Feasibility of 300 km Quantum Key Distribution with Entangled States

A significant limitation of practical quantum key distribution (QKD) setups is currently their limited operational range. It has recently been emphasized (X. Ma, C.-H. F. Fung, and H.-K. Lo, Phys. Rev. A, 76:012307, 2007) that entanglement-based QKD systems can tolerate higher channel losses than systems based on weak coherent laser pulses (WCP), in particular when the source is located symmetrically between the two communicating parties, Alice and Bob. In the work presented here, we experimentally study this important advantage by implementing different entanglement-based QKD setups on a 144 km free-space link between the two Canary Islands of La Palma and Tenerife. We established three different configurations where the entangled photon source was placed at Alice's location, asymmetrically between Alice and Bob and symmetrically in the middle between Alice and Bob, respectively. The resulting quantum channel attenuations of 35 dB, 58 dB and 71 dB, respectively, significantly exceed the limit for WCP systems. This confirms that QKD over distances of 300 km and even more is feasible with entangled state sources placed in the middle between Alice and Bob.


Introduction
Quantum cryptography, which promises to solve the problem of secure key distribution for the encryption of messages, is the most mature technical application in the field of quantum information and quantum communication. Current QKD architectures can be broadly categorized into systems based either on weak coherent laser pulses (WCP) [2,3,4,5], on continuous variables [6,7,8,9,10] or on entanglement [11,12,13]. On the commercial market, WCP systems have been available for a while [14,15]. Most recently a QKD network was successfully demonstrated in Vienna (Peev et al. in the same issue), including a fully automatic entanglement-based QKD system, operating reliably with installed telecom fibers (Treiber et al. in the same issue [16]).
An important benchmark for a QKD system is the secure key rate that can be achieved for a given quantum channel attenuation. Due to absorptive losses in the communication channels and detector imperfections, the distance/attenuation over which a secure key can still be generated is limited for all QKD systems. The experimental approach that presently offers the best performance in high-loss regimes is the symmetric entanglement-based system. This was recently shown by X.-F. Ma et al. [1], where the authors conclude that state-of-the-art pulsed entanglement-based QKD systems with the source placed symmetrically in the middle between the receivers can cover up to twice as much attenuation as WCP systems. In their particular example, the maximal attenuation was evaluated to be an astonishing 70 dB (in the case of optimized mean photon number in the limit of an infinite number of key bits) when using experimental parameters as in [17]. Comparatively, a WCP system based on the same parameters can cover only up to 35 dB attenuation.
The quantum channels in future global quantum communication networks will mostly consist of optical fibers, which are already widely installed. As an alternative, free-space connections will allow links to be built up quickly between parties with direct line-of-sight [18,19,20,21,22,23,17,24,25]. Additionally, orbital free-space links, e.g. satellite-to-ground links or inter-satellite links, will allow the efficient global interconnection of regional quantum networks [26,27]. The attenuation expected for a single link ground connection from a satellite is at least 30 dB, and its feasibility has been shown in first ground-based tests [5,17]. In the more demanding two-link satellite scenario, QKD systems will have to cope with 60 dB attenuation.
In this work, we experimentally test the performance of entanglement-based QKD in an attenuation range from 35 dB to 70 dB over a distance of 144 km. We demonstrate the feasibility of entanglement-based QKD in loss regimes, where secure communication is no longer possible using WCP systems. With respect to the channel symmetry, we show that the obtained secure key rates confirm the predicted advantage of the symmetric scenario over commonly used asymmetric systems and we compare our results with the theoretical model by X.-F. Ma et al. [1].

Entanglement-based QKD
The most commonly used entanglement-based QKD scheme is the BBM92 protocol [12], where it was shown to be equivalent to the original BB84 scheme [28] under ideal conditions: Ideally, a source generates polarization entangled photons in the state where $|H\rangle$ ($|V\rangle$) denotes horizontal (vertical) polarization. The photons in modes a and b are sent through quantum channels to the two communicating parties, Alice and Bob. Both perform measurements on the incoming photons in one out of two randomly chosen, complementary bases. Let's assume that they chose between the $|H, V\rangle$-basis and the $|P, M\rangle$-basis, with $|P\rangle = \frac{1}{\sqrt{2}}(|H\rangle + |V\rangle)$ and $|M\rangle = \frac{1}{\sqrt{2}}(|H\rangle - |V\rangle)$. Alice and Bob individually record their measurement outcomes, including the information about the measurement basis. Assigning the binary value "0" to the results $|H\rangle$ and $|P\rangle$ and the value "1" to the results $|V\rangle$ and $|M\rangle$, each of the observers obtains a completely random bit string, the raw key. The sifted key is gained after basis reconciliation, where the raw key is reduced by the basis reconciliation factor of 2. This is due to the fact that Alice and Bob discard those events where they have accidentally chosen different bases. Since the quantum state (1) received by Alice and Bob was entangled, the retained measurement outcomes are perfectly anti-correlated, i.e. Alice's and Bob's sifted keys are perfectly inverse to each other. This key is then further used to encode a message which can be transmitted over a public channel.
The security against an eavesdropper, Eve, is guaranteed by the laws of quantum mechanics. Any attempt by Eve to gain information on the transmitted qubits will inevitably reduce the entanglement and introduce errors in the sifted key. The quantum bit error ratio (QBER) q is constantly monitored by Alice and Bob by comparing small parts of their keys. As long as the QBER stays below a certain value, classical error correction and privacy amplification protocols can be used to distill an unconditionally secure key.
In real-world QKD experiments, errors will most probably be caused by imperfections in the setup rather than by Eve. However, for unconditional security, all errors need to be treated as if coming from an attempted eavesdropping attack. The next section is devoted to a theoretical analysis of how the various imperfections affect the QBER and in consequence limit the achievable secure key rate.
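The sifting and QBER monitoring described in this section, as an added Python example that is not part of the original paper. The error probability (0.069, in line with the QBERs reported in the experiments), the sample size, the abort limit and all function names are assumptions of the example; the text gives no numeric QBER limit, so the caller supplies one.

```python
import random

H_V, P_M = 0, 1   # the two complementary analysis bases


def measure_pairs(n_pairs, flip_prob, rng):
    """Simulated detection records (basis_A, bit_A, basis_B, bit_B)."""
    records = []
    for _ in range(n_pairs):
        basis_a, basis_b = rng.choice((H_V, P_M)), rng.choice((H_V, P_M))
        bit_a = rng.randint(0, 1)          # 0 for |H>, |P>; 1 for |V>, |M>
        if basis_a == basis_b:
            bit_b = 1 - bit_a              # same basis: anti-correlated
            if rng.random() < flip_prob:   # setup imperfection or Eve
                bit_b ^= 1
        else:
            bit_b = rng.randint(0, 1)      # different bases: uncorrelated
        records.append((basis_a, bit_a, basis_b, bit_b))
    return records


def sift(records):
    """Basis reconciliation: only the basis choices are compared in public."""
    alice = [a for ba, a, bb, _ in records if ba == bb]
    bob = [1 - b for ba, _, bb, b in records if ba == bb]  # Bob inverts
    return alice, bob


def estimate_qber(alice, bob, sample_size, rng):
    """Disclose a random subset, count mismatches, drop the disclosed bits."""
    revealed = set(rng.sample(range(len(alice)), sample_size))
    errors = sum(alice[i] != bob[i] for i in revealed)
    keep = [i for i in range(len(alice)) if i not in revealed]
    return (errors / sample_size,
            [alice[i] for i in keep], [bob[i] for i in keep])


def run(n_pairs=200_000, flip_prob=0.069, sample_size=5_000,
        qber_limit=0.10, seed=7):
    # Seeded PRNG for a reproducible demo only; the experiment used
    # quantum random number generators for the basis choice.
    rng = random.Random(seed)
    alice, bob = sift(measure_pairs(n_pairs, flip_prob, rng))
    qber, alice_key, bob_key = estimate_qber(alice, bob, sample_size, rng)
    return {"sifted": len(alice), "qber": qber, "abort": qber > qber_limit,
            "alice_key": alice_key, "bob_key": bob_key}


if __name__ == "__main__":
    out = run()
    print(out["sifted"], round(out["qber"], 4), out["abort"])
```

The bits disclosed for the estimate are removed from both keys, so the remaining key still carries the residual errors that error correction has to handle.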

Theoretical error model
In practical QKD setups, most errors will actually originate from experimental imperfections, e.g. non-perfect entanglement and higher order photon emissions at the source, noisy quantum channels, imperfect polarization analyzers and photon detectors. A direct estimate of the expected QBER in a quantum optics QKD experiment can be obtained by measuring the total quantum correlation visibility $V_{tot}$, which has a simple relation to q: and can be obtained from the maxima, $N_{max}$, and minima, $N_{min}$, of the observed coincidences: Given that all these parameters are experimentally accessible, one can model the performance of a QKD system. First, a finite coincidence time window $\tau_c$, limited by the timing resolution of the detection apparatus, results in a certain probability to accidentally detect two uncorrelated photons in coincidence, which do not belong to the same pair. Second, the statistical nature of the down-conversion process inherently generates multi-photon emissions within the coherence time of the photons. This also results in uncorrelated detection events at Alice and Bob. Furthermore, the finite coincidence time window leads to uncorrelated accidental coincidences from background light and intrinsic detector dark counts. In addition, imperfections and misalignment in the setup (source, polarization analysis, etc.) introduce systematic errors. In the following, the errors from uncorrelated detection events are characterized by the accidentals visibility $V_{acc}$ and the systematic errors by the system visibility $V_{sys}$. The total correlation visibility is given by The effect of these error sources on the secure key rate is analyzed analytically within a model devised by X.-F. Ma et al. [1], which assumes pulsed operation of the SPDC source.
The input parameters for the model are the photon-pair generation rate at the source, the ratio between the coincidence and single rates at Alice and Bob including detector efficiencies and the system visibility $V_{sys}$. The model yields an error probability and a secure key gain per pump pulse as a function of total two-photon attenuation in a QKD experiment. A lower bound for the final secure bit rate per pulse R is then calculated using Koashi and Preskill's security analysis [29] via Here, $P_c$ is the coincidence detection probability between Alice and Bob per pump pulse, $\frac{1}{2}$ is the basis reconciliation factor and $H_2$ is the binary entropy function The correction factor $f(q)$ accounts for the fact that practical error-reconciliation protocols in general do not perform ideally at the Shannon limit. Instead of assuming $f(q) \approx 1$, we used realistic values for the applied bidirectional error correction protocol CASCADE [30]. Furthermore, for our case of a cw-type SPDC source, the model was adapted to yield a probability per coincidence time window instead of a probability per pump pulse. We want to remark that other error-reconciliation protocols (e.g. WINNOW [31]) promise to perform more efficiently, and it will be the subject of future investigation whether it might carry advantages also for our specific experimental environment.
Note that Equation (4) gives the final secure key rate in the limit of infinite key lengths. However, in a practical implementation the secure key is obtained via error correction and privacy amplification on a finite key, which will further reduce the secure key rate to some extent (see [1,32] for more details). For simplicity, we will restrict the analysis of our experiments to the infinite bounds.

Description of the experiments and results
We implemented three different experimental QKD scenarios (see Figure 1). In all three experiments, one photon of an entangled pair was sent to Bob via a 144 km free-space link, established between the islands of La Palma and Tenerife. The first and the second experiment were both asymmetrical with respect to the different channel losses for Alice and Bob. In the first experiment the SPDC source was placed at Alice (source at Alice) and one photon of an entangled pair was measured directly at the source. In the second experiment (source asymmetric in between Alice and Bob), Alice's photon was sent through a 6 km single-mode fiber before it was analyzed. In the third scenario both photons were sent via the 144 km free-space link to a common receiver where they were split up and analyzed separately. This can be seen as an effective realization of the source in the middle scheme, since we have equal channel losses for Alice's and Bob's photons.
For an overview of the different scenarios and the corresponding results, please refer to Table 1. A detailed discussion will be given in the next sections.

Table 1. A summary of the parameters for the three different experimental scenarios and the corresponding results, i.e., the total two-photon attenuation, the locally detected coincidence rate, the total visibility $V_{tot}$, the quantum bit error ratio QBER and the finally obtained secure key rate.

Figure 1. An illustration of the three setups used for the entanglement-based quantum key distribution experiments. The entangled photon source (PDC source) generates entangled photon pairs that were sent via optical fibers and free-space optical links to Alice and Bob, respectively. There they were analyzed and detected, using four avalanche photo detectors $D_{A,T}$, $D_{A,R}$, $D_{B,T}$ and $D_{B,T}$. a) Alice's photon was analyzed directly at the source after 1 meter of optical fiber and Bob's photon was sent through a 144 km free-space channel. The total two-photon attenuation was 35 dB. b) Alice's photon is now sent through a 6 km fiber, resulting in a total two-photon loss of 58 dB. In the scenarios a) and b) each analyzer module consisted of a polarizing beam splitter cube (PBS) and an electro optical modulator (EOM) to switch between the complementary bases. The EOMs were triggered by independent quantum random number generators. c) Both photons were sent through the 144 km free-space channel to one common receiver. There they were split up with a 50/50 beam splitter (BS) and guided to Alice and Bob, who could adjust their analyzing bases, using a half wave plate (HWP) and a PBS.

Source at Alice
The experimental situation is depicted in Figure 1a. The SPDC source [33] was located in La Palma and generated photon pairs in the entangled state (1). The photons in modes a and b were coupled into single-mode fibers, Alice's photon in mode a was analyzed and detected locally after only 1 meter of single-mode fiber, while the photon in mode b was sent through a 144 km free-space channel to Tenerife. There it was collected by the 1 meter diameter telescope of the optical ground station (OGS) operated by the European Space Agency ESA and analyzed by Bob.
Each polarization analyzer consisted of an electro optical modulator (EOM), a polarizing beam splitter (PBS) and two single-photon avalanche diodes. Triggering the EOMs by independent quantum random number generators, the analyzer modules randomly switched between the complementary analyzing bases $|H, V\rangle$ and $|P, M\rangle$ as required for the BBM92 protocol [12]. At Alice and Bob, every detection event (including arrival time, detector channel and EOM setting information) was recorded onto local computer hard disks, using time-tagging units disciplined by the global positioning system (GPS) time standard. Note that using active analyzers which are triggered by a quantum random number generator represents a security advantage over passive QKD systems, because it prevents an eavesdropper from applying certain side-channel attacks [1,34] (e.g. faked states attack).
In the first scenario implemented, the free-space channel attenuation for photons in mode b was measured to be approximately 32 dB on average (including all optical elements), while only half of the locally measured photons (3 dB) in mode a were lost in Alice's analyzer module. The total two-photon attenuation was therefore 35 dB.
The SPDC source generated entangled photon pairs at an estimated rate of 7 MHz, limited by the peak count rate of Alice's detector system. After single-mode fiber coupling, 550000 coincidences were observed locally, corresponding to a combined coupling and detection efficiency of 28%. The darkcount rate at Alice was 500 Hz while Bob's detectors showed an average of 1200 Hz. For these parameters and a coincidence window of $\tau_c$ = 1.5 ns, theory predicts an upper bound of $V_{th}$ = 94.1% for the total visibility, which includes the initially measured system visibility $V_{sys}$ = 96% as well as the background and multi-pair emission limited visibility of $V_{acc}$ = 98%. However, the actual visibility of the transmitted entangled state was measured to be $V_{tot}$ = 86.2% on average. The discrepancy to $V_{th}$ was most probably caused by a polarization drift in the fiber connecting the source with the transmitter telescope during the measurements.
The result of a typical measurement is shown in Figure 2. In total, three measurements were performed and sifted keys containing 11024 bits (130 s integration time), 13642 bits (190 s integration time) and 16851 bits (190 s integration time), respectively, were obtained. During a measurement run, the free-space link usually undergoes strong atmospheric turbulence, resulting in a time dependent two-photon attenuation. This is reflected by the time-resolved sifted key rates (see Figure 2). The QBERs for these measurement runs of 6.6%, 7.3% and 6.9%, respectively, were obtained by comparing the sifted keys and are in good agreement with the measured overall visibility. Finally, applying Equation (4) with $f(q) \approx 1.18$ yields an averaged secure key rate of approximately 24 bits/s. A comparison of all experimental data points to the theoretically calculated secure key rate as a function of overall link attenuation is shown in Figure 4.

Source asymmetric in between Alice and Bob
The second scenario extends the source at Alice scheme (see section 2.1), such that the photons in mode a were delayed by 29.6 µs in a 6 km long single-mode fiber (see Figure 1b). The attenuation of the fiber was measured to be 17 dB and during this particular measurement series, the free-space link attenuation was 38 dB. Combined with the 3 dB loss in Alice's analyzer, the overall two-photon attenuation was 58 dB. For this experiment, we increased the output of the SPDC source to a pair generation rate of 32 MHz by operating at the maximum available pump laser power of 50 mW. Due to detector saturation, the fiber-coupled and locally detectable pair rate could only be extrapolated to be 2.5 MHz. In this situation, the initial system visibility was $V_{sys}$ = 94%, a slight reduction compared to the 35 dB scenario, caused by the delay fiber. With the same coincidence window ($\tau_c$ = 1.5 ns) and darkcount rates as in the first experiment (500 Hz at Alice and 1200 Hz at Bob), the theoretic upper bound for this scheme turns out to be $V_{th}$ = 88%, and the measured total visibility of the entangled state at the receiver was $V_{tot}$ = 86.2%, coincidentally the same as in the first scenario.
A typical measurement result is depicted in Figure 3. In total, two sifted keys were obtained, containing 1107 bits (580 s integration time) and 1684 bits (880 s integration time). The corresponding QBERs were 6.9% and 6.8%, respectively, and a secure key rate of 0.6 bits/s could be obtained from Equation (4) with $f(q) \approx 1.18$. For this scenario both the expected visibility and the key rate agree very well with the model (see Figure 4).

Figure 1b, where the source was arranged asymmetrically between Alice and Bob, resulting in a two-photon attenuation of 58 dB. Accumulating data for approximately 1400 s, an average secure key rate of 0.6 bits/s was obtained.

Source in the middle
The experimental situation for the third, the source in the middle scenario, is depicted in Figure 1c. The entangled photons in mode a and mode b were coupled into single-mode fibers, guided to two separate transmitter telescopes and sent through a 144 km free-space channel to one common receiver in Tenerife. The total two-photon attenuation was measured to be about 71 dB (including all optical components). For a detailed description of the setup please refer to [35].
The source produced photon pairs at a rate of 10 MHz from which 3.3 MHz single photons and 1 MHz photon-pairs were detected locally. Both photons were sent via two telescopes over the 144 km free-space links to Tenerife. On average, 0.071 transmitted photon pairs/s could be detected, using a coincidence window of 1.25 ns. Each detector registered a background count rate of 400 Hz. Accumulating data for a total amount of 10800 seconds we measured an averaged visibility of the transmitted entangled state of $V_{tot}$ = 92% (with $V_{sys}$ = 99% and $V_{acc}$ = 94%), which is very close to the theoretic upper bound of $V_{th}$ = 91.7%. Based on these measurements we inferred that a QKD experiment employing a similar setup would have yielded a QBER of approximately 4%. From the coincidence rate and the QBER-dependent performance of the classical key distillation protocols ($f(0.04) \approx 1.16$), we estimate that our experiment would have yielded a final secure bit rate of approximately 0.02 bits/s (see Figure 4). However, the implementation of a full QKD experiment was not possible, because only one receiver station and module was available in Tenerife.

Clock synchronization
As an additional feature, our coincidence search algorithm used during the first two experiments could be utilized to synchronize the individual time bases at Alice and Bob within 0.5 ns. For the third experiment such a synchronization was not necessary, because one and the same time-tagging system was used for the measurements.
Coincidence events between Alice and Bob were identified by calculating the cross-correlation function of the individual time-tagging data sets. A peak in the cross-correlation function indicated the current time offset $\Delta t$ between the time scales of the receiver units. Initially, Alice's and Bob's time bases were both disciplined by the GPS time standard. However, the two individual GPS receivers exhibited a relative drift during a measurement run. By analyzing the data in blocks of adjustable length, our software measured and compensated for this relative drift with 0.5 ns resolution by temporal alignment of the data blocks. The data of the first experiment described were analyzed in blocks of 5 s length, while the data obtained in the second experiment were analyzed in blocks of 30 s length. The corresponding results concerning the relative drift of Alice's and Bob's time bases are depicted in Figure 5.
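One way to implement the block-wise cross-correlation described above, as an added Python example that is not the authors' software. The time tags are constructed (pair rate, loss, jitter, a 480 µs offset and a 0.1 ns/s drift are all assumptions), and only the 0.5 ns resolution, the 1.5 ns coincidence window, the 5 s block length and the 500 Hz and 1200 Hz dark count rates are taken from the text.

```python
import bisect
import random
from collections import Counter

BIN_NS = 0.5       # offset resolution quoted in the text
WINDOW_NS = 1.5    # coincidence window of the first two experiments


def make_tags(duration_s=20.0, seed=1):
    """Constructed time tags (ns): correlated pairs plus background clicks."""
    rng = random.Random(seed)
    span = duration_s * 1e9
    offset, drift = 480_300.1, 0.1        # ns and ns/s, both constructed
    alice, bob, pairs = [], [], 0
    for _ in range(int(2000 * duration_s)):
        t = rng.uniform(0, span)
        alice.append(t)
        if rng.random() < 0.05:           # most partner photons are lost
            bob.append(t + offset + drift * t * 1e-9 + rng.gauss(0, 0.2))
            pairs += 1
    alice += [rng.uniform(0, span) for _ in range(int(500 * duration_s))]
    bob += [rng.uniform(0, span) for _ in range(int(1200 * duration_s))]
    return sorted(alice), sorted(bob), offset, drift, pairs


def block_slice(tags, t0, t1):
    """Tags with t0 <= t < t1 from a sorted list."""
    return tags[bisect.bisect_left(tags, t0):bisect.bisect_left(tags, t1)]


def block_offset(alice, bob, t0, t1, guess, search_ns=100.0, min_peak=10):
    """Histogram t_B - t_A within +/- search_ns of guess; return the peak."""
    hist = Counter()
    for ta in block_slice(alice, t0, t1):
        i = bisect.bisect_left(bob, ta + guess - search_ns)
        j = bisect.bisect_right(bob, ta + guess + search_ns)
        for tb in bob[i:j]:
            hist[round((tb - ta) / BIN_NS)] += 1
    if not hist:
        return guess
    peak_bin, count = hist.most_common(1)[0]
    # No clear peak (for example a link dropout): keep the previous offset.
    return peak_bin * BIN_NS if count >= min_peak else guess


def synchronise(alice, bob, duration_s, block_s, coarse_guess):
    """Track the offset block by block and count coincidences."""
    offsets, coincidences, guess = [], 0, coarse_guess
    for k in range(int(duration_s / block_s)):
        t0, t1 = k * block_s * 1e9, (k + 1) * block_s * 1e9
        guess = block_offset(alice, bob, t0, t1, guess)
        offsets.append(guess)
        for ta in block_slice(alice, t0, t1):
            i = bisect.bisect_left(bob, ta + guess - WINDOW_NS / 2)
            j = bisect.bisect_right(bob, ta + guess + WINDOW_NS / 2)
            coincidences += j > i         # at most one partner per Alice tag
    return offsets, coincidences


if __name__ == "__main__":
    a, b, offset, drift, pairs = make_tags()
    offsets, found = synchronise(a, b, 20.0, 5.0, coarse_guess=480_250.0)
    print(offsets, found, pairs)
```

Each block's search is centred on the previous block's offset, so the search range only has to cover the drift accumulated over one block plus the uncertainty of the initial guess.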

Conclusion
We experimentally studied entanglement-based QKD in three different high-attenuation scenarios on a 144 km free-space link between the two Canary Islands La Palma and Tenerife to verify the symmetry advantage of such an implementation. This involved placing the source directly at Alice, asymmetrically between Alice and Bob, and finally, symmetrically between the two parties. Our results demonstrate that in the symmetric case (source in the middle) secure keys can be generated up to a channel attenuation of 70 dB, a regime in which asymmetric schemes fail. We conclude that entanglement-based QKD systems are the systems of choice for long distance quantum communication. Compared to the expected link attenuations in a low earth orbit (LEO) satellite to ground scenario of 30 dB, our results show that entanglement-based systems are suitable for use in either a single-link (source at Alice) or a two-link (source in the middle) scenario. Our results imply that, using similar technology as in our experiment, it should readily be possible to implement QKD over distances of 300 km. This also holds true for fiber-based QKD, as there the attenuation is typically of the order of 0.2 dB/km, resulting in similar total attenuations.

Figure 4. A comparison of the obtained results with the theoretical model described in the main text. The solid curve (source at Alice) starts at a two-photon attenuation of 3 dB, which corresponds to the fixed loss in Alice's analyzer module. The dashed curve represents the scheme with the source asymmetrically between Alice and Bob, where the attenuation for Alice's fiber channel together with the analyzer module was 20 dB. The dotted-dashed curve is predicted by our model for the source in the middle scheme. The three experimentally obtained secure bit rates are depicted as the square, the circle and the triangle, respectively. It is easy to see that the data point for the source in the middle scenario (triangle) cannot be explained by the models for the asymmetric cases. Similarly, the data point of the experiment with the source asymmetrically between Alice and Bob cannot be explained by the model for the source at Alice scheme. Thus the advantage of the symmetric scenario is clearly verified by our experimental results. Furthermore, these results also show that our system should be able to generate secure keys at high rates from 10 kbit/s at 15 dB and 100 kbit/s at 3 dB, a range typical for free-space links in metropolitan areas.

Figure 5. This plot shows the relative drift between Alice's and Bob's local time-tagging systems that were directly disciplined by the global positioning system. Due to the relative drift (vertical axis of the plot), the offset for the coincidence analysis was adapted by recalculating the cross-correlation. For the three measurements within the source at Alice scheme the recalculation was performed in steps of 5 s (black, red and green curve), while for the two measurements within the source asymmetric in between Alice and Bob scenario it was performed every 30 s (blue and light blue curve).