Practical quantum key distribution over 60 hours at an optical fiber distance of 20km using weak and vacuum decoy pulses for enhanced security

Experimental one-way decoy pulse quantum key distribution running continuously for 60 hours is demonstrated over a fiber distance of 20km. We employ a decoy protocol which involves one weak decoy pulse and a vacuum pulse. The obtained secret key rate is on average over 10kbps. This is the highest rate reported using this decoy protocol over this fiber distance and duration.


I. INTRODUCTION
Quantum key distribution (QKD) involves the secure communication between two remote parties, conventionally named Alice (sender) and Bob (receiver), where the security of the keys is determined by the laws of quantum mechanics rather than the use of strong, one-way mathematical functions to encrypt the keys [1]. Where security is of paramount importance, QKD naturally would be the technique of choice for secret key distribution owing to its unconditionally secure nature. Although since the original proposal [2], there has been a considerable amount of work on QKD, beginning with the first experimental demonstration in 1992 [3], reliable, compact systems with tolerably high enough bit rates compatible with existing telecoms fiber technology are only now starting to emerge [4,5].
Ideally the QKD setup should be arranged employing a true single photon source to guarantee immunity against the so-called pulse number splitting attacks (PNS) [6,7] from a potential eavesdropper (Eve). Presently there are a lack of deterministic, reliable and useful single photon sources. Therefore most implementations rely on heavily attenuated lasers as a photon source which emit photon pulses with a Poissonian number distribution. The PNS attack in such a configuration would consist of blocking any true single photons in the quantum channel, removing part of the multi-photon pulses and transmitting the remaining portion to Bob via a lossless channel. In Eve's best case scenario, Bob's detection rate is maintained while Bob is oblivious to Eve's presence. Eve can then determine all or part of the key [7].
A recent proposal [8] circumvents the PNS attack using additional (decoy) pulses sent by Alice. These pulses in general have different pulses intensities compared to the signal pulses and are interleaved randomly with the signal pulses. Bob measures the transmittances of the quantum channel for these different pulse intensities and can then infer tighter bounds on the final secure key by the ability to detect PNS attacks. Under such conditions Eve is powerless to attack the channel using the PNS. Recently a proof of the decoy pulse protocol has been displayed (GLLP) [9] which also includes realistic (if pessimistic) experimental assumptions; Bob's detectors can be manipulated by Eve and the detectors have finite detection efficiency.
A recent experimental bi-directional decoy pulse system has been implemented [10] but (as pointed out by Ref. [10]) a drawback of bi-directional systems are the pulse intensities can indeed be tampered with by Eve unknown to Alice and Bob, thus compromising security. Very recently we showed an extremely promising one-way QKD system employing a single decoy pulse [11]. This system displayed a high key rate of over 5kbps with 25km of optical fiber. For a non-decoy system using much quieter detectors a secure bit rate of just 43bps was achieved over the same length of fiber [12]. This illustrates the power of the decoy pulse method in providing a much more stringent bound on the security of the final key. Even tighter bounds can be achieved using more than one decoy pulse [6]. Theory shows that it is usually enough to limit the number of decoy pulses to two decoy pulses only. The optimal case for the two decoy pulses is for one decoy of which is a lower intensity ν than the signal pulse µ and another which has an intensity close to zero or "vacuum-like" [13]. The lower bound on the single photon gain, Q L 1 is then given by three transmittances, signal, decoy and vacuum respectively: Q µ , Q ν and Y 0 [10,13]: where Q L ν (Y U 0 ) are the lower (upper) bounds on the decoy pulse and vacuum transmittances respectively , estimated conservatively as ten standard deviations of Q ν (Y 0 ) from the measured value ensuring a confidence interval of 1 − 1.5 × 10 −23 . The bit errors are assumed to derive from the subset of single photon pulses and the upper bound for the single photon error rate can be written as: where ǫ µ is the signal error rate and Y L 0 is the lower bound on the vacuum transmittance (estimated as as ten standard deviations of Y 0 from the measured value). The lower bound on the final secure key rate, R L can then be determined by the following expression: where q = 0.5 for the BB84 protocol, N µ is the total number of signal pulses sent by Alice, f (x) is the bi-directional error correction efficiency above the Shannon limit is estimated is the binary entropy function and the time t is the duration of the key session. The first term in eq. (3) corresponds to error correction; the second term corresponds to the single photon gain modified by privacy amplification (H 2 (ǫ U 1 )). Although the weak + vacuum decoy protocol is predicted to have an improved performance over the single decoy pulse protocol, recent implementations [14,15] show relatively low key generation rates and are limited to local synchronization.
Here we present a one-way weak + vacuum decoy pulse system which has a relatively high secure continuous key rate of more than 10kbps over 20km of fiber length. The key generation rate is stable over the rate time period of 60 hours and the system requires no manual alignment for set-up or during operation.

II. QKD EXPERIMENTAL SETUP
We use a one-way fiber optic QKD system with phase encoding as shown in Fig. 1.
Two Mach-Zehnder phase encoding interferometers are employed for the phase encoding (Alice; sender) and decoding (Bob; receiver). Alice and Bob have a 20km fiber spool linking them through which the signal (λ = 1.55µm) and clock (λ = 1.3µm) optical pulses are transmitted. The 1.3µm clock pulse duration is 5ns with a peak intensity of ∼ 5µW; average intensity is ∼ 200nW at Alice. The clock pulse over the entire transmission distance does not overlap the (1.55µm) signal pulses. The signal laser is a distributed feedback type and emits a fixed intensity train of pulses at a repetition rate of 7.143MHz. An intensity modulator is used to produce signal and decoy pulses of differing intensities. The vacuum  the non-zero decoy (E ν ) are plotted in Fig. 2(b). They are fairly stable and constant. The final secure bit rate is displayed in Fig. 3. A secure bit rate of > 10kbps is observed. The long term drift in the key rate is attributed to long term temperature drift from day through to night (the period is roughly 24 hours) in the laboratory affecting the overall temperature of the 20km fiber spool. In a real world environment the fiber is usually located around 1 meter underground leading to very stable fiber temperatures. This would eliminate this long term drift observed here.
The bit rate of > 10kbps is approximately more than two orders of magnitude higher than what can be achieved at a fiber distance of 20km without decoy states [12]. Indeed, if one were to employ more decoy states than the two we use here, there is not that much advantage to be gained. As shown in [13] the secure bit rate as a function of fiber distance for the single pulse and dual decoy pulse protocols varies significantly. However, the weak plus vacuum protocol is close to the asymptotic limit of using an infinite number of decoy states.
This can be understood intuitively by the fact that the photon distribution is Poissonian and states with a photon number N > 2 have a very small probability of occurring. Hence they will contribute little to the overall photon distribution when the average photon numbers of the signal and decoy states are µ,ν < 1. Additionally, there are practical problems in using more decoy pulses such as a decrease of duty cycle of signal pulses, greater requirements on Alices' random number generator and more data processing power needed.
The possibility of nonlinear effects being generated in the fiber due to the clock and signal pulses is negligible on the results of the quantum key distribution. As stated previously, both clock and signal pulses never overlap in time throughout the entire transmission rendering possible mixing effects negligible. Addtionally, any (small) Raman scattering generated by the clock pluse in the fiber was adequately filtered out using an efficient wavelength division multiplexer at Bob. In any case, if the Raman scattering was a problem, the quantum bit error rate would be higher than observed. Finally, the experimentally observed quantum transmittances agrees very well with the predicted transmittances indicating the system performs with the expected losses accurately.
To assess the possibility of a PNS attack on the key distribution, the technique used previously [11] was to monitor the ratio of transmittances Q ν /Q µ . If Eve decides to implement a PNS attack, the ratio Q ν /Q µ will dip below the expected value as preferentially more multi-photon signals would be transmitted to Bob (the transmittance Q µ > Q ν due to µ > ν). This is displayed in Fig. 4(a)(ii). No secure bit rate is possible with Q ν /Q µ < 0.13. Now with an additional vacuum pulse at our disposal we can also check for Eve's manipulation of the vacuum rates. In keeping with the paranoid assumptions of GLLP [9], we  (2)). The magnitudes of the single photon gain (privacy amplification) are greater (smaller) respectively by using the weak + vacuum protocol compared to employing the single pulse protocol. This is manifest through a tighter bound on the single photon gain eq. (1) and the single photon error rate eq. (2). The second term in eq. (2) reduces the overall single photon error rate due to the measurement of the vacuum pulses.
In the single decoy pulse protocol this term is zero.
Finally we address the issue of the small number of spikes observed in the vacuum counts transmittance ( Fig. 2(a)). All classical messages are exchanged on the internet. We believe the spiking is due to increased internet traffic slowing down classical exchange of information between Alice and Bob and thereby affecting synchronization. It affected less than 1% of the entire set of quantum keys exchanged over the 60 hour period. For large numbers of counts (the signal and decoy pulses) this effect is negligible, but for low numbers of counts (Y 0 ) this effect can be apparent. We are currently working to improve this problem with modifications to the software. However, we note this behaviour does not compromise security as evident from Fig. 4(b)(ii). As can be seen, an increase in Y 0 overestimates the amount of privacy amplification and results in a shorter key, hence lower final secure key rate. The final secure key rate is underestimated for this small fraction of keys.

IV. CONCLUSIONS
In summary, we have demonstrated practical one-way decoy pulse QKD over 20km of optical fiber. The key generation rate is > 10 kbps on average over 60 hours. This is the highest reported key rate for this distance and duration. We believe the system to be a useful milestone in achieving a continuously operating QKD system. It is envisaged that such a system could be placed in a real-world environment such as a quantum nodal network with fiber links of around a few tens of kilometers of fiber. Such a system would be reliable and effective as a means of distributing quantum keys over a long period of time.