Implementation of Quantum Key Distribution with Composable Security Against Coherent Attacks using Einstein-Podolsky-Rosen Entanglement

Tobias Gehring, 2 Vitus Händchen, Jörg Duhme, Fabian Furrer, Torsten Franz, 5 Christoph Pacher, Reinhard F. Werner, and Roman Schnabel 7, ∗ Max-Planck-Institut für Gravitationsphysik (Albert-Einstein-Institut) and Institut für Gravitationsphysik, Leibniz Universität Hannover, Callinstraße 38, 30167 Hannover, Germany Department of Physics, Technical University of Denmark, Fysikvej, 2800 Kgs. Lyngby, Denmark Institut für Theoretische Physik, Leibniz Universität Hannover, Appelstraße 2, 30167 Hannnover, Germany Department of Physics, Graduate School of Science, University of Tokyo, 7-3-1 Hongo, Bunkyo-ku, Tokyo, Japan, 113-0033 Institut für Fachdidaktik der Naturwissenschaften, Technische Universität Braunschweig, Bienroder Weg 82, 38106 Braunschweig, Germany Digital Safety & Security Department, AIT Austrian Institute of Technology GmbH, 1220 Vienna, Austria Institut für Laserphysik und Zentrum für Optische Quantentechnologien, Universität Hamburg, Luruper Chaussee 149, 22761 Hamburg, Germany

Secret communication over public channels is one of the central pillars in modern information technology. Using arbitrary-attack-proof quantum key distribution 1,2 (aapQKD) this is realized without relying on the hardness of mathematical problems which might be compromised by improvements in algorithms or by future quantum computers 3 . Up to now real world aapQKD systems required single photon preparation and detection 4,5 , as QKD systems using amplitude and phase modulations failed to provide the same security standard [6][7][8][9][10][11] . Here, we present the first implementation of aapQKD without an encoding in single photons, but instead with one in amplitude and phase modulations of an optical field. In a table-top experiment based on Einstein-Podolsky-Rosen entangled light with an unprecedented entanglement strength, we generated about 97 MBit key from 2×10 8 measurements using a novel highly efficient error reconciliation algorithm. This is more than 1 bit per sample in the raw key and, thus, exceeds the theoretical bound for aapQKD protocols using single photons 4 . We furthermore showed that our setup is suitable for urban telecommunication networks reaching a distance of several kilometers between the two communicating parties. Since our concept is compatible with conventional optical communication technology we consider our work to be a major promotion for commercialized aapQKD providing highest security standards.
Today, several companies are commercializing QKD systems 12 and whole QKD networks have been built in field tests 13,14 . These also include aapQKD systems, but all of them use a discrete-variable encoding based on single photons. Experimentally they rely on single photon sources, which might not always produce only a single photon and, hence, have to integrate decoy states which reduce the secure key rate 15,16 . They also rely on single photon detectors suffering from low efficiency and dark counts, and which are particularly vulnerable to side channel attacks 17 . To avoid these problems one can use an encoding in amplitude and phase modulations of a light field 18,19 , whose principles are well established in conventional communication technology. These so-called continuous-variable (CV) QKD protocols are based on homodyne detection in which a strong local oscillator beam is superimposed with a signal field at a balanced beam splitter, and its outputs are detected by PIN photo diodes. Such photo detectors have already been realized with close to 100 % quantum efficiency, bandwidths of more than 1 GHz and low electronic dark noise. 20 While CV QKD systems provide experimental benefits over discrete variable ones, they have the drawback that security proofs are more involved and error reconciliation codes are often less efficient. The security proof is an integral part of any protocol certifying that if certain assumptions are met, security is warranted. So far, the security of only a few CV QKD protocols have been proven under the necessary condition that the key is generated from only a finite number of measurements 21,22 . Among them is for instance the Gaussian modulation protocol for which transmission distances of up to 80 km have recently been demonstrated 11 . But as in all earlier implementations, the security could only be certified against a restricted class of attacks, namely, collective Gaussian attacks in which each signal is attacked independently and identically using a Gaussian operation. Although these attacks are indeed the strongest possible attacks in the limit of an infinite number of communication rounds, it is currently not known whether this is true in a realistic finite length protocol.
Here, we report the first implementation of a complete CV aapQKD system that provides the same high security level as systems using single photons. The security against arbitrary attacks, including any attacks that might be implemented with future technology, was mathematically proven in Ref. 22. The security of the key is guaranteed even under attacks of the eavesdropper on the local oscillator beam. Furthermore the security analysis takes the resolution of the digitalization of the measurement as well as the finite range of the homodyne detectors arXiv:1406.6174v2 [quant-ph] 3 Jul 2014 into account. The classical post-processing is based on direct reconciliation.
Our implemented protocol uses two continuous-wave light fields which were produced by a source at one of the communicating parties (Alice) and whose amplitude and phase modulations (also called quadratures) were mutually entangled 23,24 . The schematic of the experimental setup is illustrated in Fig. 1(a). Two squeezed-light sources 25,26 , each composed of a nonlinear PPKTP crystal and a coupling mirror, were pumped with a bright pump field at 775 nm (yellow) to produce two squeezed vacuum states at the telecommunication wavelength of 1550 nm (red). The two squeezed vacuum fields, both exhibiting a high squeezing of more than 10 dB, were superimposed at a balanced beam splitter with a relative phase of π/2, thus generating Einstein-Podolsky-Rosen entanglement 24 . One of the outputs of the beam splitter was kept by Alice, while the other was sent to the other party (Bob). The technical details of the source, including the locking scheme, were characterized in Ref. 27. Figures 1(b)-(e) show the distribution of measurement outcomes obtained by the two parties measuring either the amplitude (X) or phase (P ) quadrature of their respective light field with balanced homodyne detection. Each measurement outcome is thereby truly random and a result of parametrically amplified zero-point fluctuations. When both parties simultaneously measure either X or P the strong correlations between their outcomes are clearly visible ( Fig. 1 (b) and (e)). If the two parties measure different quadratures instead, the measurement outcomes are uncorrelated ( Fig. 1(c) and (d)). The strength of the correlations of Alice's and Bob's measurement for the same quadratures, which is related to the initial squeezing strength, is a central parameter in our QKD protocol and enters the key length computation directly in the form of an average distance d pe , introduced below.
The precise steps of the QKD protocol are as follows: 22 Preliminaries Alice and Bob use a pre-shared key to authenticate the classical communication channel for post processing 28,29 . Furthermore, Alice and Bob negotiate all parameters needed during the protocol run.
Measurement Phase Both Alice and Bob choose, randomly and independently from each other, a quadrature X or P , which they simultaneously measure by homodyne detection of their light fields. The outcome of this measurement is called a sample. This step is repeated until 2N samples have been obtained.
Sifting Alice and Bob announce their measurement bases and discard all samples measured in different quadratures.
Discretization The continuous spectrum of the measurement outcomes is discretized by the analog-to-digital converter (ADC) used to record the measurement. During the discretization step Alice and Bob map the fine grained discretization of their remaining samples caused by the ADC to a coarser one consisting of consecutive 2 d bins. In the interval [−α, α] a binning with equal length is used, which is complemented by two bins (−∞, −α) and (α, ∞). The parameter α is used to include the finite range of the homodyne detectors into the security proof.
Channel Estimation The secret key length is calculated using the average distance between Alice's and Bob's samples. To estimate it, the two parties randomly choose a common subset of length k from the sifted and discretized data, X pe A and X pe B , respectively, which they communicate over the public classical channel. Using these, they calculate Error Reconciliation Bob corrects the errors in his data to match Alice's using the hybrid error reconciliation algorithm described below. Afterwards, Alice and Bob confirm that the reconciliation was successful.
Calculation of Secret Key Length Using the results from the channel estimation and considering the number of published bits during error reconciliation, Alice and Bob calculate the secret key length according to Ref. 22. If the secret key length is negative, they abort the protocol.
Privacy Amplification Alice and Bob apply a hash function which is randomly chosen from a two-universal family 30 , to their corrected strings to produce the secret key of length .
The key generated by the above protocol is proven to be -secure against arbitrary attacks in Ref. 22, where is the so-called composable security parameter. The security proof makes no assumptions on the attacks and only weak ones on our implementation. It only requires that Alice's measured quadrature angles are exactly X and P and that Alice's station is inaccessible to the eavesdropper. Thus, she can trust her source and knows the probability for measuring a quadrature amplitude value exceeding α. There are no assumptions on Bob's measurement device (one-sided device independent) such that even attacks on his local oscillator are fully covered. Figure 2. Implementation of Alice's and Bob's QKD receivers. Both parties used balanced homodyne detection (BHD) to measure their part of the quadrature entangled state. The measured quadrature phase was controlled by a computer via a fast fiber-coupled electro-optical modulator (EOM). To make sure that Alice and Bob switched between the same orthogonal quadratures, a phase shifter (PS) was employed to compensate slow phase drifts. Optical losses of the transmission channel to Bob were modelled by a variable attenuator consisting of a half-wave plate (λ/2) and a polarizing beam splitter (PBS). PD: Photo Diode.
The implementation of the measurement phase of the protocol requires fast switching between the X and P quadratures in Alice's and Bob's homodyne receivers. Since the relative phase between the local oscillator and the signal field determines the measured quadrature angle, switching has been achieved by a fast fiber-coupled electro-optical modulator, which was used to apply π/2 phase shifts to set the quadrature either to X or P (see Fig. 2). The phase shift applied by the modulator ensured the orthogonality of the two quadratures used in the QKD protocol. To make sure Alice and Bob switched between the same set of quadratures, a piezo attached mirror was employed to compensate for slow drifts. The measurement rate was 100 kHz.
Important for a high key rate is an error reconciliation protocol which has an efficiency close to the Shannon limit. While for discrete variable protocols very efficient binary error correcting codes are available 11 , they have not been available for CV QKD prior to this work. The reason is that the discretized sample values are not uniformly distributed but instead, follow a Gaussian distribution. To solve the problem, we designed a two-phase error reconciliation protocol which can exploit the nonuniform distribution efficiently. First the d 1 least significant bits of each sample are sent to Bob. Since these bits are only very weakly correlated this step works with an efficiency very close to the Shannon limit. In a second step Alice and Bob use a non-binary low density parity check (LDPC) code over the Galois field GF(2 d2 ) to correct the d 2 = d − d 1 most significant bits. d 1 , d 2 , as well as the LDPC code are optimized for each QKD run using the k revealed samples from the channel estimation.   Figure 3 shows the experimental results. First we removed the variable attenuator in the transmission line to Bob and executed the protocol for different sample sizes to show the effect of the finite sample size on the secure key length (Fig. 3 (a)). For each sample size the number of samples k used for channel estimation was optimized before the QKD run to yield maximum key length. The hybrid error reconciliation had a total efficiency of β = 94.6 %, showing that our hybrid scheme achieves an efficiency as high as the reconciliation efficiencies achieved for discrete variables 11 . The theoretical model, which is the solid line in the figure, shows that a secret key can be distilled from 5 × 10 6 samples. Using 2×10 8 samples, however, we achieved a remarkable secret key length of about 97 Mbit, which is about 1.14 bit per sample left in the raw key. Thus, we have more than 1 bit secret key per sample in the raw key which exceeds the theoretical limitation of single photon QKD systems. 4 With the variable attenuator in place, we varied the optical loss of the channel to Bob between 0 % and 15 % (see Figure 3 (b)), which is equivalent to a fiber length of up to 3.5 km when standard telecommunication fibers with an attenuation of 0.2 dB/km are used. By measuring a total of 2×10 8 samples we were still able to achieve a secret key length of about 21 Mbit at an equivalent fiber length of 3.5 km. This value, as well as the secret key sizes at the other attenuation values, were achieved by having a very high overall error reconciliation efficiency between β = 94.3 % and 95.5 %. The theoretical model shown in the figure reveals that even a distance of about 5.5 km between Alice and Bob should be possible, which is already enough to implement CV aapQKD links between parties in, for instance, a city's central business district.
In conclusion, we have for the first time successfully demonstrated a CV QKD setup with security against arbitrary attacks. While in our setup Alice and Bob were located on the same optical table, they could easily be separated and connected by a standard telecommunication fiber. Although our implementation is limited to about 5.5 km due to direct reconciliation, longer distances will be possible with a reverse reconciliation protocol.
Our implementation can be seen as a paradigm change. In the past only the single-photon based QKD systems were secure against arbitrary attacks. With our result, the modulation based (CV) systems have to be accepted as a tantamount approach, however, with important capabilities. Not only higher key rates are possible but also is the implementation less prone to loopholes. Modulation based systems cannot only be operated with standard detector technology, but also with standard light sources which are based on coherent states of light. Up to now a rigorous security proof for an aapQKD system constisting of standard telecommunication devices only is not available, but it would render CV aapQKD systems even more favourable for km-scale local-area networks.

Experimental Details
The measurement rate of our implementation was 100 kHz. For each measurement, both Alice and Bob had to choose randomly between the X and P quadrature. The necessary relative phase shifts of π/2 of the local oscillator with respect to the signal beam were applied to the local oscillator beam by a high-bandwidth fiber-coupled electro-optical phase modulator driven by a digital pattern generator PCI-Express card.
Since not only the orthogonality of the measurements is important but also that Alice and Bob measure the same set of quadratures, we compensated slow phase drifts by a phase shifter made of a piezo attached mirror. The error signal for this locking loop was derived by employing a 82 MHz single sideband from the entanglement generation 27 which was detected by the homodyne detector. By lowpass filtering the demodulated homodyne signal at 10 kHz with a sufficiently high order, the high frequency phase changes from the fibercoupled phase modulator were averaged over. To make the average independent of the chosen sequence of quadratures we used the following scheme. For a choice of the X quadrature, the phase modulator was first set to a phase of π/2 during the first half of the 10 µs interval, and then to 0. For the P quadrature, the phase was first set to 0 and then to π/2. Thus, this scheme made sure that the phase did not stay in one quadrature for longer than 10 µs even in the case where one party chose by chance to measure one quadrature for a while. The measurement was performed synchronously by Alice and Bob in the second half of the interval after 3 µs settling time.
The data acquisition was triggered by the pattern generator and performed by a two channel PCI-Express card at a rate of 256 MHz. The 200 acquired samples per channel were digitally mixed down at 8 MHz, lowpass filtered by a 200-tap finite impulse response filter with a cut-off frequency of 200 kHz and down-sampled to one sample. After the total number of samples were recorded the classical post processing of the QKD protocol was performed.
Alice and Bob both employed a local oscillator with a power of 10 mW, yielding a dark noise clearance of about 18 dB. The pump powers for the two squeezed-light sources were 140 mW and 170 mW, respectively.
The optical attenuation of the variable attenuator used in Fig. 3(b) was measured by determining the strength of the 35.5 MHz phase modulation used to lock one of the squeezedlight sources 27 with Bob's homodyne detector. The error bars in the figure are due to the accuracy of this measurement.
The security of the protocol relies substantially on the use of true random numbers which are needed by Alice and Bob to choose between the X and P quadrature, and to determine a random hash function during privacy amplification. We implemented a quantum random number generator following a scheme of Ref. 31 based on vacuum state measurements performed by a balanced homodyne detector. For this purpose we implemented another balanced homodyne detector with the signal port blocked using an independent 6 mW 1550 nm beam from a fiber-laser as local oscillator. The output of the homodyne detector circuit was anti-alias filtered by a 50 MHz fourth-order Butterworth filter and sampled with a sampling frequency of 256 MHz by a data acquisition card. The data was subsequently mixed down digitally at 8 MHz, lowpass filtered with a 200-tap finite-impulse-response filter with a cutoff frequency of 5 MHz and down-sampled to 2 MHz. The generation of the random numbers from the data stream followed the procedure in Ref. 31.

Classical Post Processing
The main post-processing is performed with the AIT QKD software. For the current protocol the following algorithms are combined: (i) the binning of the synchronized outcomes, (ii) the estimation algorithm for CV QKD, (iii) the reconciliation algorithm for CV QKD, (iv) the confirmation algorithm, and (v) the privacy amplification algorithm. All classical messages during the protocol are authenticated with a message authentication code using a pre shared secret key to select a random function from a set of (almost two-universal) polynomial hash functions.
(i) First, Bob's samples in the P quadrature are multiplied by −1 to account for the anti-correlation. Alice and Bob then discretize their sifted samples into 2 d bins of equal size δ in the interval [−α, α]. The remaining outcomes associated to the intervals (−∞, −α) and (α, ∞) are joined to (−α, −α+δ) and (α − δ, ∞), respectively. The 2 d bins are identified with the key generation alphabet χ kg = {0, 1} d and each bin (symbol) has a unique binary representation of d bits. Alice and Bob obtain the binned sifted samples X sift A ∈ χ N kg and X sift B ∈ χ N kg , respectively. Throughout the experiment we have used a key generation alphabet of size |χ kg | = 2 12 .
(ii) In the estimation module for CV QKD the average distance between Alice's and Bob's binned symbols is estimated. Alice chooses a random index set E ⊂ {1, 2, . . . , N } of size |E| = k for estimation and communicates E together with the corresponding binned symbols X pe A := X sift A (E) to Bob. Bob determines his corresponding binned raw key symbols X pe B := X sift B (E), calculates the mean difference dpe between X pe A and X pe B (see Eq. (1)), and communicates it to Alice. Both parties remove the k estimation samples from their sifted samples to form their raw keys XA := X sift The reconciliation module for CV QKD implements the hybrid reconciliation protocol. As the security analysis assumes direct reconciliation, Bob has to correct his raw key XB to match with Alice's XA to generate a common raw key X. The hybrid reconciliation used to correct Bob's noisy raw key operates directly on the key generation alphabet χ kg . In preparation for the hybrid reconciliation, two additional alphabetsχ andχ are introduced such, that χ kg =χ×χ. Hence, each symbol x ∈ χ kg has a unique decomposition x = (x,x) withx ∈χ andx ∈χ. We take forx the d2 most significant bits of the binary representation of x, and forx the remaining d1 = d − d2 least significant bits of the binary representation of x. We thus decompose the raw keys as X = (X,X), wherê X andX denote the sequence of the d2 most and the d1 least significant bits of each key symbol, respectively. The reconciliation module performs the following steps: (iii-a) Based on the variance of her binned raw key and the samples X pe A and X pe B , Alice determines d1, d2, and the code rate R such that the expected leakage is minimized w.r.t. the entropy in Bob's symbols, and transmits these parameters to Bob.
(iii-b) Then Alice communicatesXA to Bob who reconcileš XB simply by settingXB :=XA. Hence, the errors which are left in Bob's key XB are reduced to the errors inXB. Nonbinary LDPC reconciliation is used to correctXB as described in the next step.
(iii-c) Both Alice and Bob split theirXA andXB into blockŝ X The non-binary belief propagation decoder operates in the probability domain using the multi-dimensional Hadamard transform to speed up the check node operations 32 . Using the syndrome s ( ) and the conditional probabilities mentioned above, this decoder calculates Bob's estimateX

( )
A of Alice's block X

( )
A . To the best of our knowledge our CV QKD protocol is the first that uses a non-binary LDPC code for information reconciliation.
We have constructed parity check matrices of non-binary LDPC codes over Galois fields of order 32, 64, 128, and 256 with code rates R ∈ {0.50, 0.51, . . . , 0.95}. Each LDPC code has a variable-node degree of two, is check-concentrated, and has a block length of 10 5 symbols. We used the progressive edge-growth algorithm 33 to construct binary codes in a first step. Then each edge has been assigned a random non-zero element of the corresponding Galois field. 33 Alice and Bob have access to all non-binary parity check matrices.
(iv) After each block has been corrected, a confirmation step establishes the correctness of the protocol using a family H of (almost) two-universal hash functions with Prob h∈ R H (h(x1) = h(x2)) ≤ c for all x1 = x2. For each block Alice chooses a hash function h randomly from H and communicates her choice to Bob. Alice and Bob apply this hash function to their blocks X ( ) A andX ( ) A and exchange the results. If their results agree the probability that Alice's and Bob's blocks are different is bounded from above by c. If their results disagree their blocks are definitely different, and they discard them.
(v) Finally, Alice and Bob feed the sequence of all confirmed blocks into the privacy amplification module. Given the accumulated leakage LK in bits from the previous protocol steps the secure key length is calculated according to Ref 22 as = (N − k)(log 1 c(δ) − log γ(dpe + µ)) − LK − log 1 , (2) where c(δ) ≈ δ 2 /(2π) and γ is a bound on the correlation between Alice and Bob depending on the measured average distance dpe and statistical fluctuations µ. Alice chooses a hash function randomly from a two-universal hash family and communicates her choice to Bob. Then Alice and Bob both apply this hash function to the reconciled blocks and obtain the -secure key Ksec.