to rapidly switch between modes at a speed of 4 kHz. This is especially important considering the fact that the speed of generation of spatial modes limits the key generation rate of the system. We measure our raw key generation rate to be 16.4 bits per second (for operation in burst mode). After performing basis reconciliation and privacy amplification for a sufficiently long key, we estimate the secure key rate to be 6.5 bits per second, which is more than 3 orders of magnitude larger than that achieved in previous spatial-mode based protocols [20].

The analysis above considers intercept-resend and cloning based attacks. The PNS attack is yet another possibility when the protocol uses imperfect single-photon sources. In our protocol, weak coherent pulses (WCPs) are used for realizing approximate single photon pulses. For small values of photon-number expectation values, a WCP contains either zero or one photon most of the times. However, the pulse may still contain multiple photons with a non-zero probability. In this situation, Eve can split one photon off of a multi-photon signal, without disturbing the polarization or the spatial structure of the signal [46–48]. Eve can measure her photon after basis reconciliation and obtain complete information without causing any error in the signal.

The PNS attacks pose a more serious threat in the presence of loss. In this situation, Eve can, in principle, replace the lossy channel with a perfect quantum channel and only transmit to Bob the signals of her choice. An inequality has been developed in [49] that serves as a necessary condition for security

$$\begin{eqnarray}&&{{p}_{{\rm detection}}}\gt {{p}_{{\rm multi}}}.\end{eqnarray} \tag{ 11 }$$

Here, ${{p}_{{\rm detection}}}$ is the total probability of detection events for Bob, and ${{p}_{{\rm multi}}}$ is the probability of having a pulse with multi-photons. For a coherent state with an average photon number o f μ, we have $P(n,\mu )=\frac{{{\mu }^{n}}}{n!}{{{\rm e}}^{-\mu }}$, and consequently

$$\begin{eqnarray}&&{{p}_{{\rm multi}}}=\mathop{\sum }\limits_{n=2}^{\infty }P(n,\mu )\approx \frac{{{\mu }^{2}}}{2}.\end{eqnarray} \tag{ 12 }$$

The total probability of detection events can be calculated by considering the signal detection events and the detector dark counts

$$\begin{eqnarray}&&{{p}_{{\rm detection}}}={{p}_{{\rm signal}}}+{{p}_{{\rm dark}}}-{{p}_{{\rm signal}}}{{p}_{{\rm dark}}}\approx {{p}_{{\rm signal}}}+{{p}_{{\rm dark}}}.\end{eqnarray} \tag{ 13 }$$

Using the parameters for our experiments we have ${{p}_{{\rm multi}}}=5\times {{10}^{-3}}$ and ${{p}_{{\rm detection}}}=\mu {{T}_{{\rm link}}}\eta +{{p}_{{\rm dark}}}\simeq 2\times {{10}^{-3}}$. It can be see that ${{p}_{{\rm detection}}}\lt {{p}_{{\rm multi}}}$ and hence security against PNS attacks cannot be guaranteed in our current implementation. We discuss the possible approaches for providing security against PNS attacks in the following section.

The unbiased relation between the two bases, as defined in equation (2), guarantees that detecting a photon in the wrong basis results in a completely random outcome and hence it reveals zero information about the key. In practice, however, the imperfect generation and sorting of the OAM and ANG modes results in variations in the degree of overlap between a pair of modes chosen from the two different bases. Such variations can be noticed in the off-diagonal blocks in the matrix for conditional probability of detection (figure 3). In this situation, the measurement of a photon in the wrong basis can, in principle, reveal some information about the transmitted symbol.

The mutual information between the symbols sent in the OAM basis and detected in the ANG basis can be calculated using equation (4). For our experiment, we have calculated ${{I}_{{\rm OAM}/{\rm ANG}}}=0.036$ bits per photon. Similarly, the mutual information for the case of sending a photon in the ANG basis and detecting it in the OAM basis is calculated to be ${{I}_{{\rm ANG}/{\rm OAM}}}=0.058$ bits per photon. Note that these values are much smaller than ${{I}_{AB}}$ which is equal to 2.05 bits per photon. We have assumed an unbiased relation between the OAM and ANG modes in our security analysis.The small number the quantities ${{I}_{{\rm ANG}/{\rm OAM}}}$ and ${{I}_{{\rm OAM}/{\rm ANG}}}$ calculated above justifies the validity of this approximation. A more complete security analysis needs to take these numbers into account in estimating the information owned by Alice (I_AE). Such an analysis, however, is beyond the scope of current article and should be the subject of future studies.

The secure key rate scales proportionally with the raw key generation rate. Although holography techniques can achieve kHz mode switching rates using DMDs [39], practical QKD would require key rates in the GHz regime. OAM modes can be generated and switched at MHz rates using on-chip resonators [50] and potentially at GHz rates using Q-plates [51]. However, to generate the states in the ANG basis one would need to modulate both the amplitude and phase of the beam, a task that best suits free-space holography. Recently, a method involving static holograms realized on an SLM and an AOM for switching between them achieved a MHz mode-switching rate [52]. Unfortunately, the change in the wavelength caused by the AOM forbids applying this method for QKS since side-channel attacks could be performed based on spectrum.

Alternatively, generation of OAM and ANG modes at a rate of 1 GHz or more can be achieved by illuminating a series of static holograms with beams from multiple lasers. The shaped beams after the holograms can be passively combined using a series of beam splitters. The intensity of each laser beam can then be modulated either by using electro-optic modulators or by switching diode lasers on and off [10].

The key generation rate drops as loss increases. Moreover, high loss in the communication link makes the protocol vulnerable to PNS attacks. The throughput of our detection system can be readily increased by employing high efficiency SLMs, or AR-coated custom refractive elements. This would translate to a six-fold increase in the transmission efficiency in our experiment. Additionally, the amount of loss due to the scattering in the air can be minimized by operating in the near-infrared regime.

Atmospheric turbulence results in degradation of the spatial profile of the modes upon propagation. This results in mixing of the neighboring OAM and ANG modes. The effects of turbulence on OAM modes has been a topic of extensive studies [38, 53, 54]. Common solutions for mitigating the adverse effects of atmospheric turbulence include the use of every other mode for encoding [55] and utilization of adaptive optics systems [56]. Recently, long-haul free-space propagation of OAM modes has been realized using novel detection schemes [24].

Increasing the number of the modes increases the information carried by each single photon and results in a higher secure bit rate. Previously, we have shown that our mode sorter is capable of sorting 25 OAM and ANG modes with an average mutual information of 4.17 bits per detected photons [41]. Consequently, the encoded information per photon can be readily increased by increasing the number of APDs in the experiment. Ultimately, the number of modes supported by the optical link is limited by the sizes of the transmitting and receiving apertures.

A comprehensive security proof for a QKD system should include both the fundamental and practical properties of the physical system. The security analysis presented in this work assumes an infinitely long key. For a finite key, the efficiency of classical post-processing need to be measured and used for a more rigorous calculation of the secure key rate [57]. In addition, our analysis assumes a uniform error-rate and transmission efficiency for all the modes. While our data demonstrates the rationale for this approximation, a more comprehensive analysis needs to include the effects of non-uniform SER and loss in a multi-level QKD system. More research is needed to establish the theoretical framework for security analysis of such systems.

Finally, we have demonstrated security against intercept-resend and cloning-based attacks, while our implementation remains vulnerable to PNS attacks. This limitation can be avoided by either reducing the loss in the system or by employing the decoy-state protocol [58].

In an intercept and intercept attack (also known as denial of service) Eve detects a photon without retransmitting it. Since Alice and Bob disregards the frames with no photons in basis reconciliation, Eve will not have any mutual information with the sifted key and hence there is no loss of security.

In this type of attack Eve detects a photon that falls outside of Bob's apertures in a random basis. She then resends a photon in a state determined by the result of her measurement into the Bob's aperture. The geometry for Bob's and Eve's apertures are shown in figure A1. Note that the ${{R}_{B}},{{R}_{E1}}$ and R_E2 are all bound between zero and infinity and so we are considering the most general case.

Zoom In Zoom Out Reset image size

We demonstrate an OAM mode's optical field at any plane z by $\Psi _{{\rm OAM}}^{\ell }(z)$. The probability for detecting each of the OAM modes by Eve can be written as

$$\begin{eqnarray}&&P_{{\rm OAM}}^{\ell }(z)=\int _{{{R}_{E1}}}^{{{R}_{E2}}}{{\left| \Psi _{{\rm OAM}}^{\ell }(z) \right|}^{2}}r{\rm d}r.\end{eqnarray} \tag{ A.1 }$$

Assuming Alice chooses to send OAM modes randomly with a probability of $1/d$ (where $d=2N+1$ is the total number of modes used), the probability for detecting any OAM mode will be

$$\begin{eqnarray}&&{{P}_{{\rm OAM}}}(z)=\frac{1}{d}\mathop{\sum }\limits_{\ell =-N}^{N}\int _{{{R}_{E1}}}^{{{R}_{E2}}}{{\left| \Psi _{{\rm OAM}}^{\ell }(z) \right|}^{2}}r{\rm d}r.\end{eqnarray} \tag{ A.2 }$$

Similarly, the probability for detecting each of the ANG modes can be written as

$$\begin{eqnarray}&&P_{{\rm ANG}}^{n}(z)=\int _{{{R}_{E1}}}^{{{R}_{E2}}}{{\left| \Psi _{{\rm ANG}}^{n}(z) \right|}^{2}}r{\rm d}r,\end{eqnarray} \tag{ A.3 }$$

and the probability for detecting any ANG mode will be

$$\begin{eqnarray}&&{{P}_{{\rm ANG}}}(z)=\frac{1}{d}\mathop{\sum }\limits_{n=-N}^{N}\int _{{{R}_{E1}}}^{{{R}_{E2}}}{{\left| \Psi _{{\rm ANG}}^{n}(z) \right|}^{2}}r{\rm d}r.\end{eqnarray} \tag{ A.4 }$$

We can simplify equation (A.4) using the definition of the ANG modes

$$\begin{eqnarray}&&\Psi _{{\rm ANG}}^{n}=\frac{1}{\sqrt{d}}\mathop{\sum }\limits_{\ell =-N}^{N}\Psi _{{\rm OAM}}^{\ell }{\rm exp} \left( \frac{{\rm i}2\pi n\ell }{d} \right).\end{eqnarray} \tag{ A.5 }$$

Substituting $\Psi _{{\rm ANG}}^{n}$ we get

$$\begin{eqnarray}\begin{array}{rcl} {{P}_{{\rm ANG}}}(z) & = & \frac{1}{d}\mathop{\sum }\limits_{n=-N}^{N}\int _{{{R}_{E1}}}^{{{R}_{E2}}}{{\left| \frac{1}{\sqrt{d}}\mathop{\sum }\limits_{\ell =-N}^{N}\Psi _{{\rm OAM}}^{\ell }{\rm exp} \left( \frac{{\rm i}2\pi n\ell }{d} \right) \right|}^{2}}r{\rm d}r \\ {} & = & \frac{1}{d}\int _{{{R}_{E1}}}^{{{R}_{E2}}}\mathop{\sum }\limits_{n=-N}^{N}\mathop{\sum }\limits_{\ell =-N}^{N}\mathop{\sum }\limits_{\ell ^{\prime} =-N}^{N}\frac{1}{d}\Psi _{{\rm OAM}}^{\ell }\Psi _{{\rm OAM}}^{*\ell ^{\prime} }{\rm exp} \left[ \frac{{\rm i}2\pi n(\ell -\ell ^{\prime} )}{d} \right]r{\rm d}r \\ {} & = & \frac{1}{d}\int _{{{R}_{E1}}}^{{{R}_{E2}}}\mathop{\sum }\limits_{\ell =-N}^{N}\mathop{\sum }\limits_{\ell ^{\prime} =-N}^{N}\Psi _{{\rm OAM}}^{\ell }\Psi _{{\rm OAM}}^{*\ell ^{\prime} }\mathop{\sum }\limits_{n=-N}^{N}\frac{1}{d}{\rm exp} \left[ \frac{{\rm i}2\pi n(\ell -\ell ^{\prime} )}{d} \right]r{\rm d}r \\ {} & = & \frac{1}{d}\int _{{{R}_{E1}}}^{{{R}_{E2}}}\mathop{\sum }\limits_{\ell =-N}^{N}\mathop{\sum }\limits_{\ell ^{\prime} =-N}^{N}\Psi _{{\rm OAM}}^{\ell }\Psi _{{\rm OAM}}^{*\ell ^{\prime} }{{\delta }_{\ell ,\ell ^{\prime} }}r{\rm d}r \\ {} & = & \frac{1}{d}\int _{{{R}_{E1}}}^{{{R}_{E2}}}\mathop{\sum }\limits_{\ell =-N}^{N}{{\left| \Psi _{{\rm OAM}}^{\ell } \right|}^{2}}r{\rm d}r \\ {} & = & {{P}_{{\rm OAM}}}(z). \\ \end{array}\end{eqnarray} \tag{ A.6 }$$

The above result shows that it is equally probable for Eve to detect a photon from either the OAM basis or the ANG basis using the beam from any range of radii. Consequently, it is impossible for Eve to gain information by detecting a photon from outside of Bob's aperture. Moreover, the result remains valid at any plane z from near field to far field.