Category Archives: Spotlight article

Story of the month: Quantum key distribution over quantum repeaters with encoding

If we claim the Internet as the greatest invention of the 20th century, which has revolutionized how we communicate every day and turned our lives upside down, today’s stage certainly belongs to quantum Internet, which would deeply change our way of thinking as well. Quantum networks lay the cornerstone of quantum communication and quantum computation systems. Similar to classical networks, it allows for the transmission of quantum information between physically separated quantum processors. An enabling technology for future quantum networks is that of quantum repeaters (QRs).

What is quantum repeater

The direct distribution of quantum states is limited by transmission losses of the channel (usually the optical fiber or free-space, the same as classical world) used. Even under certain optimistic assumptions for the technology evolution, the achievable distances are limited to a few hundred kilometers. Unlike in classical world, where amplifiers can be deployed to boost or regenerate the signals, here, this idea fails due to the fact that quantum states cannot be copied or “amplified” without any disturbance, known as the no-cloning theorem.

QRs were initially proposed to enable quantum information distribution at long distances, relying on the pillar of the quantum palace—entanglement. Using teleportation techniques, one can then send quantum information across the network once some entanglement is shared between users. The main idea behind it is to first distribute and store entanglement between short segments and then to use entanglement swapping (ES) and entanglement distillation (ED) at intermediate stations to establish entanglement over long distances.

Fig. 1: Schematic representation of quantum repeaters.
Fig. 1: Schematic representation of quantum repeaters.

The pioneering works

Theoretically speaking, QRs have gone through a number of development stages. Based on how ES and ED operations are performed, most of them fall into two categories: the probabilistic ones and the deterministic ones. The probabilistic QRs use photonic systems for both distribution and swapping of entanglement. Due to its inherent fragility against loss, after each operation, we have to wait for either good news so that we can move on to the next step or bad news that we have to repeat another trial until succeed, both of which rely on two-way classical communication. You can imagine how this back-and-forth will result in a long coherence time and a low generation rate. However, despite those disadvantages, probabilistic QRs are perhaps the simplest setups that can be implemented in practice. The pioneering work of this type is developed by Duan, Lukin, Cirac and Zoller in 2001, known as DLCZ, where they used atomic ensembles and linear optics to achieve the goal.

Actually, when the concept of QRs was originally introduced by Briegel, Dür, Cirac and Zoller (BDCZ) in 1998, ES and ED operations were designed in a deterministic, but possibly erroneous gate-based way, where they proposed a nested purification protocol to permit efficient quantum communication over distances longer than the attenuation length. However, their model is still based on two-way classical communication for the confirmation of each attempt, which, in effect, turns a deterministic setup to a probabilistic one, suffering similar drawbacks mentioned above.

Quantum repeaters with encoding

The most recent QR proposals totally eliminate the necessities of two-way classical signaling and only use quantum error correction (QEC) to copy with loss and operational errors. They enable us to directly send quantum states across a communication channel hop-by-hop. The key idea resembles the one used in classical communications network, in which message bits are encoded with some redundancy such that at the receiver the original message can be retrieved. Such structures offer an improvement in quantum data rate at the price of requiring much more demanding quantum computational capabilities, which will be further away in terms of an experimental demonstration.

Fig. 2: Schematic representation of the direct transmission of quantum information using encoding.
Fig. 2: Schematic representation of the direct transmission of quantum information using encoding.

What I am working on

In the spirit of having an eye on near-future implementations, my focus is on the transition from probabilistic QRs to deterministic QRs that use quantum error correction techniques only for their ED operations, while entanglement over short links is still established in a probabilistic and heralding way. In such QRs, using a number of bipartite entangled states (yellow lines in Fig. 3(a)), we create a multi-qubit entangled codeword across elementary links (yellow shade in Fig. 3(b)). As we apply the ES operations, this codeword structure will then allow us to correct some of the errors that happen because of imperfections in the employed gates, measurement modules, and/or the initially distributed bipartite states.

Fig. 3: Schematic representation of quantum repeaters with encoding.
Fig. 3: Schematic representation of quantum repeaters with encoding.

In principle, one can choose different code structures to implement such systems. Here, we use the repetition codes to study and develop our methodology. They offer a simple structure, which can make their implementation easier, and still have relevance in systems where one type of error is more dominant than the other. We develop reliable tools which relies on the linearity of the quantum circuits and the transversality of the code employed to manage the complexity of the analysis. Previous work on this subject often relies on various approximations to analyze the system. Here, we try to remain as close as we can to the exact results and only use approximations that are analytically justified and numerically verified. This accurate approach shows that such systems are more resilient to errors than previously thought, which can make their near-future implementation more viable.

Using our methodology, we study the performance of QKD systems run over QRs with three- and five-qubit repetition codes by accounting for various sources of error in the setup. We fully study the effect of different terms, components, and system imperfections on the secret key generation rate of the QKD system, and how one can use the information obtained during entanglement swapping and decoding stages to maximize the rate. We show that, so long as QKD is concerned, error detection features of the code may be even more relevant than its error correction functionalities. We find that the majority of secret key bits come from the portion of the data that corresponds to no detected errors in either the repeater chain or decoder modules (we call it the golden state in Fig. 4).

Fig. 4: Secret fraction as a function of different error parameters.
Fig. 4: Secret fraction as a function of different error parameters.

We further expand our study by proposing two alternative decoder structures that only rely on single-qubit measurements, which not only simplifies the implementation aspects but also, by removing the major source of error from decoding circuits, results in better performance in many practical scenarios. We benchmark the performance of the QKD system that runs on this type of QRs with probabilistic QRs which do not necessarily use any additional distillation techniques, and quantify the regimes of operation, where one class of repeater outperforms the other. We find that for most practical purposes, the simple three-qubit system is our best choice.

Our analysis suggests that extending the reach of trust-free terrestrial QKD links to 1000km is within reach in the near future. If you would like to know more details, click here!

Story of the month: Quantum key distribution – from theory to practice

In a world of exciting technological possibilities, among the most significant are those enabled by quantum physics. Quantum physics is the theory of the microscopic world, it describes particles, atoms and molecules, and it is the underlying foundation of the digital age. For instance, it is thanks to this field of research that we have transistors on which today’s mobile phones and computers are based, and lasers that are used in precision manufacturing. So far, almost all the technologies have exploited quantum physics only indirectly, and now, scientists are moving beyond it; they are working on directly controlling it to build new technologies. These technologies are set to have a profound impact on our society and economy by achieving things that are impossible or unthinkable with the current technologies. For example, they promise ultimately secure communications, ultrafast computation, precise sensing, precise timing information, and so forth.

Quantum communication is one of the most mature branches of quantum technologies, and it has the potential to completely change the field of cryptography. Cryptography is an indispensable technology in many applications where we require information security, such as financial transactions and the transmission of data containing sensitive personal information. Unfortunately, the current cryptographic systems are vulnerable to hacking because their security relies on the difficulty of solving certain mathematical problems, such as the prime factorisation of very large numbers. Problematically, this difficulty is not scientifically proven, it is merely assumed. This means that rapid technological advances or the arrival of new algorithms, including the construction of a large-scale quantum computer and the development of artificial intelligence, can completely compromise the security of our communications. At the moment, these technologies might sound like science fiction and give the impression that they will only become available in a very distant future. Nonetheless, experts estimate that by late 2030’s, there will be quantum computers capable of breaking today’s secure communications. In fact, intelligence agencies are already storing vast amounts of encrypted data in the hope that, in the future, they will be able to decrypt it and access important secret information. Therefore, the time to act is now. We have a unique opportunity to update our current communications systems before it’s too late.

Quantum key distribution

Fortunately, and in contrast to conventional cryptography, quantum cryptography, or more specifically, quantum key distribution (QKD) promises to achieve unconditional security in data communication based on the laws of physics. More specifically, the security of QKD is based on the fact that it is not possible to copy the state of a quantum particle nor learn information about it without modifying it. Thus, information encoded in the state of a quantum particle, such as a photon of light, can be guaranteed to not have been observed if it arrives unperturbed from the sender to the receiver. What’s more, the message transmitted will keep being secret forever irrespectively of the computational power and technologies that a hacker might possess in the future. Thus, QKD offers the strongest possible notion of security, and it often referred to as the Holy Grail of secure communications. In the last two decades, this field has developed significantly; now commercial QKD systems are available and QKD networks, including satellite-based QKD, have been deployed around the world. These tremendous achievements clearly demonstrate the potential of QKD to become a global technology.

If a hacker tries to eavesdrop on the communication channel, the state of the photons will be inevitably altered, causing transmission errors that signal her/his presence to the users.

Nonetheless, before QKD is widely adopted for securing our communications across the world there are a number of open challenges that need to be addressed. Some of these involve technical aspects, such as increasing the communication distance between users, improving the secure communication rate and reducing the costs of practical implementations. On the theoretical front, the most important challenge is to establish implementation security rather than the theoretical security. In theory, QKD has been mathematically shown to be unconditionally secure against any possible hacking attack. In doing so, security proofs typically assume idealised device models that have no noise or imperfections. Unfortunately, in practice, such idealised devices are not available, and by exploiting discrepancies between the properties of ideal devices and those of practical devices hacking may be possible, compromising the security of QKD. In fact, several hacking attacks have been performed on experimental and commercial QKD systems, and they have succeeded. Therefore, to recover the unconditional security offered by QKD, it is crucial to develop security proofs that take into account device imperfections.

Usually, in a QKD protocol, there is a sending device that a sender uses to transmit secret information encoded in the states of photons, and a measurement device, which is possessed by the receiver to receive information. To remove the discrepancy between the idealised and practical devices and guarantee the security of this information, we need to develop better mathematical models that portray the real behaviour of the sending and measurement devices. By doing so, a practical implementation of this protocol is guaranteed to be secure even in the presence of imperfections, as long as they are sufficiently small. An important breakthrough in this direction was the introduction of measurement-device-independent (MDI) QKD. This is a QKD protocol that can offer perfect security even with arbitrarily flawed and completely untrusted detectors. In other words, we no longer need to take into account the imperfections of the measurement devices. Moreover, a variant of this protocol, called twin-field QKD, has been proposed recently, significantly improving its secure communication rate over long distances. Therefore, the missing step towards achieving implementation security is to secure the sending device. During my PhD, I have investigated and contributed to this issue, with the objective of achieving implementation security of QKD.

Securing the sending device

The most common imperfections in the sending device are state preparation flaws (SPFs), leakages of secret information from the user’s devices and correlations between the emitted light pulses. SPFs occur because real devices have a finite precision, hence the information encoded in the states of photons is slightly different from the information the sender wished to transmit. Also, leakages of information happen due to hacking attacks unknown to the users, or due to distortions in the emitted light pulses that depend on the information encoded. Finally, correlations between pulses take place because real devices hold in memory the secret information previously encoded, and inadvertently this information is passed on to the subsequent signals. All these imperfections open the door for a hacker to learn some secret information without being detected by the users.

Source imperfections allow a hacker to learn some secret information without altering the state of the photons, thus compromising the security of the QKD scheme.

Earlier attempts to incorporate source imperfections in security proofs of QKD have often resulted in very low secure communication rates. Recently, however, a loss-tolerant (LT) protocol was proposed, making QKD resistant to SPFs. That is, even when the encoding of the light pulses deviates significantly from the desired one, the secure communication rate is almost the same. Unfortunately, the LT protocol relies on the unrealistic assumption that there are no leakages of information from the users’ devices nor pulse correlations, which is hard to guarantee in practical implementations of QKD.

In a work that I developed with my colleagues, we proposed a formalism to make the LT protocol more general by incorporating information leakages from the user’s devices. In simple terms, we divided the emitted light pulses into a part that resembles perfect pulses emitted from idealised devices and another part that accounts for all the imperfections arising from using the actual devices. This allowed us to prove the security of QKD in the presence of multiple source imperfections.

The last step to secure the source is then to consider correlations between the emitted signals. To model such imperfection mathematically was believed to be the very hard because we need to deal with many pulses rather than a single pulse, which increases the complexity of the problem. For this reason, this imperfection has often been disregarded. Recently, we were able to develop a simple framework to incorporate this imperfection in security proofs of QKD. The key idea is to mathematically model the information encoded in the subsequent pulses as leakage of information. By doing so, we have been able to prove the security of QKD in the presence of pulse correlations between arbitrarily distant pulses. Importantly, this framework is compatible with the formalism that we created to deal with all the other imperfections.

Nonetheless, considering all these imperfections simultaneously inevitably reduces the secure communication rate of QKD. To counteract this effect, we have also proposed a new technique to prove the security of QKD that is more resilient to source imperfections. The main idea is to consider some reference states that are similar to the actual states, and use them as an intermediate step to prove the security of the actual protocol. Interestingly, the reference technique can reproduce previous analyses that deal with source imperfections, including our generalised LT protocol. However, its most striking feature is the easiness to incorporate source imperfections without severely compromising the secure communication rate of QKD.

As mentioned above, to achieve implementation security of QKD we need to take into account all imperfections in the sending and measurement devices. Fortunately, this can now be achieved by employing the security techniques we developed to deal with source imperfections together with an MDI-type QKD protocol, that assumes arbitrarily flawed detectors. In our latest work, using these ideas we have proposed a new protocol that is secure in the presence of any device imperfection. The only requirement is the characterisation of a single parameter that describes the quality of the source. Our protocol is the first QKD scheme proven to be secure in practical implementations. Notwithstanding, there are still theoretical and experimental challenges to finally establish implementation security. For instance, how to experimentally describe the quality of the sending device by a single parameter is still an open question. Moreover further improvements are needed in order to obtain higher secure communication rates and longer communication distances. Importantly, however, we now have a clear path for proving the security of QKD with arbitrarily flawed devices.

Story of the Month: Experimental Twin Field Quantum Key Distribution

The importance of secure digital communications

One aspect of everyday life that has been revolutionised the most in modern times is our ability to communicate easily and nearly instantaneously from and to almost any part of the world. Listing all the aspects of life that have been affected by this revolution woul

d be a challenging task. But, just to mention a few, think about how we communicate with our friends and loved ones, on how we access financial services (ATMs, chip-based credit cards, online bank accounts), and about how we communicate in the work place (emails or direct messaging systems). In all these cases, digital communications have deeply changed the way we behave.

Fig. 1: Expected number of connected devices to the Internet. This chart is obtained from recent reports developed by both Cisco and Ericsson. Figure taken form this article.

A good way to assess our increasing dependence on digital communication tools is by looking at the increase in the number of internet connected devices over the recent years (Fig. 1). Their number has increased dramatically over the last decade, reaching tens of billions.

As for any new technology, these new means of communication

generate new problems and risks. Among the most critical is the difficulty of keeping our digital communications private and confidential. Security is a crucial requirement for many of our communications. And it is for this reasons that over the past 60 years a lot of effort has been put into the development of cryptography, i.e. the set of techniques that allow us to transmit and store information securely. It is thanks to cryptography that nowadays we can have private digital communications.

What is Quantum Key Distribution and why do we need it

Most of today’s digital communications are protected by public-key cryptographic schemes. The security of these is based upon two assumptions: there are certain mathematical problems that are very difficult (or almost impossible) to solve with (1) current day technology and (2) mathematical knowledge. These two assumptions looked extremely strong in late ’70s when public-key cryptography was first introduced, but unfortunately today this is no longer the case. In the mid-90’s it was demonstrated that, among other far-reaching capabilities, a powerful enough quantum computer could easily break the security of the currently deployed public-key cryptography schemes. This is a daunting prospect for the security

of our digital communications, especially given the recent impressive progress towards the construction of quantum computers.

The need for an alternative to the present cryptographic standards stimulated the research for a different approach to cryptography. One possible solution for this problem has been found in Quantum Key Distribution (QKD). The most interesting aspect of QKD is that its security is based upon a very different set of assumptions: the correctness of the law of physics (particularly quantum physics), and on the unflawed physical implementation of the devices used to set up the secure communication. There is a notable advantage with this approach: while advances in technology and limits to the mathematical knowledge are not under our control, the security of QKD is based upon something we have a more direct control of.

Limitations associated to QKD: cost, security and distance

Since its conception in 1984, the research around QKD advanced considerably, and reached remarkable results. We are now at a stage where this technology is practical enough to be implementable in real world scenarios and companies that sell ready-to-use QKD devices to the general public already exist.

Despite the recent progress in QKD development, a few limitations

associated with its implementation remain. The most relevant of which are:

  1. the requirement of specifically designed hardware to perform QKD;
  2. the cost of this hardware;
  3. the security associated with its physical implementation;
  4. the limited distance at which QKD operate run successfully.

Points 1 and 2 can probably be considered technical limitations. There is a lot of research addressing these issues, and much of it focuses on the miniaturisation of QKD devices into small form factors, compatible with scalable fabrication techniques and suitable for mass production. For more information on this argument, see the post by my colleague and fellow QCALL member, Innocenzo De Marco.

Points 3 and 4 are instead of a more fundamental nature.

The security of any QKD implementation relies on a perfect match between the theoretical model describing the system and its physical implementation. Therefore, in order to guarantee the perfect security of a system, two approaches are possible:

  • One is to develop theoretical models that consider all the possible experimental flaws (see the work of my fellow QCALL member Margarida Pereira to get an insight on this type of research).
  • The other one is to remove all the implementation flaws from the QKD device.

One of the most effective ways to implement this second approach happen to be the removal of the detectors from within the secure perimeter of the QKD system. This is the strategy used in Measurement Device Independent (or MDI) QKD protocols. These

types of protocol are considered more secure than the other QKD protocols because they are less prone to implementation security issues.

Fig. 2: Key rate obtained in state of the art QKD experiments, over channel loss. All the points in the graph lie below the thick blue line which is the PLOB bound.

The fourth and final limiting factor of QKD is the maximum distance at which it can operate successfully. This is fundamentally limited by the information carriers used in QKD, which are (in the ideal case) single photons. It can be proved that with the current technology there is a fundamental limit on the maximum key rate that is achievable over a certain channel loss. This limit is often referred as the repeaterless secret key capacity bound (or PLOB bound, from the name of the researchers that discovered it) and scales linearly with the channel loss (Fig. 2). In practice, the maximum distance covered by QKD communications reaches only a few hundreds of kilometres.

The focus of my research is demonstrating that it is possible to increase the maximum attenuation at which QKD can be performed, while maintaining the highest standard of security by removing the detectors from the secure perimeter of the setup.

Twin Field QKD: protocol concepts and advantages

Fig 3:  Simple schematic of the setup for TF-QKD.  Inspired by figure in this article.

At the beginning of 2018 a group of researchers at Toshiba Research

Europe Ltd. published a paper that introduced a novel QKD protocol called Twin Field QKD (or simply TF-QKD). The protocol has several interesting features, the most remarkable of which is that it introduces a viable way to overcome the PLOB bound with currently available technology. This result is very relevant from a practical point of view because it means that there is now a way to extend the maximum transmission distance achievable by QKD.

This result is possible thanks to a different way of encoding and retrieving the information in the quantum carriers used for the protocol. In TF-QKD the information is encoded in the phase of the optical pulses prepared by the two users that want to establish the secure communication, and the secret key is retrieved via a single photon interference measurement made by a user in the middle (see the simple schematic in Fig. 3). Another interesting aspect of TF-QKD is that it is also Measurement Device Independent, which means that it meets the strictest standards of security.

The advantages associated with this new encoding and detection strategy come at a price: TF-QKD introduces a series of new challenges that have to be faced for its implementation. The most difficult of which are:

  1. The generation of twin optical fields from two space-separated laser sources;
  2. The stabilisation of the channel used during the communication. This has to be stabilised to a new level of precision compared to other QKD protocols.

TF-QKD implementation

Fig. 4: Proof of principle TF-QKD experimental setup. Image courtesy of Mariella Minder.

The focus of my research within the QCALL network, has been to demonstrate the experimental feasibility of the TF-QKD protocol. For this purpose, together with my colleagues at Toshiba Research Europe Ltd., I developed the first TF-QKD setup, and proved that the protocol can indeed be used to overcome the PLOB bound.

The setup used for this task is shown in Fig. 4. It is important to notice that in this proof-of-principle experiment we simulated the channel attenuation associated with a long communication channel by means of Variable Optical Attenuators (VOAs, optical devices that set a chosen attenuation over an optical channel). This enabled us to execute the experiment at extremely high channel attenuations, without having to worry too much about the phase fluctuations that would have been introduced by long optical fibers.

The elements of novelty in this setup, compared to other QKD implementations, are the frequency distribution system (represented by the brighter purple box in Fig 4), and the system used for phase stabilisation. More information on these are given below.

The frequency distribution system: Optical Phase-Locked Loop
Schematic of the OPLL setup.
Fig. 5: Schematic of the OPLL setup.

A technique developed in classical optical communications was borrowed for the optical frequency distribution. With this technique, called Optical Phase Locked Loop (or OPLL), it is possible to force two lasers to emit at the same optical frequency. This is done by locking the interference beating between two lasers to a target frequency through a PID controller connected to an actuator. See Fig. 5 for a more detailed schematic of the OPLL implementation in our setup.

The quantum channel stabilisation

Since in TF-QKD the information that the users want to communicate is associated to the phase of optical that they prepare, it is fundamental to keep track of the phase fluctuations between the two users. In this experiment we have accomplished this by stabilizing the phase of the quantum channel to a fixed and known value. To achieve this, some reference pulses were interleaved into the phase encoded pattern, and a phase feedback system was developed. The phase feedback system was composed of a PID controller and a phase modulator.

Results and outlook

With this setup we were able to execute TF-QKD at different channel attenuations.  We performed the protocol at several attenuation levels, spaced roughly by 10 dB, and extracted a secret key that could be used for a secure digital communication. The results of this experiment are shown in Fig. 6 (the points in the plot), alongside the simulation curves. Our experimental results align very well with the values predicted by the simulations.

After its introduction, a lot of interest arose around TF-QKD, and several protocol variants have been proposed since then. The different colours for the points in Fig. 6 represent different TF-QKD protocol variants tested with this experiment. Our experimental setup had the flexibility to implement 3 variants in total: the original TF-QKD protocol (in red in the graph), the Send-Not-Send TF-QKD protocol (blue points in the graph), and the CAL TF-QKD protocol (yellow point in the graph).

It is remarkable that for all these protocols we managed to obtain a positive key rate above the PLOB bound, overcoming experimentally the repeaterless secret capacity bound for the first time ever. We also note that for the original and the SNS protocols we achieved a positive key rate at unprecedentedly high channel attenuations, that would be equivalent to the losses introduced by more than 500 km of ultra-low loss fiber.

Fig 6: Key rate generated by our TF-QKD system art different attenuations, for various TF-QKD variants.

This experiment was the first demonstration of the feasibility of the TF-QKD protocol, and the first experimental evidence that it is possible to overcome the secret key capacity bound with current day technology. This experiment can be considered the first realisation of an effective quantum repeater, as suggested by a recent review on the advances in quantum cryptography.

Mirko Pittaluga

Story of the Month: Quantum Conferencing

Federico works on theoretical progress in multi-party quantum key distribution, also known as quantum conferencing. Have you ever heard about it?

Your data is under threat

In recent times people, as well as institutions, companies and governments, are increasingly concerned about the privacy of their data and are constantly looking for better ways to keep it safe.

One of the instances in which private data becomes vulnerable is when it is transmitted from one party to another one (e.g. a bank and its customer, the secret services and the government,  etc.). In order to keep the data safe, the sender encrypts the data with a secret key -the encryption key- that he/she shares with the receiver, prior to transferring it. The receiver then decrypts the data using the same secret key. A potential eavesdropper cannot learn the data without the encryption key. Hence, the data is secure as far as the key shared by the sender and the receiver through a cryptographic scheme is secret.

Classical Cryptography

Nowadays, the standard cryptographic schemes in use are referred to by quantum physicists in my field as “classical cryptography“. The security of such schemes relies on assumptions on the adversary’s computational capabilities , thus being vulnerable to retroactive attacks. In other words, an adversary could intercept and store the data encrypted by a classical crypto scheme, waiting to have sufficient computational power to decipher it. The recent developments of quantum computers, which promise unprecedented computational power, further increase the vulnerability of classical cryptography.

Quantum key distribution is the cure

QKD scheme

Quantum theory, despite being a threat to current cryptographic schemes, also provides a solution. Indeed,  the mentioned security concerns and the prospect of commercialization boosted major advancements in the field of quantum cryptography and particularly in quantum key distribution (QKD).

A QKD protocol enables two parties, Alice and Bob, to generate a shared secret key by sending quantum systems (typically photons of light) through a quantum channel that can be under the control of the eavesdropper (Eve), and by measuring the systems upon reception. Alice and Bob are also equipped with an authenticated public channel, e.g. a phone call wiretapped by Eve.

By relying on intrinsic properties of quantum theory, QKD can be unconditionally secure regardless of the eavesdropper’s computational capabilities, unlike classical cryptography. This remarkable feature of QKD allows for ever-lasting secure communication and attracted the attention of companies, private institutions and governments.

QKD has been successfully implemented over 400 km of optical fibers and over 1000 km of satellite-to-ground links, and has already reached the market with companies like Toshiba and ID Quantique.

What makes QKD secure?

The unconditional security offered by QKD is based on distinctive quantum features, such as entanglement. When two or more quantum systems are entangled, their properties are strongly interconnected. Indeed, measuring a property on one quantum system immediately determines the measurement outcome of the same property on the other systems. This fact can be used to generate correlated outcomes when different parties perform the same measurement on their entangled quantum systems. The correlated outcomes can then be used as a shared key.

monogamy of entanglement

The key generated in this way is secret thanks to the monogamy of entanglement. According to this peculiar feature of entanglement, if two parties are strongly entangled, a third party shares little entanglement with them. The entangled parties can thus obtain a shared key with their highly correlated measurement outcomes while being sure that the third party -a potential eavesdropper- has little information about it.

Quantum conferencing


The task of QKD can be generalized to more than two parties through a conference key agreement (CKA), where the goal is the establishment of a shared secret key -a conference key– among several parties. The conference key can then be used by one party to securely broadcast a message to the remaining parties.

The CKA could be trivially realized by performing bipartite QKD schemes between pairs of parties and using the established keys to distribute the conference key. Alternatively, one can exploit the correlations arising in multi-partite entangled states and devise a CKA protocol which directly outputs a secret conference key. Such truly multi-partite schemes are a natural application of quantum networks and have been proven to be advantageous in certain network configurations and noise regimes. In this post we focus on the latter type of CKA (the first review on this research topic [“Quantum Conference Key Agreement: A Review”, Murta, Grasselli, Kampermann and Bruss, 2020] is going to be published shortly).

The multiparty BB84 protocol

The BB84 protocol, devised by Bennett and Brassard in 1984, is the first and arguably the most famous of all the QKD protocols. Due to its simplicity, variants of the protocol have been widely implemented and even commercialized.

In our first work in the QCALL network, we generalized the BB84 protocol to a scenario with an arbitrary number of parties “N” willing to share a conference key, obtaining the so called N-BB84 protocol. Based on our work, an upcoming experimental implementation of a four-party BB84 protocol is about to be published [Proietti, Ho, Grasselli, Barrow, Malik, Fedrizzi, 2020].

The security proof of most QKD protocols is initially performed in a simplistic scenario, i.e. when the parties exchange an infinite number of quantum signals (asymptotic scenario). This is, of course, far from reality but it greatly simplifies the proof and gives indication on the protocol’s real-life performance.


A more realistic security proof with a finite number of signals (finite-key scenario), must consider that the measured data in the execution of the protocol is affected by statistical fluctuations. The challenge is to guarantee unconditional security of the distilled secret key despite the statistical fluctuations affecting the data.

In our work, we proved the security of the N-BB84 protocol and of another existing multiparty protocol (the N-six-state protocol) in the finite-key scenario, when the eavesdropper is allowed to perform the most general attack on the quantum channels (coherent attack). We also compared the performances of the two protocols under realistic conditions and showed that the N-BB84 protocol requires a lower number of protocol rounds to produce a non-null secret key.

Achieving longer distances

TF scheme

Most of the early QKD protocols do not rely on any intermediate relay: the parties taking part to the protocol are connected by a single-piece quantum channel.  Such protocols are often called point-to-point schemes.

In spite of the great distances experimentally achieved by point-to-point QKD protocols (see above), their key rates are fundamentally limited. The key rate “r” of a QKD protocol is given by the number of secret key bits per protocol round (in a round one or more parties send a quantum signal) and its value is typically well below 1. Clearly, in any point-to-point QKD scheme the key rate cannot exceed the probability “t” that the signal sent by Alice reaches Bob.

The problem is that most QKD protocols employ photons as information carriers and the probability “t”of a photon traveling the distance “L” separating Alice from Bob decreases exponentially with “L” ! (see figure) Thus, key rates of point-to-point QKD schemes decrease exponentially with the distance, strongly constraining their long-distance applicability.

A solution to this limitation is provided by the recently-developed twin-field (TF) QKD protocol, initially introduced by our QCALL partners in Toshiba. In TF QKD, Alice and Bob prepare weak coherent pulses corresponding to a random bit they picked and send them to a central untrusted relay. The relay combines the pulses, measures them, and announces the measurement outcome.  Based on the outcome, Bob either flips his bit or does nothing, in order to match it with Alice’s. By repeating this procedure at every round, the parties establish a secret key, which cannot be retrieved by the untrusted relay, even with the information of the measurement outcomes.

Being TF-QKD based on single-photon interference events occurring in the untrusted node,  only one photon out of the two sent by Alice and Bob needs to arrive at the central relay at every round.  Thus, the key rate of TF-QKD scales with the probability that one photon covered half of the total channel length (square root of “t”). This implies a square-root improvement  in the performance over point-to-point QKD protocols, allowing to reach longer distances.

TF-QKD is currently the only experimentally implemented protocol with an improved scaling of the key rate versus the distance, making it the new benchmark for far-distance QKD.

contour_plot 3 decoysintensity fluct

With a first and a second publication in collaboration with our QCALL colleagues in Vigo, we investigated the practical performance of the TF QKD protocol proposed by Curty et al. In particular, we optimized its key rate when the distances separating Alice and Bob from the untrusted node differ and showed that the protocol can achieve good key rates even in extremely asymmetric scenarios. We also showed that the protocol is robust against intensity fluctuations affecting the parties’ lasers (figures above).

W state vs NBB84

Inspired by the TF-QKD protocol, we extended its founding idea to the multiparty scenario. We introduced a CKA where N parties simultaneously establish a conference key by relying again on single-photon interference. The protocol, also called “W state protocol”, presents a remarkable improvement in the key rate-vs-distance compared to its point-to-point couterpart, just like TF-QKD (see figure).

Indeed, in the W state protocol just one photon out of the N photons sent by every party needs to arrive at the central relay, while in point-to-point multiparty protocols like the N-BB84 (and N-six-state), each of the N photons must  be successfully transmitted. We proved the security of the W state protocol  in the finite-key regime and for general attacks.

For the security paranoids

QKD offers an exceptional level of security, provided that the assumptions on the devices used for its implementation are experimentally verified. However, the devices could be affected by imperfections difficult to characterize, or, much worse, they could be forged by the eavesdropper in order to learn the secret key. Therefore, it is challenging to ensure that the assumptions on the implementation of a QKD protocol are met in practice.


Fortunately, device-independent (DI) QKD can guarantee the same level of security independently of the actual functioning of the employed devices. In this framework, the devices used by the parties are modeled as black boxes (i.e. completely uncharacterized) producing an output upon receiving an input from the party. The parties collect a series of outputs (with correspondent inputs) by repeating the same procedure for several rounds, making sure that they are distant enough so that no signal can travel from their device to the other’s device. If the collected data cannot be explained by a local deterministic strategy (for which a third party in the middle instructs the devices on the output to produce), the parties conclude that their data exhibits non-local correlations. This means that it was produced by an entangled state shared by Alice and Bob’s devices. Thanks to the monogamy of entanglement, the secrecy of the parties’ correlated outcomes is restored, guaranteeing that the key distilled from the outputs is secret.

We are currently working on a project which aims at devising new and better-performing device-independent multiparty QKD protocols, in short: DICKA. The fundamental principle on which these protocols are based would be the same, just extended to more than two parties.

If you want to know how this will turn out, stay tuned!