Category Archives: Spotlight article

Story of the Month: Experimental Twin Field Quantum Key Distribution

The importance of secure digital communications

One aspect of everyday life that has been revolutionised the most in modern times is our ability to communicate easily and nearly instantaneously from and to almost any part of the world. Listing all the aspects of life that have been affected by this revolution would be a challenging task. But, just to mention a few, think about how we communicate with our friends and loved ones, on how we access financial services (ATMs, chip-based credit cards, online bank accounts), and about how we communicate in the work place (emails or direct messaging systems). In all these cases, digital communications have deeply changed the way we behave.

Fig. 1: Expected number of connected devices to the Internet. This chart is obtained from recent reports developed by both Cisco and Ericsson. Figure taken form this article.

A good way to assess our increasing dependence on digital communication tools is by looking at the increase in the number of internet connected devices over the recent years (Fig. 1). Their number has increased dramatically over the last decade, reaching tens of billions.

As for any new technology, these new means of communication generate new problems and risks. Among the most critical is the difficulty of keeping our digital communications private and confidential. Security is a crucial requirement for many of our communications. And it is for this reasons that over the past 60 years a lot of effort has been put into the development of cryptography, i.e. the set of techniques that allow us to transmit and store information securely. It is thanks to cryptography that nowadays we can have private digital communications.

What is Quantum Key Distribution and why do we need it

Most of today’s digital communications are protected by public-key cryptographic schemes. The security of these is based upon two assumptions: there are certain mathematical problems that are very difficult (or almost impossible) to solve with (1) current day technology and (2) mathematical knowledge. These two assumptions looked extremely strong in late ’70s when public-key cryptography was first introduced, but unfortunately today this is no longer the case. In the mid-90’s it was demonstrated that, among other far-reaching capabilities, a powerful enough quantum computer could easily break the security of the currently deployed public-key cryptography schemes. This is a daunting prospect for the security of our digital communications, especially given the recent impressive progress towards the construction of quantum computers.

The need for an alternative to the present cryptographic standards stimulated the research for a different approach to cryptography. One possible solution for this problem has been found in Quantum Key Distribution (QKD). The most interesting aspect of QKD is that its security is based upon a very different set of assumptions: the correctness of the law of physics (particularly quantum physics), and on the unflawed physical implementation of the devices used to set up the secure communication. There is a notable advantage with this approach: while advances in technology and limits to the mathematical knowledge are not under our control, the security of QKD is based upon something we have a more direct control of.

Limitations associated to QKD: cost, security and distance

Since its conception in 1984, the research around QKD advanced considerably, and reached remarkable results. We are now at a stage where this technology is practical enough to be implementable in real world scenarios and companies that sell ready-to-use QKD devices to the general public already exist.

Despite the recent progress in QKD development, a few limitations associated with its implementation remain. The most relevant of which are:

  1. the requirement of specifically designed hardware to perform QKD;
  2. the cost of this hardware;
  3. the security associated with its physical implementation;
  4. the limited distance at which QKD operate run successfully.

Points 1 and 2 can probably be considered technical limitations. There is a lot of research addressing these issues, and much of it focuses on the miniaturisation of QKD devices into small form factors, compatible with scalable fabrication techniques and suitable for mass production. For more information on this argument, see the post by my colleague and fellow QCALL member, Innocenzo De Marco.

Points 3 and 4 are instead of a more fundamental nature.

The security of any QKD implementation relies on a perfect match between the theoretical model describing the system and its physical implementation. Therefore, in order to guarantee the perfect security of a system, two approaches are possible:

  • One is to develop theoretical models that consider all the possible experimental flaws (see the work of my fellow QCALL member Margarida Pereira to get an insight on this type of research).
  • The other one is to remove all the implementation flaws from the QKD device.

One of the most effective ways to implement this second approach happen to be the removal of the detectors from within the secure perimeter of the QKD system. This is the strategy used in Measurement Device Independent (or MDI) QKD protocols. These types of protocol are considered more secure than the other QKD protocols because they are less prone to implementation security issues.

Fig. 2: Key rate obtained in state of the art QKD experiments, over channel loss. All the points in the graph lie below the thick blue line which is the PLOB bound.

The fourth and final limiting factor of QKD is the maximum distance at which it can operate successfully. This is fundamentally limited by the information carriers used in QKD, which are (in the ideal case) single photons. It can be proved that with the current technology there is a fundamental limit on the maximum key rate that is achievable over a certain channel loss. This limit is often referred as the repeaterless secret key capacity bound (or PLOB bound, from the name of the researchers that discovered it) and scales linearly with the channel loss (Fig. 2). In practice, the maximum distance covered by QKD communications reaches only a few hundreds of kilometres.

The focus of my research is demonstrating that it is possible to increase the maximum attenuation at which QKD can be performed, while maintaining the highest standard of security by removing the detectors from the secure perimeter of the setup.

Twin Field QKD: protocol concepts and advantages

Fig. 3: Simple schematic of the setup for TF-QKD

At the beginning of 2018 a group of researchers at Toshiba Research Europe Ltd. published a paper that introduced a novel QKD protocol called Twin Field QKD (or simply TF-QKD). The protocol has several interesting features, the most remarkable of which is that it introduces a viable way to overcome the PLOB bound with currently available technology. This result is very relevant from a practical point of view because it means that there is now a way to extend the maximum transmission distance achievable by QKD.

This result is possible thanks to a different way of encoding and retrieving the information in the quantum carriers used for the protocol. In TF-QKD the information is encoded in the phase of the optical pulses prepared by the two users that want to establish the secure communication, and the secret key is retrieved via a single photon interference measurement made by a user in the middle (see the simple schematic in Fig. 3). Another interesting aspect of TF-QKD is that it is also Measurement Device Independent, which means that it meets the strictest standards of security.

The advantages associated with this new encoding and detection strategy come at a price: TF-QKD introduces a series of new challenges that have to be faced for its implementation. The most difficult of which are:

  1. The generation of twin optical fields from two space-separated laser sources;
  2. The stabilisation of the channel used during the communication. This has to be stabilised to a new level of precision compared to other QKD protocols.

TF-QKD implementation

Fig. 4: Proof of principle TF-QKD experimental setup. Image courtesy of Mariella Minder.

The focus of my research within the QCALL network, has been to demonstrate the experimental feasibility of the TF-QKD protocol. For this purpose, together with my colleagues at Toshiba Research Europe Ltd., I developed the first TF-QKD setup, and proved that the protocol can indeed be used to overcome the PLOB bound.

The setup used for this task is shown in Fig. 4. It is important to notice that in this proof-of-principle experiment we simulated the channel attenuation associated with a long communication channel by means of Variable Optical Attenuators (VOAs, optical devices that set a chosen attenuation over an optical channel). This enabled us to execute the experiment at extremely high channel attenuations, without having to worry too much about the phase fluctuations that would have been introduced by long optical fibers.

The elements of novelty in this setup, compared to other QKD implementations, are the frequency distribution system (represented by the brighter purple box in Fig 4), and the system used for phase stabilisation. More information on these are given below.

The frequency distribution system: Optical Phase-Locked Loop
Schematic of the OPLL setup.
Fig. 5: Schematic of the OPLL setup.

A technique developed in classical optical communications was borrowed for the optical frequency distribution. With this technique, called Optical Phase Locked Loop (or OPLL), it is possible to force two lasers to emit at the same optical frequency. This is done by locking the interference beating between two lasers to a target frequency through a PID controller connected to an actuator. See Fig. 5 for a more detailed schematic of the OPLL implementation in our setup.

The quantum channel stabilisation

Since in TF-QKD the information that the users want to communicate is associated to the phase of optical that they prepare, it is fundamental to keep track of the phase fluctuations between the two users. In this experiment we have accomplished this by stabilizing the phase of the quantum channel to a fixed and known value. To achieve this, some reference pulses were interleaved into the phase encoded pattern, and a phase feedback system was developed. The phase feedback system was composed of a PID controller and a phase modulator.

Results and outlook

With this setup we were able to execute TF-QKD at different channel attenuations.  We performed the protocol at several attenuation levels, spaced roughly by 10 dB, and extracted a secret key that could be used for a secure digital communication. The results of this experiment are shown in Fig. 6 (the points in the plot), alongside the simulation curves. Our experimental results align very well with the values predicted by the simulations.

After its introduction, a lot of interest arose around TF-QKD, and several protocol variants have been proposed since then. The different colours for the points in Fig. 6 represent different TF-QKD protocol variants tested with this experiment. Our experimental setup had the flexibility to implement 3 variants in total: the original TF-QKD protocol (in red in the graph), the Send-Not-Send TF-QKD protocol (blue points in the graph), and the CAL TF-QKD protocol (yellow point in the graph).

It is remarkable that for all these protocols we managed to obtain a positive key rate above the PLOB bound, overcoming experimentally the repeaterless secret capacity bound for the first time ever. We also note that for the original and the SNS protocols we achieved a positive key rate at unprecedentedly high channel attenuations, that would be equivalent to the losses introduced by more than 500 km of ultra-low loss fiber.

Fig 6: Key rate generated by our TF-QKD system art different attenuations, for various TF-QKD variants.

This experiment was the first demonstration of the feasibility of the TF-QKD protocol, and the first experimental evidence that it is possible to overcome the secret key capacity bound with current day technology. This experiment can be considered the first realisation of an effective quantum repeater, as suggested by a recent review on the advances in quantum cryptography.

Story of the Month: Quantum Conferencing

Federico works on theoretical progress in multi-party quantum key distribution, also known as quantum conferencing. Have you ever heard about it?

Your data is under threat

In recent times people, as well as institutions, companies and governments, are increasingly concerned about the privacy of their data and are constantly looking for better ways to keep it safe.

One of the instances in which private data becomes vulnerable is when it is transmitted from one party to another one (e.g. a bank and its customer, the secret services and the government,  etc.). In order to keep the data safe, the sender encrypts the data with a secret key -the encryption key- that he/she shares with the receiver, prior to transferring it. The receiver then decrypts the data using the same secret key. A potential eavesdropper cannot learn the data without the encryption key. Hence, the data is secure as far as the key shared by the sender and the receiver through a cryptographic scheme is secret.

Classical Cryptography

Nowadays, the standard cryptographic schemes in use are referred to by quantum physicists in my field as “classical cryptography“. The security of such schemes relies on assumptions on the adversary’s computational capabilities , thus being vulnerable to retroactive attacks. In other words, an adversary could intercept and store the data encrypted by a classical crypto scheme, waiting to have sufficient computational power to decipher it. The recent developments of quantum computers, which promise unprecedented computational power, further increase the vulnerability of classical cryptography.

Quantum key distribution is the cure

QKD scheme

Quantum theory, despite being a threat to current cryptographic schemes, also provides a solution. Indeed,  the mentioned security concerns and the prospect of commercialization boosted major advancements in the field of quantum cryptography and particularly in quantum key distribution (QKD).

A QKD protocol enables two parties, Alice and Bob, to generate a shared secret key by sending quantum systems (typically photons of light) through a quantum channel that can be under the control of the eavesdropper (Eve), and by measuring the systems upon reception. Alice and Bob are also equipped with an authenticated public channel, e.g. a phone call wiretapped by Eve.

By relying on intrinsic properties of quantum theory, QKD can be unconditionally secure regardless of the eavesdropper’s computational capabilities, unlike classical cryptography. This remarkable feature of QKD allows for ever-lasting secure communication and attracted the attention of companies, private institutions and governments.

QKD has been successfully implemented over 400 km of optical fibers and over 1000 km of satellite-to-ground links, and has already reached the market with companies like Toshiba and ID Quantique.

What makes QKD secure?

The unconditional security offered by QKD is based on distinctive quantum features, such as entanglement. When two or more quantum systems are entangled, their properties are strongly interconnected. Indeed, measuring a property on one quantum system immediately determines the measurement outcome of the same property on the other systems. This fact can be used to generate correlated outcomes when different parties perform the same measurement on their entangled quantum systems. The correlated outcomes can then be used as a shared key.

monogamy of entanglement

The key generated in this way is secret thanks to the monogamy of entanglement. According to this peculiar feature of entanglement, if two parties are strongly entangled, a third party shares little entanglement with them. The entangled parties can thus obtain a shared key with their highly correlated measurement outcomes while being sure that the third party -a potential eavesdropper- has little information about it.

Quantum conferencing


The task of QKD can be generalized to more than two parties through a conference key agreement (CKA), where the goal is the establishment of a shared secret key -a conference key– among several parties. The conference key can then be used by one party to securely broadcast a message to the remaining parties.

The CKA could be trivially realized by performing bipartite QKD schemes between pairs of parties and using the established keys to distribute the conference key. Alternatively, one can exploit the correlations arising in multi-partite entangled states and devise a CKA protocol which directly outputs a secret conference key. Such truly multi-partite schemes are a natural application of quantum networks and have been proven to be advantageous in certain network configurations and noise regimes. In this post we focus on the latter type of CKA (the first review on this research topic [“Quantum Conference Key Agreement: A Review”, Murta, Grasselli, Kampermann and Bruss, 2020] is going to be published shortly).

The multiparty BB84 protocol

The BB84 protocol, devised by Bennett and Brassard in 1984, is the first and arguably the most famous of all the QKD protocols. Due to its simplicity, variants of the protocol have been widely implemented and even commercialized.

In our first work in the QCALL network, we generalized the BB84 protocol to a scenario with an arbitrary number of parties “N” willing to share a conference key, obtaining the so called N-BB84 protocol. Based on our work, an upcoming experimental implementation of a four-party BB84 protocol is about to be published [Proietti, Ho, Grasselli, Barrow, Malik, Fedrizzi, 2020].

The security proof of most QKD protocols is initially performed in a simplistic scenario, i.e. when the parties exchange an infinite number of quantum signals (asymptotic scenario). This is, of course, far from reality but it greatly simplifies the proof and gives indication on the protocol’s real-life performance.


A more realistic security proof with a finite number of signals (finite-key scenario), must consider that the measured data in the execution of the protocol is affected by statistical fluctuations. The challenge is to guarantee unconditional security of the distilled secret key despite the statistical fluctuations affecting the data.

In our work, we proved the security of the N-BB84 protocol and of another existing multiparty protocol (the N-six-state protocol) in the finite-key scenario, when the eavesdropper is allowed to perform the most general attack on the quantum channels (coherent attack). We also compared the performances of the two protocols under realistic conditions and showed that the N-BB84 protocol requires a lower number of protocol rounds to produce a non-null secret key.

Achieving longer distances

TF scheme

Most of the early QKD protocols do not rely on any intermediate relay: the parties taking part to the protocol are connected by a single-piece quantum channel.  Such protocols are often called point-to-point schemes.

In spite of the great distances experimentally achieved by point-to-point QKD protocols (see above), their key rates are fundamentally limited. The key rate “r” of a QKD protocol is given by the number of secret key bits per protocol round (in a round one or more parties send a quantum signal) and its value is typically well below 1. Clearly, in any point-to-point QKD scheme the key rate cannot exceed the probability “t” that the signal sent by Alice reaches Bob.

The problem is that most QKD protocols employ photons as information carriers and the probability “t”of a photon traveling the distance “L” separating Alice from Bob decreases exponentially with “L” ! (see figure) Thus, key rates of point-to-point QKD schemes decrease exponentially with the distance, strongly constraining their long-distance applicability.

A solution to this limitation is provided by the recently-developed twin-field (TF) QKD protocol, initially introduced by our QCALL partners in Toshiba. In TF QKD, Alice and Bob prepare weak coherent pulses corresponding to a random bit they picked and send them to a central untrusted relay. The relay combines the pulses, measures them, and announces the measurement outcome.  Based on the outcome, Bob either flips his bit or does nothing, in order to match it with Alice’s. By repeating this procedure at every round, the parties establish a secret key, which cannot be retrieved by the untrusted relay, even with the information of the measurement outcomes.

Being TF-QKD based on single-photon interference events occurring in the untrusted node,  only one photon out of the two sent by Alice and Bob needs to arrive at the central relay at every round.  Thus, the key rate of TF-QKD scales with the probability that one photon covered half of the total channel length (square root of “t”). This implies a square-root improvement  in the performance over point-to-point QKD protocols, allowing to reach longer distances.

TF-QKD is currently the only experimentally implemented protocol with an improved scaling of the key rate versus the distance, making it the new benchmark for far-distance QKD.

contour_plot 3 decoysintensity fluct

With a first and a second publication in collaboration with our QCALL colleagues in Vigo, we investigated the practical performance of the TF QKD protocol proposed by Curty et al. In particular, we optimized its key rate when the distances separating Alice and Bob from the untrusted node differ and showed that the protocol can achieve good key rates even in extremely asymmetric scenarios. We also showed that the protocol is robust against intensity fluctuations affecting the parties’ lasers (figures above).

W state vs NBB84

Inspired by the TF-QKD protocol, we extended its founding idea to the multiparty scenario. We introduced a CKA where N parties simultaneously establish a conference key by relying again on single-photon interference. The protocol, also called “W state protocol”, presents a remarkable improvement in the key rate-vs-distance compared to its point-to-point couterpart, just like TF-QKD (see figure).

Indeed, in the W state protocol just one photon out of the N photons sent by every party needs to arrive at the central relay, while in point-to-point multiparty protocols like the N-BB84 (and N-six-state), each of the N photons must  be successfully transmitted. We proved the security of the W state protocol  in the finite-key regime and for general attacks.

For the security paranoids

QKD offers an exceptional level of security, provided that the assumptions on the devices used for its implementation are experimentally verified. However, the devices could be affected by imperfections difficult to characterize, or, much worse, they could be forged by the eavesdropper in order to learn the secret key. Therefore, it is challenging to ensure that the assumptions on the implementation of a QKD protocol are met in practice.


Fortunately, device-independent (DI) QKD can guarantee the same level of security independently of the actual functioning of the employed devices. In this framework, the devices used by the parties are modeled as black boxes (i.e. completely uncharacterized) producing an output upon receiving an input from the party. The parties collect a series of outputs (with correspondent inputs) by repeating the same procedure for several rounds, making sure that they are distant enough so that no signal can travel from their device to the other’s device. If the collected data cannot be explained by a local deterministic strategy (for which a third party in the middle instructs the devices on the output to produce), the parties conclude that their data exhibits non-local correlations. This means that it was produced by an entangled state shared by Alice and Bob’s devices. Thanks to the monogamy of entanglement, the secrecy of the parties’ correlated outcomes is restored, guaranteeing that the key distilled from the outputs is secret.

We are currently working on a project which aims at devising new and better-performing device-independent multiparty QKD protocols, in short: DICKA. The fundamental principle on which these protocols are based would be the same, just extended to more than two parties.

If you want to know how this will turn out, stay tuned!


Highlights From the QCALL ESR Conference 2019

Now that the dust has been settled from our first QCALL ESR conference and everyone is back to their own works and projects, it’s time to wrap up and process the highlights of this fantastic event.

The conference was held at a beautiful and tranquil seaside hotel in Mondello, south Italy. While the UK was already prepared to enter into the cool autumn in September, Sicily still enjoyed the pleasant sunshine and a vibrant summer atmosphere. This conference attracted about 50 participants from different countries, including PhDs, postdoc researchers and engineers from the industry.

It featured a diverse array of research on quantum communication, with 5 well-known invited speakers and 26 contributed speakers introducing their latest research works. The five plenary sessions covered topics ranging from entanglement-based QComms and quantum repeaters to implementation security of QKD, satellite QKD, as well as component technologies such as quantum random number generators and detectors, etc. There was also a poster session on Monday afternoon. It was a wonderful opportunity for learning, networking and collaboration.

1 23 4

Another highlight was the industry session which featured talks from five companies working in quantum communication area: Ryan Parker (BT), Helmut Griesser (ADVA), John Prisco (Quantum XChange), Andrew Shields (Toshiba Research Europe Ltd) and Felix Bussieres (ID Quantique SA). Their talks incited a better perspective on how the field is expanding outside academia. During the followed-up panel session, lots of interesting and more practical questions were asked to our speakers, offering insights and advices to those who are planning on transforming from academia to industry in their future.

5 6

The social highlight of the week was an excursion at the Natural Reserve “Lo Zingaro” which boasts a gorgeous stretch of unspoilt coastline, crystal blue waters and the mountain chain. It’s a lovely spot for hiking and then diving into the water. That night, we had the Gala dinner at the spectacular  waterfront restaurant “Alle Terrazze”, with its panoramic view and the company of bright moonlight. Lots of time to talk and share ideas!

7 8

Many thanks to the organising committee (Innocenzo De Marco, Mirko Pittaluga, Andrew Shields, Mohsen Razavi) for arranging such an amazing event. We really enjoyed it!

Looking forward to our QCALL Final Network Symposium in Paris in 2020!


Story of the month: Chip-based technologies for Quantum Communications

The need for Quantum Communications

The rise of quantum computers will break public key cryptography and consequently render obsolete existing secure communication infrastructures our modern society relies upon. This imminent threat prompts development of new counter technologies, and one of the most promising candidates is quantum communication. Quantum physics provides the ideal background to work with, due to the inherent uncertainty of quantum properties. Such uncertainty is crucial to generate randomness, which is the main ingredient of secure communications.

Quantum Key Distribution

Quantum Key Distribution (QKD) is one of the several ideas which exploit quantum randomness. Generating an encryption key, shared between two parties and unknown to any attackers, is the goal of the different QKD protocols. The security of the generated key is guaranteed by the laws of quantum physics: an eavesdropper can not do better than just guess the encryption key, no matter their computational power.

The BB84 protocol was the very first QKD protocol, introducing for the first time the idea of using the quantum states of photons to distribute a key between two parties. After that, a myriad of new protocols were proposed, each with their own advantages and disadvantages. The underlying concept, however, remains unchanged: one of the two parties, Alice, sends the other, Bob, a random sequence of bits encoded in a quantum property of a train of photons (polarisation, phase, time); an eavesdropper intercepting the signal inevitably disturbs the quantum state and, consequently, introduces noise at the receiving end that will highlight the presence of eavesdropping.

Since that first proposal in 1984, QKD has attracted a great deal of interest in the scientific community. Its experimental implementations have improved substantially: the communication distance has risen from a mere 32cm in free space in the very first QKD experiment, to 421km of optical fibre in a recent demonstration. This impressive distance can even be extended much further with the newly discovered TF-QKD protocol (which will be covered in the next story of the month).

QKD has gained popularity outside academia as well, with companies like QCALL partners Toshiba and ID Quantique developing their own QKD systems.

QKD Systems
QKD systems developed by Toshiba (left) and ID Quantique (right).

Chip-based QKD

Large-scale deployment of QKD systems is yet to become a reality. One of the obstacles is that existing QKD equipment is space and power consuming, and very expensive.

To mitigate these constraints and ease the QKD path to market, it is necessary to miniaturise and mass-produce the QKD devices. This is the main focus of QCALL project #1, aiming at the development of integrated photonic devices for Quantum Communications.

Integrated Photonics

Photonic Integrated Circuits (PICs) are already a widespread technology in classical communications. They have the capability of embedding a plethora of optical components on a very small form factor device.

An InP chip with lasers, modulators and output waveguides. Such elements integrated on a chip sit on the top of a fingertip, whereas they would result in a 40 to 50 times bigger setup using ordinary components.

In addition to this, mass production of photonic chips is significantly cheaper than assembling from discreet, bulky components, thanks to generic integration technology and multi-project wafers: like with electronic printed circuit boards, the foundries release a set of basic building blocks, which their clients will assemble to make their own circuits. This way, all components can be grown and processed on a wafer monolithically, i.e. in a single run: this allows for multiple circuits to be implemented at the same time, drastically lowering development and production costs for both the foundry and their clients.

Chip-based quantum communications

Integrated photonics seems the natural choice for nxet’generation Quantum Communications devices since their performance is well established in classical communications.

Among the building blocks needed for a QKD transmitter, there are lasers, waveguide couplers, phase modulators and photodiodes. All these can easily be implemented on a chip, and indeed there are several examples of chip-based devices implementing QKD protocols.

Our goal at Toshiba is to make smaller, cheaper and more efficient QKD devices based on photonic integration.

Chip-based quantum communications at Toshiba

Chip-based Quantum Random Number Generator

In order to correctly implement any QKD protocol, a prerequisite is that the initial bit sequence, sent from Alice to Bob, has to be truly random, otherwise an eavesdropper could exploit correlations among the bits to guess the bit sequence.

Generating true randomness is difficult and even fundamentally impossible by only classical means. The deterministic laws of electrodynamics always deliver a predictable outcome, in principle. However, the outcome becomes different in quantum physics. In our Quantum Random Number Generator (QRNG), we generate pulses from two independent laser and have them interfere on a beam splitter. The spontaneous emission process triggering the lasing action is of quantum nature. This guarantees that the phase of the optical pulses emitted by the lasers is inherently random. Hence, when the two pulses interfere, their interference amplitude is not predictable and we can use it to extract random numbers.

Layout of our Quantum Random Number Generator chip
Layout of our Quantum Random Number Generator chip. DC: Direct Current; RF: Radio Frequency; VOA: Variable Optical Attenuator; MMI: Multi-Mode Interferometer; PD: Photodiode.

The novelty of our QRNG, as shown in this JOSA B paper, is in its plug-and-play format: as soon as it is assembled, it is ready to be used. All the optical components (the two lasers and a photodiode to detect the interfering pulses) are embedded onto a 6x2mm photonic chip, which is then connected to bespoke electronics. This is composed of an analog-to-digital converter reading the analog signal of the photodiode, and an FPGA that will post-process the data by removing any remaining information that an adversary can use. As an additional check, we ran the NIST test suite on subsets of our generated numbers, and observed that they passed all 17 tests. The output string of random numbers can then be used as input for the QKD modules.

A modulator-free quantum key distribution transmitter chip

The random key obtained from the QRNG is fed into a QKD transmitter. The transmitter chip developed by Toshiba removes the need for power-hungry phase modulators by the use of  Master-Slave paired lasers. The information is encoded in the phase difference between pulses from the Slave laser, and can then be decoded by a receiving interferometer.

The working principle of the transmitter is based on combining the well-known phenomena of direct phase modulation and optical injection locking, both techniques already in use in classical optical communications. The idea of combining them for Quantum Communications was first introduced by Toshiba in 2016.

Direct phase modulation, as the name suggests, exploits the fact that the phase of a laser’s output is directly related to its driving signal: modulating such electrical current allows direct control over the phase of light emitted by a laser.

Direct phase modulation
Direct phase modulation

Optical injection locking is a phenomenon where one laser, namely the Master, injects light into a second, Slave, laser. This will cause the light from the Master to trigger emission from the Slave laser: light emitted from the Slave will then be “locked” to the same properties, in particular the same phase, as the injected light.

Optical Injection Locking
Optical Injection Locking

Combining these two techniques, we can then generate pulses from the Slave laser that will feature the phase we want to encode by modulating the Master.

Modulation for the DPS (left) and BB84 (right) protocols
Modulation for the DPS (left) and BB84 (right) protocols

This removes the need for phase modulators, which are extremely power consuming, while still allowing us to encode all the relevant information in our photons.

Implementing this setup into a photonic chip results in a versatile, compact QKD transmitter. Our QKD chip was tested in an experiment that is described in this npj Quantum Information paper.

QKD Chip
Layout of the Toshiba QKD transmitter. DFB: Distributed Feed-Back laser; MMI: Multi-Mode Interferometer; TOPS: Thermo-Optical Phase Shifter; VOA: Variable Optical Attenuator; PD: Photodiode; SSC: Spot-Size Converter;

The simple layout of our device allows us to achieve results in line with state-of-the-art bulk implementations for both the BB84 and the DPS protocol.

Results QKD chip
Performance of our QKD chip for the DPS (left) and BB84 (right) protocols. The blue lines represent QBER, the green lines represent the raw counts from the detectors, the red lines represent the secure key rates. The fibre length assumes an equivalent loss of 0.2 dB/km. The yellow markers indicate points obtained on a real fibre link.

This shows that our devices are suitable for being implemented into QKD systems. The small form factor and the lower cost associated with the generic integration process, combined with the lack of phase modulators, make our QKD chips a candidate for large-scale implementation of Quantum Communication systems.