
Story of the month: Overcoming the limitations of quantum key distribution protocols


As we live in the era of the internet and online shopping and banking, entering our passwords and credit card data on different websites is basically an everyday task. The encryption of this sensitive data that we send over the internet (so that a malicious third party cannot infer our actual data) is based on the fact that some mathematical problems are extremely difficult to tackle with our current computers. Specifically, it is practically impossible to factorize very large numbers. In the other direction, however, if one factor is known then it is really easy to determine its cofactor. This asymmetry in difficulty can be turned into the most widely used public key cryptosystem, which is called RSA after its inventors.

The natural (and quite disturbing) question arises whether this kind of cryptosystem is going to stay secure in the future, knowing how fast technology is advancing. It is even scarier if one considers the progress in the development of quantum computers: with a quantum computer the task of factorizing large numbers becomes exponentially faster with the so-called Shor’s algorithm.

Solution: Quantum key distribution (QKD)

In 1984, with the appearance of the famous BB84 protocol, it became clear that quantum mechanics can be used to fight the threat that comes with future quantum computers. Encoding information into quantum systems and performing quantum measurements on them can in principle be used to create a secret key between two distant parties (usually called Alice and Bob). This method is called quantum key distribution (QKD); it can establish an identical, random and secret bit string (consisting of 0s and 1s) between Alice and Bob via the most fundamental laws of quantum physics, thus security is no longer based on computational assumptions (as opposed to RSA). This resource can later be used to encrypt messages with the so-called one-time pad (OTP), that is, Alice adds the key to her message (also consisting of 0s and 1s) bitwise modulo 2 (which basically means that 1+1=0). Bob can then decrypt the encrypted message by adding the same key bitwise to the encrypted message.

The security is based on the no-cloning theorem, stating that it is impossible for an eavesdropper to make perfect copies of arbitrary quantum states. Note that for classical bits copying is possible, therefore this is an apparent advantage that quantum mechanics offers.

Some difficulties of QKD: Repeaterless bound and source imperfections

The idea of QKD is relatively simple and elegant, but in order to become a mature technology that can be deployed world-wide for everyday use, it has to overcome some limitations. In my research I try to come up with solutions to improve the performance of different QKD protocols, or at least to identify their limitations. The performance of a QKD protocol is characterized by its secret key rate, that is, the number of secret key bits a certain protocol can generate per transmitted signal.

Repeaterless bound

One important theoretical limitation on the performance of point-to-point QKD protocols (where the parties are directly connected via a quantum channel, which can be for example an optical fiber or even free space) is the so-called repeaterless bound. This bound on the achievable secret key rate decreases exponentially with the distance for long distances, as can be seen in Figure 1 (note the logarithmic scaling). This is caused by the fact that the probability that a photon survives travelling through the optical fiber connecting the parties decreases exponentially with the length of the fiber; this probability is called the channel loss. As this is a very stringent limitation, it has to be overcome if long distances are to be covered by point-to-point QKD with a reasonable secret key rate.

Figure 1. The repeaterless bound

It is clear that intermediate nodes (repeater stations) have to be introduced between the parties to go beyond the repeaterless bound, so that the photons do not have to cover the full distance between the parties (but only half of it) to be useful for generating a secret key bit. If the channel loss corresponding to an optical fiber of length L is t, then the channel loss for half of the fiber is the square root of t.

The most recent solution to surpass the repeaterless bound is the so-called twin-field QKD (for more information see the spotlight article by ESR Mirko Pittaluga).

In my research, however, I focused on other types of approaches to overcome the repeaterless bound. The first one is a kind of adaptive QKD protocol, which is schematically depicted in Figure 2. The main point here is that the key generation process (denoted by BM in Figure 2) is only performed between successfully arriving photons (successful arrival is checked by the QND module); therefore, the key rate increases, as every key generation trial is between actual signals that reached the middle station C. Otherwise it would be possible that a photon is lost on one side, which is not sufficient for establishing correlation between the parties.

Figure 2. The schematic layout of the adaptive QKD protocol. Figure taken from this paper.

For the original proposal in Figure 2, idealized devices were assumed (e.g., perfect single-photon sources) and the authors showed that it is possible to overcome the repeaterless bound with this protocol.

In our work, we calculated the secret key rate of the original protocol when the idealized single-photon sources are substituted by practical (and widely available) parametric down-conversion (PDC) sources (which sometimes emit two or more photon pairs). We found that with PDC sources the protocol is no longer capable of overcoming the repeaterless bound. Thus the performance is very sensitive to the imperfections of the devices.

In another work, we investigated the performance of the protocol depicted in Figure 3, which is very similar to the protocol from Figure 2, but without QND modules; instead, so-called quantum memories (QMs) are applied in order to overcome the repeaterless bound. The QMs are able to store a quantum signal, therefore a quantum signal on one side can patiently wait until the signal from the other side successfully arrives, and then a BM module carries out secret key generation. The working principle is the same as before: making sure that the key generation is only performed between actual signals.

Figure 3. Schematic layout of the Quantum memory assisted protocol.

We characterized the experimental parameters necessary for the protocol to beat the repeaterless bound as a function of the number of applied QM pairs. The most important parameter of the devices is the dephasing time constant of the QMs, which describes how fast the stored quantum state changes over time (higher quality memories have a higher dephasing time constant, as this dephasing leads to errors). We found that the requirement on the dephasing time constant of the QMs can be relaxed significantly if the number of QM pairs increases. But even with many memory pairs it is far from trivial to overcome the repeaterless bound with current technology using this QM based protocol.

Source imperfections

The ideal information carriers for QKD protocols would be single photons, as a single photon is a quantum mechanical object that cannot be copied due to the no-cloning theorem; however, in practice it is really challenging to implement on-demand perfect single-photon sources. Therefore, in the lab, the desired single-photon sources are approximated by dim laser pulses, but sometimes these pulses contain more than one photon. Whenever this happens, the information is not encoded into a single entity but is inherently duplicated, so an eavesdropper Eve (who is only limited by the laws of quantum physics) can take one photon out of the two or more and keep it to herself. She will then have the same information carrier as Bob, so the security of the protocol is compromised. This is the infamous photon number splitting (PNS) attack. This means that additional techniques have to be applied to rule out the possibility of such an attack.

A simple protocol to fight against the PNS attack is the coherent-one-way (COW) protocol, since it encodes the information coherently between different laser pulses and at the receiving end Bob checks that this coherence is kept. The PNS attack breaks this coherence, so the COW protocol should be able to detect it. Long distance experiments and even commercialized products have appeared based on this scheme. We show that, despite its popularity, the COW scheme is not robust against other types of attacks.

Here, we designed an attack against the COW scheme, proving that all implementations of this protocol reported so far in the scientific literature are actually insecure. The attack is based on a technique called unambiguous state discrimination (USD). With USD it is possible to discriminate the different quantum signals (that Alice sends) without misidentifying them. This comes at the cost of sometimes obtaining an inconclusive result. If Eve applies this strategy in a clever way, she can remain undetected by the parties (she will not break the coherence between the signals), since she never makes a mistake in identifying the states. In this attack she measures all the quantum signals coming from Alice to Bob and, based on her measurement results, she prepares new signals that she sends to Bob.

The evaluation of our attack appears in Figure 4, where one can see that the attack can provide better values for both monitored quantities (the quantum bit error rate, and the visibility that describes how the adjacent coherent laser pulses sent by Alice interfere with each other) than what can be achieved in the actual experiment, which makes the experiment insecure.

Figure 4. The stars represent the values achieved in the experiment, the curves represent the performance of our attack. The two different lines correspond to the two different intensity settings that Alice uses. The smaller gain values basically mean longer distances.

The most important consequence of our attack is that we showed that the secret key rate of the COW protocol is proportional to at most the square of the channel loss between the parties, so its performance is much worse than what had been thought before.
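To make the loss scalings discussed above concrete (the exponential decay of the channel loss t with fiber length, the square-root relation for half the fiber from the repeaterless-bound section, and the at-most-t² ceiling for COW from this section), here is an added illustration that is not code from the original post or its authors. It assumes a fiber attenuation of 0.2 dB/km, the PLOB form -log2(1-t) for the repeaterless bound, and a unit prefactor for the COW ceiling; the absolute COW numbers are therefore only indicative, the scaling is the point.

```python
"""Loss scaling of point-to-point QKD: channel transmittance t, the
repeaterless bound, the half-link square-root relation, and the quadratic
COW ceiling. Added illustration with assumed constants (see lead-in)."""
import math

ATTENUATION_DB_PER_KM = 0.2  # assumed: typical standard single-mode fibre


def transmittance(length_km, alpha_db_per_km=ATTENUATION_DB_PER_KM):
    """Probability that a photon survives a fibre of the given length.

    Loss in dB grows linearly with length, so t decays exponentially."""
    return 10 ** (-alpha_db_per_km * length_km / 10)


def half_link_transmittance(t):
    """Transmittance of half the fibre: the dB loss halves, so t -> sqrt(t)."""
    return math.sqrt(t)


def repeaterless_bound(t):
    """Secret-key capacity of a pure-loss channel with transmittance t
    (assumed PLOB form, bits per channel use). For small t it is ~1.44*t,
    i.e. the bound itself is linear in the channel loss."""
    if t >= 1:
        return float("inf")
    return -math.log2(1 - t)


def cow_ceiling(t):
    """Upper bound on the COW key rate implied by the post: at most
    proportional to t**2 (unit prefactor assumed here)."""
    return t ** 2


def scaling_table(lengths_km):
    """Tabulate t, sqrt(t), the repeaterless bound and the COW ceiling."""
    rows = []
    for length in lengths_km:
        t = transmittance(length)
        rows.append({
            "length_km": length,
            "t": t,
            "t_half": half_link_transmittance(t),
            "repeaterless": repeaterless_bound(t),
            "cow": cow_ceiling(t),
        })
    return rows


if __name__ == "__main__":
    print(f"{'L [km]':>7} {'t':>10} {'sqrt(t)':>10} {'PLOB':>10} {'COW<=':>10}")
    for r in scaling_table([0, 50, 100, 200, 400]):
        print(f"{r['length_km']:>7} {r['t']:>10.2e} {r['t_half']:>10.2e} "
              f"{r['repeaterless']:>10.2e} {r['cow']:>10.2e}")
```

Running it shows that doubling the distance squares t, so a repeater station in the middle turns a t link into two sqrt(t) links, while the COW ceiling falls off twice as fast (in decibels) as the repeaterless bound.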


We have seen that improving the performance of QKD protocols is an important task towards building a global quantum communication infrastructure, which could be the remedy for the threat that future quantum computers pose to the secrecy of our communications. At the same time it is a challenging task due to, for example, theoretical limitations like the repeaterless bound, or the fact that the real-life devices used in an implementation are always imperfect. We have also seen that the popular COW protocol is not an appropriate candidate for long distance QKD.

Story of the month: Free-space Quantum Key Distribution

The art of communication


Ever made a call over the internet, sent an email, or transferred money to another account? The information age has revolutionized many aspects of our lives. With the introduction and expansion of computers and networks in the mid-20th century, a new world of possibilities was brought into perspective, and innovations expanded and eased the life of every one of us. This happened not only because of the fast growth of global networks and the miniaturization of computers, but also thanks to advances in another field: cryptography. Transmitting information is not enough if that information contains sensitive data such as personal, bank or health information, that is, data that needs to be known only by certain people or organizations.

Cryptography is a set of techniques that allows us to transmit data faithfully and securely between two or more parties in the presence of adversaries. Current cryptographic schemes, known as classical cryptography, have proved to be effective and efficient, and their resilience against attacks performed with the most powerful computers is guaranteed. However, we are on the verge of the next technological breakthrough. Quantum computers, powered by the peculiarities of quantum mechanics, can in fact demolish the current cryptographic techniques, as they are very powerful and much faster at performing certain tasks. Quantum computers are not ready yet, but this issue has attracted much attention and scientists are preparing for the post-quantum era.

One approach, allowed by the laws of quantum mechanics, is called quantum cryptography. In this short article, I am going to introduce new progress in realizing and implementing quantum cryptographical systems.

Classical vs. Quantum Cryptography

Cryptography is a set of techniques and mathematical algorithms to encrypt data, prior to storage or transmission, such that its content is safe against unwanted access. These techniques have mostly evolved based on computational hardness assumptions. In simple words, these mathematical algorithms are very hard, but not impossible, to reverse without having access to extra information about the encrypted data. This makes attempting an attack in a reasonable time impractical and pointless. That being said, the security that stems from this type of algorithm depends heavily on computational power.

Quantum cryptography, on the other hand, is an information-theoretically secure scheme. It means an adversary cannot break the encryption and access the data no matter how powerful he is. However, the practical realization of quantum cryptography in communication, known as quantum key distribution (QKD), capable of supporting the vast amount of data we are transmitting every second, is a hard task.

Why is it hard to do Quantum Key Distribution?

The difference between classical and quantum cryptography is rooted in the logic and idea behind them. In classical cryptography, data is encrypted at the transmitter and decryption happens upon receiving the data. This allows transmitting the encrypted information at arbitrary power. Imagine classical cryptography as a radio station, with the only difference that the message broadcast in every direction is encrypted. While it can be collected by anyone, only he who has access to the encryption key can decrypt it and actually read the data. Furthermore, to cover longer distances, it is only required to increase the signal power, or amplify it on the way to the receiver, to overcome the loss that happens in transmission. For this reason, the distance does not pose a serious limitation on the rate at which data transmission can be done.

In quantum key distribution, on the other hand, information is encoded in single quanta of light, called photons, and the channel is called the quantum channel. In order to prevent an adversary from revealing the information or tampering with the data, the intensity of the signals is extremely low, in the regime where the laws of quantum mechanics hold. In this regime, quantum mechanics ensures the security of communication.

Transmission of such weak signals is challenging. Optical fibers, which are common in classical communications, are the first candidate for the quantum channel. Unfortunately, optical fibers suffer from loss, which limits their practical application. QKD was successfully performed over a distance of more than 400 km; however, the rate is not yet sufficient for daily applications. The achievable rate is mainly limited by the loss and noise in the transmission line, the quantum channel, which lead to the loss of photons.

Free-space Quantum Communication

The barrier on the attainable rate in QKD put by loss in optical fibers can be overcome by using the free-space channel as the quantum channel. In this case, photons are sent through free space to the receiver. The main advantage of the free-space channel is the lower loss that photons experience in free space, although exploiting this type of channel for QKD introduces new challenges. Free-space QKD, and in particular ground-satellite-ground channels, opens the door to performing QKD over intercontinental distances, something that is not possible over optical fiber. QKD has been performed between two ground stations over a free-space channel, as well as ground-to-satellite over more than 1000 km. In our group, we focus on performing QKD over free space as well as over optical fiber. We aimed to tackle the loss issue by establishing a free-space channel and realizing QKD over it. This work is the first integration of QKD and silicon photonics, a highly promising approach towards compact, light, and low-power devices. The stability of the system and noise reduce the efficiency of a QKD system. In our group, we demonstrated a series of new techniques and performed a field trial to put our system to the test in a real-world situation.

Quantum key distribution is one of the first commercialized quantum technologies; yet, there is still much to do. The future global network is envisaged to provide world-wide coverage of quantum secure channels, and to reach that goal, many obstacles need to be overcome.

Story of the month: Quantum key distribution over quantum repeaters with encoding

If we regard the Internet as the greatest invention of the 20th century, which has revolutionized how we communicate every day and turned our lives upside down, today’s stage certainly belongs to the quantum Internet, which would deeply change our way of thinking as well. Quantum networks lay the cornerstone of quantum communication and quantum computation systems. Similar to classical networks, they allow for the transmission of quantum information between physically separated quantum processors. An enabling technology for future quantum networks is that of quantum repeaters (QRs).

What is a quantum repeater

The direct distribution of quantum states is limited by the transmission losses of the channel used (usually optical fiber or free space, the same as in the classical world). Even under certain optimistic assumptions about technology evolution, the achievable distances are limited to a few hundred kilometers. Unlike in the classical world, where amplifiers can be deployed to boost or regenerate the signals, here this idea fails due to the fact that quantum states cannot be copied or “amplified” without disturbance, which is known as the no-cloning theorem.

QRs were initially proposed to enable quantum information distribution at long distances, relying on the pillar of the quantum palace—entanglement. Using teleportation techniques, one can then send quantum information across the network once some entanglement is shared between users. The main idea behind it is to first distribute and store entanglement between short segments and then to use entanglement swapping (ES) and entanglement distillation (ED) at intermediate stations to establish entanglement over long distances.

Fig. 1: Schematic representation of quantum repeaters.

The pioneering works

Theoretically speaking, QRs have gone through a number of development stages. Based on how ES and ED operations are performed, most of them fall into two categories: probabilistic ones and deterministic ones. Probabilistic QRs use photonic systems for both distribution and swapping of entanglement. Due to their inherent fragility against loss, after each operation we have to wait either for good news, so that we can move on to the next step, or for bad news, in which case we have to repeat the trial until it succeeds; both rely on two-way classical communication. You can imagine how this back-and-forth results in a long required coherence time and a low generation rate. However, despite those disadvantages, probabilistic QRs are perhaps the simplest setups that can be implemented in practice. The pioneering work of this type was developed by Duan, Lukin, Cirac and Zoller in 2001, known as DLCZ, where they used atomic ensembles and linear optics to achieve the goal.

Actually, when the concept of QRs was originally introduced by Briegel, Dür, Cirac and Zoller (BDCZ) in 1998, ES and ED operations were designed in a deterministic, but possibly erroneous gate-based way, where they proposed a nested purification protocol to permit efficient quantum communication over distances longer than the attenuation length. However, their model is still based on two-way classical communication for the confirmation of each attempt, which, in effect, turns a deterministic setup to a probabilistic one, suffering similar drawbacks mentioned above.

Quantum repeaters with encoding

The most recent QR proposals totally eliminate the need for two-way classical signaling and only use quantum error correction (QEC) to cope with loss and operational errors. They enable us to directly send quantum states across a communication channel hop by hop. The key idea resembles the one used in classical communication networks, in which message bits are encoded with some redundancy such that the original message can be retrieved at the receiver. Such structures offer an improvement in quantum data rate at the price of requiring much more demanding quantum computational capabilities, which puts their experimental demonstration further away.

Fig. 2: Schematic representation of the direct transmission of quantum information using encoding.

What I am working on

In the spirit of having an eye on near-future implementations, my focus is on the transition from probabilistic QRs to deterministic QRs that use quantum error correction techniques only for their ED operations, while entanglement over short links is still established in a probabilistic and heralding way. In such QRs, using a number of bipartite entangled states (yellow lines in Fig. 3(a)), we create a multi-qubit entangled codeword across elementary links (yellow shade in Fig. 3(b)). As we apply the ES operations, this codeword structure will then allow us to correct some of the errors that happen because of imperfections in the employed gates, measurement modules, and/or the initially distributed bipartite states.

Fig. 3: Schematic representation of quantum repeaters with encoding.

In principle, one can choose different code structures to implement such systems. Here, we use repetition codes to study and develop our methodology. They offer a simple structure, which can make their implementation easier, and are still relevant in systems where one type of error is more dominant than the other. We develop reliable tools that rely on the linearity of the quantum circuits and the transversality of the employed code to manage the complexity of the analysis. Previous work on this subject often relies on various approximations to analyze the system. Here, we try to remain as close as we can to the exact results and only use approximations that are analytically justified and numerically verified. This accurate approach shows that such systems are more resilient to errors than previously thought, which can make their near-future implementation more viable.

Using our methodology, we study the performance of QKD systems run over QRs with three- and five-qubit repetition codes by accounting for various sources of error in the setup. We fully study the effect of different terms, components, and system imperfections on the secret key generation rate of the QKD system, and how one can use the information obtained during the entanglement swapping and decoding stages to maximize the rate. We show that, as far as QKD is concerned, the error detection features of the code may be even more relevant than its error correction functionalities. We find that the majority of secret key bits come from the portion of the data that corresponds to no detected errors in either the repeater chain or the decoder modules (we call it the golden state in Fig. 4).
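The detection-versus-correction point above can be seen in a much simpler setting than the full repeater analysis. The following added illustration (not the authors' methodology or code) models the three- and five-qubit repetition codes as classical majority-vote codes under independent bit flips with probability p per qubit, the one-dominant-error regime the post mentions, and splits the outcomes into the "golden" set (trivial syndrome, no error detected) and everything else, to show how much lower the residual error is when one keeps only detected-error-free data instead of correcting everything.

```python
"""Bit-flip repetition code: error detection versus error correction.

Added illustration, not the post's own code. Each codeword encodes logical 0
as n zeros; every 2**n flip pattern is enumerated with its probability under
independent flips of rate p, and the outcomes are partitioned into the
"golden" set (trivial syndrome) and the rest."""
import itertools


def majority_decode(pattern):
    """Decode a received n-bit block that encoded logical 0.

    Returns (decoded_bit, trivial_syndrome). The syndrome is trivial when all
    bits agree, i.e. no error was detected; majority vote gives the decoding."""
    n = len(pattern)
    ones = sum(pattern)
    decoded = 1 if ones > n // 2 else 0
    trivial = ones == 0 or ones == n
    return decoded, trivial


def analyse_repetition_code(n, p):
    """Exact statistics of the n-qubit repetition code under bit-flip rate p.

    Returns a dict with:
      golden_fraction        probability that no error is detected
      error_in_golden        logical error rate conditioned on the golden set
                             (only the all-flipped pattern survives there)
      error_after_correction logical error rate if every block is kept and
                             majority-decoded
    """
    golden = err_golden = err_corrected = 0.0
    for pattern in itertools.product((0, 1), repeat=n):
        k = sum(pattern)
        prob = p ** k * (1 - p) ** (n - k)
        decoded, trivial = majority_decode(pattern)
        if trivial:
            golden += prob
            if decoded:  # all n qubits flipped: an undetectable logical error
                err_golden += prob
        if decoded:
            err_corrected += prob
    return {
        "golden_fraction": golden,
        "error_in_golden": err_golden / golden,
        "error_after_correction": err_corrected,
    }


if __name__ == "__main__":
    for n in (3, 5):
        for p in (0.01, 0.05, 0.1):
            r = analyse_repetition_code(n, p)
            print(f"n={n} p={p:.2f} golden={r['golden_fraction']:.4f} "
                  f"err|golden={r['error_in_golden']:.2e} "
                  f"err(corrected)={r['error_after_correction']:.2e}")
```

For n = 3 and p = 0.1 the golden set still holds 73% of the blocks, yet its residual error is about 0.14% versus 2.8% after correcting everything, which is the kind of trade-off that makes post-selection on detected-error-free data attractive for key generation.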

Fig. 4: Secret fraction as a function of different error parameters.

We further expand our study by proposing two alternative decoder structures that only rely on single-qubit measurements, which not only simplifies the implementation aspects but also, by removing the major source of error from decoding circuits, results in better performance in many practical scenarios. We benchmark the performance of the QKD system that runs on this type of QRs with probabilistic QRs which do not necessarily use any additional distillation techniques, and quantify the regimes of operation, where one class of repeater outperforms the other. We find that for most practical purposes, the simple three-qubit system is our best choice.

Our analysis suggests that extending the reach of trust-free terrestrial QKD links to 1000 km is within reach in the near future. If you would like to know more details, click here!

Story of the month: Quantum key distribution – from theory to practice

In a world of exciting technological possibilities, among the most significant are those enabled by quantum physics. Quantum physics is the theory of the microscopic world: it describes particles, atoms and molecules, and it is the underlying foundation of the digital age. For instance, it is thanks to this field of research that we have transistors, on which today’s mobile phones and computers are based, and lasers, which are used in precision manufacturing. So far, almost all technologies have exploited quantum physics only indirectly, and now scientists are moving beyond that; they are working on directly controlling it to build new technologies. These technologies are set to have a profound impact on our society and economy by achieving things that are impossible or unthinkable with current technologies. For example, they promise ultimately secure communications, ultrafast computation, precise sensing, precise timing information, and so forth.

Quantum communication is one of the most mature branches of quantum technologies, and it has the potential to completely change the field of cryptography. Cryptography is an indispensable technology in many applications where we require information security, such as financial transactions and the transmission of data containing sensitive personal information. Unfortunately, the current cryptographic systems are vulnerable to hacking because their security relies on the difficulty of solving certain mathematical problems, such as the prime factorisation of very large numbers. Problematically, this difficulty is not scientifically proven; it is merely assumed. This means that rapid technological advances or the arrival of new algorithms, including the construction of a large-scale quantum computer and the development of artificial intelligence, can completely compromise the security of our communications. At the moment, these technologies might sound like science fiction and give the impression that they will only become available in a very distant future. Nonetheless, experts estimate that by the late 2030s there will be quantum computers capable of breaking today’s secure communications. In fact, intelligence agencies are already storing vast amounts of encrypted data in the hope that, in the future, they will be able to decrypt it and access important secret information. Therefore, the time to act is now. We have a unique opportunity to update our current communications systems before it’s too late.

Quantum key distribution

Fortunately, and in contrast to conventional cryptography, quantum cryptography, or more specifically quantum key distribution (QKD), promises to achieve unconditional security in data communication based on the laws of physics. More specifically, the security of QKD is based on the fact that it is not possible to copy the state of a quantum particle, nor to learn information about it without modifying it. Thus, information encoded in the state of a quantum particle, such as a photon of light, can be guaranteed not to have been observed if it arrives unperturbed from the sender to the receiver. What’s more, the message transmitted will remain secret forever, irrespective of the computational power and technologies that a hacker might possess in the future. Thus, QKD offers the strongest possible notion of security, and it is often referred to as the Holy Grail of secure communications. In the last two decades, this field has developed significantly; now commercial QKD systems are available and QKD networks, including satellite-based QKD, have been deployed around the world. These tremendous achievements clearly demonstrate the potential of QKD to become a global technology.

If a hacker tries to eavesdrop on the communication channel, the state of the photons will be inevitably altered, causing transmission errors that signal her/his presence to the users.

Nonetheless, before QKD is widely adopted for securing our communications across the world there are a number of open challenges that need to be addressed. Some of these involve technical aspects, such as increasing the communication distance between users, improving the secure communication rate and reducing the costs of practical implementations. On the theoretical front, the most important challenge is to establish implementation security rather than the theoretical security. In theory, QKD has been mathematically shown to be unconditionally secure against any possible hacking attack. In doing so, security proofs typically assume idealised device models that have no noise or imperfections. Unfortunately, in practice, such idealised devices are not available, and by exploiting discrepancies between the properties of ideal devices and those of practical devices hacking may be possible, compromising the security of QKD. In fact, several hacking attacks have been performed on experimental and commercial QKD systems, and they have succeeded. Therefore, to recover the unconditional security offered by QKD, it is crucial to develop security proofs that take into account device imperfections.

Usually, in a QKD protocol, there is a sending device that a sender uses to transmit secret information encoded in the states of photons, and a measurement device, which is possessed by the receiver to receive information. To remove the discrepancy between the idealised and practical devices and guarantee the security of this information, we need to develop better mathematical models that portray the real behaviour of the sending and measurement devices. By doing so, a practical implementation of this protocol is guaranteed to be secure even in the presence of imperfections, as long as they are sufficiently small. An important breakthrough in this direction was the introduction of measurement-device-independent (MDI) QKD. This is a QKD protocol that can offer perfect security even with arbitrarily flawed and completely untrusted detectors. In other words, we no longer need to take into account the imperfections of the measurement devices. Moreover, a variant of this protocol, called twin-field QKD, has been proposed recently, significantly improving its secure communication rate over long distances. Therefore, the missing step towards achieving implementation security is to secure the sending device. During my PhD, I have investigated and contributed to this issue, with the objective of achieving implementation security of QKD.

Securing the sending device

The most common imperfections in the sending device are state preparation flaws (SPFs), leakages of secret information from the user's device and correlations between the emitted light pulses. SPFs occur because real devices have finite precision, hence the information encoded in the states of the photons is slightly different from the information the sender wished to transmit. Leakages of information happen either due to hacking attacks unknown to the users (for instance Trojan-horse attacks, in which the eavesdropper injects light into the transmitter and analyses what is reflected back), or due to distortions of the emitted light pulses that depend on the information encoded. Finally, correlations between pulses arise because real devices retain in memory the secret information previously encoded, and this information is inadvertently passed on to the subsequent signals. All these imperfections open the door for a hacker to learn some secret information without being detected by the users.

Source imperfections allow a hacker to learn some secret information without altering the state of the photons, thus compromising the security of the QKD scheme.

Earlier attempts to incorporate source imperfections in security proofs of QKD have often resulted in very low secure communication rates. Recently, however, a loss-tolerant (LT) protocol was proposed, making QKD resistant to SPFs. That is, even when the encoding of the light pulses deviates significantly from the desired one, the secure communication rate is almost unchanged. Unfortunately, the LT protocol relies on the unrealistic assumption that there are neither leakages of information from the users' devices nor pulse correlations, which is hard to guarantee in practical implementations of QKD.

In a work that I developed with my colleagues, we proposed a formalism that makes the LT protocol more general by incorporating information leakages from the users' devices. In simple terms, we divided each emitted light pulse into a part that resembles the perfect pulse an idealised device would emit and another part that accounts for all the imperfections arising from the actual device. This allowed us to prove the security of QKD in the presence of multiple source imperfections.

The last step to secure the source is then to consider correlations between the emitted signals. Modelling this imperfection mathematically was believed to be very hard, because one needs to deal with many pulses rather than a single pulse, which increases the complexity of the problem. For this reason, this imperfection has often been disregarded. Recently, we were able to develop a simple framework to incorporate this imperfection in security proofs of QKD. The key idea is to mathematically model the information that a pulse carries about the encoding of previous pulses as a leakage of information. By doing so, we have been able to prove the security of QKD in the presence of correlations between arbitrarily distant pulses. Importantly, this framework is compatible with the formalism that we created to deal with all the other imperfections.

Nonetheless, considering all these imperfections simultaneously inevitably reduces the secure communication rate of QKD. To counteract this effect, we have also proposed a new technique to prove the security of QKD that is more resilient to source imperfections. The main idea is to consider some reference states that are similar to the actual states, and use them as an intermediate step to prove the security of the actual protocol. Interestingly, the reference technique can reproduce previous analyses that deal with source imperfections, including our generalised LT protocol. However, its most striking feature is the ease with which source imperfections can be incorporated without severely compromising the secure communication rate of QKD.

As mentioned above, to achieve implementation security of QKD we need to take into account all imperfections in the sending and measurement devices. Fortunately, this can now be achieved by combining the security techniques we developed to deal with source imperfections with an MDI-type QKD protocol, which tolerates arbitrarily flawed detectors. In our latest work, using these ideas, we have proposed a new protocol that is secure in the presence of any device imperfection. The only requirement is the characterisation of a single parameter that describes the quality of the source. Our protocol is the first QKD scheme proven to be secure in practical implementations. Notwithstanding, there are still theoretical and experimental challenges to overcome before implementation security is finally established. For instance, how to experimentally determine the single parameter describing the quality of the sending device is still an open question. Moreover, further improvements are needed in order to obtain higher secure communication rates and longer communication distances. Importantly, however, we now have a clear path for proving the security of QKD with arbitrarily flawed devices.

Story of the Month: Quantum Conferencing

Federico works on theoretical progress in multi-party quantum key distribution, also known as quantum conferencing. Have you ever heard about it?

Your data is under threat

In recent times people, as well as institutions, companies and governments, are increasingly concerned about the privacy of their data and are constantly looking for better ways to keep it safe.

One of the instances in which private data becomes vulnerable is when it is transmitted from one party to another (e.g. a bank and its customer, the secret services and the government, etc.). In order to keep the data safe, the sender encrypts the data with a secret key (the encryption key) that he/she shares with the receiver prior to transferring it. The receiver then decrypts the data using the same secret key. A potential eavesdropper cannot learn the data without the encryption key. Hence, the data is secure as long as the key that the sender and the receiver shared through a cryptographic scheme remains secret.

Classical Cryptography

Nowadays, the standard cryptographic schemes in use are referred to by quantum physicists in my field as “classical cryptography”. The security of such schemes relies on assumptions about the adversary's computational capabilities, and they are thus vulnerable to retroactive attacks. In other words, an adversary could intercept and store data encrypted with a classical crypto scheme today, waiting until sufficient computational power is available to decipher it (sometimes called a “harvest now, decrypt later” attack). The recent developments of quantum computers, which promise unprecedented computational power, further increase the vulnerability of classical cryptography.

Quantum key distribution is the cure

(Figure: QKD scheme)

Quantum theory, despite being a threat to current cryptographic schemes, also provides a solution. Indeed,  the mentioned security concerns and the prospect of commercialization boosted major advancements in the field of quantum cryptography and particularly in quantum key distribution (QKD).

A QKD protocol enables two parties, Alice and Bob, to generate a shared secret key by sending quantum systems (typically photons of light) through a quantum channel that can be under the control of the eavesdropper (Eve), and by measuring the systems upon reception. Alice and Bob are also equipped with an authenticated public channel, e.g. a phone call wiretapped by Eve.

By relying on intrinsic properties of quantum theory, QKD can be unconditionally secure regardless of the eavesdropper’s computational capabilities, unlike classical cryptography. This remarkable feature of QKD allows for ever-lasting secure communication and attracted the attention of companies, private institutions and governments.

QKD has been successfully implemented over 400 km of optical fibers and over 1000 km of satellite-to-ground links, and has already reached the market with companies like Toshiba and ID Quantique.

What makes QKD secure?

The unconditional security offered by QKD is based on distinctive quantum features, such as entanglement. When two or more quantum systems are entangled, their properties are strongly interconnected. Indeed, measuring a property on one quantum system immediately determines the measurement outcome of the same property on the other systems. This fact can be used to generate correlated outcomes when different parties perform the same measurement on their entangled quantum systems. The correlated outcomes can then be used as a shared key.

(Figure: monogamy of entanglement)

The key generated in this way is secret thanks to the monogamy of entanglement. According to this peculiar feature of entanglement, if two parties are strongly entangled, a third party shares little entanglement with them. The entangled parties can thus obtain a shared key with their highly correlated measurement outcomes while being sure that the third party -a potential eavesdropper- has little information about it.

Quantum conferencing


The task of QKD can be generalized to more than two parties through a conference key agreement (CKA), where the goal is the establishment of a shared secret key (a conference key) among several parties. The conference key can then be used by one party to securely broadcast a message to the remaining parties.

The CKA could be trivially realized by performing bipartite QKD schemes between pairs of parties and using the established keys to distribute the conference key. Alternatively, one can exploit the correlations arising in multi-partite entangled states and devise a CKA protocol which directly outputs a secret conference key. Such truly multi-partite schemes are a natural application of quantum networks and have been proven to be advantageous in certain network configurations and noise regimes. In this post we focus on the latter type of CKA (the first review on this research topic [“Quantum Conference Key Agreement: A Review”, Murta, Grasselli, Kampermann and Bruss, 2020] is going to be published shortly).

The multiparty BB84 protocol

The BB84 protocol, devised by Bennett and Brassard in 1984, is the first and arguably the most famous of all the QKD protocols. Due to its simplicity, variants of the protocol have been widely implemented and even commercialized.

In our first work in the QCALL network, we generalized the BB84 protocol to a scenario with an arbitrary number of parties “N” willing to share a conference key, obtaining the so called N-BB84 protocol. Based on our work, an upcoming experimental implementation of a four-party BB84 protocol is about to be published [Proietti, Ho, Grasselli, Barrow, Malik, Fedrizzi, 2020].

The security proof of most QKD protocols is initially performed in a simplistic scenario, i.e. when the parties exchange an infinite number of quantum signals (asymptotic scenario). This is, of course, far from reality, but it greatly simplifies the proof and gives an indication of the protocol's real-life performance.


A more realistic security proof with a finite number of signals (finite-key scenario), must consider that the measured data in the execution of the protocol is affected by statistical fluctuations. The challenge is to guarantee unconditional security of the distilled secret key despite the statistical fluctuations affecting the data.

In our work, we proved the security of the N-BB84 protocol and of another existing multiparty protocol (the N-six-state protocol) in the finite-key scenario, when the eavesdropper is allowed to perform the most general attack on the quantum channels (coherent attack). We also compared the performances of the two protocols under realistic conditions and showed that the N-BB84 protocol requires a lower number of protocol rounds to produce a non-null secret key.

Achieving longer distances

(Figure: TF scheme)

Most of the early QKD protocols do not rely on any intermediate relay: the parties taking part in the protocol are connected by a single-piece quantum channel. Such protocols are often called point-to-point schemes.

In spite of the great distances experimentally achieved by point-to-point QKD protocols (see above), their key rates are fundamentally limited. The key rate “r” of a QKD protocol is given by the number of secret key bits per protocol round (in a round one or more parties send a quantum signal), and its value is typically well below 1. Clearly, in any point-to-point QKD scheme the key rate cannot exceed (up to a constant factor) the probability “t” that the signal sent by Alice reaches Bob; more precisely, the repeaterless bound of Pirandola et al. (the PLOB bound) limits the secret key rate over a channel of transmittance “t” to −log2(1 − t) ≈ 1.44 t bits per round.

The problem is that most QKD protocols employ photons as information carriers, and the probability “t” of a photon travelling the distance “L” separating Alice from Bob decreases exponentially with “L” (see figure). In standard telecom fibre, with an attenuation of about 0.2 dB/km, t = 10^(−0.2 L/10), i.e. roughly a factor of 100 is lost every 100 km. Thus, key rates of point-to-point QKD schemes decrease exponentially with the distance, strongly constraining their long-distance applicability.

A solution to this limitation is provided by the recently-developed twin-field (TF) QKD protocol, initially introduced by our QCALL partners in Toshiba. In TF QKD, Alice and Bob prepare weak coherent pulses corresponding to a random bit they picked and send them to a central untrusted relay. The relay combines the pulses, measures them, and announces the measurement outcome. Based on the outcome, Bob either flips his bit or does nothing, in order to match it with Alice's. By repeating this procedure at every round, the parties establish a secret key, which cannot be retrieved by the untrusted relay, even with the information of the measurement outcomes.

Because TF-QKD is based on single-photon interference events occurring in the untrusted node, only one of the two photons sent by Alice and Bob needs to arrive at the central relay in every round. Thus, the key rate of TF-QKD scales with the probability that one photon covers half of the total channel length, i.e. with the square root of “t”. This square-root improvement over point-to-point QKD protocols allows longer distances to be reached.

TF-QKD is currently the only experimentally implemented protocol with an improved scaling of the key rate versus the distance, making it the new benchmark for far-distance QKD.

(Figures: contour plot with 3 decoy intensities; intensity fluctuations)

With a first and a second publication in collaboration with our QCALL colleagues in Vigo, we investigated the practical performance of the TF QKD protocol proposed by Curty et al. In particular, we optimized its key rate when the distances separating Alice and Bob from the untrusted node differ and showed that the protocol can achieve good key rates even in extremely asymmetric scenarios. We also showed that the protocol is robust against intensity fluctuations affecting the parties’ lasers (figures above).

(Figure: W state protocol vs N-BB84)

Inspired by the TF-QKD protocol, we extended its founding idea to the multiparty scenario. We introduced a CKA where N parties simultaneously establish a conference key by relying again on single-photon interference. The protocol, also called the “W state protocol”, presents a remarkable improvement in the key rate versus distance compared to its point-to-point counterpart, just like TF-QKD (see figure).

Indeed, in the W state protocol just one photon out of the N photons sent by every party needs to arrive at the central relay, while in point-to-point multiparty protocols like the N-BB84 (and N-six-state), each of the N photons must be successfully transmitted. We proved the security of the W state protocol in the finite-key regime and for general attacks.
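The distance scalings discussed above (exponential fibre loss, the point-to-point bound, the square-root advantage of TF-QKD and the single-click advantage of the W state protocol) can be made concrete with a few lines of code. The following is an added example, not code from the original post or from the QCALL project: it assumes a fibre attenuation of 0.2 dB/km, drops all proportionality constants so that only the distance dependence survives, and, for the multiparty case, assumes a star topology in which every party sits at the same distance from the central relay or source.

```python
import math

ALPHA_DB_PER_KM = 0.2  # assumed: typical loss of standard telecom fibre at 1550 nm


def transmittance(length_km, alpha_db_per_km=ALPHA_DB_PER_KM):
    """Probability t that a photon survives a fibre of the given length.
    Fibre loss is exponential in distance: t = 10^(-alpha * L / 10)."""
    return 10 ** (-alpha_db_per_km * length_km / 10)


def plob_bound(t):
    """Repeaterless upper bound (PLOB) on the secret key rate, in bits per round,
    of any point-to-point protocol over a channel of transmittance t:
    -log2(1 - t), which is about 1.44 t when t is small."""
    return -math.log2(1 - t)


def point_to_point_scaling(length_km):
    """Distance dependence of a point-to-point protocol: proportional to t(L)."""
    return transmittance(length_km)


def twin_field_scaling(length_km):
    """Distance dependence of TF-QKD with the relay halfway between Alice and Bob:
    one photon only has to cover L/2, so the rate goes as sqrt(t(L)) = t(L/2)."""
    return math.sqrt(transmittance(length_km))


def multiparty_point_to_point_scaling(n_parties, link_km):
    """Assumed model: N parties each at distance link_km from a central source;
    an N-BB84-type round succeeds only if all N photons arrive."""
    return transmittance(link_km) ** n_parties


def w_state_scaling(n_parties, link_km):
    """Assumed model: N parties each at distance link_km from the central relay;
    a W-state round succeeds if at least one of the N photons arrives
    (about N * t for small t, instead of t^N)."""
    t = transmittance(link_km)
    return 1 - (1 - t) ** n_parties


def max_distance_km(rate_fn, threshold, upper_km=5000.0):
    """Largest distance at which rate_fn(L) still exceeds threshold, found by
    bisection; rate_fn must be monotonically decreasing in L."""
    lo, hi = 0.0, upper_km
    if rate_fn(hi) > threshold:
        return hi
    for _ in range(80):
        mid = (lo + hi) / 2
        if rate_fn(mid) > threshold:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    print(f"{'L [km]':>7} {'t':>10} {'PLOB [bit/round]':>17} {'sqrt(t)':>10}")
    for L in (0, 100, 200, 300, 400, 500, 600):
        t = transmittance(L)
        print(f"{L:7d} {t:10.2e} {plob_bound(t):17.2e} {twin_field_scaling(L):10.2e}")
    thr = 1e-6
    print("point-to-point reaches", round(max_distance_km(point_to_point_scaling, thr)), "km")
    print("twin-field reaches    ", round(max_distance_km(twin_field_scaling, thr)), "km")
    print("4 parties, 50 km links: t^N =", multiparty_point_to_point_scaling(4, 50),
          "vs W state:", round(w_state_scaling(4, 50), 4))
```

With the threshold of one secret bit per million rounds used in the script, a point-to-point protocol runs out at 300 km (60 dB of loss) while the twin-field scaling lasts to 600 km, exactly because sqrt(t) at L equals t at L/2; the same reasoning is what the W state protocol exploits for N parties.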

For the security paranoids

QKD offers an exceptional level of security, provided that the assumptions on the devices used for its implementation are experimentally verified. However, the devices could be affected by imperfections difficult to characterize, or, much worse, they could be forged by the eavesdropper in order to learn the secret key. Therefore, it is challenging to ensure that the assumptions on the implementation of a QKD protocol are met in practice.


Fortunately, device-independent (DI) QKD can guarantee the same level of security independently of the actual functioning of the employed devices. In this framework, the devices used by the parties are modeled as black boxes (i.e. completely uncharacterized) producing an output upon receiving an input from the party. The parties collect a series of outputs (with the corresponding inputs) by repeating the same procedure for several rounds, making sure that their devices are far enough apart that no signal can travel from one device to the other within a round. If the collected data cannot be explained by a local deterministic strategy (one in which a third party in the middle instructs each device which output to produce for each input), the parties conclude that their data exhibit non-local correlations. This means that the data were produced by an entangled state shared by Alice's and Bob's devices. Thanks to the monogamy of entanglement, the secrecy of the parties' correlated outcomes is restored, guaranteeing that the key distilled from the outputs is secret.
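The check "can this data be explained by a local deterministic strategy?" is, in the two-party case, the CHSH Bell test. The following is an added example, not code from the original post or from the QCALL project: it enumerates every local deterministic strategy to recover the classical bound S ≤ 2, evaluates the ideal quantum value 2√2 for a maximally entangled state with assumed measurement angles, and, connecting to the finite-key discussion above, estimates S from a finite number of simulated rounds to show the statistical fluctuations a finite-key analysis has to absorb. The measurement angles, the visibility parameter and the sampling model are assumptions of this example.

```python
import itertools
import math
import random

# Alice and Bob each have two inputs (x, y in {0, 1}) and +1/-1 outputs.
# CHSH combination: S = E(0,0) + E(0,1) + E(1,0) - E(1,1), where E(x,y) is the
# average of the product of the outputs for settings (x, y).
SETTINGS = ((0, 0), (0, 1), (1, 0), (1, 1))


def chsh_value(correlators):
    """S from a dict {(x, y): E(x, y)}."""
    return (correlators[(0, 0)] + correlators[(0, 1)]
            + correlators[(1, 0)] - correlators[(1, 1)])


def max_local_deterministic_chsh():
    """Enumerate every strategy in which a box's output is a fixed function of
    its own input only (the 'third party in the middle' handing each box a
    lookup table). There are 2^4 such strategies; the largest |S| is 2, and
    mixtures of them (local hidden variables) cannot do better."""
    best = 0.0
    for a0, a1, b0, b1 in itertools.product((+1, -1), repeat=4):
        alice, bob = (a0, a1), (b0, b1)
        best = max(best, abs(chsh_value(
            {(x, y): alice[x] * bob[y] for x, y in SETTINGS})))
    return best


# Assumed measurement angles (Bloch-sphere angles, radians) that maximise S for
# the |Phi+> Bell state, whose correlator is E = cos(theta_a - theta_b).
ALICE_ANGLES = (0.0, math.pi / 2)
BOB_ANGLES = (math.pi / 4, -math.pi / 4)


def quantum_correlator(x, y, visibility=1.0):
    """Ideal |Phi+> correlator scaled by a visibility in [0, 1], which models
    white noise on the shared state (visibility 1 = perfect entanglement)."""
    return visibility * math.cos(ALICE_ANGLES[x] - BOB_ANGLES[y])


def quantum_chsh(visibility=1.0):
    """S for the noisy Bell state: 2*sqrt(2) * visibility."""
    return chsh_value({(x, y): quantum_correlator(x, y, visibility)
                       for x, y in SETTINGS})


def is_nonlocal(s_value):
    """|S| > 2 cannot be produced by any local deterministic (or local
    hidden-variable) strategy, so the boxes must share entanglement."""
    return abs(s_value) > 2.0


def estimate_chsh_from_rounds(rounds, visibility=1.0, seed=0):
    """Finite-key view: simulate `rounds` rounds with uniformly random settings
    and estimate each E(x, y) from the observed outputs. The estimate scatters
    around the ideal value with a spread of order 1/sqrt(rounds / 4)."""
    rng = random.Random(seed)
    sums = {s: 0 for s in SETTINGS}
    counts = {s: 0 for s in SETTINGS}
    for _ in range(rounds):
        x, y = rng.randrange(2), rng.randrange(2)
        e = quantum_correlator(x, y, visibility)
        a = rng.choice((+1, -1))
        # choosing b = a with probability (1 + E)/2 reproduces the correlator E
        b = a if rng.random() < (1 + e) / 2 else -a
        sums[(x, y)] += a * b
        counts[(x, y)] += 1
    return chsh_value({s: (sums[s] / counts[s] if counts[s] else 0.0)
                       for s in SETTINGS})


if __name__ == "__main__":
    print("local deterministic bound:", max_local_deterministic_chsh())
    print("ideal quantum value     :", round(quantum_chsh(), 4))
    for vis in (1.0, 0.8, 0.7):
        print(f"visibility {vis}: S = {quantum_chsh(vis):.3f}, "
              f"non-local = {is_nonlocal(quantum_chsh(vis))}")
    for n in (100, 1000, 10000, 100000):
        print(f"{n:6d} rounds: estimated S = {estimate_chsh_from_rounds(n):.3f}")
```

The visibility loop shows the practical threshold: below a visibility of 1/√2 ≈ 0.707 the data stay inside the local bound and no secret key can be certified, however good the devices might actually be. The round loop shows why the finite-key analysis matters: with a few hundred rounds the estimated S can land on either side of 2 by chance, so a proof must account for the fluctuation rather than trusting the point estimate.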

We are currently working on a project which aims at devising new and better-performing device-independent multiparty QKD protocols, in short: DICKA. The fundamental principle on which these protocols are based would be the same, just extended to more than two parties.

If you want to know how this will turn out, stay tuned!