Handheld free space quantum key distribution with dynamic motion compensation

: Mobile devices have become an inseparable part of our everyday life. They are used to transmit an ever-increasing amount of sensitive health, financial and personal information. This exposes us to the growing scale and sophistication of cyber-attacks. Quantum Key Distribution (QKD) can provide unconditional and future-proof data security but implementing it for handheld mobile devices comes with specific challenges. To establish security, secret keys of sufficient length need to be transmitted during the time of a handheld transaction (~1s) despite device misalignment, ambient light and user’s inevitable hand movements. Transmitters and receivers should ideally be compact and low-cost, while avoiding security loopholes. Here we demonstrate the first QKD transmission from a handheld transmitter with a key-rate large enough to overcome finite key effects. Using dynamic beam-steering, reference-frame-independent encoding and fast indistinguishable pulse generation, we obtain a secret key rate above 30kb/s over a distance of 0.5m.


Introduction
Guaranteed by the laws of physics, Quantum Key Distribution (QKD) provides an ultimate level of security [1][2][3], and uniquely it is the only technology known to-date that can monitor eavesdropping activities. Since its inception in 1984, developments of QKD has been largely focused on securing large-scale infrastructures [4][5][6] using long distance fiber transmission [7][8][9][10][11] and free space transmission between fixed terminals [12][13][14] QKD transmission has also been demonstrated from large mobile vehicles such as trucks [15], planes [16] and air balloons [17]. Today, there is increasing demand for security in handheld devices such as mobile phones and wearable technologies. A QKD protected link between handheld devices and the terminal would provide the keys for encryption with verifiable security for any wireless communication system, ranging from indoor wireless networks (e.g. Wi-Fi) to access control and near field communications (NFC) mobile payment applications. This technology could also prevent ATM skimming attacks, where a $2 billion loss worldwide in 2015 [18] was estimated, by transmitting the quantum encryption key from the mobile device securely to the ATM terminal. A short-range free-space implementation of QKD could address these security challenges and provide a high degree of security.
For a handheld free-space QKD to be practical, it needs to be compact and low-cost [19][20][21], and crucially, it must also be able to transmit a secure key in a time suitable for a handheld transaction (~1s). If the size of the transmitted key is too small it is not mathematically secure, so during this short span of time, a number of qubits large enough to overcome finite key effects must be exchanged [22][23][24]. The system must therefore provide a stable communication link taking into account the user's unavoidable hand movement, which lead to translations and rotations of the mobile device. Previous work by Mélen, G. et al. [21] obtained intermittent key transmission from a handheld device by using one-side beamsteering and mechanical waveplate rotation in the receiver. Here we addressed these issues by using novel agile dual-MEMS mirror-based beam-steering system combined with a reference frame independent (RFI) QKD protocol to provide wider angular, translational tolerance and rotational independence respectively. This results in the first stable quantum link from a handheld device able to transmit a secure key in less than a second.
In order to compensate for hand-held operation instabilities, we characterized typical hand-movement and accordingly designed a system with optimal latency and tolerance. Based on this evaluation, we implemented the system using MEMs mirrors for beam-steering at both ends of the link. Their orientation was controlled by a tracking system using LED beacons and Position sensing detectors (PSD) at both ends of the steering system. This implementation allowed us to obtain a wide angular coverage and minimize latency, thus guaranteeing the robustness against hand movements.
The RFI QKD protocol proposed by Laing, A. et al. [25], and experimentally demonstrated by Wabnig, J. et al. [26] allows polarization encoding without the requirement of aligning the polarization bases. In this protocol the qubits are encoded and measured in three polarization bases (horizontal-vertical, diagonal-anti-diagonal, circular left-circular right). Only one of those bases needs to have a fixed alignment between the transmitter and the receiver. As the circular basis is unaffected by relative rotations of the transmitter and the receiver in polarization encoding, it is therefore used to transmit the secret keys. The two linear bases can have any relative alignment and are used to assess the security parameters of the quantum channel. Based on this protocol, we demonstrated a practical quantum secured wireless link between a terminal and a handheld device using a steerable optical link.

QKD transmitter and receiver modules
The RFI QKD transmitter and receiver modules are represented in Figs. 1(a) and 1(b) respectively. RFI QKD is based on the transmission and detection of qubits encoded in three bases. Here the qubits are implemented by polarization encoded faint pulses. In order to produce these 6 optical states, we use 6 resonant-cavity Light Emitting Diodes (RCLEDs). The light produced by each of the RCLED is collimated and transmitted through a set of Polarizing Beam Splitters (PBS), non-polarizing Beam Splitters (BS) and waveplates (WP). The polarization of the light produced by each RCLED is thus purified and rotated in order to exit the transmitter in one of the 6 required polarization states. The optical signal is then attenuated by a neutral density (ND) filter to obtain faint pulses. In order to avoid side-channel attacks [27] the optical states originating from all the RCLEDs must be identical apart from their polarizations. This means that their spatial, spectral, and time profiles should be identical. For the spatial indistinguishability, a spatial filter composed of a first aperture with a 1mm diameter followed by a focusing lens (f=6.24mm) and a second aperture with a 5 micron diameter (comparable to the Airy disk diameter). The light is then collimated with an f=11mm lens. This ensures any difference in mode profile or propagation direction between sources is eliminated. In order to ensure the spectral indistinguishability, a spectral filter with a passband (1.5 nm centred at 658 nm) narrower than the RCLED emission spectrum (spectral width of 7nm, central wavelength of ~656 nm) is used to select the light to be transmitted. Figure 2(a) shows the resulting spectra from the six sources. Here, the choice of RCLEDs over laser diodes or LEDs is important since RCLEDs have a wider spectrum than lasers, without multiple mode structure. The disparities between the central wavelengths of the different RC-LEDs become smaller as the light going through a narrow band filter will be similar for each RC-LED ( Fig. 2(a)). This is very difficult to achieve with lasers because they need to be tuned with a tolerance smaller than their individual modes' width and filtered with a narrower filter. Since RCLEDs can be modulated faster than LEDs, it is possible to transmit a larger number of photons compared to the constant detector noise rate and thus, increasing the key rate. Time profiles of the light emitted by each source were measured by a single photon detector collecting photons at the output of the transmitter. The resulting statistics, shown on Fig. 2(b), exhibits a very good timing overlap. To modularize both the transmitter and receiver, base plates were fabricated using aluminum terminated with modified 16mm cage plates to house the spatial filter and to enable easy integration with the beam-steering system. Alignment of the receiver's lensed multimode fibers was achieved using spherical bearings to give the degrees of freedom required. All components were fixed in place using UV cured adhesives. In the demonstration the RCLEDs were driven by a 6-channel pattern generator. Every 4ns (i.e. a 250MHz repetition rate), a 1ns pulse is generated in one of the six channels, this channel being determined by a pseudo-random pattern. The voltage level driving each channel is adjusted to ensure that the output power was identical for the 6 polarizations. The power was then reduced to 0.07 photons per pulse with a ND filter (10dB). This value was chosen to obtain a sufficiently small probability for a pulse to contain more than one photon.
The receiver module ( Fig. 1(b)) has a similar structure to the transmitter. First, the light is spectrally filtered with the same passband as the transmitter filter. Then, light propagates through the same PBS, BS and WP arrangement as the transmitter, which splits the light according to its polarization and distributes it to six different channels. Light is then coupled into six lensed multimode fibers, which are connected to the Silicon Avalanche Photo-Detectors (SiAPD). The resulting photon counts are used to assess the security parameters of the quantum channel and build a secret key. Based on this protocol, we demonstrated a practical quantum secured wireless link.

Beam-steering module
The beam-steering module must compensate for hand movement, and ensure that the angular misalignment of the transmitter and receiver remains within the field of view of the QKD communications system. The angular fluctuations of typical hand movements were analyzed by measuring the position of a hand-held laser pointer spot as a function of time. Figure 3(a) shows the complementary cumulative distribution function (CCDF) of the angle created by hand-movement. This indicates the speed at which any correction must be made to the field of view of the optical system. Our receiver's the field of view, which is set by the numerical aperture of the lensed multimode fibers and associated optics, is 0.1 degree. This means that corrections must be made within approximately 42ms.  To minimize the system latency, a scheme using independent LED beacons is used here. Each terminal has a beacon that indicates its position, and a position sensitive detector (PSD) to measure the location of the beacon on the other terminal. This dual beacon system allows the two terminals to track each other independently, resulting in low-latency. Figure 1(c), (d) shows the system we used for dynamic beam-steering. A green LED beacon aligned with the QKD optical mode is used in the transmitter, to indicate its position to the receiver, allowing it to perform adjustment of its field of view. For the receiver to evaluate the transmitter's position, light from the beacon enters the receiver and is diverted to a PSD via a MEMs steering mirror. The PSD then measures the angle of arrival of the beacon light, creating a signal that steers the MEMs mirror until the beacon light is centered on the PSD. This sets the receiver mirror angles so that photons coming from the direction of the QKD transmitter are coupled into the lensed fibers. The receiver also has a co-aligned infrared LED beacon, which allows the transmitter to orientate its MEMs mirror and steer the QKD photons towards the receiver. For this operation, beacon wavelengths (520nm for downlink, 850nm for uplink) were chosen to ensure enough separations from the weak QKD signal at 658nm via dichroic beam splitters. Commercial PSDs and MEMS mirrors were used. Mirror size (ϕ=4.2mm) was chosen considering the fact that larger size leads to longer latency, mainly due to the inertia, but provides a better reliability by reflecting more off-axis beams. This PSD and MEMS mirror combination enabled a low latency suitable for an agile correction of hand-movement. In operation, coverage of +/-4 degree was achieved, as shown in Fig. 3(b). For different link distances, divergence of the beacon lights (i.e., coverage) should be readjusted, so that the two PSDs can detect the light levels within their dynamic-range.
In addition, a waveplate was added in each steering module to correct for their induced birefringences. The WP angle around vertical axis as well as the relative angle of the QKD and steering modules were adjusted to obtain perfectly circular polarizations in the Z basis. We also took advantage of the fact that the additional WP acted essentially as a quarter WP to swap the X and Z basis by rotating the QKD receiver module by 45 degree. This allows us to have the Z basis (used for the secure key) nearer to the receiver input. By construction this made the detection probability and the polarization purity higher than when the Z basis is at the opposite end of the receiver.

QKD performance evaluation
In our QKD protocol part of the detected photons is used to build a raw key and the other part is used to estimate channel security parameters. The raw key is built by randomly extracting half of the photons that were transmitted as well as received in the Z basis. The remaining photon detections are used for security parameter estimation. In order to ensure absolute secrecy of the transmitted key, the raw key needs to be processed using error correction and privacy amplification codes. These reduce the key size to a fraction of its original size, called the secure key fraction. This secure key fraction is calculated based on the estimated security parameters, which are correlations between the number of photons transmitted in each polarization state and the number of detections in each receiver channel, using the method based on Wabnig, J. et al. [26]. These calculations take into account potential polarization impurity and non-orthogonality and it includes finite key analysis. Initial static tests were undertaken, for different steering angles. It was found that the optical elements in the beam-steering system (and to a small extent the beam splitters inside the transmitter and the receiver) introduced an undesired birefringence leading to polarization rotations of the QKD beams. RFI QKD is tolerant to polarization rotations, but not to ellipticity alterations, so a WP was added inside the beam-steering modules to compensate for this. The induced birefringence was also dependent on the MEMS mirror angle, which varies, and therefore cannot be compensated with a static WP, but it was found that the increase in the error rate remained within 3% over the whole steering range.
In order to demonstrate the robustness of our system against axial rotations (i.e. rotations around the transmission direction) we introduced a rotating half-wave plate between the emitter and the receiver, which is equivalent to a rotation of the transmitter by an angle equal to twice the value of the waveplate angle. The secure key fraction as a function of the equivalent rotation angle is shown on Fig. 4. Here the secure key fraction was calculated for 0.5s key transmissions. We can see that not only transmission of secure keys was possible for any angle but the secure key fraction remained between 40% and 60% over a 360 degree rotation. The secure key fraction was also calculated by using the BB84 protocol with the same photon counts, and therefore keeping two bases out of three to calculate the key fraction. In this case we can see that the system performances would drop very quickly with the transmitter angle. RFI protocols is superior to BB84 for each point except for the angle of 170 degrees. This is due to the fact that the calculation we used for the BB84 curves assumes perfect polarization orthogonality, while our RFI calculation takes the most pessimistic possibility without assuming perfect polarization. Rotations around the other axes induced small modifications of the photons' polarization but with minor effects on the secure key fraction. The secure key fraction over the whole possible range of deflection of the mirrors remained between 35% and 65%. Fig. 4. Robustness of RFI protocol against axial rotation. The secure key fraction (ratio between the raw key length and the error corrected, privacy amplified key length) is plotted as a function of the relative axial angle between the transmitter and the receiver. The values were calculated from a 0.5s data transmission for each point, for a fixed position of the terminals. The relative axial angle between the transmitter and the receiver was simulated by rotating a half-wave plate between the terminals.
The system operates in normal ambient light conditions (>400 lux from incandescent light bulbs). The detector dark count rate is 370 counts/s per detector, and the noise due to ambient light was 600 photons/s per detector. The beacon LEDs additionally contribute approximately 570 photons/s per detector. These numbers are small compared to the ~1M photons/s that are detected for the QKD link, and induced error rate due to these impairments is negligible.
Quantum Key Distribution from a handheld device was demonstrated by holding the transmitter and pointing it at a static receiver. The whole optical assembly including the QKD and beam steering modules were part of the mobile handheld device, while the electrical instruments were static and connected to the handheld part by cables. Two sets of experiments were performed.
First, in order to illustrate the fluctuations of the asymptotic key rate in real time, measurements were performed while the experimenter holding the device performed a series of voluntary movements. To calculate this asymptotic key rate, short (4ms) samples of QKD transmission were collected every 100ms, which is the time required to process the photon arrival times. Figure 5(a) shows the vertical and horizontal angles of the two MEMS mirrors as well as the axial angle. Mirror angles were derived from the applied voltage while the axial angle was derived from the photon statistics, which depend on the polarization angle. The alignment system was switched on after 4s, and no data was received before this point. Then we can see that the experimenter moves the transmitter up, down, left, right and finally performs an axial rotation. Fig. 5(b) shows the transmission and error rate as a function of time. The transmission is defined as the total number of detected photons divided by the total number of emitted photons (i.e. 0.07 x 250MHz), while the error rate only takes into account the photons used for the secure key (i.e. photons transmitted and received in the Z basis). After starting the steering system, the transmission stabilizes at around 6% with a few short drops and the error rate is also approximately 6%. Figure 5(c) shows an estimation of the asymptotic key rate as a function of time, indicating a rate of approximately 30kb/s with very few drops to zero. Fluctuations in this rate are due to the short measurement samples.

Fig. 5.
Hand-held QKD performance. These measurements were performed while the experimenter holding the QKD transmitter displaces it in the directions shown. The motion compensation system was switched on after 4s. (a)Vertical and horizontal angles of the two MEMS mirrors as well as the axial angle between the two terminals. The mirror angles were retrieved from the applied voltage, while the axial angle was calculated from the QKD data. This angle was divided by four to allow a common axis. (b) Photon transmission and error rate. The transmission is defined as the number of detected photons divided by the number of emitted photons (i.e. 0.07 x 250MHz). The error rate is calculated for photons that were both transmitted and detected in the Z basis. (c) Estimation of the asymptotic key rate as a function of time. Each point was calculated from a 4ms transmission sample.
Second, in order to demonstrate the performance of our system during a real handheld transaction, including the finite key effects, a series of 14 separate measurements was performed with a duration of 0.5s each, while the experimenter was holding the transmitter without any intentional movement. The average value of the secure key rate, after the finite key effect is taken into account, was 39kb/s with a standard deviation of 8kb/s. These results show that our system can reliably transmit secret keys long enough to overcome the finite key limitations in a very short time. An increased key rate could be achieved by using a decoy state protocol [28][29]. This would however require more pseudo-random pattern channels to modulate the pulse amplitude.

Conclusions
In this paper, we have successfully constructed the first quantum wireless prototype for handheld usage fulfilling finite key requirements. The beam-steering technique used maintained a motion-stabilized communication link, which allowed sufficient secure keys to be transmitted with a high throughput under hand-movement and typical ambient light levels. A number of improvements are possible, for example, decoy state protocol could be implemented to increase the key rate. For full mobile device integration, further miniaturization of the emitter could be obtained by fabricating the RCLEDs on a single chip and combining the polarizations with photonic waveguides as previously demonstrated with VCSELs [20]. The steering system could also be miniaturized by taking advantage of the fast improvements and size reductions of laser-based pico-projection systems.
The success of wireless QKD technology could introduce an unprecedented level of data security to merchants and customers alike. Making QKD economical and practical enough is essential to overcome the adoption barrier before security threats start to appear with the increase of computing power and efficiency of hacking techniques. This demonstration of handheld quantum wireless prototype represents a major step towards real-world quantum security for mobile applications.

QKD secure key rate calculations
Our security analysis takes into account that, in real implementations, not only reference frames of the transmitter and the receiver can be rotated with respect to each other, but also that there is always a degree of misalignment within a reference frame. This induces nonorthogonality within a basis and mutual bias between bases. Our analysis also takes into account differing detector efficiencies. This is achieved by using an explicit device model and minimizing the key rate over possible model parameters. The calculation of the secret key fraction can be posed as an inference problem: given the measurements and a device model, what is the maximum amount of information an eavesdropper can possess about the distributed key.
Following the derivation in Wabnig, J. et al. [26], we can express the secret key fraction as We take into account imperfect measurement devices that can lead to a large number of additional parameters, such as non-orthogonalities in the preparation and measurement bases and detector efficiencies, which can be collected into the vector . The usable entropy is obtained as the minimum over all parameters , 1,2 ( ) ( The parameters have to obey the constraints imposed by the observations ( ) ( ) ( )