Abstract
The roundrobindifferentialphaseshift (RRDPS) quantum key distribution (QKD) protocol has attracted intensive study due to its distinct security characteristics; e.g., information leakage is bounded without learning the error rate of key bits. Nevertheless, its practicality and performance are still not satisfactory. Here, by observing the phase randomization of the encoding states and its connection with eavesdropper’s attack, we develop an improved bound on information leakage. Interestingly, our theory is especially useful for implementations with short trains of pulses, and running without monitoring signal disturbance is still available. As a result, the practicality and performance of RRDPS are improved. Furthermore, we realize a proofofprinciple experiment with up to 140 km of fiber, which has been the longest achievable distance of RRDPS until now, whereas the original theory predicted that no secret key could be generated in our experiment. Our results will help in bringing practical RRDPS closer to practical implementations.
Introduction
Unlike publickey cryptography, whose security relies on unproven mathematical assumptions, quantum key distribution (QKD)^{1,2} can informationtheoretically distribute secret key bits between distant peers (such as Alice and Bob). According to quantum mechanics, any eavesdropping on a quantum channel will inevitably introduce signal disturbance, which implies that Alice and Bob can bound the information leakage for the eavesdropper (Eve) by collecting the error rate of their raw key bits or some other parameters reflecting the signal disturbance. For the wellknown BB84^{1} and measurementdeviceindependent (MDI)^{3} QKD with decoy states^{4,5,6}, the error rate and counting yields are used to evaluate Eve’s information. In coherentoneway (COW)^{7,8} and differentialphaseshift (DPS)^{9,10} protocols, the visibility of interference plays an essential role in monitoring information leakage. Deviceindependent (DI)^{11,12,13} QKD relies on monitoring the violation of Bell inequalities. MDIQKD and DIQKD feature a high security level in practice, while COW and DPS have compact and simple implementation. There has been great progress on experimental QKD, such as longdistance QKD implementations^{8,14,15}, high key rate systems^{16,17,18,19} and demonstrations of QKD networks^{20,21,22,23}. Nevertheless, signal disturbance monitoring is indispensable for almost all these QKD protocols and implementations.
Surprisingly, the recently proposed roundrobindifferentialphaseshift (RRDPS)^{24} protocol is an exception. In the RRDPS protocol, Alice prepares a series of pulse trains, each consisting of L weak coherent pulses. The pulses are individually modulated to random phases out of 0 and π, and every Lpulse train can be handled as a packet. Upon receiving these packets, Bob measures the phase shift between the mth pulse and the (m + r)th pulse of each packet, where r is randomly chosen from [1, L − 1] for each packet and m + r ⩽ L. Through a simple and comprehensive security proof^{24}, it has been noted that Eve’s information on raw key bits I_{AE} is no larger than h_{2}(N/(L − 1)), where N is the photonnumber of a packet. The main merit of the RRDPS protocol is that the estimation of I_{AE} does not depend on the error rate of key bits, and thus can be treated as a constant experimentally, which implies that signal disturbance monitoring can be removed during the RRDPS protocol.
There are several reasons for the strong interest in RRDPS. In theory, the result sheds new light on how intrinsic randomness of quantum mechanics can be related to secure key distribution. In practice, the removal of signal disturbance monitoring means that we do not need to consider the statistical fluctuations in the monitoring error rate and some other parameters, so a better tolerance of finitesizedkey effects is expected^{24}. In particular, the finitesizedkey effects must be carefully considered in practice, since the fluctuations induced by environmental disturbance will lead to inaccurate statistical results or much more consumption for sampling. From the point of view of QKD engineering, the postprocessing of QKD can be simplified too, since the random sampling and classical authenticated communications necessary in monitoring signal disturbance are not needed. Furthermore, according to the formula \(I_{{\mathrm{A}}E}\leqslant h_2\left( {N{\mathrm{/}}(L  1)} \right)\), it is obvious that the information leakage will be deeply suppressed, and a positive key rate under a higher error rate is expected when L becomes larger, which is the reason why, at the present stage, large L is important. It is worth noting that multidimensional QKD protocols^{25} usually have higher tolerance of error rate; in particular, the recently proposed Chau15 protocol^{26} can tolerate an error rate of up to 50% in principle, but these protocols must run with signal disturbance monitoring.
There have been several successful demonstrations of RRDPS with passive interferometers^{27,28} and actively selectable components^{29,30}. The longest achieved distance is ~90 km^{30}. Despite these experimental successes, it is still a great challenge to realize a practical measurement system with a large L value. In addition, it should be noted that large L values result in lower secret key rates per pulse. Therefore, an improved estimate of I_{AE} would be very useful, especially if it could allow operation with few pulses. In addition, although the upper bound of I_{AE} given in ref. ^{24} does not depend on the error rate, it is still not fully clear how Eve’s attack introduces error bits and if it is possible to use the error rate in RRDPS to improve its performance. To address these issues, we report an improved theoretical bound on I_{AE}. Interestingly, error rate can also be considered in our method to estimate I_{AE} in an even tighter way. Through numerical simulation, we show that with our theory, the performance of the reallife RRDPS implementation can be improved. Even the RRDPS with relatively small L, e.g., L = 8, can outperform commonly used BB84 with decoy states when interferometer misalignment is severe. It is also remarkable that the RRDPS protocol with L = 3, which is not permitted in the original RRDPS protocol, can generate secret keys according to our analysis. Finally, we verify our theory through a proofofprinciple experiment with L = 3, which can run at a distance of 30 km without signal disturbance monitoring and decoy states. In addition, a demonstration at 140 km is also realized with monitoring signal disturbance and decoy states.
Results
New bound for Eve’s information
The original security proof given in ref. ^{24} is simple and elegant but does not consider Eve’s optimal attack and corresponding information leakage. Our basic idea is to directly construct Eve’s collective attack to each packet and calculate the maximal information acquired by Eve. Considering that the quantum de Finetti theorem^{31,32,33} holds when the pulses are grouped by packets in RRDPS, the results also then cover general coherent attacks. However, even in case of collective attack, it is not easy to perform theoretical analysis, since the dimension of Alice’s encoding state depends on L and may be very large. For simplicity, we first consider the case in which each packet contains only one photon. Alice randomly prepares the singlephoton state \(\left \psi \right\rangle = \mathop {\sum}\nolimits_{m = 1}^L (  1)^{k_m}\left m \right\rangle\), where k_{ m } ∈ {0, 1} is Alice’s raw key bit and \(\left m \right\rangle\) (m ∈ {1, .., L}) indicates that this singlephoton is in the mth timebin. Eve’s general collective attack can be given by \(U_{{\mathrm{Eve}}}{\kern 1pt} \left m \right\rangle \left {e_{{\mathrm{initial}}}} \right\rangle = \mathop {\sum}\nolimits_{n = 1}^L c_{mn}\left n \right\rangle \left {e_{mn}} \right\rangle\), where the quantum state of Eve’s ancilla \(\left {e_{mn}} \right\rangle\) corresponds to Eve transforming \(\left m \right\rangle\) to \(\left n \right\rangle\) and sending \(\left n \right\rangle\) to Bob. In principle, Eve’s ancilla has L^{2} different states and thus is difficult to work with. We develop a method to simplify Eve’s quantum state and bound her information effectively. The essence of our method is to introduce phase randomization, which was not considered in previous works. Concretely, consider the case in which Bob has measured the incoming singlephoton with basis \(\left a \right\rangle \pm \left b \right\rangle\) successfully and announced (a, b) publicly. Eve then aims to guess k_{ a } + k_{ b }. For any m ≠ a, b the phase \(\left( {  1} \right)^{k_m}\) is completely random to Eve, which implies that some mixed components \(\left {c_{ma}} \right^2\left {e_{ma}} \right\rangle \left\langle {e_{ma}} \right + \left {c_{mb}} \right^2\left {e_{mb}} \right\rangle \left\langle {e_{mb}} \right\) (m ≠ a, b) will emerge in the density matrix of Eve. These mixed components do not give Eve any information and can thus be ignored to simplify the proof. Accordingly, we find that \(I_{{\mathrm{A}}E}\leqslant {\mathrm max}_{0\leqslant x\leqslant 1}\varphi \left( {(L  1)x,1  x} \right){\mathrm{/}}(L  1)\), where \(\varphi (x,y) =  x\,{\mathrm{log}}_2\,x  y\,{\mathrm{log}}_2\,y + (x + y){\mathrm{log}}_2(x + y)\). In addition, x can be related to the error rate E, so this bound works for implementations both with and without monitoring signal disturbance. One can refer to Supplementary Note 1 for the detailed security proof.
It would be very useful to extend the security proof from the singlephoton to the Nphoton case. Nevertheless, due to the complexity of the Nphoton quantum state, it is difficult to depict and estimate the upper bound of Eve’s information for the general Nphoton case. Our technique is based on grouping the Nphoton state into different summations with different numbers of phases and introduce phase randomization between them. Here, we sketch our method for the oddN photonnumbers case. Such an oddN (N ⩽ L − 1) photons quantum state must have the form \(\left \psi \right\rangle = \mathop {\sum}\nolimits_{t = 1}^{N/2 + 1/2} (  1)^{k_{m_1} + ... + k_{m_{2t  1}}}\left {m_1m_2...m_{2t  1}} \right\rangle _{{\mathrm{odd}}}\), in which \(\left {m_1m_2...m_{2t  1}} \right\rangle _{{\mathrm{odd}}}\) means a superposition of quantum states in which the photonnumbers in timebins m_{1}m_{2}...m_{2t−1} must be odd, while the photonnumbers in all other timebins must be even. The form of \(\left {m_1m_2...m_{2t  1}} \right\rangle _{{\mathrm{odd}}}\) depends on the values of N and L. For example, assuming N = 3 and L = 5, nonnormalized state \(\left 1 \right\rangle _{{\mathrm{odd}}} \buildrel \Delta \over = \sqrt 3 \left 1 \right\rangle \left( {\left 2 \right\rangle \left 2 \right\rangle + \left 3 \right\rangle \left 3 \right\rangle + \left 4 \right\rangle \left 4 \right\rangle + \left 5 \right\rangle \left 5 \right\rangle } \right)\) + \(\left 1 \right\rangle \left 1 \right\rangle \left 1 \right\rangle\), where \(\left 1 \right\rangle \left 2 \right\rangle \left 2 \right\rangle\) means that there is one photon in the first timebin and two photons in the second timebin, while \(\left 1 \right\rangle \left 1 \right\rangle \left 1 \right\rangle\) indicates that all three photons occupy the first timebin (see Supplementary Note 3 for the threephoton case). It is then straightforward to redefine the collective attack with the new basis \(\left {m_1m_2...m_{2t  1}} \right\rangle _{{\mathrm{odd}}}\): \(U_{{\mathrm{Eve}}}{\kern 1pt} \left {m_1m_2...m_{2t  1}} \right\rangle _{{\mathrm{odd}}}\left {e_{{\mathrm{initial}}}} \right\rangle\) = \(\mathop {\sum}\nolimits_{n = 1}^L c_{m_1m_2...m_{2t  1}n}\left n \right\rangle \left {e_{m_1m_2...m_{2t  1}n}} \right\rangle\), where the quantum state of Eve’s ancilla \(\left {e_{m_1m_2...m_{2t  1}n}} \right\rangle\) corresponds to Eve transforming \(\left {m_1m_2...m_{2t  1}} \right\rangle _{{\mathrm{odd}}}\) to singlephoton state \(\left n \right\rangle\) and sending \(\left n \right\rangle\) to Bob. After Bob measures the incoming singlephoton with basis \(\left a \right\rangle \pm \left b \right\rangle\) and announces (a, b) publicly, Eve will try to guess k_{ a } + k_{ b }. Due to the potential phase randomization between different summations, Eve can acquire some information only from two types of “twodimensional” terms such as \(U_{\mathrm{Eve}}(  1)^{k_{m_1} + k_{m_2} + ... + k_{m_{2t  1}}}\left(\right. (  1)^{k_a} {m_1m_2..m_{2t  1}a} \rangle _{\mathrm{odd}}\) + \({(  1)^{k_b} {m_1m_2...m_{2t  1}b} \rangle _{{\mathrm{odd}}}} \left.\right) {e_{{\mathrm{initial}}}} \rangle\) and \(U_{{\mathrm{Eve}}}(\! \! 1)^{k_{m_1} + k_{m_2} + ... + k_{m_{2t  1}}}\left( {\left {m_1m_2...m_{2t  1}} \right\rangle _{{\mathrm{odd}}}} \right.\) + \({(  1)^{k_a + k_b}\left \right.{m_1m_2...m_{2t  1}ab} \rangle _{{\mathrm{odd}}}} \left.\right)\left\right. {e_{{\mathrm{initial}}}} \rangle\) (m_{1}, m_{2}, ..., m_{2t−1} ≠ a, b). Summing over the upper bounds of Eve’s information on all these “twodimensional” terms, we obtain the final formula to estimate Eve’s information. The examples for twophoton and fourphoton cases are given in Supplementary Notes 2 and 4, respectively. The detailed proof for general cases can be found in Supplementary Notes 5–7. The results are summarized by the following theorem and its corollary.
Theorem. For the RRDPS protocol with Lpulse packet, where each packet contains N photons (L ⩾ N + 1), Eve’s information can be bounded by
where \(\varphi (x,y) =  x\,{\mathrm{log}}_2\,x  y\,{\mathrm{log}}_2\,y + (x + y){\mathrm{log}}_2(x + y)\), nonnegative real parameters x_{i} satisfying \(\mathop {\sum}\nolimits_{i = 1}^{N + 1} x_i = 1\). Moreover, if the error rate of raw key bits is E, these parameters x_{ i } (i ∈ {1, 2, ..., N + 1}) must satisfy the constraint
and,
Corollary. If the photonnumber L ⩽ N − 2, I_{AE} < 1 always holds.
Based on this theorem, the upper bound of I_{AE} is generalized to find the maximum value of a given function under a constraint defined by E. If we ignore this constraint, we obtain \(I_{{\mathrm{AE}}}^{\mathrm{U}}\) without monitoring signal disturbance. Alternatively, if we retain this constraint, a tighter estimation may be achieved. It is remarkable that searching such a maximum value can be effective and concise through a numerical method, since its function is convex. A different, less tight bound improvement was recently reported in ref. ^{34}.
Potential improvements made by our theory
For a QKD protocol, the mutual information between Alice and Bob is given by I_{AB} = 1 − h_{2}(E). Thus, there is a maximum value E_{max} of error rate E, which satisfies \(I_{{\mathrm{AB}}} = I_{{\mathrm{AE}}}^{\mathrm{U}}\), when E = E_{max}. Obviously, if \(E\geqslant E_{{\mathrm{max}}}\) holds, I_{AB} will be no larger than \(I_{{\mathrm{AE}}}^{\mathrm{U}}\), and no secret key bits can be generated. Thus, E_{max} is the maximum value of tolerable error rate of a QKD protocol. We first compare E_{max} of RRDPS between the original method and our new formulae. In Table 1, we list the results for the cases in which a singlephoton source is equipped. One can see that our formulae can increase E_{max}, especially when L is small. It is remarkable to note that for the case L = 3, with our formulae E_{max} can be up to 5%, while the original RRDPS protocol cannot generate secure key bits at all. More importantly, the notable difference between columns two and three in Table 1 implies that our theory leads to increased E_{max} compared to the original RRDPS even when signal disturbance monitoring is still turned off.
The most important step is to evaluate the secret key rate and achievable distance of RRDPS through simulations. Here, we assume the pulse width is constant for different values of L and the dark counting rate of the singlephoton detector (SPD) is set to be d = 10^{−6} per pulse, which is typical and practical. Another important parameter used in the simulations is the interferometer misalignment e_{mis}. In a phasecoding system, the error rate mainly stems from apparatus imperfections, such as interferometer misalignment and dark counts of SPD. The interferometer misalignment e_{mis} indicates the probability that an incoming photon hits an erroneous SPD due to interferometer misalignment. Actually, e_{mis} depends on the visibility V of optical interference, and e_{mis} = (1 − V)/2. In an ideal interferometer with V = 1, two optical pulses with relative phases 0 and π always hit different SPDs. Thus, one can deduce the relative phase, i.e., key bit in the phase coding system, by observing which SPD clicks. However, due to the limited precision of interferometer fabrication or the environmental disturbance, e.g., the drift between the lengths of the short arm and long arm of the interferometer, V may be lowered, and higher e_{mis} is introduced.
Although e_{mis} in most reported QKD experiments can be kept small, i.e., \(e_{{\mathrm{mis}}}\leqslant 5\%\), it is still important to evaluate the performance of RRDPS in the high e_{mis} region. There are two reasons for this. First, reducing e_{mis} requires complex techniques, such as active feedback^{35} and interferometer fabrication with high precision. In addition, active feedback techniques, such as phasereference alignments and polarization controls, may be ineffective and even invalid in fastchanging environments. Highprecision interferometers, on the other hand, are more challenging in RRDPS, since interferometers with variable delays must be matched well. To improve the robustness of the QKD system in various environments and alleviate its dependence on these techniques, QKD protocols inherently feasible in high e_{mis} scenarios are highly desirable. Second, the use of other highdimensional degrees of freedom, e.g., orbital angular momentum (OAM) of photons, rather than timebin, is a potential way to improve the key rate of RRDPS, but typically, e_{mis} in QKD based on OAM can be greater than 10%^{36,37}. Hence, simulations of RRDPS with large e_{mis} are relevant for future study. We here report the simulation results. Details of how we model the QKD systems and perform the simulations are presented in the methods section.
For ease of understanding, we first study the tolerance of channel loss when a singlephoton source is equipped. Under a given e_{mis}, secure key bits can be generated only when the channel loss is smaller than a value loss_{max}, which is understood as the maximum value of tolerable channel loss. The loss_{max} values under different e_{mis} are listed in Table 2. For RRDPS, the value of L is optimized to maximize loss_{max}. We can see that with the help of formula (1), the loss_{max} of RRDPS becomes much larger, and L can be lowered, compared to the original RRDPS. When e_{mis} ⩾ 0.08, the improved RRDPS can outperform BB84 in terms of tolerable channel loss.
Next, we consider a more realistic scenario in which a weak coherent source is used. The secret key rates R per pulse versus total losses for L = 8, L = 16 and L = 32 are simulated. Figure 1 (e_{mis} = 0.015) and Fig. 2 (e_{mis} = 0.15) are both simulated without using signal disturbance parameters. From them, we can see that with the help of the proposed method, the secret key rate and achievable distance of RRDPS systems are both evidently increased, especially for small L cases. To further investigate the performance of our improved RRDPS under high e_{mis}, the secret key rates versus e_{mis} under typical channel losses are depicted in Fig. 3, from which we can see that RRDPS outperforms BB84 with decoy states when e_{mis} is greater than 10%.
We also analyzed experimental data from previous experiments to show the improvement of key rate. In the experiment of RRDPS with L = 65 reported in ref. ^{29}, the secret key rate for a 95 km fiber channel can be increased from 5 × 10^{−8} to 1.4 × 10^{−6} per pulse (see methods section for details).
These simulations confirm the prominent advantages of our theory over the original RRDPS. Compared with BB84 with decoy states, the proposed RRDPS is inherently feasible under a high e_{mis} region, which is meaningful to alleviate its dependence on implementation techniques, such as active phase compensations and interferometer fabrication with high precision. In addition, the proposed RRDPS can still run without monitoring signal disturbance, so its unique advantages on the tolerance of finitesizedkey effects and postprocessing convenience over conventional QKD protocols are maintained.
Proofofprinciple experiment
Based on the above theoretical results, RRDPS requires that L ⩾ 3. This would represent the simplest RRDPS experimental implementation up to date. Here, we describe a proofofprinciple experiment with L = 3 to verify our theory.
Our implementation is shown in Fig. 4, and it is similar to the ones employed in refs ^{28,29}. At Alice’s site, a pulse train with a repetition rate of 1 GHz is generated by modulating a 1550.12 nm continuous wave (CW) laser using the first LiNbO_{3} intensity modulator (IM_{1}). Every 3 pulses (L = 3) is defined as one packet. The second intensity modulator (IM_{2}) is employed to implement the decoy states method, by which each packet is randomly modulated into signal, decoy and vacuum packets. The first phase modulator (PM_{1}) adds phase −π/2 or π/2 on each pulse to encode the key bits, and the second phase modulator (PM_{2}) adds a random global phase on each packet. The encoded pulse train is then launched into a variable attenuator (VA) so that the average photonnumber per pulse can be adjusted.
At Bob’s site, the passive scheme based on a 1 × 2 beam splitter (BS) is used to implement a highspeed and lowloss decoding measurement. Since L = 3 and the time interval between adjacent pulses is 1 ns, there are only two unbalanced Faraday–Michelson interferometers (FMIs) with 1 and 2 ns temporal delays. One 50/50 BS and two Faraday mirrors (FMs) constitute an FMI, and a threeport optical circulator is added before the BS to export the other interference result. Each output of these two unbalanced FMIs is led to an SPD. Finally, the detection events are recorded by a timetodigital convertor (TDC), which records the timetagged and whichdetector information.
The passive implementation scheme and small values of L make our RRDPS system very practical. The passive approach allows high time efficiency and internal transmittance of Bob’s optical components, and four SPDs used to detect the L = 3 packet are acceptable. The 1 × 2 BS amounts to randomly choosing between 1 and 2 ns delay FMIs. In contrast to active schemes^{29}, the passive choice between different delay measurements has no speed limits, and the time interval between each two packets to achieve a low error rate is no longer necessary. The average insertion loss (IL) of the 1 and 2 ns delay FMIs is only approximate 0.80 dB, in which the IL of the optical circulator is also included. These two FMIs are placed in two small ABS plastic cases to isolate them from the environment, and heating plates are used to keep the temperature of FMIs above room temperature. Thus, we could actively and independently compensate for the phase shifts of 1 and 2 ns delay FMIs and keep the phase of the unbalance interferometer stable. Owing to 45° Faraday mirrors, these FMIs are insensitive to polarization variations and feature extinction ratios of approximately 23.5 dB.
In addition, SPDs based on InGaAs/InP avalanche photodiodes (APD) are employed to detect photons from 1 and 2 ns delay FMIs, which makes the RRDPS system more practical. These four SPDs are working with Peltier cooling and operated in gated Geiger mode with the sinewave filtering method^{38}. The detection efficiencies of the four SPDs are approximately 20.4% with a dark count rate of 1.25 × 10^{−6} per gate and an afterpulse probability of 1.02%. Here, the insertion loss of the optical circular from BS (of FMI) to SPD is included in the detection efficiency of SPD.
We tested the L = 3 RRDPS system with standard telecom fiber channels at distances of 30, 50, 100, and 140 km. At a distance of 30 km, the system was running without monitoring signal disturbance and decoy states, while the mean photonnumber per pulse was set to be 0.005. At the other distances, our RRDPS system cannot generate secret key bits without decoy states due to the contribution of multiphoton events, so decoy states must be introduced. The decoy states method was implemented by setting the photonnumbers per pulse of the signal, decoy, and “vacuum” packets with values of 0.13, 0.03, and 0.0003, respectively. These values of mean photonnumber are optimal to maximize the key rate according to the simulations. The experimental results are listed in Table 3, where the error rates of key bits and yields per packet are directly obtained experimentally. When decoy states are employed, we use formulae given in ref. ^{39} to calculate the yield and error rate for a singlephoton packet. The secret key rates R_{1} and R_{2} are then calculated according to Eq. (1) without and with the error rate, respectively (see methods section for detailed information).
In our L = 3 RRDPS experiment without monitoring and decoy states, the transmission distance could reach 30 km. When decoy states are employed, 140 km is reached with InGaAs/InP SPDs, while the maximum transmission distance of the similar L = 5 RRDPS experimental system is less than 50 km with superconducting SPDs^{28}. Thus, we have successfully verified the feasibility of RRDPS with the smallest L = 3, which is impossible based on the original theory.
Discussion
We reported on an alternative theory to estimate Eve’s information on raw key bits I_{AE}. The essence behind our method is that the potential phase randomization can be utilized for the security analysis of RRDPS. The advantage is that I_{AE} can be bounded more tightly than before, especially when L is small. Our results can be used for scenarios both without and with monitoring signal disturbance.
We compared RRDPS with the commonly used BB84 protocol. Although the secret key rate and achievable distance of RRDPS still seem to be inferior to BB84 with decoy states in some typical scenarios, the proposed RRDPS has its particular advantage of postprocessing convenience. Moreover, when interferometer misalignment is severe, RRDPS can outperform BB84 significantly. To verify our theory, a proofofprinciple experiment with L = 3 is demonstrated here.
There are still several points that should be addressed in the future. In ref. ^{40}, it has been proved that the original bound \(I_{{\mathrm{AE}}}\leqslant h_2\left( {n{\mathrm{/}}(L  1)} \right)\) holds with inaccurate phase coding. Our technique depends on the phase randomization, which requires that Alice’s phase coding must be 0 or π randomly. Therefore, analyzing the relation between phase coding inaccuracy and the upper bound of I_{AE} quantitatively is necessary. Another issue is how to countermeasure the potential attacks due to device imperfections. For example, the blinding attack^{41} must be carefully considered in the practical RRDPS systems.
Note added. While preparing the paper, we became aware that similar topics are discussed in other theoretical works^{42,43}.
Methods
Simulation
We use Wolfram Mathematica 10.3 to run the numerical simulations.
The transmission efficiency of the channel is η = 10^{−loss/10}, and loss is just the attenuation (dB) of the channel. Here, we assume that loss stems from the channel while the photonnumberresolving SPDs have 100% efficiency and dark counting rate d = 10^{−6} per pulse. When Bob decides to set the delay value as r ∈ {1, ..., L − 1}, both of his SPDs will open L − r timewindows to detect the incoming signal. Bob retains only the events in which a singlephoton click occurs among these L − r timewindows. The models of the simulations are given below.
We first simulate RRDPS with a singlephoton source. Imagining that the delay value is r and both SPDs open one timewindow to detect the incoming singlephoton, a single click obviously occurs with the probability (L − r)η/L + (1 − (L − r)η/L)2d(1 − d). The first item represents the probability that the singlephoton is not absorbed by the channel or lost due to the noninterfering events in unbalanced Mach–Zehnder interferometers^{44,45}. The second item means a dark count occurs, while the singlephoton is absorbed by the channel or lost due to the noninterfering events in interferometers. Considering that Bob actually opens L − r timewindows and only retains the case in which there is only one click among these L − r timewindows, the probability that Bob obtains one raw key bit per packet is given by
The error rate of the key bit generated by a singlephoton packet with delay value r is
where e_{mis} represents the probability that the incoming photon clicks the erroneous SPD due to interferometer misalignment. Accordingly, the mean yield of a singlephoton packet is \(Y = \mathop {\sum}\nolimits_{r = 1}^{L  1} Y_r{\mathrm{/}}(L  1)\), and its mean error rate is simulated by \(EY = \mathop {\sum}\nolimits_{r = 1}^{L  1} E_rY_r{\mathrm{/}}(L  1)\). The secret key rate per pulse is then given by \(RL = Y\left( {1  h_2(E)  I_{{\mathrm{AE}}}^{\mathrm{U}}} \right)\), where h_{2} is the information entropy function.
For comparison, we also simulate phasecoding BB84 with a singlephoton source here. In a typical phasecoding BB84 system, each encoding state consists of two optical pulses and thus is quite similar to RRDPS with L = 2. We then have for phasecoding BB84 its yield per “one pair of pulses” and error rate given by
and
respectively, and its secret key rate per pulse is R = Y(1 − 2h_{2}(E))/2.
With a weak coherent source, the method for simulating RRDPS is present here. Assuming the mean photonnumber of each pulse emitted by Alice is μ, the mean photonnumber per pulse will be attenuated to ημ due to channel loss. When Bob’s delay value is r, his two SPDs open L − r timewindows to detect L − r + 1 weak coherent pulses with mean photonnumber ημ. Recall the loss due to the noninterfering events in unbalanced Mach–Zehnder interferometers^{44,45}; Bob actually attempts to observe the singlephoton from L − r weak coherent pulses with mean photonnumber ημ. For ease of simulation, we assume Bob’s SPD can resolve the photonnumber perfectly (in practice, one can use the number of doubleclicks of threshold SPDs to effectively estimate the number of times Bob receives a multiphoton packet, and then the amount of “tagged” key bits generated by multiphoton receiving events can be upper bounded and further eliminated by privacy amplification^{28}.). There are then only two possibilities for observing a singlephoton click. First, there exists exist only one photon among these L − r weak coherent pulses to click Bob’s SPD. The corresponding probability is proportional to e^{−(L−r)ημ}(L − r)ημ. Second, there is no photon among these pulses, but Bob’s SPD clicks due to dark counting. The corresponding probability is then proportional to e^{−(L−r)ημ}. Summing over the two possibilities and recalling that Bob retains only the case in which there is only one click among these L − r timewindows, we have
and the overall counting rate \(Q = \mathop {\sum}\nolimits_{r = 1}^{L  1} Q_r{\mathrm{/}}(L  1)\). The error rate E can be simulated by
In the case without monitoring signal disturbance and decoy states, the secret key rate R per pulse is given by
where \(e_{{\mathrm{src}}} = 1  \mathop {\sum}\nolimits_{n = 0}^{v_{{\mathrm{th}}}} e^{  L\mu }(L\mu )^n{\mathrm{/}}n!\) is the probability that the photonnumber of a packet is greater than ν_{th}. In our method, \(I_{{\mathrm{AE}}}^{\mathrm{U}}\) is calculated by Eq. (1) setting the photonnumber N = v_{th} and ignoring constraint Eqs. (2) and (3). In the original method, \(I_{{\mathrm{AE}}}^{\mathrm{U}} = h_2\left( {v_{{\mathrm{th}}}{\mathrm{/}}(L  1)} \right)\). μ and v_{th} should be optimized to maximize R.
For comparison, we also simulate phasecoding BB84 with a weak coherent source here. Note we assume that infinite decoy states are employed in this case. Similar to the method of obtaining Eqs. (10) and (11) in ref. ^{39}, we have for phasecoding BB84 its yield per “one pair of pulses” and error rate given by
and
respectively, where n is the photonnumber of the encoding state. Summing over all possible photonnumbers n, its mean yield and error rate are given by \(Q = \mathop {\sum}\nolimits_{n\geqslant 0} e^{  2\mu }(2\mu )^nY_n{\mathrm{/}}n!\) and \(EQ = \mathop {\sum}\nolimits_{n\geqslant 0} e^{  2\mu }(2\mu )^nE_nY_n{\mathrm{/}}n!\), respectively, where μ is the mean photonnumber per pulse. Its secret key rate is
In an experiment of RRDPS with L = 65 given in ref. ^{29}, there is a set of experimental observations: the mean photonnumber s = 0.037 per pulse, yield Q_{s} = 8.435 × 10^{−4} per packet and error rate E = 0.058. By setting v_{th} = 10, the secret key rate is R_{1} = (Q_{s}(1 − 1.1h_{2}(E)) − e_{src} − (Q_{s} − e_{src})h_{2}(v_{th}/64))/L = 5 × 10^{−8}. With the same parameters and finding \(I_{{\mathrm{AE}}}^{\mathrm{U}} = 0.513\) for 10photon, \(R_2 = \left( {Q_{\mathrm{s}}\left( {1  1.1h_2(E)} \right)  e_{{\mathrm{src}}}} \right.\) − \(\left. {\left( {Q_{\mathrm{s}}  e_{{\mathrm{src}}}} \right)I_{{\mathrm{A}}E}^{\mathrm{U}}} \right){\mathrm{/}}L = 1.44 \times 10^{  6}\).
Key rate for the experiment
Here, we describe the methods for obtaining the secret key rates in Table 3.
At 30 km, the system was running without monitoring and decoy states. Its secret key rate R is then calculated by \(RL = Q_{\mathrm{s}}\left( {1  h_2(E)} \right)  e_{{\mathrm{s}}rc}  \left( {Q_{\mathrm{s}}  e_{{\mathrm{src}}}} \right)I_{{\mathrm{AE}}}^{\mathrm{U}}\), where e_{src} = 1 − e^{−Lμ} − Lμe^{−Lμ}, μ = 0.005, and \(I_{{\mathrm{AE}}}^{\mathrm{U}}\) is calculated by formula (1).
At the other distances, decoy states were employed. The photonnumbers per pulse of signal, decoy, and “vacuum” packets are given the values s = 0.13, d = 0.03, and v = 0.0003, respectively. In the experiment, we directly observe the yields Q_{s}, Q_{d} and Q_{v} for signal, decoy and “vacuum” packets, respectively. The error rates E_{s} (E_{d}) for key bits generated from signal (decoy) packets are also observed experimentally. Referring to ref. ^{39}, we can estimate the yield Y_{1} for singlephoton packets and the error rate E_{1} for key bits generated from singlephoton packets by the following:
As a proofofprinciple experiment, the secret key rates R_{1} and R_{2} in Table 3 are not obtained by actually performing postprocessing steps. Instead, they are calculated by \(R = \left( {Lse^{  Ls}Y_1\left( {1  I_{{\mathrm{AE}}}^{\mathrm{U}}} \right)  Q_{\mathrm{s}}h_2\left( {E_{\mathrm{s}}} \right)} \right){\mathrm{/}}L\). Here, to obtain R_{1}, we calculate \(I_{{\mathrm{AE}}}^{\mathrm{U}}\) with Eq. (1), while ignoring constraint Eqs. (2) and (3). To R_{2}, this constraint with E = E_{1} is used.
Code availability
Source codes of the plots are available from the corresponding authors on request.
Data availability
The data that support the findings of this study are available from the corresponding authors on request.
Additional information
Publisher's note: Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
References
 1.
Bennett, C. H. & Brassard, G. in Proceedings of IEEE International Conference on Computers Systems and Signal Processing 175–179 (Bangalore, India, 1984).
 2.
Ekert, A. K. Quantum cryptography based on Bell’s theorem. Phys. Rev. Lett. 67, 661 (1991).
 3.
Lo, H.K. et al. Measurementdeviceindependent quantum key distribution. Phys. Rev. Lett. 108, 130503 (2005).
 4.
Hwang, W.Y. Quantum key distribution with high loss: toward global secure communication. Phys. Rev. Lett. 91, 057901 (2003).
 5.
Wang, X.B. Beating the photonnumbersplitting attack in practical quantum cryptography. Phys. Rev. Lett. 94, 230503 (2005).
 6.
Lo, H.K., Ma, X. & Chen, K. Decoy state quantum key distribution. Phys. Rev. Lett. 94, 230504 (2005).
 7.
Stucki, D. et al. Fast and simple oneway quantum key distribution. Appl. Phys. Lett. 87, 194108 (2005).
 8.
Korzh, B. et al. Provably secure and practical quantum key distribution over 307 km of optical fibre. Nat. Photon. 9, 163–168 (2015).
 9.
Inoue, K., Brunner, N. & Yamamoto, Y. Differential phase shift quantum key distribution. Phys. Rev. Lett. 89, 037902 (2002).
 10.
Moroder, T. et al. Security of distributedphasereference quantum key distribution. Phys. Rev. Lett. 109, 260501 (2012).
 11.
Acin, A. et al. Deviceindependent security of quantum cryptography against collective attacks. Phys. Rev. Lett. 98, 230501 (2007).
 12.
Pironio, S. et al. Deviceindependent quantum key distribution secure against collective attacks. New J. Phys. 11, 045021 (2009).
 13.
Lim, C. C. W. et al. Deviceindependent quantum key distribution with local belltest. Phys. Rev. X 3, 031006 (2013).
 14.
Yin, H.L. et al. Measurementdeviceindependent quantum key distribution over a 404 km optical fiber. Phys. Rev. Lett. 117, 190501 (2016).
 15.
Frohlich, B. et al. Longdistance quantum key distribution secure against coherent attacks. Optica 4, 163 (2017).
 16.
Dixon, A. R. et al. Gigahertz decoy quantum key distribution with 1 Mbit/s secure key rate. Opt. Express 16, 18790 (2008).
 17.
Zhang, Q. et al. Megabits secure key rate quantum key distribution. New J. Phys. 11, 045010 (2009).
 18.
Patel, K. A. et al. Quantum key distribution for 10 Gb/s dense wavelength division multiplexing networks. Appl. Phys. Lett. 104, 051123 (2014).
 19.
Comandar, L. C. et al. Quantum key distribution without detector vulnerabilities using optically seeded lasers. Nat. Photon. 10, 312–315 (2016).
 20.
Peev, M. et al. The SECOQC quantum key distribution network in Vienna. New. J. Phys. 11, 075001 (2009).
 21.
Sasaki, M. et al. Field test of quantum key distribution in the Tokyo QKD Network. Opt. Express 19, 10387 (2011).
 22.
Fröhlich, B. et al. A quantum access network. Nature 501, 69 (2013).
 23.
Tang, Y.L. et al. Measurementdeviceindependent quantum key distribution over untrustful metropolitan network. Phys. Rev. X 6, 011024 (2016).
 24.
Sasaki, T., Yamamoto, Y. & Koashi, M. Practical quantum key distribution protocol without monitoring signal disturbance. Nature 509, 475 (2014).
 25.
Cerf, N. J. et al. Security of quantum key distribution using dlevel systems. Phys. Rev. Lett. 88, 127902 (2002).
 26.
Chau., H. F. Quantum key distribution using qudits that each encode one bit of raw key. Phys. Rev. A 92, 062324 (2015).
 27.
Guan, J.Y. et al. Experimental passive roundrobin differential phaseshift quantum key distribution. Phys. Rev. Lett. 114, 180502 (2015).
 28.
Takesue, H. et al. Experimental quantum key distribution without monitoring signal disturbance. Nat. Photon. 9, 827–831 (2015).
 29.
Wang, S. et al. Experimental demonstration of a quantum key distribution without signal disturbance monitoring. Nat. Photon. 9, 832–836 (2015).
 30.
Li, Y.H. et al. Experimental roundrobin differential phaseshift quantum key distribution. Phys. Rev. A 93, 030302 (2016).
 31.
Caves., C. M., Fuchs, C. A. & Schack, R. Unknown quantum states: the quantum de Finetti representation. J. Math. Phys. 43, 4527 (2002).
 32.
Fuchs, C. A., Schack, R. & Scudo, P. F. De Finetti representation theorem for quantumprocess tomography. Phys. Rev. A 69, 062305 (2016).
 33.
Christandl, M., König, R. & Renner, R. Postselection technique for quantum channels with applications to quantum cryptography. Phys. Rev. Lett. 102, 020504 (2009).
 34.
Zhang, Z. et al. Practical roundrobin differentialphaseshift quantum key distribution. New J. Phys. 19, 033013 (2017).
 35.
Dynes, J. F. et al. Stability of high bit rate quantum key distribution on installed fiber. Opt. Express 15, 16339 (2011).
 36.
Krenn, M. et al. Twisted photon entanglement through turbulent air across Vienna. Proc. Natl Acad. Sci. USA 112, 14197 (2015).
 37.
Sit, A. et al. Highdimensional intracity quantum cryptography with structured photons. Optica 4, 1006 (2017).
 38.
Walenta, N. et al. Sine gating detector with simple filtering for lownoise infrared single photon detection at room temperature. J. Appl. Phys. 112, 063106 (2012).
 39.
Ma, X. et al. Practical decoy state for quantum key distribution. Phys. Rev. A 72, 012326 (2005).
 40.
Mizutani, A., Imoto, N. & Tamaki, K. Robustness of the roundrobin differentialphaseshift quantumkeydistribution protocol against source flaws. Phys. Rev. A 92, 060303 (2015).
 41.
Lydersen, L. et al. Hacking commercial quantum cryptography systems by tailored bright illumination. Nat. Photon. 4, 686 (2015).
 42.
Hatakeyama, Y. et al. Differentialphaseshift quantumkeydistribution protocol with a small number of random delays. Phys. Rev. A 95, 042301 (2017).
 43.
Sasaki, T. & Koashi, M. A security proof of the roundrobin differential phase shift quantum key distribution protocol based on the signal disturbance. Quantum Sci. Technol. 2, 024006 (2017).
 44.
Bennett, C. H. Quantum cryptography using any two nonorthogonal states. Phys. Rev. Lett. 68, 3121 (1992).
 45.
Gisin, N. et al. Quantum cryptography. Rev. Mod. Phys. 74, 145 (2002).
Acknowledgements
We would like to thank Prof. Xiongfeng Ma, Dr Xiao Yuan, and Dr Zhu Cao for helpful discussions. This work has been supported by the National Key Research And Development Program of China (Grant Nos. 2016YFA0302600 and 2016YFA0301702), the National Natural Science Foundation of China (Grant Nos. 61775207, 61475148, 61627820, 61622506, 61575183, and 61675189), the “Strategic Priority Research Program(B)” of the Chinese Academy of Sciences (Grant No. XDB01030100).
Author information
Affiliations
CAS Key Laboratory of Quantum Information, University of Science and Technology of China, Hefei, 230026, China
 ZhenQiang Yin
 , Shuang Wang
 , Wei Chen
 , YunGuang Han
 , Rong Wang
 , GuangCan Guo
 & ZhengFu Han
Synergetic Innovation Center of Quantum Information & Quantum Physics, University of Science and Technology of China, Hefei, Anhui, 230026, China
 ZhenQiang Yin
 , Shuang Wang
 , Wei Chen
 , YunGuang Han
 , Rong Wang
 , GuangCan Guo
 & ZhengFu Han
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing, 100878, China
 ZhenQiang Yin
 , Shuang Wang
 , Wei Chen
 , YunGuang Han
 , Rong Wang
 , GuangCan Guo
 & ZhengFu Han
Authors
Search for ZhenQiang Yin in:
Search for Shuang Wang in:
Search for Wei Chen in:
Search for YunGuang Han in:
Search for Rong Wang in:
Search for GuangCan Guo in:
Search for ZhengFu Han in:
Contributions
Z.Q.Y., S.W., W.C., G.C.G., and Z.F.H. conceived the basic idea of the security proof and designed the experiments. Z.Q.Y. finished the details of the security proof. S.W. designed the variabledelay interferometer. W.C. designed the control and detection parts of the system. Z.Q.Y., Y.G.H., and R.W. designed the simulations. Z.Q.Y. and S.W. wrote the paper.
Competing interests
The authors declare no competing financial interests.
Corresponding authors
Correspondence to Shuang Wang or Wei Chen.
Electronic supplementary material
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Further reading

Measurementdeviceindependent quantum secret sharing and quantum conference based on Gaussian cluster state
Science China Information Sciences (2019)

Chau–Wang–Wong17 scheme is experimentally more feasible than the sixstate scheme
Quantum Information Processing (2019)

Improving the Secure Key Rate and Error Tolerance of the InterferometerBased TimeFrequency Encoding QKD System
International Journal of Theoretical Physics (2019)
Comments
By submitting a comment you agree to abide by our Terms and Community Guidelines. If you find something abusive or that does not comply with our terms or guidelines please flag it as inappropriate.