Coherent one-way quantum conference key agreement based on twin field

Quantum conference key agreement (CKA) enables key sharing among multiple trusted users with information-theoretic security. Currently, the key rates of most quantum CKA protocols suffer from the limit of the total efficiency among quantum channels. Inspired by the coherent one-way and twin-field quantum key distribution (QKD) protocols, we propose a quantum CKA protocol of three users. Exploiting coherent states with intensity 0 and $\mu$ to encode logic bits, our protocol can break the limit. Additionally, the requirements of phase randomization and multiple intensity modulation are removed in our protocol, making its experimental demonstration simple.


I. INTRODUCTION
The establishment of quantum network is the ultimate goal of quantum communication, where QKD is the most mature subfield for applications. QKD allows secret key sharing between two distant authorized participants with unconditional security [1,2]. But the number of participants in QKD is merely two. In many other scenarios on quantum networks, such as web conference and online courses, there are far more than two users who need to share keys. Quantum CKA [3][4][5][6] gives the solution, which aims to distribute common secret keys among multiple parties. The advantages of quantum CKA over repeating QKD in quantum networks are that quantum CKA requires fewer resource qubits, transmits fewer classical bits and performs fewer rounds of error correction and privacy amplification steps, which have been illustrated by researchers [7]. After more than two decades of development, many quantum CKA protocols have been proposed [7][8][9][10][11][12][13][14][15][16][17][18][19][20], including measurementdevice-independent [8] and device-independent [15] protocols. Details can be found in the review article [21].
Nevertheless, the conference key rates in a majority of quantum CKA protocols are rigorously restricted by the total efficiency among quantum channels, which is an upper bound of the conference key rates [22]. Although some techniques may be utilized to break this upper bound, such as quantum repeaters [23], adaptive measurement-device-independence [24] and W states with single-photon interference [25], these approaches are difficult to be implemented practically. Recently, a three-party quantum CKA [20], inspired by the twin-field QKD [26][27][28], is presented to overcome this limit in a practical way. However, this protocol [20] requires to exploit the decoy-state method [29,30], including the active and high precision phase randomization and multiple intensity modulation, which increases the experimental complexity in quantum state preparation.
Here, we propose a simple scheme for three-party quantum CKA protocol to break this limit by combining the methods of coherent one-way QKD [31] and twin-field * hlyin@nju.edu.cn † zbchen@nju.edu.cn QKD [26]. The simulation results show that this protocol can be demonstrated over 450 km with available technology. Our protocol employs weak coherent states with intensity 0 or µ to encode logic bits. Therefore, phase randomization and pulse modulation with different intensities are circumvented in our protocol, which results in a much simpler experimental setup and decreased security risks caused by imperfect phase randomization. The security proof of our protocol, surprisingly, can directly utilize the security analysis of coherent one-way QKD [31][32][33]. Our protocol promotes the practical process of quantum CKA and may have a good application prospect.

II. PROTOCOL DESCRIPTION
As shown in figure 1, there exist three parties in our protocol, named Alice, Bob and Charlie. Alice and Bob serve as senders while Charlie serves as a receiver. Since participants in our protocol encode logic bits with weak coherent states instead of single-photon states, our scheme features a simple experimental setup where senders only require a laser source and an intensity modulator to generate pulses.
Each sender prepares a pulse with intensity µ (0) for logic bit 1 (0). They both send pulses with a period of 2T . Charlie measures the received pulses in time-interference bases and applies a passive-basis choice. Bits are encoded in the time basis and coherence is checked in the interference basis. For Charlie, we set that |0 A |α B (|α| 2 = µ) means 0 and |α A |0 B means 1. Charlie employs D 1 and D 2 to perform passive measurements in the time basis. Specifically, the bit value is 0 when only D 2 clicks in the time basis while the bit value is 1 when only D 1 clicks. The distance between BS2-BS3 is longer than that between BS1-BS3 so as to delay Bob's pulses for a fixed time T before entering the interferometer, which helps transform Alice's and Bob's pulse trains with the period of 2T into pulse trains with the period of T in two arms of the interferometer after BS3. The delay introduced in one arm of the interferometer is used to make the neighboring pulses interfere with each other. Coherence can be quantified through the visibility of the interference. We denote the time slot when Charlie performs interfero- metric measurements as i, with i ∈ {T, 2T, 3T, ..., 2N T }, where N is the is the total number of pulses sent by Alice (Bob). And we set k is an integer ranging from 1 to N. Visibility can be calculated by [31]: where P (D t ) is the probability that detector D 3 clicks when i = (2k + 1)T or D 4 clicks at i = 2kT and P (D f ) is the probability that detector D 4 clicks at (2k + 1)T or D 3 clicks at 2kT . The definition of visibility is similar to that in coherent one-way QKD and we relate the two schemes in Section III. If the coherence of the signals is perfectly preserved, P (D f ) = 0 and V = 1. The whole process of our protocol is stated as follows: 1. Preparation. Alice (Bob) randomly prepares weak coherent pulses |α with probability t, and |0 with probability 1 − t. Bob flips his logic bits after sending his pulses. They send the optical pulses to Charlie through insecure quantum channels.
2. Measurement. Charlie measures the received pulses in time-interference bases. Alice's (Bob's) pulse is split into two sub-pulses by BS1 (BS2). For Alice (Bob), one of two sub-pulses is sent to D1 (D2) for measurements in the time basis and the other two bunches of pulses are used for interferometric measurements. Charlie records when and which detector clicks. If different detectors click at the same time in the time basis, Charlie randomly chooses a bit value. If detectors click at the same time in different bases, Charlie discards relevant data.
3. Reconciliation. Charlie announces the moment when detectors click and the corresponding basis information. Alice and Bob publicly announce the intensity information only when detectors in interference basis click. Participants calculate visibility when there exist two neighboring |α , i.e. |α b k |α a k or |α a k+1 |α b k .
4. Parameter estimation. Participants disclose a part of bit values from time basis to estimate the bit error rate and the gain of states, |0 |α and |α |0 , which are used to encode logic bits. They evaluate the information Eve gets by calculating the visibility.
5. Key distillation. They extract the common conference key after classical error correction and privacy amplification.

III. SECURITY ANALYSIS
We discuss the security of our protocol in this section. As depicted in figure 2, we reduce our scheme to previous coherent one-way QKD [31]. We first present the typical coherent one-way QKD set-up in figure 2(a). Alice sends pulses and Bob detects them. For both of them, logic bits are encoded with two-pulse sequences. As an intermediate step towards our scheme, the common path of coherent one-way QKD is unfolded in figure 2(b). In this case, the two pulses travel on separate channels and are encoded together. The rule of encoding logic bits is similar to above. Blue pulses are one-pulse time later than red ones. After BS3, red and blue pulses with the period of 2T are transformed into pulse trains with the period of T in two arms of the interferometer, respectively. On short arm of the interferometer, the blue pulses have the opposite phase with other pulses, which is the only difference between figure 2(a) and figure 2(b) in the interference basis. Therefore, we calculate visibility according to the parity of pulse's time slot which can be seen in equation (1). The two schemes are equivalent from a security perspective. In figure 2(c), we present the quantum CKA scheme. The detecting section have been outsourced to Charlie and the users' stations have been separated. Alice and Bob send pulses at the same time and Bob's (blue) pulses are postponed before entering the interferometer, which makes no difference in the measurements. Therefore, attacks on two different protocols have same influence. Thus we can take advantage of the security analysis of the existing protocol which is secure against a large class of collective attacks [32,33].

IV. KEY RATES
By using the result of coherent one-way QKD (see also in A), the asymptotic conference key rate of our protocol can be written as where Q xy is the gain for the case of Alice choosing intensity x and Bob choosing intensity y, with x, y ∈ {0, µ}. E T is the error rate under time basis and h(x) is the binary Shannon entropy. V is visibility in the interference basis. Q µ f h(E µ ) is the leaked information during classical error correction. Here, Q µ and f are the Unfolded QKD setup. The common path of length L in a is split into two separate paths with length L. Red pulses and blue pulses travel on their own path, where blue ones are one-pulse time later than red ones. And they are split by different BSs. One sub-pulse of blue (red) pulse is detected by detectors D1 (D2). The other two sub-pulses are the input of an asymmetric Mach-Zehnder interferometer. (c). Setup in this work. We use two light sources to send pulses independently. They send pulses at the same time. But the blue pulses are delayed for one-pulse time before interferometric measurements.
overall gain under time basis and the error correction efficiency, respectively. E µ is the max error rate between X (X ∈ {Alice, Bob}) and Charlie. [33]. More simulation details can be seen in B. Here, we assume that the sources and channels are all symmetric. The distances between Alice-Charlie and Bob-Charlie are L/2. Besides, the detection efficiencies and dark count rates of Charlie's detectors are the same. The total efficiency of quantum channel is is the efficiency of one quantum channel. The repeaterless bound between two users is PLOB bound and its form is − log 2 (1 − η) [35], where η is the channel efficiency between two users. Denote η lim = η d ×10 −αL/10 as the total efficiency among quantum channels and η rpl = − log 2 (1 − η d × 10 −αL/20 ) as repeaterless bound [36,37], which is a generalized form of the two-user repeaterless bound [35,38]. We utilize the practical parameters which are presented in

FIG. 3.
Conference key rates using the experimental parameters in Table I. We define the misalignment rate under time basis as e d = 0.001 and the misalignment rate under interference basis as e ′ d . We set e ′ d = 1%, and 3% and compare their key rates to total efficiency among quantum channels and repeaterless bound.
above-mentioned steps, the performance of our protocol is shown in figure 3. Conference key rates in our protocol can break the limit of the total efficiency among quantum channels when the misalignment rate of interference basis e ′ d is lower than 3%. Under this circumstance, the transmission distance of our protocol reaches over 450 km theoretically.

V. CONCLUSION
In summary, by employing coherent states, we have proposed a practical quantum CKA protocol that allows three parties to share secure conference keys. Since Charlie encodes logic bits with a nonempty coherent state and a vacuum state, the key feature of our scheme is removing the requirement of coincidence detection, which is similar to the key idea of twin-field QKD. Scaling as O( √ η) rather than O(η), the conference key rate of our practical protocol can surpass the limit of the overall efficiency among quantum channels when the misalignment rate of the interference basis is lower than 3%. The key rates of existing quantum CKA protocols are lower than that of repeating QKD and our protocol makes a contribution to narrowing the gap. Our protocol can be theoretically demonstrated over 450 km, whose performance is significantly beyond that in most previous works. Furthermore, encoding logic bits with coherent pulses, without the process of phase randomization and multiple intensity modulation, decreases the experimental difficulty and avoids the possible attacks caused by imperfect phase randomization. Besides, a strong reference pulse for synchronization and the phase stabilization are also required in our protocol.
We believe that our practical quantum CKA protocol has wide application prospect and can be widely imple-mented in the approaching large-scale quantum network. But note that our scheme still fails to beat the repeaterless bound and extending our scheme to N (N > 3) parties is a nontrivial work. Unlike the twin-field QKD, our protocol is not a measurement-device-independent scheme. We hope evolving technologies can improve our protocol's performance.

VI. ACKNOWLEDGMENTS
We gratefully acknowledge support from the National Natural Science Foundation of China (under Grant No. 61801420); the Key Research and Development Program of Guangdong Province (under Grant No. 2020B0303040001); the Fundamental Research Funds for the Central Universities.
Appendix A: Coherent one-way QKD Coherent one-way QKD is one of the most practical protocols in the realm of quantum cryptography. In this section, we present a brief introduction to coherent oneway QKD [31].
There are 2 participants, Alice and Bob, in this scheme. Alice sends pulses and Bob detects them. As shown in figure 4, Alice consists of an attenuated laser source followed by an intensity modulator and Bob owns beam splitters and detectors. Alice prepares either a pulse of mean photon number µ (µ = |α| 2 ) or a vacuum pulse. The logic bits sent are encoded in the two-pulse sequence consisting of a nonempty and an empty pulse. Bits 0 and 1 are encoded with |α 0 := |0 |α and |α 1 := |α |0 . Bob recovers the bit value simply by measuring the arrival time of the laser pulse. To detect attacks on |α 0 and |α 1 , Alice randomly sends a decoy state, |α t := |α |α , to check for phase coherence between any two successive laser pulses. BS2 and BS3 form an asymmetric Mach-Zehnder interferometer. The coherence of both decoy and 1-0 bit sequences can be checked with a single interferometer.
Detailed protocol is summarized as follows: 1. Preparation. Alice sends bit 0 or 1 with probability 1−t 2 and the decoy sequence with probability t. 2. Measurement. Bob uses D1 to establish the raw key and the other detectors for interfermeotric measurements.
3. Reconciliation. When sufficient data is accumulated, Bob reveals for when detector clicked and the corresponding detector. Alice tells Bob which bits he has to remove from his raw key, since they come from detections of decoy sequences.
4. Parameter estimation. Alice evaluates the information Eve gets by analyzing the time and basis of clicks and calculating the visibility.
5. Key distillation. Alice and Bob run an error correction and a privacy amplification, and then extract the common conference key. In [32], security of coherent one-way QKD against collective attacks has been considered and an upper bound on the secret key rate for this protocol has been derived. From [32,33], we can know when comes to infinite key length, the key rate of coherent one-way QKD is where R s is the gain of pulses that can be used for encoding bits and Q is the quantum bit error rate. ζ(µ, V ) = (2V − 1)e −µ − 2 (1 − e −2µ )V (1 − V ) and leak EC means the leaked information during the process of error correction.

Appendix B: Simulation details
The asymptotic conference key rate of the ideal protocol is where Q xy is the gain for the case of Alice choosing intensity x and Bob choosing intensity y, with x, y ∈ {0, µ}. E T is the error rate under time basis and is the binary Shannon entropy. V is visibility in the interference basis. Q µ and f are the overall gain in the time basis and the error correction efficiency, respectively. E µ is the max error rate between X (X ∈ {Alice, Bob}) and Charlie. ζ(µ, V ) is the same as that in coherent one-way QKD. In the following part, we present how to obtain the values of parameters used in equation (B1). For coherent states, we take |k a A |k b B as an example. When sending |k a A |k b B , the gain can be given by E kak b is the error rate when sending corresponding pulses and mainly owing to the misalignment rate of basis, denoted as e d . Besides, imperfect detectors also contributes to error rate and the error rate of this kind of errors is e 0 = 1 2 . It can be given by E T is the error rate under time basis, which originates from |0 A |α B and |α A |0 B , while E V means the error rate under interference basis, which originates from |α A |α B . By E T (Q α0 + Q 0α ) = E 0α Q 0α + E α0 Q α0 , we can get E T , The process of calculating E V is similar to above. But the pulses measured in interference basis experience more channel loss and we assume the overall transmission and detection efficiency under interference basis η V = η/10. By E V = 1−V 2 , we can get the value of visibility.
The bit error rate between Alice-Bob is almost twice as that between Alice-Charlie or Bob-Charlie. Therefore, we set Charlie's raw key as reference key. Since Alice and Bob are symmetric, we merely need to work out the error rate of Alice-Charlie. For both Alice-Charlie and Bob-Charlie, as long as Alice and Bob send the same state and Charlie detects it, it will result in an inevitable error. Thus, either of them has half the errors. |α A |0 B and |0 A |α B also contribute to the error rate. In fact, their error rates here equal to E α0 and E 0α . Obviously, E 0α = E α0 and Q 0α = Q α0 , so (B4) For free parameters µ and t, we utilize Genetic Algorithm to find their optimal value. Utilizing the practical experimental parameters in [34] , we can get the relationship between the conference key rate and transmission distance.