Practical decoy-state round-robin differential-phase-shift quantum key distribution

To overcome signal disturbance from the transmission process, a new type of protocol named round-robin differential-phase-shift (RRDPS) quantum key distribution [Nature 509, 475 (2014)] was recently proposed. It can estimate how much information has leaked to an eavesdropper without monitoring bit error rates. In this paper, we compare the performance of RRDPS using different sources, such as weak coherent pulses (WCPs) and a heralded single photon source (HSPS), without and with the decoy-state method. For practical implementations, we propose a finite decoy-state method for RRDPS, the performance of which is close to the infinite one. Taking WCPs as an example, the three-intensity decoy-state protocol can distribute secret keys over a distance of 128 km when the length of the pulse packet is 32, which confirms the great practical interest of our method.


Introduction
Quantum key distribution (QKD) [1, 2] enables two legitimate communication participants, Alice and Bob, to share identical keys based on the fundamental laws of quantum physics. It is an information security technology that arose from modern cryptography and quantum mechanics. QKD can be considered the most important application of quantum physics. Many papers have proven the security of the Bennett-Brassard-1984 (BB84) protocol [3, 4]. Subsequently, experimental implementations also made great progress [5][6][7]. So far, commercial products have already become available. However, due to the symmetry of the BB84 protocol, the phase error rate is equal to the bit error rate. Because it must estimate the amount of leaked information by randomly sampling the signal, the BB84 protocol may overestimate the leaked information and limit the threshold of the error rate.
Recently, a quantum key distribution protocol called round-robin differential-phase-shift (RRDPS) was proposed by Sasaki et al. [8], which can generate keys without monitoring signal disturbance of the measurement outcomes and has no restriction on the error rate [9]. RRDPS is a novel method to encode raw key bits even in the presence of an eavesdropper, in which Bob randomly specifies how to calculate the sifted key from the raw key bits. Due to the large number of pulses in a packet, an RRDPS system has higher stability and lower loss. It can tolerate a noisier channel than the conventional one. Up to now, many modified schemes have been proposed and several experimental demonstrations have been performed [10][11][12][13]. Using a receiver set-up that randomly chooses one of four interferometers with different delays, Takesue et al. [10] reported a proof-of-principle QKD experiment based on the RRDPS protocol. Wang et al. [11] demonstrated an active implementation of this protocol, and their system can distribute secret keys over a distance of 90 km. Implementation results show that the protocol is feasible with current technology, especially in high-error situations [11].
Similar to the standard QKD protocol, most studies of RRDPS use weak coherent pulses (WCPs) as a replacement for the perfect single-photon source. A heralded single photon source (HSPS) is also within reach of current technology and can be considered a candidate for the perfect single-photon source. The performance of this source in RRDPS therefore remains to be studied further.
In the BB84 protocol, the decoy-state method [14][15][16][17] can be used to efficiently estimate the contribution of the single-photon pulse and significantly increase the transmission distance of secure keys. Many researchers have studied the practicability of the decoy-state method. Ma et al. [17] first studied the statistical fluctuation analysis for the decoy state. Similarly, Zhang et al. [9] proposed the infinite decoy-state method for RRDPS. Their method is valid in the asymptotic limit with an infinite number of decoy states, so it has some limitations in practice. We extend it to the practical case with a finite number of decoy states.
First of all, we compare the performance of WCPs and HSPS for different pulse packet lengths. Then, fixing the packet length at 32, we simulate the infinite decoy-state method using these two sources. Since the infinite decoy-state method is difficult to achieve in practice, we put forward a finite decoy-state protocol. Taking WCPs as an example, bounds on the yields and quantum bit error rates of some photon number states are stated. Finally, considering that contributions from three and more photons are not obvious, we employ the three-intensity decoy-state method.

Round-robin differential-phase-shift protocol
The round-robin differential-phase-shift protocol encodes raw key bits coherently so that only a few bits can be read out at the same time. It is hard for Eve to guess the sifted key. The ideal protocol, between two legitimate users, Alice and Bob, runs as follows.
1. State Preparation. Alice prepares packets of pulses containing L pulses, and generates a random L-bit sequence, $s = (s_1, s_2, \ldots, s_L)$. Then she encodes the sequence into the phase of each pulse, 0 (when $s_i = 0$) or π (when $s_i = 1$), and sends the pulse packets to Bob. We consider that the encoded signal is a superposition photon state of pulses [8] $|\psi\rangle =$ where $s_k$ is the encoded bit sequence and $|k\rangle$ denotes that the photon is in the k-th pulse.
2. Measurement. Upon receiving the states, Bob randomly sets the pulse delay value r ($1 \le r \le L-1$), and splits each received L-pulse train into two. Then Bob delays one of the trains and interferes it with the other. After measuring the interference between the two trains, the detection result shows the phase difference between two pulses i and j ($\{i, j\} \subset \{1, 2, \ldots, L\}$) satisfying $j - i = \pm r \pmod{L}$. The value of the relative phase $s_B = s_i \oplus s_j$ is a sifted key bit of Bob.
3. Sifting. Bob announces {i, j} to Alice through a classical channel, so that Alice computes $s_A = s_i \oplus s_j$ as her sifted key.
4. Post Processing. Alice and Bob repeat steps 1-3 to accumulate enough sifted key. They perform error correction and privacy amplification on the sifted key to extract the final secure key.
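The classical bookkeeping of steps 1-3, as an added example that is not code from the paper: each packet is idealised as carrying one photon that always produces one detection. The 0-based pulse indices, the `flip_prob` channel-noise parameter and all function names are assumptions of this example.

```python
import random

def alice_prepare(L, rng):
    """Step 1: random L-bit sequence; bit s_k sets the phase of pulse k (0 or pi)."""
    return [rng.randrange(2) for _ in range(L)]

def bob_measure(s, rng, flip_prob=0.0):
    """Step 2: Bob picks a delay r in [1, L-1]; the detection identifies a pulse
    pair {i, j} with j - i = r (mod L) and yields s_i XOR s_j.
    flip_prob (assumed noise model) flips the outcome to mimic channel errors."""
    L = len(s)
    r = rng.randrange(1, L)          # 1 <= r <= L-1
    i = rng.randrange(L)             # 0-based here; the text counts from 1
    j = (i + r) % L
    bit = s[i] ^ s[j]
    if rng.random() < flip_prob:
        bit ^= 1
    return (i, j), bit

def alice_sift(s, pair):
    """Step 3: Bob announces only {i, j}; Alice computes s_i XOR s_j herself."""
    i, j = pair
    return s[i] ^ s[j]

def run_rounds(n_rounds, L, flip_prob=0.0, seed=1):
    """Repeat steps 1-3 and return (Alice's sifted key, Bob's sifted key)."""
    rng = random.Random(seed)
    key_a, key_b = [], []
    for _ in range(n_rounds):
        s = alice_prepare(L, rng)
        pair, bit_b = bob_measure(s, rng, flip_prob)
        key_a.append(alice_sift(s, pair))
        key_b.append(bit_b)
    return key_a, key_b

def bit_error_rate(key_a, key_b):
    """Fraction of sifted positions where Alice and Bob disagree."""
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)

if __name__ == "__main__":
    for p in (0.0, 0.03, 0.06):      # constructed noise levels
        a, b = run_rounds(5000, 32, flip_prob=p)
        print(f"flip_prob={p:.2f}  measured e_bit={bit_error_rate(a, b):.4f}")
```

Only the index pair is announced in step 3; the raw bits and the sifted bit itself never leave either party.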
The sketch of the protocol is shown in Figure 1. The secure key length of the QKD protocol is given by [4] where N is the sifted key length, f corresponds to the efficiency of error correction, and $h(e) = -e \log e - (1 - e) \log(1 - e)$ is the binary Shannon entropy function. Moreover, $e_{bit}$ and $e_{phase}$ are the bit error rate and phase error rate respectively.
As for the RRDPS protocol, the phase error rate depends on the preparation of quantum states rather than on the transmission process. When the number of photons in a packet is no more than an integer $v_{th}$ ($v_{th} < \frac{L-1}{2}$), in the analysis of Sasaki et al., the phase error rate can be bounded by $v_{th}/(L-1)$ [8]. They assume, however, that Eve completely knows the sifted key bits from the remaining part ($v > v_{th}$).
Zhang et al. [9] improved the phase error estimation by considering the encoding details of the quantum signal. The phase error rate is given by When the number of photons satisfies $v < v_{th}$, the phase error rate can be bounded by $\frac{1-(1-2/L)^{v_{th}}}{2}$, which gives a tighter and more reasonable bound on the phase error rate.
Hence, the improved phase error rate estimation for a source satisfying $\Pr(v > v_{th}) \le e_{src}$ is expressed by [8, 9] $e_{ph} = e_{src}$ where Q is the empirical rate of detection $Q = N/N_{em}$, and $N_{em}$ corresponds to the number of packets emitted from Alice. There are $N_{em} e_{src}$ rounds satisfying the number of photons $v > v_{th}$, which are regarded as a phase error in the worst case scenario. So the first term of this equation stands for the fraction of the phase error rate where the photons in a packet have exceeded $v_{th}$, and the second one refers to that of packets whose photons are no larger than $v_{th}$.
On account of this classification, the secure key rate per packet can be calculated to be [8] The former part is the contribution of packets containing photons exceeding $v_{th}$, while the latter one is that of packets containing photons no more than $v_{th}$. From this equation, it is clear that the larger L is, the higher the secure key rate per packet we can obtain.
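A worked comparison of the two per-packet bounds quoted above, added here as an example and not taken from the paper. It assumes the two terms described in the text combine as $e_{ph} = e_{src}/Q + (1 - e_{src}/Q)\,b(v_{th})$, with $b$ either $v_{th}/(L-1)$ or $[1-(1-2/L)^{v_{th}}]/2$, a Poisson photon number with mean Lµ per packet for the WCP source, and constructed values for L, µ and Q; all function names are hypothetical.

```python
import math

def h(e):
    """Binary Shannon entropy h(e) = -e log2 e - (1-e) log2(1-e)."""
    if e <= 0.0 or e >= 1.0:
        return 0.0
    return -e * math.log2(e) - (1 - e) * math.log2(1 - e)

def pa_cost(e_ph):
    """Privacy-amplification cost per sifted bit; saturates at 1 for e_ph >= 1/2."""
    return h(min(e_ph, 0.5))

def bound_sasaki(L, v_th):
    """Bound of Sasaki et al. for packets with at most v_th photons."""
    return v_th / (L - 1)

def bound_zhang(L, v_th):
    """Tighter bound of Zhang et al.: [1 - (1 - 2/L)^v_th] / 2."""
    return (1 - (1 - 2 / L) ** v_th) / 2

def e_src_poisson(mean, v_th):
    """Pr(v > v_th) for a Poisson photon number (assumed WCP statistics)."""
    term = math.exp(-mean)           # Pr(v = 0)
    cdf = term
    for n in range(1, v_th + 1):
        term *= mean / n             # Pr(v = n) from Pr(v = n-1)
        cdf += term
    return max(0.0, 1.0 - cdf)

def phase_error(L, v_th, e_src, Q, bound):
    """Assumed combination: packets above v_th count as phase errors (worst
    case), the remaining detections use the per-packet bound."""
    tagged = min(1.0, e_src / Q)     # cannot exceed the detected fraction
    return tagged + (1.0 - tagged) * bound(L, v_th)

def best_v_th(L, mu, Q, bound):
    """Scan v_th < (L-1)/2 and return (v_th, e_ph) with the smallest e_ph."""
    results = []
    for v_th in range(1, math.ceil((L - 1) / 2)):
        e_src = e_src_poisson(L * mu, v_th)
        results.append((phase_error(L, v_th, e_src, Q, bound), v_th))
    e_ph, v_th = min(results)
    return v_th, e_ph

if __name__ == "__main__":
    L, MU, Q = 32, 0.01, 3.2e-3      # constructed sample values
    for name, bound in (("Sasaki", bound_sasaki), ("Zhang", bound_zhang)):
        v, e = best_v_th(L, MU, Q, bound)
        print(f"{name:6s} v_th={v}  e_ph={e:.4f}  PA cost={pa_cost(e):.4f}")
```

Nothing in the calculation uses a measured bit error rate: the estimate depends only on L, the source statistics, the detection rate Q and the choice of $v_{th}$.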

Finite decoy-state RRDPS protocol
The decoy-state method [14] has been proposed as a useful method to improve the performance of QKD protocols when using an imperfect single-photon source. Similarly, the decoy-state method has also been employed for the RRDPS protocol [9]. Here, we review the idea of decoy-state RRDPS. Denote $Y_n P_{L\mu}(n)$ to be the overall gain when the source intensity is Lµ, and $H_{PA}$ to be the ratio of key rate that is sacrificed in privacy amplification. According to Eq. (2), the final key rate per packet can also be written as [9] Define $Y_n$ to be the yield of an n-photon state, which means the conditional probability of a detection event at Bob's side when Alice sends out an n-photon state. Note that $Y_0$ is the background rate, including the detector dark count and other background contributions. Denote $P_\mu(n)$ to be the probability of n photons when the mean number is µ. The amount of key loss can be calculated as [9] $Y_n$ cannot be measured directly, but we can accurately estimate it with infinite decoy states. Without the interference of Eve, it is given by [17] And the error rate $e_n$ can be obtained from [17]
In practice, the number of decoy states cannot be chosen freely. As the number of intensities increases, carrying out the protocol may become more challenging. So it is worthwhile to study the finite decoy-state method. For practical implementations, since contributions from states with large photon numbers are negligible compared with those from small photon numbers, only a few decoy states will be sufficient. The final key rate can be rewritten as where $Y_n$ is defined to be the yield of an n-photon state, $P_{L\mu}(n)$ refers to the probability of n photons when the mean number is Lµ, f corresponds to the efficiency of error correction, and $h(e) = -e \log e - (1 - e) \log(1 - e)$ is the binary Shannon entropy function. $n_{th}$ is the threshold of the photon numbers that are efficient. Define $e_n^{bit}$, $e_n^{ph}$ to be the bit error rate and phase error rate of n photons respectively. $Y_n$ and $e_n^{bit}$ need to be estimated by using the decoy-state method.
In BB84, a protocol with two decoy states, the vacuum and a weak decoy state, estimating only the yield and error rate of the single photon, asymptotically approaches the theoretical limit of the infinite decoy-state protocol [17]. Since multi-photon states also contribute to the secret key in RRDPS, we propose a finite decoy-state method to estimate $Y_1$, $Y_2$, $Y_3$ and $e_1$, $e_2$, $e_3$, that is, $n_{th} = 3$.
Here we take WCPs as an example to show the calculation of these parameters.

Numerical simulation
To describe a practical system, a widely used fiber-based setup model is needed. When the laser source is modeled as WCPs, the density matrix of the state can be given by [18] where $|0\rangle\langle 0|$ is the vacuum state and $|n\rangle\langle n|$ is the density matrix of the n-photon state.
HSPS, like the commonly used WCPs, is also within reach of current technology as another candidate for the perfect single-photon source. Given a two-mode state of the form [18] Set the intensity of the source µ to $\sinh^2 \chi$, then the above description simplifies to [19] After triggering out one of a photon pair, the other mode is basically a field of distribution [16] where µ is the mean photon number of one mode, and $\eta_A$, $d_A$ account for the detection efficiency and dark count rate of the detector respectively. The post-selection probability is $P_{post}(x)$ Considering the distribution of photons in Eq. 11, the gain and QBER for using WCPs can be calculated by [17] Based on the formula above, we use the following for the error rate [9] Denote the loss coefficient in the quantum channel to be α. For an optical-fiber-based system, the relationship between the transmission distance d and the overall transmittance η is [17] From these formulas, the overall gain and bit error rate for HSPS can be given by
Key rate per packet, R, represents the average net production length of secure key in a fixed length packet. The final asymptotic secret key rate per packet can be given by equation (5). For a fixed length packet, there are optimized mean photon numbers, µ, and thresholds of photons in each packet, $v_{th}$, in the process of transmission. To clarify the choice of µ and $v_{th}$ intuitively, we show the relationship among R, µ and $v_{th}$ in Figure 2. The length of each packet is fixed at 128. The channel transmission is $10^{-5}$. By changing the values of the two variables, we can observe the effect of the variables on the optimization results of the final key rate.
Various colors indicate diverse values of key rate per packet. By looking at the graph, all the major values show up clearly. It is obvious that the key rate per packet has a maximum point, where the corresponding mean photon number and photons in each packet can be regarded as the optimal ones. So in the following simulation we adopt these optimal values for each condition to obtain better key rates.
Let Q be the empirical detection rate for channel transmission η. For the use of WCPs and HSPS, the key rates per packet with different packet lengths and bit error rates, as a function of channel transmission, are illustrated in Figure 3. Parameters used are listed in Table 1.
From the results shown in Figure 3, key rates per packet increase with the channel transmission. By simulation, we can see that the key rate for WCPs is mostly larger than that for HSPS when L = 128. The two sources perform similarly if L is equal to 64 and e = 0.03. When L equals 32, HSPS performs better. In a word, WCPs is more suitable for larger packet lengths while HSPS performs better with smaller packets.
According to the distribution of each source, we can obtain the probability of emitting different numbers of photons for WCPs and HSPS. For a better interpretation of this fact, we make a simple comparison in Figure 4.

It is apparent that the results of Figure 4 and Figure 3 are consistent as a whole. Roughly speaking, when L = 128, the summation of photons contributing to the secure key rate in WCPs is larger than that in HSPS. These two summations are equal to each other when L = 64, and the former is less than the latter when L = 32.
Applying the expressions of $Q_{L\mu}$ and $e_{bit}$ to Eq. 5, we can numerically compare the performance of the two sources with and without decoy states. In order to give a faithful estimation, we employ a reasonable model to forecast the result, following a typical QKD system [6]. Here, we fix L at 32, and other parameters used are listed in Table 1.
Combining Eq. 6, Eq. 7, 8, 9, we can calculate the final key generation rate of the RRDPS protocol with and without decoy states for WCPs and HSPS. For convenience of comparison, we use the same parameters as above in Table 1. Our simulation results are shown in Figure 5.
The decoy-state method is often used to improve the secure key rate and transmission distance in conventional protocols. The simulation result in Figure 5 clearly demonstrates that this method is also effective for the RRDPS protocol. The performance of HSPS is much better than that of WCPs under these two circumstances.
For the case of WCPs, we compare decoy-state methods for the RRDPS protocol with different intensities: infinite decoy states; the two-decoy-state method, in which we just estimate $Y_1$ and $e_1$; the three-intensity decoy-state method estimating $Y_1$, $Y_2$, $e_1$ and $e_2$; and the four-decoy-state method estimating $Y_1$, $Y_2$, $Y_3$, $e_1$, $e_2$ and $e_3$ (see the Methods). Then, the comparison between the estimated values and asymptotic values of yields and error rates is shown in Figure 6.

From the graph it is evident that the estimated values of the yields closely approach the asymptotic values. The estimated error rates are very close to the asymptotic values. Since we have presented partial lower bounds of the yield and upper bounds of the QBER, we will give an example to show that, even in the finite case, the performance of our method is close to that of the infinite decoy method. We use the key parameters listed in Table 1. Here, we also fix L at 32, and optimize µ to obtain the maximum transmission distance. The simulation result indicates that three decoy states are sufficient for the RRDPS protocol, which is shown in Figure 7. In the decoy-state method of the BB84 protocol, only $Y_1$ and $e_1$ need to be estimated, so a few decoy states will be sufficient. This is because contributions from states with large photon numbers are negligible compared with those from small photon numbers. From the results, we can see that contributions from the two-photon state are considerable, while those from three photons are not obvious. Therefore, it is unnecessary to estimate the yield and QBER when the photon number is more than three.

Discussions
From the comparison between WCPs and HSPS, it is clear that they perform differently with various packet lengths. WCPs is more suitable for larger packet lengths while HSPS performs better with smaller packets. We anticipate that this result can guide the use of conventional lasers. In current practice, attenuated lasers emitting WCPs are employed in most quantum systems. The technology for efficiently obtaining HSPS has been developed to a high level. It is pragmatic to experimentally test the conclusions from numerical simulations. For practical implementations, we put forward a finite decoy-state protocol. Since the key rate of the finite decoy-state method is close to the infinite one, our protocol can be regarded as a choice for the practical experiment of RRDPS. Taking cost and technological feasibility into account, our scheme can be a promising implementation of quantum cryptography. Compared with existing QKD protocols, there are still many aspects of RRDPS to improve. For example, the finite length of the key [20] and its statistical fluctuations can significantly affect the security of the RRDPS protocol, which is of special concern.

Lower bound of
Suppose Alice and Bob choose a signal state with intensity Lµ and four decoy states whose intensities are $Lv_1$, $Lv_2$, $Lv_3$, $Lv_4$, which satisfies One can obtain the following gains and quantum bit error rates for the signal and decoy states Given such equations, how can we obtain a tight lower bound on R? This is the main problem for decoy-state protocols.
Based on when $Lv_2 = 0$ the equality sign will hold.
Consequently, we obtain a minimum value of $Y_1$ [17] where $Y_0^L$ is the lower bound of $Y_0$ calculated earlier.
Combine these two equations, we also have Therefore, we can bound $Y_2$ by As we have known, For a similar settlement, we can also give the lower bound of $Y_3$

Upper bound of QBER $e_1$, $e_2$, $e_3$
According to the condition, the QBER of the decoy state is given by [17] The upper bound of $e_1$ can be obtained directly [17] and solving the equality the upper bound of $e_2$ can be further represented by For the same reason, we can obtain the equations followed, Then, the upper bound of $e_3$ can be shown by

The solid curves represent the key rates per packet for using WCPs, the dashed curves stand for key rates for using HSPS. Lines labeled (i)-(iii) characterize the protocol with L = 128, 64, 32. The error rate is 0.03 and 0.06, respectively. The choices of $v_{th}$ and the mean photon number µ are optimized.

Figure 4 (Color online) A comparison for the probability of emitting different numbers of photons between WCPs and HSPS.
Here parameters for HSPS are listed in Table 1, while the intensity is 0.02 for both WCPs and HSPS.

Figure 5 (Color online) Final key rate without and with decoy states. The solid curves represent the key rates per packet for using WCPs, and the dashed curves stand for key rates for using HSPS. The length of each packet is fixed at 32. The left two curves are the key rates of the RRDPS protocol with no decoy states, and the other two are those of the protocol with decoy states.

Figure 6 (Color online) The estimated bounds and asymptotic bounds of yields and error rates. The solid lines represent estimated bounds of yields and error rates, and the dashed lines stand for asymptotic bounds of yields and error rates.

Figure 7 (Color online) Final key rate for using infinite and finite decoy states. The dotted curve accounts for the key rate per packet for infinite decoy-state, and the solid curve stands for the four-intensity decoy-state method to estimate $Y_1$, $Y_2$, $Y_3$, $e_1$, $e_2$ and $e_3$. The dashed curve represents the three-intensity decoy-state method estimating $Y_1$, $Y_2$, $e_1$ and $e_2$, and the dash-dotted one is on behalf of the two-intensity decoy-state method just estimating $Y_1$ and $e_1$. The choices of the mean photon number µ are optimized.