Quantum secure direct communication based on single-photon Bell-state measurement

Security loopholes exploiting the flaws of practical apparatus, especially non-ideal photon detectors, are pressing issues in practical quantum communication. We propose a simple quantum secure direct communication protocol based on single-photon Bell-state measurement and remove side-channel attacks on photon detectors. This quantum communication protocol in principle works in a deterministic way, and it does not require the two-photon interference of photons from independent sources. The single-photon Bell-state measurement with a unity efficiency can be constructed with only linear optics, which significantly simplifies its experimental implementation. Furthermore, we prove that our quantum secure direct communication protocol is immune to general detector-side-channel attacks.


Introduction
Security of communication between distant parties is an indispensable criteria for evaluating the performance of any communication network [1][2][3]. Quantum communication in principle provides unconditional security for exchanging sensitive information over public channels, since its security is based on the distinct characters of quantum mechanics, such as quantum entanglement and quantum no-cloning theorem [4]. Eavesdroppers cannot get any useful information during a quantum communication process without introducing perturbations that inevitably reveal their interception [5]. However, eavesdroppers can exploit security loopholes that are introduced by non-ideal apparatuses and/or channels to attack practical quantum communication [6,7]. Quantum key distribution (QKD) is a useful quantum communication protocol that generates secure keys between separated parties in the presence of eavesdroppers [8]. Subsequently, these keys enable secure communication and authentication. Non-ideal apparatuses, especially single-photon detectors with imperfections, have been exploited to carry out side-channel attacks against practical QKD [9][10][11][12][13][14][15][16][17][18][19], although the QKD is unbreakable in theory.
So far, several approaches have been researched to eliminate these side-channel attacks to recover the security of QKD that is implemented with practical detectors. Device independent QKD, based on the violation of Bell inequality, is proved to be secure and removes all side-channel attacks [20][21][22], and it requires a loophole-free Bell test [23][24][25]. Measurement-device-independent QKD (MDI-QKD) is a relatively simple solution that is based on postselected entanglement to remove all side-channel attacks using practical measurement apparatuses [26][27][28][29][30][31]. It requires the interference of photons from independent single-photon sources that are spatially separated by a long distance. Moreover, the coincidence rate of two single-photon detectors, corresponding to the rate of entanglement generation, is at most 50% using linear optics [32]. Recently, detector-device-independent QKD (DDI-QKD) is introduced to avoid these

Protocol description
The diagram of our QSDC protocol is illustrated in figure 1. To send a private message to a receiver Bob, the sender Alice prepares a sequence of polarization-encoded EPR photon pairs and sends half of each photon pair to Bob that encodes a spatial-mode qubit by introducing a random phase ϕ in two conjugate bases. An exclusive correlation between Alice and Bob can be established by a single-photon BSM on the photon hyper-encoded in two degrees of freedom (DoFs), which can be used to perform security check and then to exchange private information. Specifically, the proposal is carried out in the following processes.
(1) Entanglement distribution: Alice prepares n EPR pairs in the triplet entangled state √ 2 in the polarization DoF, which are denoted as a photon pair sequence [(s 1 , t 1 ), (s 2 , t 2 ), . . . ,(s j , t j ), . . . , (s n , t n )]. Here t denotes a travel photon and s denotes a photon kept in her own node, which can be implemented by quantum memory or optical delay line [53,[55][56][57]. Recently, it has been shown that quantum memory in QSDC can be dispensed with using a suitable coding scheme [67]. For simplicity, we do not go into details here by just using the terminology of quantum memory. The subscript j distinguishes different photon pairs. Then she takes one photon from each photon pair and arranges them into a photon sequence, such as S = [s 1 , s 2 , . . . , s j , . . . , s n ]. The other photon of the corresponding photon pair is arranged in the same order according to the subscribe j, leading to a photon sequence T = [t 1 , t 2 , . . . , t j , . . . , t n ]. Alice sends photon sequence T to the receiver Bob and keeps the other photon sequence S in her node, referred to as stationary qubits below.
(2) Hyper-encoding: upon receiving the photon sequence T, Bob randomly encodes one qubit information on the spatial-mode DoF of each photon, referred to as |ψ t , by sending each photon into a balanced beam splitter (BS) followed by a phase modulator (PM) in one output mode, such as l mode. The PM then introduces a phase ϕ in the l mode, which evolves each photon pair into a state a balanced beam splitter (BS) applies the transformations |u → (|u + |l )/ √ 2 and |l → (|u − |l )/ √ 2; a polarization beam splitter (PBS) transmits (reflects) a photon in the state |0 (|1 ); a half-wave plate (HWP) performing a bit-flip operation on photons passing through it. PM is a phase modulator and introduces a phase shift in the set {0, π/2, π, 3π/2}.
(3) Single-photon BSM: Bob sends photon sequence T to a single-photon BSM device that performs a single-photon BSM of each photon hyperencoded in both the polarization and spatial-mode DoFs. The single-photon Bell states are of the following forms, A simple BSM for a hyperencoded single photon can be deterministically constituted by linear optics and single-photon detectors, shown in figure 1. According to the result of BSM, the communication parties, Alice and Bob, can complete the teleportation of the spatial-mode DoF of each photon t j , and map its state to the corresponding stationary qubit s j belonging to Alice, up to a single-qubit rotation. Now, the state of s j which is determined by the encoding process of Bob and the results of the BSM, shown in table 1.
(4) Random sampling: Alice and Bob now reveal a random sample of n s from stationary qubit list S and estimate the error rate in the quantum channel, and thus in turn Eve's information. In the absence of errors, stationary qubits s j 's are exactly in the same state as that detailed in table 1, when Alice detects stationary qubit s j with the same basis identified by Bob's encoding. Therefore, Alice and Bob conclude that Eve is out of line and the quantum channel is secure. The direct communication protocol continues and the remaining n = n − n s stationary qubits of S sequence forms a new sequenceS. Otherwise, they have to terminate their communication and restart the aforementioned phases.
(6) Faithful decoding: Alice then sends the encoded stationary qubits to Bob. He can decode the message by performing measurement in the same basis as he used for hyper-encoding. At present, classical communication is much less costly than quantum-qubit transmissions, the procedure can be alternatively completed by the following one: Bob publishes his encoding basis for each photon through an authenticated classical channel; Alice performs single-photon measurement on each qubit by using the same basis identified by Bob and publishes the measurement results together with the operations and positions of n t test bits inS. Therefore, Bob can decode the information sent by Alice directly and ascertain the faith of the direct communication by comparing Alice's measurement results with table 1: when they are the same, Alice's information is bit 0, otherwise, Alice's information is bit 1.

Security analysis
The present QSDC protocol is based on the single-photon double encoding and the single-photon BSM. The nonorthogonal states, encoded by Bob for the information alignment, are teleported to Alice's node by performing single-photon BSM on both the spatial-mode and polarization DoFs of photons that are sent to Bob. To read out Alice's message that is encoded in the form of a sequence of unitary operations, Eve needs to know the states that Bob encoded and the measurement outcomes of the corresponding BSM, the combination of which leads to the leakage of the photon state just before Alice's encoding process. Subsequently, a simple comparison between the measurement outcome in faithful decoding phase and the photon state that is eavesdropped by Eve reveals the unitary operation (the encoding bit information) that is applied by Alice. Therefore, Eve can focus her attack on acquiring Bob's encoding information, the phase ϕ, by using two different general strategies: (I) symmetric individual attacks; (II) intercept-resend attacks. We will show below that both attacks can not get any useful information for Eve without being detected by legitimated communication parties.

Symmetric individual attacks
During a symmetric individual attack, Eve prepares a probe and makes it interact with a qubit propagating from Alice to Bob; she then measures the probe after Alice has encoded her information and announced the outcomes of her measurement. In principle, Eve can freely choose the probe and let it interact with the qubit under any evolution that is subjected to the laws of quantum mechanics. However, the most general evolution of the qubit and the probe is unitary and can be specified as follows [6,41,42], Here the subscript t represents a travelling qubit and | is the initial state of the probe; Eve's effective Hilbert space is at most four dimensions and is spanned by four ancillary states | ij that are nonorthogonal but normalized with ij | ij = 1. The parameter F is proportional to the probability that Eve learns the state of a travelling qubit without being detected; D is proportional to a similar probability, except that Eve will be detected. Both F and D are supposed to be positive real numbers, since the relative phase involved in the unitary transformation can be absorbed into the states | ij . Therefore, the orthonormality of the two states in equation (2) can be equivalent to the constrains F + D = 1 and 00 | 10 + 01 | 11 = 0. Furthermore, without loss of generality, we may assume that 0j | j 0 = j1 | 1j = 0 forj = 1 − j, cos α = 00 | 11 , and cos β = 01 | 10 , α, β ∈ [0, π/2]. For a photon pair in the state |ϕ + , Eve introduces a probe in the state | and makes it interact with the travelling photon t i . The composite system consisting of Eve's probe and particles belonging to Alice and Bob evolves into a new state where the subscripts (s, t) are used as the shorthand for a general qubit pair (s i , t i ). After photons t i passing through Bob's encoding circuit that introduces a random phase ϕ ∈ {0, π/2, π, 3π/2} in the lower mode l, a polarization-flip operation is applied on photons in the upper mode u. Subsequently, the photon t i in either the lower or upper mode is emitted by the BS in the single-photon BSM setup, which evolves the composite system into Here |0 u , |1 u , |0 l , and |1 l correspond to four single-photon BSM outcomes of |Ψ + , |Φ + , |Ψ − , and |Φ − , respectively. Upon the click of any single-photon detector that measures the photon t i , Alice's stationary qubit and Eve's probe collapse into a superposition state. To give out the probability that Eve is detected by Alice and Bob through the sampling process, Alice's photon state is redescribed in the basis that Bob has used to encode his qubit, i.e., Bob encodes a phase ϕ = 0, π in the basis |± = (|0 s ± |1 s )/ √ 2. The state |Ψ 2 for the case ϕ = 0 can be redescribed as, Therefore, no matter in which state the photon t i is, the system consisting of Alice's stationary qubit and Eve's probe is collapsed into a superposition state that is isomorphic to each other, due to the specific character of ancillary states | ij . The probability of detecting Eve is proportional to P 0 = (1 − F cos α − D cos β)/2 for ϕ = 0. Similarly, for the cases ϕ = π, ϕ = π/2, and ϕ = 3π/2, the system consisting of Alice's stationary qubit and Eve's probe is also collapsed into an isomorphic superposition state that is independent of the state of the photon t i . The corresponding probabilities of detecting Eve are P π = (1 − F cos α − D cos β)/2, P π/2 = (1 − F cos α + D cos β)/2, and P 3π/2 = P π/2 , respectively. The average probability of detecting Eve, when it is averaged over all input states and all results of single-photon BSMs, can be described as which is independent of cos β when Bob encodes his qubit in both bases with an equal probability. Now, the minimum of the detecting probability is This is achieved for F = 1, since F ∈ [0, 1], as shown in equation (2). After the security check process, if Alice wants to transmit a bit value 'k' through the qubit s i , she performs the U k operation on this qubit. After this, she measures the qubit s i by using the same basis that Bob has used to encode his qubit. She then announces her measurement outcome through a public channel. During this process, Eve wants to learn the information as much as she can, while keeping the detecting probability P m as low as she can. Since the different outcomes of a single-photon BSM project Alice's stationary qubit and Eve's probe into an isomorphic state, we can analysis the case with the BSM outcome |Ψ + , denoted as |0 u , to calculate the correlation between the legitimated parties and the eavesdropper Eve.
When the outcome of single-photon BSM is |Ψ + , the system consisting of Alice's stationary qubit and Eve's probe is collapsed into which can be redescribed in different bases of Alice's qubit i.e., |± = (|0 s ± |1 s )/ √ 2 and | ± i = (|0 s ± i|1 s )/ √ 2 as follows: when Bob encodes his qubit in the basis |± , Alice's qubit will be collapsed into |+ (|− ) for ϕ = 0 (ϕ = π) in the ideal situation. However, this ideal situation is changed due to the presence of any eavesdropper Eve, shown in equation (9). We can give out the bit information derived by Bob and Eve for different conditions: Bob encodes the phase ϕ = 0, π; Alice encodes a bit value 'k' by performing a unitary operation U k for k = 0, 1; Alice announces her outcome |+ s or |− s , shown in table 2.  When Bob encodes his qubit in the basis | ± i , we can also give out the bit information that can be derived by Bob and Eve for different conditions, which is similar to the case that Bob encodes his qubit in the basis |± . The degree of correlation between Alice and Bob, referred to as the mutual information between two parties, can be written as

Intercept-resend attacks
A direct intercept-resend attack that is performed by one eavesdropper Eve can be carried out as follows: Eve intercepts each photon t i , measures it in a randomly chosen basis |± or | ± i , and then sends Bob a photon in the same state as her measurement outcome. Eve can easily obtain the bit information encoded by Alice's unitary operations if Eve can hide from Alice and Bob. Fortunately, this type of intercept-resend attack will be detected by Alice and Bob during the sampling process in step (4). Then, Alice stops her encoding before the leakage of any private information.
Suppose Eve uses the basis |± to measure the photon t i of a photon pair that are in the state |ϕ + . Eve gets two possible outcomes |+ and |− , and sends Bob a photon t i that is in the same state as her measurement outcome. After passing through Bob's encoding circuit, the photon t i in the upper mode flips its polarization and combines again with that in the lower mode at a BS. When the photon t i entering into Bob's encoding circuit is in the state |+ or |− , its state evolves as follows, where the subscript u(l) labels a photon that clicks one of the two upper (lower) single-photon detectors and ϕ ∈ {0, π/2, π, 3π/2}. For the case that Eve uses the basis | ± i to measure the photon t i , she sends Bob a photon in the state | + i or | − i that evolves as follows The probability p d of detecting Eve is identical for all cases that Eve sends Bob a photon in the state |+ , |− , | + i , or | − i ; the detecting probability for each single sampling process is p d = 1/4, when Alice and Bob compare their practical outcomes of the BSM with that are obtained under ideal condition. For a sampling process of n 1 = 25 bits, Eve's intervention in principle will be detected with a probability of P d (25) = 99.9%, before Alice encodes her bit information by performing unitary operations. The legitimate parties Alice and Bob restart the communication process and then securely exchange private message without being eavesdropped by any adversary. An alternative intercept-resend attack follows the idea of two eavesdroppers before and after Bob's encoding circuit [36]. The two eavesdroppers Eve and Fred work cooperatively as follows: Eve intercepts each photon t i , measures it in a randomly chosen basis |± or | ± i , and then sends n i photons to Bob with each photon in the same state as her measurement outcome. After these photons pass though Bob's encoding circuit, they evolve into a product state with each photon evolves into a new state that reveals Bob's encoding information ϕ. Fred can first perform nondestructive measurement of these photons to read out n i , if the number of photons n i reveals the basis and outcome of Eve's measurement; subsequently, Fred can get Bob's encoding information ϕ by unambiguous state discrimination measurement of the new state [68]. By comparing Eve's measurement outcome with Bob's encoding choice, Fred determines to announce a BSM outcome that consists with the ideal output shown in table 1.
For example, when Eve gets a measurement outcome |− and Bob encodes a phase ϕ = 0 (ϕ = π), Fred can announce the outcome of the BSM as |Ψ − or |Φ − (|Ψ + or |Φ + ). In contrast, Fred announces the BSM as inconclusive, when Eve's measurement outcome and Bob's encoding choice are inconsistent, because any BSM outcome in this case leads to an error of 50% that can be detected by Alice and Bob during the sampling process. This inconclusive process can be absorbed into channel loss, when Eve substitutes a practical channel with a better channel of a lower loss rate. The security of our protocol is limited by a practical channel of the loss rate up to 50%. This limitation can be removed by inserting a filter before Bob's encoding circuit, which decreases the number of photons n i [69][70][71][72][73][74][75][76]. Subsequently, this disturbs the correlation between Eve's measurement outcome and n i , and prevents Fred from learning about Bob's encoding choice. Therefore, the security of our protocol can be improved to that achieved with direct intercept-resend attack when single-photon filter is available.

Discussion
In previous sections, the security of our protocol against two typical attacks are presented under ideal circumstance. For MDI quantum communication protocols [26][27][28][29][30][31][61][62][63], their security is guaranteed by postselecting entanglement that is introduced by two-photon interference. However, the security of our protocol exploits the exclusive correlation that is introduced by an entanglement distribution together with a single-photon BSM, and removes side-channel attacks on photon detectors when they are built by the legitimate parties. We require no two-photon interference and thus eliminate the corresponding limitation, such as the identical character of two independent photons, time of arrival, frequency, and so on.
When the sender's node is kept isolated from quantum nondestructive measurement applied by Eve, our protocol could be modified to implement a simplified QSDC protocol [46], in which the encoding basis in the receiver node is fixed to {|+ , |− } and the sender can perform the measurement just after loading her private information on stationary qubit. Our protocol in practice can be used to perform a deterministic QKD [42], in which Alice encodes a random string of symbols rather than her private information before performing random sampling. In addition, the single-photon BSM also enables a nondeterministic QKD by using single photons in nonorthogonal states: one party encodes a random spatial qubit to the received photon and performs single-photon BSM on it. Then it introduces exclusive correlation between two parties only when their bases are the same, which allows for the generation of a random key [33][34][35][36].
In practice, there are several sources of noise that may be encountered, such as the noisy preparation of an EPR pair, the channel noise, the imprecise operation involved in the encoding, and the decoherence of a stationary qubit [77]. All these sources of noise decrease the fidelity of practical EPR pairs shared by the legitimate parties, and prevent them from sharing perfect correlation shown in table 1. Then it increases the bit-error rate, which equals zero under idealized circumstance, in random sampling. Fortunately, the legitimate parties, in principle, can use entanglement purification to create EPR pairs with a sufficiently high fidelity from the practical ones with a fidelity larger than a threshold value, such as a fidelity of 0.5 for a depolarizing channel [78]. It is an interesting future topic to study the tolerable bit-error rate. However, the error-rate threshold 5.7% for the DL04-QSDC protocol using four nonorthogonal states in reference [58] is a good estimate of the upper bound. In practical implementation of this protocol, forward error correction [79] might be more practical and easier, and explicit correction codes should be constructed, like those in references [57,80].
The stationary qubit in our protocol can be implemented by quantum memory or optical delay line [53,[55][56][57]. The sender Alice prepares n EPR pairs, and stores half of each EPR pair in n quantum memories that are referred to as stationary qubits. In practice, a stationary qubit should hold on its state for an appreciable length of time T 2 to enable Alice and Bob perform classical communication and eavesdropping diagnostics. The decoherence of the stationary qubit changes a pure state into a mixed one, and it introduces an additional bit-error rate with the lower bound of p e = [1 − exp(−2L/cT 2 )]/2 ∼ L/cT 2 1, which constraints the communicating distance L for a given T 2 and the light speed c. The two-step QSDC with quantum memory was demonstrated with a fidelity of 0.9 [55]. Very recently, the entanglement between two quantum memories over dozens of kilometres was realized [81]. Their quantum memory setup can be modified to implement our protocol directly. A more practical way to circumvent the difficulty of quantum memory is to use a dynamic coding scheme to dispense with the quantum memory in the so-called quantum memory-free QSDC protocol [67].

Summary
The security of our protocol against symmetric-individual [6,42] and intercept-resend attacks [35,36] are demonstrated. For the symmetric-individual attack, the eavesdropper Eve cannot acquire any useful information when she uses a strategy that reveals her intervention with the lowest probability. However, her intervention decreases the mutual information between two legitimate communication parties. For the intercept-resend attack, the eavesdropper Eve is detected by an average probability of 1/4 for each single sampling process, and can be detected deterministically by a larger sampling subset. For a lossy channel, the security of our protocol against the intercept-resend attack is proved by inserting a filter before Bob's encoding circuit [69][70][71][72][73][74][75][76].
In summary, we presented a simple quantum secure direct communication protocol based on single-photon BSM by using linear optics and practical single-photon detectors. It closes the potential security loopholes exploiting the flaws of detectors in practical quantum communication. Furthermore, it removes the limitation of two-photon interference, making it simple and efficient for practical communication.