CV-MDI-QKD with coherent state: beyond one-mode Gaussian attacks

A general security proof of continuous variable (CV) measurement device independent (MDI) quantum key distribution (QKD) should not be automatically reduced to the analysis of one-mode Gaussian attacks (in particular, independent entangling-cloner attacks). To stress this point, the present work provides a very simple (almost trivial) argument, showing that there are an infinite number of two-mode Gaussian attacks that cannot be reduced to or simulated by one-mode Gaussian attacks. This result further confirms that the security analysis of CV-MDI-QKD must generally involve a careful minimization over two-mode attacks as originally performed in (Pirandola et al, 2015 Nature Photon. 9, 397–402; arXiv:1312.4104 (2013)).


Introduction
Measurement-device-independent quantum key distribution (MDI-QKD) [1,2] promises to be a remarkably effective solution for the practical implementation of the next generation of QKD infrastructures, in which privacy should be granted over a quantum network. In MDI-QKD the authorized users of the network, Alice and Bob, exploit a swapping-like protocol where secret correlations are established by the measurement of a third untrusted party, the relay [1,3–6]. The relay performs a Bell measurement but, in order to achieve security, it is not required to pass a Bell test. By contrast, in fully device-independent QKD [7,8], the privacy of the shared key depends on passing a Bell test, which is still an operation performed with very poor success rates [9–11]. The power of the MDI approach lies in its practicality: one can achieve high-rate, side-channel-free, unconditionally secure network communication.
In recent years the study of QKD protocols [12] based on quantum continuous variables (CVs) [13] has attracted increasing attention because of several appealing properties of CV systems: protocols use bright coherent states and exploit standard telecommunication technologies, in particular coherent detection techniques already developed for classical optical communication [14]. In addition, CV-QKD is interesting for the relatively simple implementation of protocols at different frequencies [15,16]. Finally, exploiting a CV point-to-point protocol with state-of-the-art classical reconciliation and error correction schemes [17–19] allowed the implementation of CV-QKD in the laboratory over a distance of 80 km [20]. After this work, several other experimental realizations have shown progress for integrated miniaturization [21] and implementation of long-distance communication [22,23]. The high-rate performance of CV-QKD is not so far from the secret key capacity of the lossy channel, also known as the PLOB bound [24,25], which is achievable by a CV-QKD protocol based on the reverse coherent information [26].
In 2013 we proposed a CV-MDI-QKD protocol, which we have also successfully tested in a proof-of-principle experiment [3]. In particular, we proved that our scheme is capable of remarkably high key rates per use of the communication channel, over the length of metropolitan range distances. This performance is considerably higher than implementations based on discrete variables [27]. We therefore believe that CV-QKD will play a crucial role in future implementation of metropolitan quantum cryptography. At this scale, in fact, both high density of untrusted nodes and high rates should be considered nonnegotiable properties, if we want a quantum network capable of competing with present classical infrastructure.
In this work we provide a further discussion on the security analysis of CV-MDI-QKD given in [3,4]. We show, by simple arguments, that the security analysis restricted to one-mode Gaussian (entangling-cloner) attacks can only account for a subclass of all possible eavesdropping strategies. In particular we provide a counterexample in order to explicitly prove that, if we model Eve's attack assuming a restricted strategy, based on independent entangling cloners, one cannot generate all the possible covariance matrices shared between Alice and Bob. Our analysis confirms that a complete security analysis of CV-MDI-QKD cannot avoid considering two-mode Gaussian attacks, as originally done in [3,4].
The structure of the paper is the following. In section 2 we present the protocol. Section 3 gives general considerations about the security analysis, marking the difference between theoretical and experimental analyses. Section 4 provides a simple counter-example to the (wrong) assumption that an attack by independent entangling cloners would be complete. Finally, section 5 is for our conclusions.

Description of the protocol
We start with a brief description of the protocol [3]. At one side, Alice prepares a mode A in a coherent state $|\alpha\rangle$ whose amplitude α is modulated by a Gaussian distribution with zero mean and large variance. At the other side, Bob prepares his mode B in another coherent state $|\beta\rangle$ whose amplitude β is modulated by the same Gaussian distribution as Alice. Modes A and B are then sent to an intermediate relay where a CV Bell detection is performed. The classical outcomes are combined in a complex variable γ, which is communicated to Alice and Bob via a public channel. As a result, knowledge of γ enables each party to infer the variable of the other party by simple post-processing (see figure 1).
In general, the relay is assumed to be untrusted [1], i.e., operated by Eve, and also the links with the relay are subject to eavesdropping. The protocol is assumed to be performed many times, so that the honest parties collect a large amount of classical data (we consider asymptotic security here). Using several tools, including de Finetti arguments and the extremality of Gaussian states (see [3] for more details), one can reduce the security analysis to considering a two-mode Gaussian attack against the two links with the relay (performing a proper CV Bell detection). This type of attack can be constructed by suitably combining two canonical forms [28] into a correlated-noise Gaussian environment. The most relevant canonical forms are clearly the lossy channels.
In this scenario, the two modes A and B are mixed with two ancillary modes, $E_1$ and $E_2$, by two beam splitters with transmissivities $\tau_A$ and $\tau_B$, respectively. These ancillary modes belong to a reservoir of ancillas ($E_1$, $E_2$ plus an extra set e) in a pure Gaussian state. The reduced state $\sigma_{E_1 E_2}$ is a correlated thermal state with zero mean and covariance matrix (CM) in the normal form are the variances of the thermal noise affecting each link, while $g$ and $g'$ are correlation parameters, satisfying suitable physical constraints [29,30]. After interaction, Eve's ancillas are stored in a quantum memory, measured at the end of the protocol (see figure 2).
In order to deal with the joint attack, Alice and Bob must retrieve the joint statistics of the variables α, β, and γ. For this purpose, they publicly compare a small part of their data and reconstruct the probability distribution p(α, β, γ). The empirical values of the transmissivities $\tau_A$ and $\tau_B$ are accessible to the parties from the first-order moments of p(α, β, γ). Knowing these values is essential in order to apply the correct post-processing and rescaling of the output data. Then, from the second-order moments of p(α, β, γ), Alice and Bob can extract the CM $V_{ab|\gamma}$ that they would share in an equivalent entanglement-based representation of the protocol [31] and conditioned to the outcome γ of the Bell detection at the relay (see [3] for more details). From this shared post-relay CM, they can derive the secret-key rate of the protocol.

General considerations on the security analysis
It is important to note that, once the shared CM $V_{ab|\gamma}$ is reconstructed by Alice and Bob, the secret-key rate can be (numerically) computed no matter what the actual eavesdropping strategy was. In fact, it is sufficient to consider the purification of the state $\rho_{ab|\gamma}$ into an environment which is assumed to be fully controlled by Eve. This is a pretty standard method in CV-QKD.
However, while this approach is valid for experimental demonstrations, it is generally not sufficient for deriving analytic expressions of the key rate R, just because there are too many free parameters in the CM. Having simple analytic expressions is crucial in order to theoretically compare the performances of different QKD protocols. The next theoretical step is therefore the reduction of the free parameters to a minimum set which is accessible to the parties and that allows us to write a closed formula for R (or a lower-bound to R).
It is typical to derive a single quantifier of the noise, the so-called 'excess noise' ε, to be associated to the observed values of the transmissivities $\tau_A$ and $\tau_B$. Such a reduction is the non-trivial part of the theoretical analysis since it requires a minimization of the rate with respect to all degrees of freedom of Eve, once the triplet $\tau_A$, $\tau_B$, and ε has been fixed. One important pre-requisite for such a reduction is the correct modelling of the most general attack that Eve can perform against the protocol. The entire 'space of the attacks' must be covered in this analysis. As pointed out in [3], CV-MDI-QKD requires the explicit consideration of all two-mode Gaussian attacks, not just one-mode Gaussian attacks, where $g = g' = 0$. The latter class is in fact restricted and can only lead to partial security proofs.

Simple counter-example to one-mode attacks
Here we easily show that one-mode Gaussian attacks represent a restricted class and, therefore, a security proof of CV-MDI-QKD based on these attacks can only be partial. Furthermore, since they form a restricted class, it does not make sense to claim their optimality.
For the sake of simplicity, consider the symmetric configuration [4], where Alice's and Bob's channels are identical lossy channels, with the same transmissivity τ. Extension to asymmetric configurations is just a matter of technicalities. After the action of the relay, the shared CM of Alice and Bob is simply given by [3]

Figure 2. Two-mode Gaussian attack against CV-MDI-QKD. Figure adapted from [3]. The traveling modes A and B interact with ancillary modes $E_1$ and $E_2$. The links to the relay are described by beam splitters with transmissivities $\tau_{A,B}$ and thermal noise $\omega_{A,B}$. Modes $E_1$ and $E_2$, together with the general set of additional modes e, describe the reservoir of ancillas $\{E_1, E_2, e\}$.

In the previous CM, the modulation parameter μ is known to Alice and Bob, and also the transmissivity τ which is derived by comparing the shared data and computing the first-order moments. By contrast, Alice and Bob do not directly access the values of the thermal noise and the correlation parameters, since they are combined in the x-parameters of equation (4). The fact that the parameters $\omega_A$, $\omega_B$, $g$ and $g'$ get scrambled in $x$ and $x'$ has led some authors [32] to claim that one-mode attacks ($g = g' = 0$) with suitable values of the thermal noise ($\omega_A$ and $\omega_B$) could simulate any two-mode attack with arbitrary $\omega_A$, $\omega_B$, $g$, and $g'$. However, this is not the case.
To understand this point, it is important to note that the components of the CM $V_{ab|\gamma}$ are monotonic in $x$ and $x'$. As an example, the top-left component is increasing in $x$, so that $V_{11}$ is minimum when $x$ is minimum. In the case of one-mode attacks ($g = g' = 0$), we have $x \geq 1$. It is therefore clear that any two-mode attack such that $x < 1$ cannot be simulated by one-mode attacks. Indeed there is an infinite number of such two-mode attacks. In fact, let us assume that Eve performs a two-mode attack with $\omega_A = \omega_B = \omega$ and $g' = -g$. In this case, we have $x = x' = \omega - g$, and the condition $x < 1$ corresponds to imposing in which case Eve's ancillas are entangled [30]. Thus, for any value of ω, we can pick an entangled two-mode attack which cannot be simulated by one-mode attacks. In other words, this entangled attack generates a shared CM $V_{ab|\gamma}$ which does not belong to the set of possible CMs associated with one-mode attacks. As depicted in figure 3, there is an infinite number of entangled attacks which cannot be reduced to one-mode attacks.
One may attempt to enlarge the set of one-mode attacks by allowing for squeezed thermal noise, i.e., the use of thermal states with asymmetric variances, $\omega_A^q$ for the q-quadrature and $\omega_A^p$ for the p-quadrature (and similarly, $\omega_B^q$ and $\omega_B^p$, for the other ancilla). In this case, equation (4) for one-mode attacks would become , it is easy to check that realizing $x < 1$ would imply $x' > 1$, and vice versa. As a result, there will always be components in the shared CM $V_{ab|\gamma}$ whose values, for entangled attacks, cannot be realized by assuming one-mode attacks.
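A numerical check of the counter-example above, added here and not part of the original paper: for the symmetric attack with thermal noise ω on both links and correlations g′ = −g, it builds Eve's CM, tests physicality and entanglement through symplectic eigenvalues, and evaluates x = ω − g against the one-mode bound x ≥ 1. Assumptions: vacuum noise is normalized to 1, Eve's CM has the normal form with diagonal blocks ω·I and off-diagonal block diag(g, g′), and all function names are hypothetical.

```python
import numpy as np

J = np.array([[0.0, 1.0], [-1.0, 0.0]])  # one-mode symplectic form

def eve_cm(omega, g):
    """CM of Eve's modes E1, E2 (ordering q1, p1, q2, p2) for the symmetric
    attack omega_A = omega_B = omega, g' = -g. Normal form is an assumption."""
    G = np.diag([g, -g])
    return np.block([[omega * np.eye(2), G], [G, omega * np.eye(2)]])

def symplectic_eigs(V):
    """Symplectic eigenvalues: moduli of the eigenvalues of i*Omega*V."""
    n = V.shape[0] // 2
    Om = np.kron(np.eye(n), J)
    ev = np.sort(np.abs(np.linalg.eigvals(1j * Om @ V)))
    return ev[::2]  # each value occurs twice

def classify(omega, g, tol=1e-9):
    """Physicality, entanglement and x-parameter of a symmetric attack."""
    V = eve_cm(omega, g)
    # Bona fide CM: positive definite and all symplectic eigenvalues >= 1.
    physical = bool(np.linalg.eigvalsh(V).min() > 0
                    and symplectic_eigs(V).min() >= 1 - tol)
    # PPT test: flip the sign of p2, then look for an eigenvalue below 1.
    P = np.diag([1.0, 1.0, 1.0, -1.0])
    entangled = bool(physical and symplectic_eigs(P @ V @ P).min() < 1 - tol)
    x = omega - g  # x = x' = omega - g for this attack
    return {"physical": physical, "entangled": entangled,
            "x": x, "outside_one_mode": bool(x < 1 - tol)}

def witness(omega):
    """For omega > 1, pick g midway between omega - 1 (onset of x < 1) and
    sqrt(omega^2 - 1) (largest physical correlation for g' = -g)."""
    g = 0.5 * ((omega - 1.0) + np.sqrt(omega**2 - 1.0))
    return g, classify(omega, g)

if __name__ == "__main__":
    for omega in (1.01, 2.0, 10.0, 100.0):  # constructed sample values
        g, r = witness(omega)
        print(f"omega={omega:7.2f} g={g:9.4f} x={r['x']:.4f} "
              f"physical={r['physical']} entangled={r['entangled']}")
```

Every sampled ω > 1 yields a physical, entangled attack with x < 1, while setting g = 0 gives x = ω ≥ 1 and a separable environment.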

Conclusion
We have considered the security analysis of CV-MDI-QKD. We have explicitly shown that one-mode Gaussian (entangling-cloner) attacks represent a restricted class, which cannot generate all the possible shared CMs for Alice and Bob. This is true for any fixed value of the transmissivity τ for the two lossy channels (extension to different transmissivities $\tau_A$ and $\tau_B$ is trivial). This very simple result confirms the necessity of explicitly studying two-mode Gaussian attacks in a general security analysis of CV-MDI-QKD, as originally considered in [3].
Note that the advantage of using attacks based on correlated ancillas has also been discussed for two-way protocols [33,34]. In that case the honest parties have to resort to additional strategies to re-establish security, as described in [35].