Tag Archives: QKD

Story of the Month: Quantum Conferencing

Federico works on theoretical progress in multi-party quantum key distribution, also known as quantum conferencing. Have you ever heard about it?

Your data is under threat

In recent times people, as well as institutions, companies and governments, are increasingly concerned about the privacy of their data and are constantly looking for better ways to keep it safe.

One of the instances in which private data becomes vulnerable is when it is transmitted from one party to another (e.g. a bank and its customer, the secret services and the government, etc.). In order to keep the data safe, the sender encrypts it, prior to transferring it, with a secret key (the encryption key) that he/she shares with the receiver. The receiver then decrypts the data using the same secret key. A potential eavesdropper cannot learn the data without the encryption key. Hence, the data is secure as long as the key shared by the sender and the receiver through a cryptographic scheme is secret.

Classical Cryptography

Nowadays, the standard cryptographic schemes in use are referred to by quantum physicists in my field as “classical cryptography”. The security of such schemes relies on assumptions about the adversary’s computational capabilities, which makes them vulnerable to retroactive attacks. In other words, an adversary could intercept and store the data encrypted by a classical crypto scheme, waiting to have sufficient computational power to decipher it. The recent developments of quantum computers, which promise unprecedented computational power, further increase the vulnerability of classical cryptography.

Quantum key distribution is the cure

[Figure: QKD scheme]

Quantum theory, despite being a threat to current cryptographic schemes, also provides a solution. Indeed, the mentioned security concerns and the prospect of commercialization boosted major advancements in the field of quantum cryptography and particularly in quantum key distribution (QKD).

A QKD protocol enables two parties, Alice and Bob, to generate a shared secret key by sending quantum systems (typically photons of light) through a quantum channel that can be under the control of the eavesdropper (Eve), and by measuring the systems upon reception. Alice and Bob are also equipped with an authenticated public channel, e.g. a phone call wiretapped by Eve.

By relying on intrinsic properties of quantum theory, QKD can be unconditionally secure regardless of the eavesdropper’s computational capabilities, unlike classical cryptography. This remarkable feature of QKD allows for everlasting secure communication and has attracted the attention of companies, private institutions and governments.

QKD has been successfully implemented over 400 km of optical fibers and over 1000 km of satellite-to-ground links, and has already reached the market with companies like Toshiba and ID Quantique.

What makes QKD secure?

The unconditional security offered by QKD is based on distinctive quantum features, such as entanglement. When two or more quantum systems are entangled, their properties are strongly interconnected. Indeed, measuring a property on one quantum system immediately determines the measurement outcome of the same property on the other systems. This fact can be used to generate correlated outcomes when different parties perform the same measurement on their entangled quantum systems. The correlated outcomes can then be used as a shared key.

[Figure: monogamy of entanglement]

The key generated in this way is secret thanks to the monogamy of entanglement. According to this peculiar feature of entanglement, if two parties are strongly entangled, a third party shares little entanglement with them. The entangled parties can thus obtain a shared key with their highly correlated measurement outcomes while being sure that the third party (a potential eavesdropper) has little information about it.

Quantum conferencing


The task of QKD can be generalized to more than two parties through a conference key agreement (CKA), where the goal is the establishment of a shared secret key (a conference key) among several parties. The conference key can then be used by one party to securely broadcast a message to the remaining parties.

The CKA could be trivially realized by performing bipartite QKD schemes between pairs of parties and using the established keys to distribute the conference key. Alternatively, one can exploit the correlations arising in multi-partite entangled states and devise a CKA protocol which directly outputs a secret conference key. Such truly multi-partite schemes are a natural application of quantum networks and have been proven to be advantageous in certain network configurations and noise regimes. In this post we focus on the latter type of CKA (the first review on this research topic [“Quantum Conference Key Agreement: A Review”, Murta, Grasselli, Kampermann and Bruss, 2020] is going to be published shortly).

The multiparty BB84 protocol

The BB84 protocol, devised by Bennett and Brassard in 1984, is the first and arguably the most famous of all the QKD protocols. Due to its simplicity, variants of the protocol have been widely implemented and even commercialized.

In our first work in the QCALL network, we generalized the BB84 protocol to a scenario with an arbitrary number of parties “N” willing to share a conference key, obtaining the so-called N-BB84 protocol. Based on our work, an upcoming experimental implementation of a four-party BB84 protocol is about to be published [Proietti, Ho, Grasselli, Barrow, Malik, Fedrizzi, 2020].

The security proof of most QKD protocols is initially performed in a simplistic scenario, i.e. when the parties exchange an infinite number of quantum signals (asymptotic scenario). This is, of course, far from reality but it greatly simplifies the proof and gives an indication of the protocol’s real-life performance.


A more realistic security proof with a finite number of signals (finite-key scenario) must consider that the measured data in the execution of the protocol is affected by statistical fluctuations. The challenge is to guarantee unconditional security of the distilled secret key despite the statistical fluctuations affecting the data.

In our work, we proved the security of the N-BB84 protocol and of another existing multiparty protocol (the N-six-state protocol) in the finite-key scenario, when the eavesdropper is allowed to perform the most general attack on the quantum channels (coherent attack). We also compared the performances of the two protocols under realistic conditions and showed that the N-BB84 protocol requires a lower number of protocol rounds to produce a non-null secret key.

Achieving longer distances

[Figure: TF scheme]

Most of the early QKD protocols do not rely on any intermediate relay: the parties taking part in the protocol are connected by a single-piece quantum channel. Such protocols are often called point-to-point schemes.

In spite of the great distances experimentally achieved by point-to-point QKD protocols (see above), their key rates are fundamentally limited. The key rate “r” of a QKD protocol is given by the number of secret key bits per protocol round (in a round one or more parties send a quantum signal) and its value is typically well below 1. Clearly, in any point-to-point QKD scheme the key rate cannot exceed the probability “t” that the signal sent by Alice reaches Bob.

The problem is that most QKD protocols employ photons as information carriers and the probability “t” of a photon traveling the distance “L” separating Alice from Bob decreases exponentially with “L”! (see figure) Thus, key rates of point-to-point QKD schemes decrease exponentially with the distance, strongly constraining their long-distance applicability.

A solution to this limitation is provided by the recently-developed twin-field (TF) QKD protocol, initially introduced by our QCALL partners in Toshiba. In TF QKD, Alice and Bob prepare weak coherent pulses corresponding to a random bit they picked and send them to a central untrusted relay. The relay combines the pulses, measures them, and announces the measurement outcome. Based on the outcome, Bob either flips his bit or does nothing, in order to match it with Alice’s. By repeating this procedure at every round, the parties establish a secret key, which cannot be retrieved by the untrusted relay, even with the information of the measurement outcomes.

Since TF-QKD is based on single-photon interference events occurring in the untrusted node, only one photon out of the two sent by Alice and Bob needs to arrive at the central relay at every round. Thus, the key rate of TF-QKD scales with the probability that one photon covers half of the total channel length (square root of “t”). This implies a square-root improvement in the performance over point-to-point QKD protocols, allowing longer distances to be reached.

TF-QKD is currently the only experimentally implemented protocol with an improved scaling of the key rate versus the distance, making it the new benchmark for far-distance QKD.

[Figures: contour plot; 3 decoys, intensity fluctuations]

With a first and a second publication in collaboration with our QCALL colleagues in Vigo, we investigated the practical performance of the TF QKD protocol proposed by Curty et al. In particular, we optimized its key rate when the distances separating Alice and Bob from the untrusted node differ and showed that the protocol can achieve good key rates even in extremely asymmetric scenarios. We also showed that the protocol is robust against intensity fluctuations affecting the parties’ lasers (figures above).

[Figure: W state vs N-BB84]

Inspired by the TF-QKD protocol, we extended its founding idea to the multiparty scenario. We introduced a CKA where N parties simultaneously establish a conference key by relying again on single-photon interference. The protocol, also called “W state protocol”, presents a remarkable improvement in the key rate-vs-distance compared to its point-to-point counterpart, just like TF-QKD (see figure).

Indeed, in the W state protocol just one photon out of the N photons sent by every party needs to arrive at the central relay, while in point-to-point multiparty protocols like the N-BB84 (and N-six-state), each of the N photons must be successfully transmitted. We proved the security of the W state protocol in the finite-key regime and for general attacks.

For the security paranoids

QKD offers an exceptional level of security, provided that the assumptions on the devices used for its implementation are experimentally verified. However, the devices could be affected by imperfections difficult to characterize, or, much worse, they could be forged by the eavesdropper in order to learn the secret key. Therefore, it is challenging to ensure that the assumptions on the implementation of a QKD protocol are met in practice.


Fortunately, device-independent (DI) QKD can guarantee the same level of security independently of the actual functioning of the employed devices. In this framework, the devices used by the parties are modeled as black boxes (i.e. completely uncharacterized) producing an output upon receiving an input from the party. The parties collect a series of outputs (with corresponding inputs) by repeating the same procedure for several rounds, making sure that they are distant enough so that no signal can travel from their device to the other’s device. If the collected data cannot be explained by a local deterministic strategy (for which a third party in the middle instructs the devices on the output to produce), the parties conclude that their data exhibits non-local correlations. This means that it was produced by an entangled state shared by Alice and Bob’s devices. Thanks to the monogamy of entanglement, the secrecy of the parties’ correlated outcomes is restored, guaranteeing that the key distilled from the outputs is secret.
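The check described above can be made concrete with the standard two-party CHSH test, which this post does not name and which is assumed here. The following Python sketch is an added example, not code from the original post: it enumerates every local deterministic strategy to obtain the classical bound and compares it with data that has the statistics of an entangled pair; the measurement angles, function names and the decision margin are illustrative assumptions.

```python
import itertools
import math
import random

def chsh_value(records):
    """S = E00 + E01 + E10 - E11 computed from (x, y, a, b) records.

    x, y are the parties' inputs and a, b the boxes' outputs (all 0 or 1);
    E_xy is the average of +1 when a == b and -1 otherwise.
    """
    total = {(x, y): 0 for x in (0, 1) for y in (0, 1)}
    count = dict(total)
    for x, y, a, b in records:
        total[x, y] += 1 if a == b else -1
        count[x, y] += 1
    e = {k: total[k] / count[k] for k in total}
    return e[0, 0] + e[0, 1] + e[1, 0] - e[1, 1]

def local_deterministic_bound():
    """Largest |S| over all 16 strategies that fix each output per local input."""
    best = 0.0
    for a0, a1, b0, b1 in itertools.product((0, 1), repeat=4):
        recs = [(x, y, (a0, a1)[x], (b0, b1)[y]) for x in (0, 1) for y in (0, 1)]
        best = max(best, abs(chsh_value(recs)))
    return best

def instructed_devices(n_rounds, seed=0):
    """Constructed data: a third party pre-programs both boxes to output 0."""
    rng = random.Random(seed)
    return [(rng.randrange(2), rng.randrange(2), 0, 0) for _ in range(n_rounds)]

def entangled_devices(n_rounds, seed=0):
    """Constructed data with the statistics of a maximally entangled pair.

    Uses E_xy = cos(alpha_x - beta_y) with a textbook choice of angles
    (an assumption). The sampler sees both inputs, so it reproduces the
    statistics only; real devices must be separated as the post describes.
    """
    rng = random.Random(seed)
    alpha, beta = (0.0, math.pi / 2), (math.pi / 4, -math.pi / 4)
    out = []
    for _ in range(n_rounds):
        x, y = rng.randrange(2), rng.randrange(2)
        p_equal = (1 + math.cos(alpha[x] - beta[y])) / 2
        a = rng.randrange(2)
        b = a if rng.random() < p_equal else 1 - a
        out.append((x, y, a, b))
    return out

def violates_locality(s, margin=0.1):
    """True when S exceeds the local bound by more than an illustrative margin."""
    return abs(s) > local_deterministic_bound() + margin

if __name__ == "__main__":
    print("local bound:", local_deterministic_bound())
    print("instructed :", chsh_value(instructed_devices(40000)))
    print("entangled  :", round(chsh_value(entangled_devices(40000)), 3))
```

A real device-independent protocol replaces the fixed margin with finite-statistics bounds taken from its security proof.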

We are currently working on a project which aims at devising new and better-performing device-independent multiparty QKD protocols, in short: DICKA. The fundamental principle on which these protocols are based would be the same, just extended to more than two parties.

If you want to know how this will turn out, stay tuned!


Story of the month: Chip-based technologies for Quantum Communications

The need for Quantum Communications

The rise of quantum computers will break public key cryptography and consequently render obsolete existing secure communication infrastructures our modern society relies upon. This imminent threat prompts the development of new counter technologies, and one of the most promising candidates is quantum communication. Quantum physics provides the ideal background to work with, due to the inherent uncertainty of quantum properties. Such uncertainty is crucial to generate randomness, which is the main ingredient of secure communications.

Quantum Key Distribution

Quantum Key Distribution (QKD) is one of the several ideas which exploit quantum randomness. Generating an encryption key, shared between two parties and unknown to any attackers, is the goal of the different QKD protocols. The security of the generated key is guaranteed by the laws of quantum physics: an eavesdropper cannot do better than just guess the encryption key, no matter their computational power.

The BB84 protocol was the very first QKD protocol, introducing for the first time the idea of using the quantum states of photons to distribute a key between two parties. After that, a myriad of new protocols were proposed, each with their own advantages and disadvantages. The underlying concept, however, remains unchanged: one of the two parties, Alice, sends the other, Bob, a random sequence of bits encoded in a quantum property of a train of photons (polarisation, phase, time); an eavesdropper intercepting the signal inevitably disturbs the quantum state and, consequently, introduces noise at the receiving end that will highlight the presence of eavesdropping.
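The disturbance argument above can be seen in a small simulation. The following Python sketch is an added example, not code from the original post: it models an ideal, lossless BB84 link with and without the simplest interception strategy (measure in a random basis and resend), then estimates the error rate on a disclosed sample of the sifted key. The function names, the 25% sample fraction and the abort threshold are illustrative assumptions, and a pseudo-random generator stands in for quantum randomness.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Ideal measurement: matching basis returns the bit, otherwise a coin flip."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def sift(n_rounds, eve_present, rng):
    """Run n_rounds and return the (alice_bit, bob_bit) pairs kept after sifting."""
    pairs = []
    for _ in range(n_rounds):
        a_bit, a_basis = rng.randrange(2), rng.randrange(2)
        bit, basis = a_bit, a_basis
        if eve_present:
            e_basis = rng.randrange(2)
            bit = measure(bit, basis, e_basis, rng)  # Eve measures ...
            basis = e_basis                          # ... and resends in her basis
        b_basis = rng.randrange(2)
        b_bit = measure(bit, basis, b_basis, rng)
        if a_basis == b_basis:  # bases are compared over the public channel
            pairs.append((a_bit, b_bit))
    return pairs

def estimate_qber(pairs, sample_fraction, rng):
    """Disclose a random subset of sifted bits; return (error rate, undisclosed pairs)."""
    chosen = set(rng.sample(range(len(pairs)), int(len(pairs) * sample_fraction)))
    disclosed = [pairs[i] for i in chosen]
    kept = [p for i, p in enumerate(pairs) if i not in chosen]
    qber = sum(a != b for a, b in disclosed) / len(disclosed)
    return qber, kept

def run_bb84(n_rounds=20000, eve_present=False, seed=1, abort_above=0.11):
    """Simulate one session; abort_above is an illustrative threshold (assumption)."""
    rng = random.Random(seed)  # simulation only: a PRNG is not a quantum source
    pairs = sift(n_rounds, eve_present, rng)
    qber, kept = estimate_qber(pairs, 0.25, rng)
    return {"qber": qber, "key_bits": len(kept), "abort": qber > abort_above}

if __name__ == "__main__":
    print("no eavesdropper  :", run_bb84(eve_present=False))
    print("intercept-resend :", run_bb84(eve_present=True))
```

In this ideal model the error rate is exactly zero on an untouched channel and close to 25% under interception, so the parties abort before any key is used.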

Since that first proposal in 1984, QKD has attracted a great deal of interest in the scientific community. Its experimental implementations have improved substantially: the communication distance has risen from a mere 32cm in free space in the very first QKD experiment, to 421km of optical fibre in a recent demonstration. This impressive distance can even be extended much further with the newly discovered TF-QKD protocol (which will be covered in the next story of the month).

QKD has gained popularity outside academia as well, with companies like QCALL partners Toshiba and ID Quantique developing their own QKD systems.

QKD systems developed by Toshiba (left) and ID Quantique (right).

Chip-based QKD

Large-scale deployment of QKD systems is yet to become a reality. One of the obstacles is that existing QKD equipment is space and power consuming, and very expensive.

To mitigate these constraints and ease the QKD path to market, it is necessary to miniaturise and mass-produce the QKD devices. This is the main focus of QCALL project #1, aiming at the development of integrated photonic devices for Quantum Communications.

Integrated Photonics

Photonic Integrated Circuits (PICs) are already a widespread technology in classical communications. They have the capability of embedding a plethora of optical components on a very small form factor device.

An InP chip with lasers, modulators and output waveguides. Such elements integrated on a chip sit on the top of a fingertip, whereas they would result in a 40 to 50 times bigger setup using ordinary components.

In addition to this, mass production of photonic chips is significantly cheaper than assembling from discrete, bulky components, thanks to generic integration technology and multi-project wafers: like with electronic printed circuit boards, the foundries release a set of basic building blocks, which their clients will assemble to make their own circuits. This way, all components can be grown and processed on a wafer monolithically, i.e. in a single run: this allows for multiple circuits to be implemented at the same time, drastically lowering development and production costs for both the foundry and their clients.

Chip-based quantum communications

Integrated photonics seems the natural choice for next-generation Quantum Communications devices since their performance is well established in classical communications.

Among the building blocks needed for a QKD transmitter, there are lasers, waveguide couplers, phase modulators and photodiodes. All these can easily be implemented on a chip, and indeed there are several examples of chip-based devices implementing QKD protocols.

Our goal at Toshiba is to make smaller, cheaper and more efficient QKD devices based on photonic integration.

Chip-based quantum communications at Toshiba

Chip-based Quantum Random Number Generator

In order to correctly implement any QKD protocol, a prerequisite is that the initial bit sequence, sent from Alice to Bob, has to be truly random, otherwise an eavesdropper could exploit correlations among the bits to guess the bit sequence.

Generating true randomness is difficult and even fundamentally impossible by only classical means. The deterministic laws of electrodynamics always deliver a predictable outcome, in principle. However, the outcome becomes different in quantum physics. In our Quantum Random Number Generator (QRNG), we generate pulses from two independent lasers and have them interfere on a beam splitter. The spontaneous emission process triggering the lasing action is of quantum nature. This guarantees that the phase of the optical pulses emitted by the lasers is inherently random. Hence, when the two pulses interfere, their interference amplitude is not predictable and we can use it to extract random numbers.

Layout of our Quantum Random Number Generator chip. DC: Direct Current; RF: Radio Frequency; VOA: Variable Optical Attenuator; MMI: Multi-Mode Interferometer; PD: Photodiode.

The novelty of our QRNG, as shown in this JOSA B paper, is in its plug-and-play format: as soon as it is assembled, it is ready to be used. All the optical components (the two lasers and a photodiode to detect the interfering pulses) are embedded onto a 6x2mm photonic chip, which is then connected to bespoke electronics. This is composed of an analog-to-digital converter reading the analog signal of the photodiode, and an FPGA that will post-process the data by removing any remaining information that an adversary can use. As an additional check, we ran the NIST test suite on subsets of our generated numbers, and observed that they passed all 17 tests. The output string of random numbers can then be used as input for the QKD modules.
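Why the digitised photodiode signal needs post-processing before it can serve as key material is easier to see numerically. The following Python sketch is an added example, not the chip's firmware or code from the original post: it assumes an idealised model in which two equal-intensity pulses with a uniformly random phase difference give an intensity proportional to 1 + cos(Δφ), digitises it with an 8-bit converter (the bit depth is an assumption), and measures the min-entropy of the raw samples.

```python
import math
import random
from collections import Counter

def raw_adc_samples(n, bits=8, seed=0):
    """Simulate n digitised interference intensities.

    Model (assumption): normalised intensity (1 + cos(dphi)) / 2 with dphi
    uniform in [0, 2*pi). A PRNG stands in for the quantum phase noise, so
    this output is for analysis only and is not random key material.
    """
    rng = random.Random(seed)
    levels = 2 ** bits
    samples = []
    for _ in range(n):
        dphi = rng.uniform(0.0, 2.0 * math.pi)
        intensity = (1.0 + math.cos(dphi)) / 2.0
        samples.append(min(int(intensity * levels), levels - 1))
    return samples

def min_entropy_per_sample(samples):
    """Empirical min-entropy: -log2 of the most frequent ADC code's frequency."""
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)

def analytic_min_entropy(bits=8):
    """Min-entropy of the same model in closed form.

    The intensity follows an arcsine law that piles up at both extremes; the
    top code is hit when cos(dphi) >= 1 - 2/levels, i.e. with probability
    arccos(1 - 2/levels) / pi.
    """
    levels = 2 ** bits
    return -math.log2(math.acos(1.0 - 2.0 / levels) / math.pi)

def extractable_bits(samples):
    """Upper limit on nearly uniform bits a post-processor may output."""
    return math.floor(len(samples) * min_entropy_per_sample(samples))

if __name__ == "__main__":
    data = raw_adc_samples(200000)
    print("raw bits per sample      : 8")
    print("min-entropy (simulated)  :", round(min_entropy_per_sample(data), 3))
    print("min-entropy (closed form):", round(analytic_min_entropy(), 3))
    print("extractable bits         :", extractable_bits(data))
```

Each 8-bit sample carries well under 8 bits of min-entropy in this model, so the post-processing stage has to output fewer bits than it reads; detector noise and finite bandwidth, which the model ignores, change the numbers but not that conclusion.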

A modulator-free quantum key distribution transmitter chip

The random key obtained from the QRNG is fed into a QKD transmitter. The transmitter chip developed by Toshiba removes the need for power-hungry phase modulators by the use of Master-Slave paired lasers. The information is encoded in the phase difference between pulses from the Slave laser, and can then be decoded by a receiving interferometer.

The working principle of the transmitter is based on combining the well-known phenomena of direct phase modulation and optical injection locking, both techniques already in use in classical optical communications. The idea of combining them for Quantum Communications was first introduced by Toshiba in 2016.

Direct phase modulation, as the name suggests, exploits the fact that the phase of a laser’s output is directly related to its driving signal: modulating such electrical current allows direct control over the phase of light emitted by a laser.

Direct phase modulation

Optical injection locking is a phenomenon where one laser, namely the Master, injects light into a second, Slave, laser. This will cause the light from the Master to trigger emission from the Slave laser: light emitted from the Slave will then be “locked” to the same properties, in particular the same phase, as the injected light.

Optical Injection Locking

Combining these two techniques, we can then generate pulses from the Slave laser that will feature the phase we want to encode by modulating the Master.

Modulation for the DPS (left) and BB84 (right) protocols

This removes the need for phase modulators, which are extremely power consuming, while still allowing us to encode all the relevant information in our photons.

Implementing this setup into a photonic chip results in a versatile, compact QKD transmitter. Our QKD chip was tested in an experiment that is described in this npj Quantum Information paper.

Layout of the Toshiba QKD transmitter. DFB: Distributed Feed-Back laser; MMI: Multi-Mode Interferometer; TOPS: Thermo-Optical Phase Shifter; VOA: Variable Optical Attenuator; PD: Photodiode; SSC: Spot-Size Converter.

The simple layout of our device allows us to achieve results in line with state-of-the-art bulk implementations for both the BB84 and the DPS protocol.

Performance of our QKD chip for the DPS (left) and BB84 (right) protocols. The blue lines represent QBER, the green lines represent the raw counts from the detectors, the red lines represent the secure key rates. The fibre length assumes an equivalent loss of 0.2 dB/km. The yellow markers indicate points obtained on a real fibre link.

This shows that our devices are suitable for being implemented into QKD systems. The small form factor and the lower cost associated with the generic integration process, combined with the lack of phase modulators, make our QKD chips a candidate for large-scale implementation of Quantum Communication systems.