Cavity-enabled high-dimensional quantum key distribution

High-dimensional quantum key distribution (QKD) offers the possibility of encoding multiple bits of key on a single entangled photon pair. An experimentally promising approach to realizing this is to use energy–time entanglement. Currently, however, the control of very high-dimensional entangled photons is challenging. We present a simple and experimentally compact approach, which is based on a cavity that allows one to measure two different bases: the time of arrival and another that is approximately mutually unbiased to the arrival time. We quantify the errors in the setup, due both to the approximate nature of the mutually unbiased measurement and as a result of experimental errors. It is shown that the protocol can be adapted using a cut-off so that it is robust against the considered errors, even within the regime of up to 10 bits per photon pair.


Introduction
One of the central insights of quantum information is that quantum mechanics allow for the safe distribution cryptographic keys. This insight has blossomed into the field of quantum key distribution (QKD) [1][2][3][4]. Broadly speaking, there are two main types of QKD protocols: entanglement based schemes [5][6][7][8] and send and receive protocols, which do not make use of entanglement [9,10]. In the former, the security is guaranteed by non-locality, whereas in the latter, the security follows by the virtue of the uncertainty principle.
An essential feature of most QKD protocols is the requirement to measure in two or more bases that are mutually unbiased with respect to one another [11]. For the simplest implementations of QKD, this does not pose a significant problem. For example, it is common in QKD to encode information in the polarization of a photon. In this case, the task of measuring in two mutually unbiased bases (MUBs) can be easily achieved by using two polarizing beam splitters. If information is encoded on different optical degrees of freedom, however, then the task of measuring in two MUBs can be experimentally challenging.
The use of high dimensional states within QKD greatly increases the amount of information that can be encoded on each state. For optical implementations of QKD, this allows one to encode multiple bits of secret key on each photon. For example, it has been shown that under reasonable experimental conditions, one can encode over 10 bits per photon [12], which requires control over in excess of 1000 states. Furthermore, high dimensional states have been shown to be more robust to certain types of noise [13,14]. There are several different photonic degrees of freedom that one can exploit in order to encode multiple bits per photon. One approach is to use the spatial modes of photons generated by spontaneous parametric down conversion. It has been shown, for example, that such photons can be entangled in their orbital angular momentum [15][16][17][18]. The difficulty in coupling orbital angular momentum states into fibers suggests that this approach is best used for free space communication, for which atmospheric effects become important [19].
Another approach is to use the arrival time of a photon. The basic idea is to divide the photonʼs arrival time into discrete time slots or time bins. In principle, if we have M time bins, then we could extract up to M log ( ) entangled in their arrival time, so called energy-time entanglement. These states have already been used within experimental QKD protocols [8,[20][21][22][23][24][25][26][27][28]44]. If such states are to be useful for high-dimensional QKD, then we must be able to measure in a basis that is mutually unbiased with respect to the time of arrival. This is a non-trivial task, however, when the number of time bins is large.
In this paper we present a simple and compact experimental setup for time-bin based high-dimensional QKD protocols. The approach is based on a reconfigured Mach-Zehnder interferometer that acts as a cavity. This setup allows one to project onto a single state that is approximately mutually unbiased to the arrival time. We will show how this can be used within a simple entanglement based QKD protocol. The performance of this protocol is then analysed in the presence of experimental imperfections. A key finding is that the protocol is robust to reasonable experimental errors.
The outline of the paper is as follows. In section 2 we review the problem of implementing a measurement that is mutually unbiased with respect to the time of arrival. The interferometer/cavity based scheme is reviewed in section 3. In section 4 we describe an entanglement based QKD protocol that is based on the cavity. The effects of experimental errors is investigated in section 5. We find that dark counts cause significant errors in the high-dimensional limit. Nevertheless, it is shown that this does not pose a serious problem as one can reduce the effect of such errors by using a simple trick. Finally, we discuss our results in section 6.

Mutually unbiased measurements
Suppose we have a d-level system, in which we will measure in one of two orthonormal bases { } {1, 2, , } [29,30]. From a physical perspective, MUBs extend the notion of complementary observables to systems that are described using finite dimensional Hilbert spaces [31].
MUBs play a pivotal role in the security of QKD. They are used in most proofs of the security of QKD [32][33][34][35][36][37]. In particular, they are used in recent security proofs of QKD using qudits (d-level systems) [14,38,39]. The d-dimensional system that we will investigate is formed from the arrival time of a photon, which is split into a series of discrete intervals or time bins. There are many physical systems that naturally cause a photonʼs arrival time to be time-binned. For example, a photon in a cavity or optical network, where the output has a partially reflecting mirror. The photon would then have a finite chance of being emitted or be forced to take another trip of the cavity before it could be emitted again. One can also consider source of entangled photons that are naturally timebinned. One example is a mode-locked laser that pumps a nonlinear crystal that can produce pairs of down-converted photons [22].
Let n represent the state corresponding to a photon being in the nth time bin. Measuring the photonʼs time of arrival will be equivalent to projecting onto the basis | 〉 n { }. We label the d time slots, and hence also the basis states, from 1 to d. In practice, a timing measurement could have a better resolution than the spacing of each time bin. One could then determine which time bin the photon was in and discard the record of the exact time the photon was detected. Such a measurement procedure is equivalent to projecting onto the basis states | 〉 n { }. If we are to exploit the time of arrival for QKD, then we must also measure within another basis that is mutually unbiased with respect to the basis | 〉 n { }. One such MUB is It can be seen that to us a linear optical network of Franson interferometers [40,41]. This approach requires one to align − d 1 interferometers, which would be challenging even for small values of d. The difficulty in projecting onto the states φ n has led people to consider alternative approaches to securing high dimensional time-binned QKD. One proposed method is to use just a single Franson interferometer [25,42,43]. It has been argued that in an entanglement based protocol, a single pair of Franson interferometers would be sufficient to detect any disturbance of the entanglement. It can be shown, however, that this will only be true if one can perform the experiment with a very high value for the visibility 1 . For example, if one were to encode 10 bits per photon, then to secure half of the bits against an attack with multiple temporal peaks, a visibility greater than 99.8% is required [40].

Realizing MUBs using a cavity
The problem with realizing a measurement in a basis such as (2) is that it requires us to project onto states which are a superposition of d time bins. The optical network outlined in [40] solves this problem by using various delay lines and beam-splitters, so as to allow photon amplitudes in different time slots to interfere. This inevitably increased the complexity of the experimental setup. In particular, the number of interferometers scales exponentially with the number of bits that one can encode on each photon 2 . 1 We must stress that this is only true when one wants to encode a large number of bits per photon, e.g. 10 bits per photon pair. It has been shown that one can encode 3-4 bits per photon pair securely using a Franson interferometer [44]. 2 The number of interferometers scales linearly with the number of time bins, or equivalently, the dimensions of the Hilbert space [41]. The problem is, however, that the number of bits per photon is the log of the number of time bins. This leads to an exponential scaling of the number of interferometer with the number of bits per photons.
An alternative approach is to use a cavity like system. This would allow us to interfere light from different times within the cavity. By carefully designing the cavity, one can use this interference to construct a measurement that is a very good approximation to projecting onto the states φ k . The approach we take is to use the setup described in in [45]. The cavity is essentially a modified Mach-Zehnder interferometer, as shown in figure 1. The two beam-splitters are both chosen to be highly reflective. The phase shifter imparts a phase shift of θ. In addition to this, reflections at the two beam-splitters will also give a phase shift. For a single round trip of the cavity, a photon would pickup a phase shift of ϕ θ π = + . The way this setup works is described in detail in [45]. However, for the sake of completeness, we will give a brief outline 3 . Detecting a photon at D1, within the time slots 1 to d, corresponds to measuring within the time of arrival basis, n { }. We measure within the MUB whenever we detect a photon at D2 within a time slot ⩾ N d. To understand why this is, it helps to consider how the interferometer acts on a single photon input.
Suppose we have the single photon state . Furthermore, suppose we get a click at D2, within the Nth time-bin, where ⩾ N d and that we do not obtain a click at D1. The fact that we do not see photons at D1 is important. In principle there can be interference at BS1 between the amplitude of the incoming photon and the amplitudes already within the cavity. However, the fact that we do not observe photons at D1 means that we are, in effect, post-selecting a photon that has entered the cavity.
One could image that the photon we detected at D2 could have originated from the dth input slot. It would thus have taken − N d round trips of the cavity before exiting and would thus have acquired a phase of  1 ) ] before exiting the cavity. One can extend this argument to see that each of the d time bins could have been the origin of the photon that was detected. As we have no prior knowledge of the emission time of the photon, the detection of the photon in the output time slot N, will thus correspond to projecting onto some superposition of time-bins. A simple calculation shows that detecting a photon at D2, within a time slot N ( ⩾ N d) can be equivalent to projecting onto where T i and R i are the transmission and reflection coefficients for the ith beam-splitter, with i = 1, 2. If we set ϕ π = k d 2 / and make R 1 and R 2 close to one, then this state approximates φ k . However, the closer R 1 and R 2 are to one, the longer we must wait to observe a click at D2. This will effect the count rate; for more details see [45]. The prefactor takes account of the fact that the probability of obtaining a click decreases with time. This is a simple consequence of the fact that we are more likely to detect the photon at earlier times. We thus see that obtaining a click within any time bin, ⩾ N d, corresponds to projecting onto a state that approximates φ k . If we obtain a click at D2 within a time slot that is less than d, then we do not project onto the desired state as all d components have not full entered the cavity.
As we have stated, if we obtain a click at D2, then we shouldnʼt observe a click at D1. We are in essence postselecting on a photon entering the cavity. However, even if all the photon amplitudes enter the cavity, we could still observe a click at D1. One important example is if the single photon state ξ was orthogonal to Γ ϕ ( ) N , then the inference within the cavity should ensure that never register a click at D2, for ⩾ N d.
We have not considered the fact that a cavity cannot preserve the coherence of any state indefinitely. In particular, there will come a time for which the coherence between the photon amplitudes, in different time-bins, is lost. For this reason we impose an upper limit for when a click at D2 will project onto (3). Let ′ N be the last acceptable time slot. The maximum allowed value for ′ N will depend on the choice of the reflectivities [46]. We see that we only project onto (3) whenever we get a click at D2 within the a time bin N, where The value of the total phase shift ϕ can be altered by adjusting the phase shifter. By choosing ϕ π = k d 2 / , we can approximately project onto φ k . It is thus possible to approximately project onto any of the basis states φ One important point about this scheme is that we can only project onto one of the states φ k for a given phase The elements BS1 and BS2 are both highly reflecting beamsplitters and PS is a phase shifter, which imparts a phase shift of θ. The total phase shift for a single round trip is thus ϕ θ π = + . Detection of a photon at D2 corresponds to a security check, while detection at D1 gives the time of arrival information and hence the key bits. 3 Issues such as the effects of spectral filtering of the cavity will not be considered. Instead, one should refer to [45] for a discussion on such matters.
setting. This means that it is not suitable for use within QKD protocols where information is encoded on both of the bases, i.e. n { } and φ { } k . Instead, we could use the time of arrival basis to encode the key bits, while using the other MUB to check for an eavesdropper. In this way, our approach is similar to the alternative protocols using within some security proofs in QKD [32]. Another point to note is that we do not measure each basis equally often. The fact that ≈ R R 1 1 2 implies that we make timing measurements much more often than we make security checks. This is reminiscent of the modified BB84 protocol introduced by Hoi-Kwong Lo et al [47]. QKD protocols with an asymmetry in the bases, tend to more efficient than symmetric protocols in the sense that one losses less data during the sifting stage. The price one pays for this is that to ensure security, we require error rates that are lower than for symmetric protocols [47,48].

Entanglement based QKD protocol
We have outlined how one can measure within two different bases using the experimental setup shown in figure 1. In this section we will explain how this setup can be integrated into a time-bin based QKD protocol. If the QKD protocol is to work correctly, then we will also have to investigate how well the states Γ ϕ ( ) N , approximate the true MUB states φ k .
The setup is compatible with both entanglement based and send and receive protocols. For the sake of definiteness, we shall explain how the experimental setup can be integrated into an entanglement based protocol. This will require both Alice and Bob to each have the interferometer shown in figure 1. The errors within each interferometer will thus be combined. Hence, an entanglement based scenario is a more stringent test of the setup than a send and receive protocol.
Assume that we have two parties, Alice and Bob, that are trying to establish a shared secret key. This will be achieved by Alice generating a two photon entangled state and keeping one of the photons, while sending Bob the other photon. It is important to stress that the source of the entangled photons is under Aliceʼs control. Alice will generate an entangled two photon state of the form We see that the arrival time of the two photons are perfectly correlated, i.e., Alice and Bob should always find photons within the same time bin. This correlation will be used to encode the shared random key bits. The state, ψ , AB can also be expressed in the basis φ k , which gives the result )/ , then he should not obtain a click at D2 within a time bin N, which is ⩾d. The presence of clicks for uncorrelated phase settings indicate that the correlation in (5) has been disturbed. This would, in turn, imply that Eve is intercepting Bobʼs photons. The error can thus be defined as the fraction of clicks at D2, that correspond to uncorrelated phase settings. The full statistics for the MUB can be obtained by Alice and Bob each using d settings for their phase shifter. Provided the error introduced by the approximate nature of the MUB measurement is low, then Alice and Bob could use the setup to implement a secure QKD protocol.
An experimentally simpler approach would be for Alice and Bob to use only two phase settings. This is equivalent to projection onto only two of the basis states φ k . While this would not provide Alice and Bob with the full statistics for the two MUBs, it would still be suffice to check the correlation in equation (5). There are two advantages to this approach. Firstly, the arrangement is simpler that using d settings for the phase shifter and is thus well suited for establishing how well the setup approximately projects onto the states φ k . Secondly, the number of phase settings scales exponentially with the number of bits per photon. For instance, if we wanted to encode up to 10 bits per photon pair, then we would require at least 1024 time-bins and phase settings. Such a large number of different settings requires a large number of experimental runs to acquire a significant amount of data for the security analysis. This problem is compounded by the count rate decreasing for large d, due to the reflectivities needing to be large. For further details on how the count rate varies with d, see [45]. For these stated reasons, we will analyse a protocol that uses only two phase settings. Nevertheless, the results we find can be easily extend to a protocol that uses d settings.
Suppose that Aliceʼs phase settings ϕ A are either 0 or πk d 2 / , then Bobʼs settings will be ϕ = , for the phase settings ϕ A and ϕ B , hence The probability to obtain an error can then be defined as π π π π π π = − + The probability of error is plotted in figure 2 for = R R 1 2 , d = 1024 (10 bits per photon) and k = 512, which corresponds to ϕ = 0 and π. The plot shows that P E decreases as | | R 1,2 are increased. This confirms the intuition that as R 1 and R 2 tend to one, the state (3) becomes a better approximation of the desired state, φ | 〉. This means that by choosing sufficiently large values for R 1 and R 2 , we can make the errors due to the approximate nature of our measurements arbitrarily small. This must be balanced against the fact that the larger R 1 and R 2 are, the greater the time needed to acquire the necessary security data. This tradeoff is important for experimental implementations.
One . The probability of error, P E , depends on the product of R 1 and R 2 . We have some freedom, therefore, in the exact choice of the reflectivities. In figure 2 and in the examples in the next section, we set = R R 1 2 . There could be situations, however, where it is advantageous to allow the reflectivities to be different. For example, R 1 determines the probability to make either a timing measurement or to measure within the other basis. It is useful to be able to modify R 1 without affecting P E . This can be achieved by choosing ≠ R R 1 2 . A further factor to consider is the effect of experimental errors. This is of fundamental importance for all practical QKD schemes. In our case we have the added complications that we have errors even in the absence of experimental noise. It is thus vital that we analyse the robustness of the scheme against experimental imperfections.

The effects of experimental errors
The first effect to consider is the that of misalignment in the path length of the interferometer. If the misalignment is too great, then the interference between the different time bins will be completely lost. If the scheme is to function correctly, then the misalignment must be made small. Nevertheless, a small misalignment will still have an effect on the intended interference. One can model this by assuming that the time bins inside the interferometer are shifted in time by a small amount relative to the incoming modes. This will led to the summation in equation (3)  . The larger the misalignment is, the smaller ξ will be. The effect of a misalignment on the error probability, can thus be thought of as decreasing the coefficients of transmission and reflection.
Another very important source of errors is in the detectors. Real detectors are inefficient and have dark counts and jitter. We will assume that Alice and Bobʼs detectors are identical and share the same imperfections. The effects of statistical jitter will be to change the time bin we detect the photons in. With regards to the timing measurement, jitter will set a limit on the sizes of our time bins. The reason for this is that if we chose a width that is small relative to the detectors response, then this will result in significant errors in the timing measurements. The effects of jitter on the security measurements is not so severe. This is because the protocol does not require us to obtain a click within a specific time bin. Similarly, Alice and Bob do not both need to obtain clicks at D2 within the same time slot. However, if we choose the width of the time bins to be too small, then there can be an effect due to jitter making us think we detect a photon in a time slot ⩾ N d, when it should have been detected in a time bin before d. This would mean that we have not had a chance to observe interference between all of the time bins. The effect of this error is small, however, and can be removed complete by either increasing the width of the time-bins or excluding detection events that occur sufficiently near to the dth time slot. The latter option would result in a slightly decreasing the amount data for the security check.
Suppose that Alice and Bobʼs detectors have an efficiency η, which is less than one. This means that we have a finite probability for not registering photons that are incident on the detectors. Taken in isolation, the effect of detector inefficiencies is just to decrease the probability ϕ ϕ ; the error rate is not increased. In contrast, dark counts will effect the observed error rate. Let q be the probability for Alice and Bob to register a dark count in any given time bin. It is possible for Alice and Bob to both obtain dark counts within the same time bin. These clicks are uncorrelated and can lead to errors. The situation is exacerbated when detector inefficiencies are combined with dark counts. To see why, consider the case where Alice and Bob should both detect photons at D2. The inefficiency of Bobʼs detector means that he might not register a click, but could instead see a dark count at D3.
The effects of the imperfect detectors will thus change the probability of error from that given in equation (8). Using the fact that , we find that the error probability is γ π . We will assume that the error for jitter is either so small that it can be ignored or we disregard clicks in time bins that are sufficiently near to the dth time bin, which changes the probability ϕ ϕ The error probability for 8 and 1024 time bins is plotted in figure 3. In all of the plots we assume that the time bins have a width of 130ps and that the detectors have a dark count rate of 300 counts per second. The probability to see a dark count in any given time bin is thus = × − q 3.9 10 8 . In practice, one would have a threshold for tolerable errors. For the sake of illustration, we can take this threshold to be . An interesting feature of the curves is the appearance of a trade-off with respect to how the errors vary with the reflectivities. Previously, we found that increasing R 1 and R 2 would decrease the errors (see figure 2). When dark counts are included, we find that there becomes a point where increasing the reflectivity will eventually make the errors worse. The position of the minium will depend on both the dark count probability q and the efficiency η. The minimum occurs due to the fact that the longer we wait for a click, the more likely we are to see a dark counts. When the reflectivity is large, the photons will spend longer in the interferometer which increases our chances of getting a dark count. This also explains why the error gets worse as η decreases. When η is small, we will lose photons, which increases the average time we must wait to detect a photon.
The effects of dark counts can be minimized if we decrease the time we wait to see a photon in each experimental run. One way of achieving this is to decrease ′ N . Recall that any photons detected in time-bins after ′ N , are not counted as security events. Decreasing ′ N will thus decrease the error, but at the expense of decreasing the available measurement results. If we are to be sure that an eavesdropper is not intercepting Bobʼs photons, then we require a sufficient number of security events. We thus see that if we decrease ′ N , then we would need to compensate for the loss of data by performing more experimental runs. One can gain further insight into this trade-off by looking at a simple example. Consider the case of d = 1024, η = 0.1, = × − q 3.9 10 8 , i.e. the parameters used in figure 3(b) , the observed error is approximately 1.5%. The cut-off used in figure 3(b) was ′ = N 1200, which lead to an error of less than 1%, when = R 0.92 2 . The decrease in error is accompanied by a decrease in the count rate of approximately 37%.

Conclusion
We have described a compact setup for high-dimensional, time-bin based QKD. This approach offers the promise of encoding multiple key bits on each photon. In particular, entanglement based protocols have been shown to allow for 10 bits to be encoded on each photon pair, under realistic but challenging experimental conditions [12].
The setup was based on a modified Mach-Zehnder interferometer that operated as a cavity. The cavity enables one to implement measurements in two different bases, which were approximately mutually unbiased to each other. We then explained how this could be used within an entanglement based QKD protocol. It was shown that one can encode the key bits within the time of arrival information, while checking for an eavesdropper using the other basis. An important practical point was that we needed only two different phases settings to observe a disturbance in the temporal correlation within an entangled photon pair.
We studied the probability to introduce errors due the approximate nature of the mutually unbiased measurement. It was found that this error could be make arbitrarily low by increasing the reflectivity of the two beam splitters. We also investigated the effects of reasonable errors on the scheme. It was found that presence of dark counts introduce a trade-off in the choice of reflectivity. The effects of dark counts and detector inefficiencies were found to be quite small for a reasonable number of time bins. For larger numbers of time bins, say 1024, then one can decrease the cut-off time for accepted security checks. This will decrease the errors due to dark counts, but at a cost of decreasing the number of valid security events one gets for a given period of time. Crucially, we found that the error could be made as low as 1%. This demonstrates the robustness of the setup to errors.
A key benefit of our protocol is that it is compact and only requires a single interferometer each for Alice and Bob. This contrast sharply with alternative approaches to highdimensional QKD, which would require complicated networks of interferometers. Furthermore, the approach uses mutually unbiased measurements, which ensures that the security can be analysed using existing approaches.