Boosting up quantum key distribution by learning statistics of practical single photon sources

We propose a simple quantum-key-distribution (QKD) scheme for practical single photon sources (SPSs), which works even with a moderate suppression of the second-order correlation $g^{(2)}$ of the source. The scheme utilizes a passive preparation of a decoy state by monitoring a fraction of the signal via an additional beam splitter and a detector at the sender's side to monitor photon number splitting attacks. We show that the achievable distance increases with the precision with which the sub-Poissonian tendency is confirmed in higher photon number distribution of the source, rather than with actual suppression of the multi-photon emission events. We present an example of the secure key generation rate in the case of a poor SPS with $g^{(2)} = 0.19$, in which no secure key is produced with the conventional QKD scheme, and show that learning the photon-number distribution up to several numbers is sufficient for achieving almost the same achievable distance as that of an ideal SPS.

A single-photon source (SPS), which emits exactly one photon in a well defined optical mode, has been actively studied with quantum dots [1,2,3,4,5,6,7,8,9,10,11], colour centres in diamond [12,13,14,15], and other systems [16,17,18,19]. Behind those activities lies the fact that ideal SPSs serve as a useful resource for efficient quantum information processing such as quantum computation [20] and quantum key distribution (QKD) [21]. But imperfections in practical SPSs affect the performance in those applications, especially in QKD [22,23,24] in which very rare emission events could be exploited by a potential eavesdropper Eve. The imperfection that matters most in QKD is the emission of multiple (two or more) photons in a single pulse, which we assume to occur with probability p multi . Usually the two-photon events are dominant in p multi , in which case it is related to the normalised second-order correlation g (2) by p multi = µ 2 g (2) /2 with µ being the average photon number emitted in a pulse. Since µ ∼ O(1) in practical SPSs, p multi and g (2) are of the same order of magnitude. In the BB84 QKD protocol, which has been proposed by Bennett and Brassard in 1984 [21], whenever the sender Alice emits multiple photons Eve can steal a photon to obtain full information without introducing any error. To make matters worse, we cannot exclude the possibility that Eve may force the receiver Bob to detect a photon preferentially in such a multi-photon emission event. As a result of this photon-number splitting (PNS) attack, the protocol produces no secret key beyond a threshold distance at which Bob's detection rate Q is comparable to p multi [25]. Unless we accept a significant reduction of the emission probability µ [26], it poses a severe requirement on g (2) . For example, for an optical channel with a loss of 0.2 dB/km of the typical telecommunication fibre and for Bob's detection apparatus with efficiency 0.01, it is estimated under µ ∼ O(1) that g (2) ∼ O(10 −6 ) is needed to reach a communication distance of 200 km. This requisite will be hard to achieve in real experiments, and if at all, it may require sacrificing other performances such as the repetition rate.
In order to circumvent this problem, one may depart from the BB84 protocol to adopt a different sifting procedure [27] yielding a key even from the multi-photon emission events [28,29]. Another common direction is to keep the protocol itself and to devise a way to obtain a clue about photon number dependence of Eve's attack. Our main idea in this paper is to use the correlation between the two output lights from a beam splitter to obtain such a clue [30,31]. For the BB84 protocol with polarization encoding, this idea is implemented by inserting a non-polarizing beam splitter with a transmittance T and placing a monitoring detector D M at Alice's side as in Fig. 1 (a). For a standard phase-encoding system based on a double Mach-Zehnder interferometer (DMZI), mere addition of D M at the open port implements our scheme with T = 1/2, as shown in Fig. 1 (b). If the light incident on D M is suitably correlated to the number of photons sent toward Bob, we may detect Eve's PNS attacks like the decoy-state idea [32,33,34] and particularly passive decoy-state generation schemes [35,36,37].
In order for the above strategy to work, knowledge of emission statistics for higher photon numbers is essential. As we will show, our scheme can detect the PNS attacks when the higher photon number tail drops more steeply than a Poissonian distribution,  a, Polarization-encoding BB84 QKD protocol with the proposed modification. The only difference from the conventional system is the addition of a non-polarizing beam splitter to measure a fraction R = 1 − T of the signal with a monitoring detector D M at Alice's side. b, Phase-encoding BB84 QKD protocol based on a DMZI with the proposed modification. Alice uses two 50/50 fibre couplers and a phase modulator, and encodes bit information on the relative phase between two pulses. Bob uses the same setup as Alice's followed by two threshold detectors (D B 's). The only difference from the conventional setup is just the use of a monitoring detector D M at Alice's side.
as explained in Fig. 2. If this sub-Poissonian tendency continues to arbitrary large photon numbers, Eve can no longer force Bob to detect a photon preferentially in a multi-photon emission event. In practice, the characterization of the emission statistics is not complete and will be left with an uncharacterized portion ∆. In the simplest case where Bob detects photons at rate Q with no errors, the key rate G in our scheme is approximated as G = Q − (∆/C), which should be compared with the rate in the conventional scheme G = Q − p multi [25]. Here C is a constant reflecting the degree of the sub-Poissonian tendency. Since Q scales as 10 −αl/10 with distance l, the threshold distance at which G = 0 in our scheme scales as (− log 10 ∆) − (− log 10 C) + const., whereas it is (− log 10 p multi ) + const. in the conventional scheme. Therefore, without actually suppressing multi-photon emission p multi by a factor, we obtain the same improvement merely by reducing the ambiguity ∆ in learning the statistics by the same factor.
From now on, we focus on the case where D M is a threshold detector with dark count rate d M and efficiency η M . The outcome of this detector is binary: When n photons are incident, it produces a click with probability 1 − (1 − d M )(1 − η M ) n , and otherwise gives no click. We classify the events to clicked events and non-clicked ones, according to the outcome of D M .
For the security analysis, it is convenient to describe the correlation between the two outputs of Alice's beam splitter through a set of parameters {γ n }, defined to be the conditional probability of D M to produce a click, given that n photons are sent toward Bob. With (η M , d M , T ) fixed, {γ n } depend solely on the density operator ρ of the source, which we assume to take the form of ρ = ∞ n=0 p n |n n|. Let us define a Our scheme works when the photon number distributionp n of the source has a "sub-Poissonian tail," which has a simple meaning in the usual cases with p 1 ≫p 2 ≫ · · ·. In the figure, the distribution is shown as blue bars in logarithmic scale, together with square dots corresponding to a Poissonian distribution {P n } satisfyingp 2 /p 1 = P 2 /P 1 . The decrements are denoted by a n ≡ log 10 (p n /p n+1 ) and b n ≡ log 10 (P n /P n+1 ). When the tail of the distribution vanishes more rapidly than the Poissonian distribution, namely, when a n − b n ≥ r for all n ≥ 2 with a positive constant r > 0, our simple scheme can foil the PNS attacks and the multi-photon emission becomes no concern (p multi is effectively zero). When a n − b n ≥ r is confirmed only up to n = n max − 1 with the residual uncharacterized portion ∆ ∼ =pn max +1 , the detection of the PNS attacks becomes imperfect but our scheme still achieves performance comparable to the use of a source with p multi = ∆/C, with C being a constant proportional to 1 − 10 −r (shown as red bars for n max = 5). characteristic function κ ρ (t) of the source by wheren ≡ ∞ n=0 n|n n|. Then the conditional probability γ n (ρ) is conveniently represented using its n-th derivative κ where and hence γ n (ρ) is independent of n. For d M ≪ 1 and p 1 ≫ p 2 ≫ p 3 ≫ · · ·, the parameters γ n (ρ)(n ≥ 1) are approximated by Hence, roughly speaking, the values of {γ n (ρ)} represent how slowly the tail of the photon number distribution vanishes. For example, if γ 1 (ρ) > γ n (ρ) holds for all n ≥ 2, the tail of the distribution vanishes more rapidly compared to the Poissonian distribution with the same ratio p 2 /p 1 . In this paper, we say such a distribution has a "sub-Poissonian tail." In fact, a source with a sub-Poissonian tail is ideal for our present scheme to work. Let be the overall rate of detection by Bob, where the superscript c stands for the clicked events, and nc for the non-clicked events. These quantities are actually observed in the protocol. On the other hand, Q is also decomposed as Q = n Q n , where Q n stands for the portion in which Alice has sent out n photons toward Bob (we call it "n-photon" events henceforth). Since D M clicks with probability γ n (ρ) in the n-photon events, we should have Q [c] = n γ n (ρ)Q n in the asymptotic limit of a large number of pulses. Then, if Eve substitutes 1-photon events by n-photon events with n ≥ 2, Q [c] decreases due to the condition γ 1 (ρ) > γ n (ρ) (n ≥ 2) and the attack will be detected. She may try to increase 0-photon events to compensate the decrease in Q [c] , but it will then increase the observed error rate, since if Alice emits no photon, the probability of bit errors is 1/2. Therefore, a source strictly satisfying γ 1 (ρ) > γ n (ρ) (n ≥ 2) allows us to detect PNS attacks in a very simple way.
In practice, it may be hard to find such a source, and it is even harder to prove it by characterizing the photon-number distribution of the source. For this reason, here we relax the condition and consider an approximate version of a source with a sub-Poissonian tail as follows.
Assumption on the source -The density operator ρ src of a pulse from the source is written as a mixture of two normalised density operators as where 0 ≤ ∆ < 1. With an integer n max , which may be infinity, ρ sp is written in the form ρ sp = nmax n=0 p n |n n|. There exists Γ satisfying for 2 ≤ n ≤ n max . Under this assumption, the source emits an arbitrary unknown pulse with a (small) probability ∆, but otherwise the distribution has a sub-Poissonian tail, whose degree is measured by parameter Γ. We expect that a source will satisfy this assumption in the following scenario, for example. A pseudo-single-photon source with distribution {p n } is given, and a sequence of characterization experiments tells us good estimates of probabilitiesp 0 ,p 1 , . . . ,p nmax . Then we choose ∆ = ∞ n=nmax+1p n and p n =p n /(1 − ∆) for n ≤ n max . After calculating the values of {γ n (ρ sp )} from p 0 , p 1 , . . . , p nmax , we take Γ = max{γ n (ρ sp )|2 ≤ n ≤ n max } and see if γ 1 (ρ sp ) > Γ holds. In this example, ρ uk stands for the uncharacterized portion of the source. We may also use ρ uk to absorb the higher photon-number part responsible for an unwanted relation γ 1 (ρ sp ) < γ n (ρ sp ).
For a source with ∆ > 0, Eve may be able to increase Q [c] by letting Bob preferably detect the events from ρ uk . But the amount of the increase is obviously no larger than ∆. This increase leaves Eve a room for substituting 1-photon events with multi-photon events with rate up to ∆/(γ 1 (ρ sp ) − Γ), but no more. Hence, as long as the overall detection rate is higher than this rate, one may still expect to generate a secret key. In Appendix, we confirm this in a rigorous analysis.
Before we give a numerical example showing the improvement in the secure key rate, we discuss the ideal case where Bob has observed no bit errors. In this case, the secure key rate is given by . Since Alice uses a pseudo-single-photon source, the single-photon contribution should be dominant in Bob's detection events, namely, Q [c] /Q ≃ γ 1 (ρ sp ). Using the fact Γ ≪ 1, the key rate is then simplified as Q − ∆/(γ 1 (ρ sp ) − Γ), confirming the dependence which we promised in the introductory part with C = γ 1 (ρ sp ) − Γ. This means that the key rate is positive as long as Q > ∆/(γ 1 (ρ sp ) − Γ), implying that the uncharacterized portion ∆ mainly determines the threshold distance at which the key rate vanishes.
We further show that the tendency in the ideal cases discussed above is also qualitatively valid with realistic channels and detectors, for an example of pseudosingle-photon source which is modelled as an ideal SPS with a loss and Poissonian background. In Fig. 3, we have chosen a source with a rather high multi-photon emission rate of 0.086 (g (2) = 0.19), which cannot generate secret key at any distance in the conventional scheme. Figure 3 shows the key rates for the same source with varied levels of characterization. For this source with p n+1 /p n ∼ 10 −1.7 , increasing the maximum photon number n max by one reduces ∆ by factor of 10 1.7 . The analysis for the ideal case above suggests that this will increase the threshold distance by 17 dB/(0.2 dB/km) = 85 km, which agrees with the curves in Fig. 3 for shorter distances where the error rate is not so high.
Throughout this paper, we only considered the limit of a large number of repetitions and a large final key, in which errors in estimating parameters due to statistical fluctuations are negligible. In practice, the key has a finite size and we must take the statistical fluctuations into account. This is beyond the scope of this paper but a few remarks are in order. Although our scheme may appear to involve a lot of parameters, it requires only a few of them to be estimated while actually running the protocol, due to its simplicity. The rest of the parameters, namely, the photon-number statistics of Alice's source, can be characterized off-line, before running the actual protocol. Of course, a care must be taken in this characterization to allow for practical issues such as the stability of the source.
Finally, we discuss the opposite condition of Eq. (6), γ 1 (ρ sp ) < Υ ≤ γ n (ρ sp ) for 2 ≤ n ≤ n max . This means a "super-Poissonian tail," namely, a tendency that if multiple photons appear at one of the two outputs of the beam splitter, then the other one has a larger probability of having photons. For example, the heralded parametric down-conversion (PDC) source shows this tendency, which is ascribed to the thermal photon-number distribution observed in the signal mode of PDC. In this case, γ 1 (ρ sp ) is the minimum of {γ n (ρ sp )} and any attempt by Eve to block 1-photon events should show up as an increase in the observed value of Q [c] . Therefore we can also obtain secure key by using a similar analysis. We found that the rule of thumb for the key rate in this case is again given by Each of Bob's detectors has the same dark count rate 2.5 × 10 −9 and efficiency 0.01 [41]. a, n max = 4, b, n max = 5, c, n max = 6, d, n max = 7, e, ∆ = 0. We see that increasing n max leads to a constant improvement of the threshold distance, until the overall detection rate drops to the order of Bob's dark count rate. Dashed curve shows the rate in a standard phase-encoding system (without D M ) based on a DMZI with an ideal SPS.
In conclusion, we have proposed a simple scheme to detect eavesdropping attacks on multi-photon emissions from practical single-photon sources. In contrast to the conventional scheme in which actual suppression of multi-photon emissions is necessary to avoid such attacks, our scheme requires no suppression as long as the higher photon-number tail of emission probabilities decreases more rapidly than a Poissonian distribution. As an example, we calculated the key rate for a lossy single-photon source suffering from Poissonian background noise, which is regarded as a bad source in terms of g (2) . We found that reducing the ambiguity in the characterization of the source improves the key rate, in much the same way as the actual suppression of g (2) does in the conventional scheme. It is worth mentioning here that the requisite in our scheme is satisfied by SPSs following a wide range of simple theoretical models: Any source with imperfection modelled by loss and Poissonian background satisfies the requisite of sub-Poissonian tail, regardless of the amount of the loss and the background. On the other hand, if the background noise follows a thermal distribution, the source always has a super-Poissonian tail, which also meets our alternative condition discussed above. This also opens up a possibility that we may intentionally increase the fluctuations in the background to meet the requisite. Naturally, our result provides a new perspective on the desired performance of a practical single-photon source, namely, property of photon number correlations of orders higher than g (2) . Recent development in the streak cameras [42] and photon-number-resolving detectors [43,44,45] are helpful in studying such higher-order correlations. Therefore it will be interesting to experimentally characterize them for the single-photon sources currently under development, as well as to seek plausible theoretical models of high photon-number emissions.
Since one can simulate the source ρ src equivalently by actively switching between the sources ρ sp and ρ uk , we are allowed to label each detection event according to which of the source was used. As a result, the overall detection rate Q is decomposed as Q = χ + Q uk , where χ (used instead of Q sp for simplifying the notations) is the fraction with the source ρ sp , and Q uk is with ρ uk . Using similar decomposition for Q n , we have where χ ≥2 ≡ nmax n=2 χ n . The clicked and non-clicked portions are also written as (j = c, nc) Since χ [c] n = γ n (ρ sp )χ n and Q [c] uk ≤ Q uk , we use Eq. (6) to have Eliminating χ ≥2 using Eq. (A.1) and noting that Q uk ≤ ∆, we obtain a bound on χ 1 as Next, we derive an upper bound on the error rate e 1 for the 1-photon events. Let E [c] and E [nc] be the overall error rates for the clicked events and the non-clicked events, respectively, which can be directly estimated in the protocol. Considering the contribution from 0-and 1-photon events, we have, for j = c, nc, where γ n = γ n (ρ sp ). The allowed range of the parameter χ 0 is determined from the condition ǫ(χ 0 ) ≥ 0. The secure key generation rate for the clicked events or the non-clicked events is given by the so-called GLLP formula [38,39,40] as (A.7) (j = c, nc), where q denotes the protocol efficiency (e.g. q = 1/2 in the standard BB84 protocol because half of the events are discarded by basis mismatch), f ≥ 1 the error correction efficiency, and H 2 (x) ≡ −log 2 x − (1 − x)log 2 (1 − x) the binary entropy function. Noting that Q where γ n = γ n (ρ sp ). When the secure key can be obtained from both events, we can achieve a key rate better than G [c] + G [nc] by doing the error correction separately but the privacy amplification jointly. The achievable rate in this case is given by