Loophole-free plug-and-play quantum key distribution

Robust, simple, and flexible quantum key distribution (QKD) is vital for realizing practical applications of this technique. Contrary to typical phase-coded QKD schemes, the plug-and-play QKD design requires only one arm-length-insensitive interferometer without active feedback, in which the noise is automatically compensated by the two-way structure. However, there are certain possible loopholes in the typical plug-and-play designs, which require consideration and strict monitoring. This study proposes a new design of theoretically loophole-free plug-and-play QKD scheme with two-way protocol and presents an experimental demonstration of said scheme. The security is analyzed under a collective attack scenario assisted by the decoy state method. The scheme was implemented in a 50.4 km commercial fibre without active feedback. The system showed highly robust performance with an ultra-low error rate and maintained an ultra-high visibility of 0.9947 ± 0.0002 through significant environmental changes over 24 hours.


Introduction
The principles of quantum mechanics enable novel information security methods. Since the first quantum communication protocol was proposed in 1984 [1], there have been rapid developments in both theory and experiments [2][3][4][5][6][7]. Quantum key distribution (QKD), a forerunner technique in the application of quantum information, can operate in optical fibre [7] or in free space [6]. The signal can be encoded in various degrees of freedom, such as the polarisation and phase states of photons. Among them, phase and time-bin encoding [7,8] are widely adopted in fibre systems due to their high transmission stability.
However, environmental noise presents a significant challenge for the practical application of QKD. The main factors are the mismatching and phase drift of the interferometers, and birefringence in the fibre. In particular, it is impossible to keep the relative length of the double Mach-Zehnder interferometer stable when the two legitimate users are separated [9]. A widely adopted way to solve this problem is to use a pair of customised interferometers with a feedback system between the users, but it is not applicable in all situations. In addition to the complexity of implementing the system, rapid temperature changes and mechanical vibrations present challenges to the reliability and efficiency of the feedback system in practical applications, such as fibre hanging from a pole on a windy day, or other environmental conditions at the users' locations. In addition, users need to share interferometers of the same model in advance, which limits the flexibility of the technique in some applications. Moreover, feedback between the users requires much more real-time classical communication, which may lead to a greater risk of being hacked through side channels. Another method is to use the design of Martinelli [10], in which the polarisation drift is automatically corrected through the use of a Faraday mirror with a two-way structure. Therefore, the plug-and-play scheme [9] can greatly reduce the noise without active feedback because the two pulses in the phase coding go through the same forward-backward path and compensate the polarisation fluctuation and phase drift of each other. However, there are various possible loopholes [11][12][13][14][15][16][17], such as phase-remapping attacks, Trojan horse attacks, and untrusted source attacks, which must be considered and strictly monitored. Typical two-way quantum communication schemes [18][19][20] can be proved to be unconditionally secure [21][22][23][24][25], but those photons chosen for monitoring go through only the forward channel, where the tailor-made interferometers and feedback system are still required.
Here, we propose a theoretically loophole-free plug-and-play scheme with a two-way QKD protocol based on non-orthogonal time-bin and phase states. When a pulse enters an asymmetric interferometer, it is split into two subpulses, where the one taking the short path is denoted as $|0\rangle$, and that taking the long path is denoted as $|1\rangle$. The time-bin states $\{|0\rangle, |1\rangle\}$ are the eigenstates of   . The superposed phase states $|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$ are the eigenstates of   . The key principle is to encode bits of the key only in the states in the X-basis, and use the states in the Z-basis in the forward path to monitor the phase error of the states in the X-basis. Because the states in the Z-basis are highly stable against flip errors, neither an interferometer nor compensation of the phase or polarisation is required. To eavesdrop, Eve has to perform some operation over the forward channel [21], causing errors in the Z-basis and eventually leading to her exposure. Because those bits carrying phase-encoded states pass through the same interferometer, both the forward and backward paths are automatically compensated and highly robust. In principle, the proposed design could find an entirely accurate measurement basis itself. Apart from the electronic control errors and constant background noise such as dark counts, the errors from mismatching, drift, and flip are almost non-existent. Even if the interferometer and the quantum channel are subject to significant environmental changes over an extended period of time, active feedback between the users is still unnecessary, which indicates the high robustness of this plug-and-play system.

The Protocol
As is common in QKD, the public announcements by Alice and Bob are performed over an authenticated channel. For simplicity, we first assume that the source is an ideal single-photon source. The protocol contains the following four steps. where , in the X-basis. He only keeps the results for those he prepared in the X-basis, namely   = 1. Bob discards the results if   = 0.

4. Post-processing: Bob announces the BER. With the BER and the remaining results, Alice and Bob can bound the information leakage and perform post-processing such as error correction and privacy amplification [26].
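The role of the two bases in the protocol can be checked numerically. The following Python sketch is an added example, not code from the paper: it models the qubit as a real two-vector and the forward-channel disturbance as a measure-and-resend step applied with probability `q` (both are assumptions of this example), and computes the exact Z-basis monitoring BER at Alice and the X-basis key BER at Bob.

```python
import math

S = 1 / math.sqrt(2)
# Constructed toy model: real 2-vectors stand in for the time-bin/phase qubit.
BASES = {"Z": [(1.0, 0.0), (0.0, 1.0)],   # |0>, |1>
         "X": [(S, S), (S, -S)]}          # |+>, |->

def measure(state, basis):
    """Projective measurement: list of (probability, outcome bit, post-measurement state)."""
    out = []
    for bit, vec in enumerate(BASES[basis]):
        amp = state[0] * vec[0] + state[1] * vec[1]
        out.append((amp * amp, bit, vec))
    return out

def forward_channel(state, q, tap_basis):
    """With probability q the pulse is measured in tap_basis and resent; else it passes untouched."""
    branches = [(1.0 - q, state)]
    branches += [(q * p, post) for p, _, post in measure(state, tap_basis)]
    return branches

def alice_encode(state, a):
    """Alice's two operations: identity for bit 0, sign flip on |1> for bit 1."""
    return (state[0], -state[1]) if a else state

def expected_bers(q, tap_basis):
    """Exact (Z-basis monitoring BER at Alice, X-basis key BER at Bob)."""
    ber_z = 0.0
    for k, state in enumerate(BASES["Z"]):            # Bob's monitoring states
        for w, s in forward_channel(state, q, tap_basis):
            ber_z += 0.5 * w * sum(p for p, bit, _ in measure(s, "Z") if bit != k)
    ber_x = 0.0
    for k, state in enumerate(BASES["X"]):            # Bob's key-carrying states
        for a in (0, 1):                              # Alice's key bit
            for w, s in forward_channel(state, q, tap_basis):
                back = alice_encode(s, a)             # state on the backward channel
                ber_x += 0.25 * w * sum(
                    p for p, bit, _ in measure(back, "X") if (bit ^ k) != a)
    return ber_z, ber_x

if __name__ == "__main__":
    for basis in ("X", "Z"):
        for q in (0.0, 0.1, 1.0):
            bz, bx = expected_bers(q, basis)
            print(f"tap={basis} q={q:.1f}  BER_Z(monitor)={bz:.3f}  BER_X(key)={bx:.3f}")
```

In this model a disturbance in the X-basis leaves the key BER at Bob untouched and shows up only in Alice's Z-basis check, which is why the monitoring states are needed in the forward path.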

Security Analysis
We restrict ourselves to the case of collective attack with an infinite scenario [5]. According to Devetak-Winter's theory [27,28], the maximum achievable secure key rate (SKR) is where   represents the mutual information between Alice and Bob, and   is the maximum amount of information an eavesdropper can obtain using the best possible strategy. The channel between Alice and Bob can be treated as a cascaded channel consisting of a binary symmetric channel and a binary erasure channel in series. The supremum of the mutual information between Alice and Bob   is limited by the Shannon limit according to the noisy-channel coding theorem, where  is the BER between the legitimate users,  represents the probability of Alice obtaining a raw key bit and  represents the efficiency of error correction, and ℎ( represents the binary Shannon entropy. Some error correction codes such as low density parity check (LDPC) codes can approach the Shannon limit very closely. Weak coherent pulses are often used as the source instead of single photons; multi-photon pulses enable Eve to obtain more information. In such a case, the maximum amount of information Eve can acquire becomes [29], where   ,1 represents the maximum amount of information Eve can obtain from single photons, Δ 1 and Δ 0 are the fraction of detection events from single-photon and vacuum states, respectively, which can be accurately estimated by the decoy state method for the states in X-basis at Bob's end [30][31][32].
In the following, we restrict the upper bound of   ,1 . The prepared quantum state is  and we consider the case of collective attack, where the most general quantum operation Eve may perform in the forward channel consists of a joint operation on the qubit and some ancilla of Eve, where | represents Eve's ancillary state and  is a unitary operation acting on the joint space of the ancilla and the qubit. After the operation performed by Alice, the state becomes, where   0 =     + and   1 =      +  are the encoded states of 0 and 1, respectively. The information Eve can obtain from single photons is upper-bounded by [33], where () is the von Neumann entropy. Furthermore,   0 and   1 only differ from  ⊗ | | by some unitary transformations, therefore, (  ) can be obtained by the Gram matrix representation [34]. Without loss of generality, the effect of the unitary operation may be represented as, The corresponding Gram matrix of   can be written as The eigenvalues of  can be easily obtained as, where Obviously, (  ) is monotonically decreasing with  1 and  2 . Therefore, it has a maximum when The BER of single photons measured in the Z-basis is  ,1 =  01 |  01 . Then, the upper bound of   ,1 can be written as where the value of  ,1 can be upper-bounded by the decoy state methods for the states in Z-basis at Alice's end. Thus, the SKR is Clearly   will decrease rapidly or even reach zero when  and  ,1 increase. Therefore, a high ratio of the maximum tolerable error rate to the experimental error rate reflects a high robustness to environmental noise.

The experimental set-up is shown in Figure 1. The mean photon numbers of the signal state and decoy state are  = 0.6 and  = 0.2, respectively, with a 50 MHz repetition rate. Two subpulses pass through the same interferometer, so that the phase difference of the two pulses is stable. To control the polarisation, a ring with a Faraday rotator was designed to replace the Faraday mirror [35], and all the modulators were polarisation-sensitive, which makes the system more stable. In particular, the subpulses only go through the modulators once and there was no crosstalk between the forward and backward channels. This design allows the use of a repetition rate greater than 1 GHz. In an 80-minute test, the BER in the X-basis is 0.64 %. At Bob's end, the gains of signal state, decoy state and vacuum state in the X-basis are    = $1.21 \times 10^{-4}$,    = $3.96 \times 10^{-5}$ and   0 = $3.67 \times 10^{-7}$, respectively. We can estimate the fraction of detection events from the single-photon and vacuum state as,

Performance analysis
where ). At Alice's end, the BER of signal state and decoy state in the Z-basis are both 0.06 %. The gain of signal state, decoy state and vacuum state in the Z-basis are    = $1.97 \times 10^{-2}$,    = $6.32 \times 10^{-3}$ and   0 = $3.81 \times 10^{-7}$, respectively. We can estimate the BER for single photons in the Z-basis as, where . The block size is $3 \times 10^{7}$, and we take the reconciliation efficiency  = 1.2, so that the SKR is $4.956 \times 10^{-5}$, which is about 2.5 kbps. The actual SKR will decrease if the modification of the finite-key [24,36,37] and the occupation of monitoring and decoy states are considered. Table 2 shows the experimental parameters and performance indices. In order to eliminate the influence of the dark count rate (DCR) and modulation errors, we use stronger pulses and only encode 0 to test the performance. Figure 2 shows the visibility being maintained at over 0.994 for more than 24 hours. To imitate significant environmental changes, the entire system is placed next to an open window with a randomly changing polarisation controller connected to the quantum channel. In practice, more than 99% of error bits are caused by Rayleigh backscattering distributed over the entire time domain, which means there is nearly no mismatching or phase drift of the interferometer in our system. For the signal state in the X-basis, the DCR contributes to about 0.04% of the error rate. The Rayleigh elastic backscattering actually contributes to the error rate twice as much compared to the 24-hour test, which is equal to 0.53%. The remaining 0.07% is due to electronic control errors. For the state in the Z-basis, the intensity modulator with an extinction ratio greater than 40 dB contributes 0.01% to the error rate. Thus, the total error rate will easily be lower than 0.02% using an accurate temperature controller.
Here, we simulate the SKR of our scheme at repetition rates of 50 MHz and 1 GHz, as well as 1 GHz without backscattering, as shown in Figure 3. For simplification and optimisation, we choose the mean photon number  of the signal states to maximise the SKR, and the decoy state can perfectly estimate all the parameters. A 90:10 coupler at Alice's end and much weaker states in the Z-basis were used to increase the SKR. When the loss or the repetition rate increases, the Rayleigh backscattering causes significant difficulties for two-way QKD because the ratio of the backscattered power to the entering power is nearly fixed at the value . There are different values  for different fibres, with ordinary fibres typically having  values of approximately −40.5 [38]. Some special fibre manufacturing processes can reduce Rayleigh backscattering, such as increasing the core diameter and changing the doping of materials. However, when the repetition rate increases, the influence of backscattering is still greater than the DCR. When Rayleigh backscattering contributes excessively to the BER, another fibre must be used as the backward channel to eliminate the influence. Under this circumstance, a polarisation controller is needed before decoding to maintain stability and high gain at Bob's end.

Fig. 3. The SKR for 50 MHz, 1 GHz repetition rates and 1 GHz repetition rate without backscattering. We assume  = −40.5,  = $5 \times 10^{-8}$, the loss of fibre is 0.2/, the total loss of encoding and decoding section is 4 and 5, respectively.

Discussion
Although this protocol has been proved to be theoretically secure, there are still possible loopholes that need to be considered in practical applications. In order to estimate the value of  ,1 accurately, the detection efficiency of Alice's detector for all the photons entering Alice's end should be equal. Therefore, depending on the different measurement devices, different modifications are required for eliminating the possible loopholes at Alice's end. For example, if the detection efficiency is sensitive to the polarisation of photons, a randomly changing polarisation controller or a polarisation beam splitter with one more detector will be possible solutions; when the detector's reset time covers some time windows, the corresponding parts of the raw key can be discarded. Trojan horse attacks at Bob's end should also be strictly monitored. By adding an attenuator after the modulators, the information leakage can be limited [13]. Apart from device-independent QKD protocols, the above two experimental vulnerabilities are also found in typical QKD protocols. This new design eliminates theoretical vulnerabilities while retaining the advantages of high robustness, simplicity and flexibility of the typical plug-and-play scheme.

Conclusion
In conclusion, the long-term stable operation and the extremely low BER without active feedback show the high robustness of the system. The loophole-free plug-and-play design with an arm-length-insensitive interferometer provides great security and flexibility for a range of applications. Indeed, the achievable distance of the two-way QKD system can be roughly half that of typical one-way QKD schemes when the same SKR is required. However, different schemes will be used in different situations in the future construction of quantum communication networks. Practical applications are always a trade-off between reliability, flexibility and capacity. Our scheme realises a combination of high reliability and flexibility at the expense of the maximum feasible distance.

Fig. 1. Experimental setup. Laser: 1550 nm with a systematic pulse-repetition frequency of 50 MHz; ATT: attenuator, used for attenuating the laser and simulating the decoy states instead of another intensity modulator; PC: polarisation controller; ILP: in-line polarizer; CIR: optical circulator; PBS: polarisation beam splitter; PMFC: polarisation maintaining filter coupler; PM: 2.2 dB insertion loss commercial lithium niobate phase modulator; IM: intensity modulator with an extinction ratio greater than 40 dB; ISO: isolator; FR: Faraday rotator; SNSPD: superconducting nanowire single-photon detector with 85 % detection efficiency, lower than 100 Hz dark count rate and 15 ns reset time. The length of delay is 2 m.

Fig. 2. System stability over 24-hour environment change for a length of 50.4 km with visibility of 0.9947 ± 0.0002.

Funding.
This work was supported by the National Key Research and Development Program of China under Grant No. 2017YFA0303700 and the National Natural Science Foundation of China under Grant No. 11974205, the Key Research and Development Program of Guangdong province (2018B030325002) and Beijing Advanced Innovation Center for Future Chip (ICFC).

Table 1 . Encoding of the states by Bob
1. State preparation: Bob generates a sequence of single time-bin photon pulses for each time window , As seen in Table 1, when   = 0, |  is the eigenstates of   . When   = 1, |  are the eigenstates of   . Bob prepares the state in eigenstates of   with probability  and in eigenstates of   with probability 1 − . Both the signal carrier states and the monitoring states are randomly in either   = 0 or   = 1. Then Bob sends the sequence of states to Alice, over the forward channel. The values of   and   are never publicly announced.

2. Error-check and encoding: Alice measures the received states with probability  in the Z-basis and sends the measured result and the position to Bob for estimating the bit error rate (BER)   , from those instances in which both Alice and Bob choose the Z-basis. For the remaining states, Alice randomly encodes the bit value with two unitary operations  = $|0\rangle\langle 0| + |1\rangle\langle 1|$ and   = $|0\rangle\langle 0| - |1\rangle\langle 1|$, mapping to bit values 0 and 1, respectively. She sends the operated states back to Bob.

3. Measurement and sifting: Bob measures the states