Complete elimination of information leakage in continuous-variable quantum communication channels

In all lossy communication channels realized to date, information is inevitably leaked to a potential eavesdropper. Here we present a communication protocol that does not allow for any information leakage to a potential eavesdropper in a purely lossy channel. By encoding information into a restricted Gaussian alphabet of squeezed states we show, both theoretically and experimentally, that the Holevo information between the eavesdropper and the intended recipient can be exactly zero in a purely lossy channel while minimized in a noisy channel. This result is of fundamental interest, but might also have practical implications in extending the distance of secure quantum key distribution. A new study demonstrates that information leakage from purely lossy quantum channels can be prevented without the need for data post-processing. Christian Jacobsen and colleagues from the Technical University of Denmark and the Palacky University of Czech Republic have shown that communicating quantum information encoded into the squeezed states of a restricted Gaussian alphabet decouples any potential eavesdropper from the communication. The authors experimentally demonstrate complete elimination of information leakage for photonic continuous-variable quantum-key distribution using squeezed states of light and homodyne detection. Through this scheme, security is achieved without the need of burdensome data post-processing such as privacy amplification – common to standard quantum-key distribution protocols. In the presence of noise, information leakage cannot be entirely eliminated, but can still be efficiently minimised. These findings will be important to future developments in secure quantum communications.

Introduction.-Security in communication is of utmost importance in modern society.It allows for the delivery of information to the intended recipients while preventing unauthorized eavesdroppers from accessing it.Conceptually, it can be treated as a tripartite communication network in which two entities (e.g.Alice and Bob) intend to communicate while a third party -the eavesdropper (known as Eve) -tries to intercept the message.If successful, the interception will generate correlation between all three parties, possibly rendering the communication scheme insecure.To regain security, the correlations between the intended recipient and the interceptor must be suppressed.This can be done by means of data post-processing such as privacy amplification and errorcorrection -a method commonly used to establish security in quantum key distribution (QKD) schemes [1,2].However, privacy amplification is only successful if the information between Alice and Bob is larger than the information between Bob and Eve prior to the implementation of the procedure.
As an alternative to data postprocessing, the information gained by an eavesdropper can be suppressed by using an entanglement-based protocol followed by entanglement distillation or purification [3].Here the two communicating parties seek to share entangled states but due to the interception, the system ends up in a threeparty entangled state which is subsequently reduced into a purified two-party entangled state between Alice and Bob, thereby eliminating the correlations with the eavesdropper.This strategy is however very challenging as it requires non-Gaussian transformations in conventional communication schemes based on Gaussian states encoding [4][5][6].
In this Letter we present a completely different approach for preventing information leakage which is not based on conventional a posteriori error correction or privacy amplification and therefore does not rely on any prior information advantage.Instead of suppressing the information of Eve by privacy amplification or distillation at Bob's station, we propose the reverse scheme of designing the input states and alphabet at Alice's station in such a way that Eve cannot gain any information at any time in a purely lossy channel.We show that by encoding the information into modulated squeezed states of a restricted Gaussian alphabet it is possible to completely and deterministically eliminate the presence of an eavesdropper, corresponding to the realization of a channel with a Holevo information of zero.Our protocol is based on continuous variables (CV) in which quadratures are modulated and measured with homodyne detectors [3,7,8] which is contrasted with discrete variables communication where photon counters are used.We note that no analogue of our proposed scheme for the complete elimination of the Holevo information is known for discrete variables.
Security in QKD.-We consider the elimination of information leakage in the context of QKD.In CV-QKD protocols [9][10][11][12][13][14][15][16][17] the lower bound on the rate of secret key generation in the asymptotic limit of an infinitely long key is given by where I AB is the mutual information between Alice and Bob as defined through the Shannon entropy [18,19], β ∈]0; 1] is the post-processing efficiency, and χ E is the Holevo information which is an upper bound on the information acquired by Eve [20].A secret key can therefore only be generated when βI AB > χ E .In all previously proposed protocols, the Holevo information has been non-zero (even in principle), which in turn has put stringent conditions onto the processed mutual information between Alice and Bob, βI AB .This condition has been experimentally fulfilled by applying state-of-the-art postprocessing protocols [21] with high efficiency and low-noise homodyne detectors [7,[22][23][24][25][26][27].These stringent conditions on Bob's measurements and data processing to enable security can however be largely relaxed by reducing the Holevo information that upper-bounds the information leakage.Minimization of information leakage.-Weconsider a CV QKD protocol where information is encoded solely into a single quadrature (here the amplitude quadrature X) of a Gaussian state, and investigate theoretically under which conditions it is possible to decouple an eavesdropper from the channel.The protocol is initiated by imposing signals, X A , with a Gaussian distribution onto a Gaussian state described by the amplitude quadrature X R .The modulated Gaussian state is then transmitted through a lossy channel with transmission coefficient η and finally measured with a homodyne detector contaminated by trusted electronic noise described by the stochastic variable X N with the quadrature variance V N .
The measured quadrature values will then be given by , where X 0 is the amplitude quadrature of the environmental vacuum mode.Due to the channel losses, Eve receives a mode described by the quadrature The conjugate phase quadrature has to be also measured to estimate the channel between Alice and Bob.
The key can subsequently be established either employing a direct or reverse reconciliation scheme.
The idea of cancelling the information leakage from a quantum channel is shown schematically in Fig. 1a.In the general case the mutual information quantities I AB , I AE and I BE are all non-zero (left scheme).During decoupling the mutual information I BE is cancelled (right scheme), while the remaining mutual information quantities are changed to other, in general non-zero, values.Thus, in a protocol using reverse reconciliation Eve will be completely decoupled from the information flow of the channel.
Classically, the information leakage shown in Fig. 1a is upper bounded by the mutual information uniquely determined by the correlation coefficient , with i = A, B between either Alice and Eve or Bob and Eve.I EA or I EB vanishes only if the correlations X E X A = 0 or X E X B = 0, respectively.The correlation between Alice and Eve (relevant for the direct reconciliation scheme) can never be zero unless the quantum channel is loss and noise free.However, since the correlation between Eve and Bob (relevant for reverse reconciliation) is given by (where V Xi , with i = A, R, 0 are the variances of the respective quadratures), it can be zero.For a purely lossy channel Bob's and Eve's measurement outcomes are completely uncorrelated and thus the mutual information between the parties will be zero [28].This means that independent on the channel losses, the eavesdropper will obtain zero classical information about what Bob has measured, while Alice and Bob can still have non-zero mutual information.In the following we prove that the same conclusion holds true for a quantum mechanical measure, the Holevo information.
In the case of collective attacks and infinite key length the information leakage from the quantum channel is upper bounded by the Holevo information between Eve and Bob.To include the state impurity we consider squeezed states with a variance of the anti-squeezed quadrature given by 1/V X R + ∆V where ∆V is the variance of the associated excess noise.
In this case, the covariance matrix of the state available to Eve is the diagonal 2x2 matrix _E whereas the covariance matrix conditioned on the measurements of Bob similarly reads γ E|B = diag From these expressions it is straigthforward to compute the Holevo information between Bob and Eve, where S E is the von Neumann entropy of Eve's results while S E|B is the entropy of Eve's results conditioned on the results of Bob.For complete elimination of the information leakage to Eve, the Holevo information should be zero, thus S E = S E|B .This requirement is the same as equalizing the symplectic eigenvalues in the covariance matrices γ E and γ E|B due to the Gaussianity of the states.Furthermore, since the Schur complement for homodyne detection leaves all but the first element unchanged when the modulation is applied to a single quadrature [4,29], the condition simplifies to γ 1,1 E = γ 1,1 E|B , where the upperscript i, j denotes the i'th, j'th element of the covariance matrix.This condition can be fulfilled in two different ways: The first approach (V N → ∞) corresponds to the addition of a large amount of noise to the detection process thereby ruining the correlations between Eve and Bob.However, in that decorrelation process, the mutual information between Alice and Bob also vanishes thereby leaving the key rate close to zero.There exists however an optimal amount of noise V N for maximizing the key rate in the presence of channel noise [11].
The second and more interesting approach to the complete elimination of the Holevo information (V X R +V X A = 1) cannot be realized by coherent states (as V X R = 1 renders the alphabet of zero size; V X A = 0) but requires the usage of squeezed states for which V X R < 1.To fulfill the condition, the size of the Gaussian modulation (alphabet) is chosen to be V X A = 1 − V X R , and for very large squeezing degrees (V X R → 0) the secure information rate approaches . This shows that a secret key can in principle be generated for any channel loss and for any efficiency.It is also interesting to note that the elimination of the Holevo information is completely independent on the noise in the anti-squeezed quadrature, that is, it is independent on the impurity of the squeezed states [30].
While proper state modulation can eliminate both the Shannon and the Holevo information between Eve and Bob, it does not eliminate the quantum mutual information between them, defined as S E + S B − S EB .This means that the subsystems E and B remain correlated in the quantum sense despite the fact that the information leakage is terminated.Such quantum mutual information vanishes completely only when no squeezing and no modulation is realized by the sender.Nevertheless, these quantum correlations are not used for the generation of a key for our specific CV QKD protocol [28].
The obtained result is based on the security analysis of Gaussian CV QKD protocols against collective attacks, which has been shown to be valid against the most general coherent attacks in the asymptotic limit [31].The estimation of the lower bound on the key rate is thus performed in the asymptotic regime.In the finite-size regime the lower bound on the key rate is further decreased by the security parameter ∆ [32], which depends on the failure probability of the privacy amplification and speed of convergence of smooth min-entropy to von Neumann entropy [33].In this regime the elimination of information leakage becomes even more important, allowing trusted parties to partly compensate the reduction of the key rate due to finite-size effects, using proper state engineering, which does not affect the implementation-dependent ∆ parameter directly.
Generation of states with no information leakage.-Wenow implement a proof of principle experiment demonstrating the complete elimination of the information to an eavesdropper in a lossy channel.A schematic of the setup is depicted in Fig. 1.
The state is produced experimentally by squeezing an asymmetric thermal state: A bright laser beam at 1064 nm is modulated using an electro-optical modulator that is driven by a function generator.It produces white noise within the detection bandwidth, and forms sidebands on the bright beam.These sidebands (at 4.9 MHz with a bandwidth of 90 kHz) carry the information and corresponds to an asymmetric thermal state.The modulated light beam is subsequently injected into an optical parametric amplifier (OPA) which squeezes, in this case, the amplitude of the light field [34].We note that while modulation and squeezing do not commute, a suitable change in parameters of the processes allows an identical state to be produced if the order is reversed (as is the case in Fig. 1b).Experimentally, the electro-optical modulator introduces loss that would drastically degrade the squeezing, and thus it is placed before the OPA.We drive the OPA with a pump field of 532 nm, thereby producing states that are squeezed by 3 dB below the shot noise level.The final output state is thus a modulated squeezed state where the modulation information is sent to a computer.This alphabet of squeezed states is then injected into the lossy transmission channel.Channel loss is simulated by a beam splitter with controllable transmissions (combining a half-wave plate and a polarizing beam splitter) in which the lost part is measured by Eve using a homodyne detector with an efficiency of 95 %.The remaining part of the state is directed to Bob who also performs a measurement with a homodyne detector, but with an efficiency of 85 %.
At the two homodyne detector stations we measure the conjugate quadratures, X and P , for various modulation depths and channel transmissions.The measured data are electronically down-converted to dc, low-pass filtered and digitized.The raw data sets of Eve and Bob were normalized to shot noise.Alice's data was of arbitrary magnitude relative to the shot noise level so it was consistently normalized to be much larger than shot noise.This keeps the generated covariance matrix physical, but does not change any results of the protocol.Using these data, we reconstruct a 6 × 6 covariance matrix for each realization.This yields a complete characterization of the communication scheme, and thus we can compute the Shannon and Holevo information.The Holevo information is plotted for various modulations and transmissions in Figure 2. Complete elimination of the Holevo information for any of the realized transmissions is clearly visible at the previously established condition, namely for V X A = −3 dB given a 3 dB squeezed state such that V From the covariance matrices we also deduce the secret key rates which are shown in Fig. 3 for two different values of the reconciliation efficiency (β = 0.95 in Fig. 3 (a) and β = 0.75 in Fig. 3 (b) in the asymptotic limit.While the Holevo information is minimized at V X A = −3 dB, the key rate is maximized at a somewhat higher value of the modulation.This is due to the fact that the mutual information between Alice and Bob increases with the modulation depth and therefore the optimization process is a trade-off between minimizing the Holevo information between Eve and Bob and maximizing the mutual information between Alice and Bob.As the post-processing efficiency is lowered the weight of the mutual information with respect to the Holevo information is lowered, and thus we see (Fig. 3) that the maximum moves towards the condition for complete elimination of the Holevo information.The blue (lowest) curves in the two plots are measured for a channel transmission of 9.8 % corresponding to 50 km in a standard optical fiber (0.2 dB/km).
Robustness of the protocol.-Whenthe Holevo information is identical zero, an arbitrarily small amount of mutual information βI AB is sufficient to establish secure communication because the key rate always stays positive.It means that even for a very low post-processing efficiency and/or large electronic noise of Bob's detector, it is in principle always possible to extract a secret key.This is illustrated in Fig. 4 (a) where we plot the postprocessing efficiency for which secure communication can be established as a function of the modulation depth for a protocol with coherent states (dashed line) and 3 dB (V X R = 1/2) squeezed states (solid line).The shaded regions above these lines are associated with secure communication.It is evident that for V X A = 1/2, a secret key can be generated even with a post-processing efficiency arbitrarily close to zero or by using detectors with arbitrarily large electronic noise.We also note that if the communicating parties only exchange a finite number of signals, the security regions of both protocols will be reduced as illustrated by the red and green curves in Fig. 4 (a), calculated from the expressions derived in [32].At one point the limited number of samples will render the coherent state protocol insecure while the squeezed state protocol remains secure.
Extending the analysis to include a channel with untrusted noise, the information leakage to Eve cannot be completely eliminated, but it can be effectively minimized using the same condition on state preparation as for a lossy channel [30].In Fig. 4 (b) we have included a channel noise of 0.035 SNU and it is evident that the squeezed state protocol is superior for any modulation depth.The security region for the coherent state protocol is very small thereby placing high demands on the postprocessing efficiency whereas for the squeezed state protocol these demands can be highly relaxed.
Conclusion.-We have shown theoretically that a properly modulated squeezed state under certain conditions can be used to completely and deterministically decouple an eavesdropper from a purely lossy quantum channel without the use of entanglement distillation.The scheme has been confirmed experimentally using 3 dB squeezed states of light and homodyne detection.The decoupling was shown to be completely independent on the amount of losses in the channel rendering secure key generation a possibility even for low efficiency noisy receiver stations.Moreover, as the protocol was found to be independent on the purity of the squeezed state, the scheme is a promising alternative to the standard coherent state protocol in particular in the regime of noisy detectors and finite size effects.Finally we note that by combining the suggested protocol with the simple Gaussian error correcting scheme of [35] for the removal of non-Markovian excess noise, we believe that the distance for secure communication can be further extended.

FIG. 1 .
FIG. 1. (a)The relationship between the three parties before and after the elimination of information leakage.(b) Scheme of the quantum communication protocol with zero information leakage.A squeezed state is prepared and modulated up to a single shot noise unit, Eve injects vacuum into the channel and both Bob and Eve perform homodyne detections.In the actual experiment the order of the squeezer and the modulator was reversed.

FIG. 3 .
FIG. 3. Key rate versus modulation for various transmissions.The solid black line corresponds a coherent state protocol with 58% transmission while the other lines are the theoretical predictions for the squeezed state protocol for various transmissions.(a) β = 0.95 (b) β = 0.75.

FIG. 4 .
FIG. 4. Comparison between the squeezed and coherent state protocols.The channel transmission is set to 0.1% and for the squeezed state protocol we use a 3 dB squeezed state.The area above the black solid (dashed) lines in both plots represent the secure region for a squeezed (coherent) state protocol.The performance associated with a finite number of samples are represented by the red line for n = 10 10 samples and the green lines for n = 10 11 samples where the solid (dashed) lines represent the squeezed (coherent) state protocols.Note that for n = 10 10 , the coherent state protocol if insecure for any β.(a) Purely lossy channel.(b) Lossy channel with excess noise of 0.035 shot noise units.