Mixed basis quantum key distribution with linear optics

Two-qubit quantum codes have been suggested to obtain better efficiency and higher loss tolerance in quantum key distribution. Here, we propose a two-qubit quantum key distribution protocol based on a mixed basis consisting of two Bell states and two states from the computational basis. All states can be generated from a single entangled photon pair resource by using local operations on only one auxiliary photon. Compared to other schemes it is also possible to deterministically discriminate all states using linear optics. Additionally, our protocol can be implemented with today's technology. When discussing the security of our protocol we find a much improved resistance against certain attacks as compared to the standard BB84 protocol.


Introduction
Quantum key distribution (QKD) promises secure information transfer based on the laws of quantum physics. The most prominent protocol is the famous BB84 protocol [1]. It is proven to be unconditionally secure provided that Alice and Bob make use of a genuine random number generator [2] and that the quantum bit error rate (QBER) is below 11% [3]. The latter can be increased to 12.7% for the six-state protocol [4]. With a two-way classical communications QBER can be increased further and we shall come back to this point in Sec. 5. The secure QBER can also be increased by increasing the capacity of the protocol so as to send 3 or 4 messages (in contrast to 2 in BB84) via three or four states in a 3-or 4-dim space, achieving 22.7% or 25% respectively. [5,6].
Beyond maximum tolerable QBER Eve (an eavesdropper) is undetectable when the losses are significant, however, she might be undetectable even below that limit because weak laser pulses, standardly used for implementing QKD with single photons, enable her a beam-splitting [7, 8.5.3, p. 440] and a photon-number splitting attack [7, 8.5.4, p. 441]. Also, recent commercial systems based on BB84 protocol were shown to be hackable by tailored bright illumination and that initiated "identifying and patching technological deficiencies" of BB84 implementation [8].
Therefore, time and again over the last decade a QKD with entangled photons has been considered and reconsidered mostly as modifications of the so-called ping pong (pp) protocol with two Bell states [9,10], by means of all four Bell states, i.e. via the superdense coding (SDC) protocol [11], or even with three particle GHZ state [12]. It can be argued that "the potential of entanglement-based protocols need to be seriously explored, especially taking into account the rapid research progress [13] of entanglement light sources" [14]. On the other hand, correlated detections of photons from the same down-converted pairs provide us with higher loss tolerance.
One of the first proposed attacks on the pp protocol, given by Nguyen [17,23], enables Eve to read all the messages in the message mode "absolutely unnoticeable." This kind of attack has been addressed in [14,21] and the protocol shown to be secure via its control mode. Nguyen's pp modification, called quantum dialog (in which both, Alice and Bob, send entangled photons and messages) has been addressed in [23].
As we show in Sec. 4, Nguyen's attack can be easily extended to the aforementioned four-Bellstate pp protocol which was proposed to increase the capacity of the protocol-by a transfer of 2 bits via 4 messages-but which requires non-linear optics elements [24] (it cannot be carried out with linear optics ones [25,26]).
In this paper we propose a high-capacity (four messages) entanglement-based pp-like protocol which is not only resistant to Nguyen's attack but also enables Alice and Bob to detect Eve during their data exchange without switching to a separate control mode and which can be implemented with linear optics elements because it is based on the mixed basis consisting of two Bell states and two states from the computational basis.
The paper is organized as follows. In Sec. 2 we introduce the basis our states are in and a description of our setup. In Sec. 3 we outline our protocol. In Sec. 4 we discuss the security of the protocol and in Sec. 5 we summarize the results we achieved.

Mixed basis and setup
Let us start with introducing the mixed basis used in our protocol. We define it as a basis consisting of the two Bell states and the two computational basis states where |H i (|V i ) represents a horizontal (vertical) polarized photon in mode i. A particular advantage of the mixed basis is that all four basis states can be deterministically discriminated using only a few linear optical elements. The discrimination setup consists of a non polarizing beam splitter (BS) and an additional polarizing beam splitter (PBS) in each of its two output ports-see Fig. 1. The outputs of the PBSs are monitored by four photon number resolving detectors [27][28][29]. They can also be approximated by purely linear elements such as additional concatenated beam splitters and single photon detectors [30][31][32].
In the case of | χ 3 = |H 1 |H 2 and | χ 4 = |V 1 |V 2 as input states of the discriminator, two indistinguishable parallel polarized photons are sent to the BS from different sides, as shown in Fig. 1(a). These photons will always exit the beam splitter at the same side, bunched together and showing the well known Hong-Ou-Mandel interference effect [33]. Both bunched photons keep the polarization direction they had before they entered the beam splitter [34-36]. On the other hand, | χ 2 = |Ψ + photons bunch together behind the BS, but have different polarization and split at a PBS behind the BS. In contrast, | χ 1 = |Ψ − photons split at the BS and are subsequently transformed into opposite polarization states by the PBSs. Thus, all four mixed basis states can be deterministically and unambiguously discriminated by means of photon number resolving detectors.
In the following, we demonstrate how to prepare the mixed basis states solely from the state |Ψ − generated by an entangled photon source [30,37]. In order to do this we introduce also our QKD setup in Fig. 2, which consists of Alice's and Bob's part together with a quantum and classical communication channel. Bob has an entangled photon source, a quantum delay, and a mixed basis discriminator, as shown in Fig. 1(a). We assume that Bob's entangled photon source generates photon pairs in state | χ 1 = |Ψ − . Bob sends one of the photons of the pair, the travel photon, to Alice and keeps the other, the home photon, delayed for later joint measurements with the travel photon returning from Alice. Bob's part consists of an entangled photon pair source generating the state Ψ − , a quantum delay, a mixed basis discriminator and a removable HWP( π 8 ) aligned to π/8. Alice's part consists of a mixed basis encoder and a removable HWP( π 8 ) also aligned to π/8. Alice and Bob exchange information on the bases and states over a classical channel. Now, Alice can prepare any state of the mixed basis semi-deterministically by manipulating the travel photon she receives from Bob. For this she has a mixed basis encoder, which consists of an auxiliary on-demand single photon source and linear optical elements as shown in Fig. 1 (b). We will first consider the case when no additional HWP( π 8 ) on Bob's or Alice's side, shown in Fig. 2, are put in.
To generate | χ 3,4 Alice places a PBS with single photon detectors on its output ports and an auxiliary single photon source in her photon's path- Fig. 1(b), lower row. With this, the polarization of the photon is measured and thereby Bob's home photon is projected into |V if Alice's measurement of the travel photon gives |H and into |H if Alice measured |V . Subsequently, Alice replaces the destructively measured photon with a photon of opposite polarization from an auxiliary single photon source. In doing so, it is possible to generate | χ 3 = |H 1 |H 2 and | χ 4 = |V 1 |V 2 in a heralded way. State generation of | χ 3,4 is hence probabilistic in the sense that Alice obtains |H or |V after her PBS completely at random, but as soon as she does obtain them, the | χ 3,4 states are determined because she knows what she sent and Bob will measure.
Let us now come back to the HWP( π 8 ) shown in Fig. 2. We assume that Alice and Bob, independently of each other and randomly insert their HWPs aligned to π/8 (Hadamard gates) using a true quantum random number generator [2].
When both HWPs are inserted Bob will receive (in the absence of Eve) the same states as with no HWP inserted (since two consecutive Hadamards yield the identity). These two arrangements we call the same bases. The case when only Alice's or only Bob's HWPs are inserted we call different bases.
With a delay Bob informs Alice of his choice of bases and Alice him of hers, over a classical channel. The data obtained with different bases serve them as control data which they use to catch Eve. Alice, also with a delay, informs Bob of exact values of all control data. Since the capacity of the classical channels is practically unlimited compared to the quantum channel, the quantity of classical information exchanged should not be a problem. Handling of messages obtained with different bases and the corresponding control data we call the control mode.

Protocol
Now we describe how Alice and Bob using the setup from Fig. 2 proceed to securely exchange a one-time-key. Our suggested protocol is the following: 1. Bob decides randomly about his basis by placing or not placing his HWP. He prepares the two photon state | χ 1 , stores the home photon in his quantum delay, and sends the travel photon to Alice through a quantum channel.
3. Bob measures the two qubit state by means of his mixed basis discriminator, and broadcasts on a public channel if he placed his HWP or not.
4. Alice checks if the transmitted message is valid. This is the case for all | χ 1−4 messages if the bases were the same. If a message is valid, it is stored for later usage as one time key. The selection is called sifting. If the bases are different, the measurement data are stored for later usage as the control data. Alice announces the valid messages via a public channel with a delay. She also announces the values of all control data.
5. Bob repeatedly restarts with (a) and with a delay he processes the control data to check for Eve's presence. If yes, they abort the transmission. If not, they distill the key. Thereupon they carry out error correction and privacy amplification [3].
We would like to stress that even in the case of different bases Alice's and Bob's measurements are sensitive to detect the eavesdropper Eve. This is different from the BB84 protocol where part of the valid data has to be sacrificed. Also no active switching between a message and control mode has to be performed as in other pp-like protocols. This is an advantage since switching may open the possibility to advanced eavesdropping attacks, in particular when Eve can hide her presence in the message mode completely as shown below.

Security
As we mentioned in Sec. 1, Nguyen's attack [17, p. 7, par. containing Eq. (2)] is a powerful attack on pp-like protocols. We start with its brief presentation and only then we show that our protocol is resistant to it.
As shown in Fig. 3, Eve delays the photons Bob sent to Alice and instead, sends her own photons from her Ψ − source to Alice to encode them. Eve intercepts the photons Alice encoded, measures them in her discriminator, encodes the read messages on the travel photons she kept delayed and sends them to Bob. Eve can read off all the states sent by Alice in the p-p protocol but cannot in the protocol of ours.
Our protocol is less susceptible to the above attack because: 1. When Alice prepares | χ 3,4 states she collapses the states of both photons -her and Eve's. Eve can deterministically find out which states Alice's and her photons collapsed to, but can collapse Bob's photon states into ones of her own photons only with a probability of 50% (by means of her HWP); 2. When Alice and Bob put HWPs in their channel, then both Eve's reading and resending will be scrambled.
According to [6,38,39] we evaluate the condition for QKD to be secure in the presence of Eve: I AB > I AE , where I AB (I AE ) is the mutual information between Alice and Bob (Eve). We calculate them as follows.
When Alice and Bob are in the same basis with no HWPs inserted and Alice sends | χ 1 or | χ 2 Eve can detect them and impose the same state on the Bob's photons. Eve is not necessarily always present in the line and we shall denote her presence by X ∈ [0, 1]; X = 0 means that Eve is not present at all and X = 1 that she is always present. Thus, Bob will always receive the correct | χ 1 or | χ 2 , each with the probability 1/4, no matter whether Eve is present or not (when she is in the line she fatefully transmits what she reads), but Eve will read | χ 1,2 only with the probability X/4, i.e., only when she is in the line. When Alice sends | χ 3 or | χ 4 Eve can detect them but cannot impose the same state on the Bob's photons with a probability higher than 50%. So, Bob's probability of receiving a correct state via Eve diminishes with her presence X (probability falls as (2 − X)/8) and of receiving incorrect state increases with X. Eve's probability of receiving both correct and incorrect states increases with X.
We give an overview in Table 1 where we show the probabilities that what Alice ( j = 1, 2, 3, 4) prepares will be received by Bob (m = 1, 2, 3, 4) weighted with Eve's (k = 1, 2, 3, 4) presence X, in the right-hand part entitled Bob as well as Eve's probabilities of gaining Alice's messages again weighted with her presence X, in the left-hand part entitled Eve.
When Alice and Bob are in the same basis but with both HWPs inserted and Alice sends | χ 1 or | χ 2 her HWP( π 8 ) can be regarded as an operator acting on the states as follows At Eve's BS Alice's | χ 1 will be transformed into the following one: Their plots in Fig. 4 highlight the key result of our security analysis. When Eve is in the line all the time we have I AB (1) = 5 8 + 3 32 log 2 3 = 0.774 and I AE (1) = 7 8 = 0.875. Remarkably, the difference between I AE (X) and I AB (X) is even higher for some values of 0.605 < X < 1, for which I AE (X) > I AB (X).
Another method to estimate the security of our protocol is by means of the control mode. When only Bob's HWP is in place and Alice sends | χ 3,4 , according to Eq. (6), Eve will receive them as | χ 3,4 and Bob should receive them as | χ 1 or | χ 2 with the probability of 25%, each, or as | χ 3,4 with the probability of 50%. However, in half of the cases Eve will fail to resend the latter states, i.e., she will send them incorrectly as | χ 4,3 instead, with the probability of 25% and Bob will immediately detect Eve's presence due to Alice's classical information [see Eq. (7)] via Eve's bit-flips | χ 3 → | χ 4 (| χ 4 → | χ 3 ) with the probability of 1/4, and therefore Eve's probability of escaping detection during each of these two sendings is 1 − 1/4 = 3/4.
Within a complete set of 4 different messages | χ 1−4 in the control mode Eve's probability of avoiding detection with either | χ 1 or | χ 2 is 1 and with | χ 3 or | χ 4 is 3/4. Alice's sendings come one after another and therefore the probabilities multiply and Eve will avoid detection within a single cycle with the probability of 1 × 1 × (3/4) × (3/4) = (3/4) 2 ≈ 0.56. After a more detailed analysis we arrive at a result that with such repeated trials Eve's probability of snatching one character (8 bits) undetected is (0.53/1.54) 8 ≈ 0.0002. We do not have to sacrifice data in order to detect Eve in this way.

Discussion
To summarize, we introduced a high capacity (2 bits) protocol that relies on a mixed state basis consisting of two Bell states and two states from the computational basis (a kind of blending ping-pong (pp) and BB84-like protocols) which can be realized experimentally right away since it relies only on off-the-shelf components. The protocol is supported by classical information exchanged between Alice and Bob over a classical channel as shown in Fig. 2. When both HWPs are inserted or none, photon states are in the same bases and the messages are being transferred.
When they are in different bases (only one of the HWPs is inserted) Alice and Bob will detect Eve's bit-flips with the probability of 99.98% during her snatching of her first byte of messages as shown in Sec. 4. So, the different bases do not only support the transfer of messages but function as a control mode as well, similarly to such a mode in the pp protocol and contrary to BB84-like protocols where different bases transmissions are simply discarded (and a portion of messages must be sacrificed for QBER verification).
Still, Eve can hide behind the exponential losses in the fibers and we carried out a security analysis in Sec. 4 to estimate at which level of Eve's presence Alice and Bob must abandon the transmission for the chosen attack. The attack we chose to consider is a modification of Nguyen's attack [17] shown in Fig. 3. When applied to the standard pp-like protocols it can be viewed as sending plain text messages protected by the control mode. For a modified two-state pp protocol with a vacuum state it can be proved secure [14,21], but for the standard pp protocol or its extension to four states there is no critical presence of Eve in the protocol since we have constant and maximal Alice-Bob mutual information (I AB ) for any Eve's presence (0 < X < 1) and without it and without having a new kind of privacy amplification algorithms developed for absent critical presence (disturbance, QBER) we do not know when to abort the transmission in such a protocol. In contrast, our protocol is resistant against such Nguyen's attack because it also contains entanglement-based computational basis states.
On the other hand, it is also fundamentally different from the BB84 because Eve cannot send her photon particularly polarized without also affecting Bob's photon's polarization, i.e., she cannot deterministically resend photons in a particular state of polarization even when she knows whether HWPs are inserted of not.
A modified pp protocol with a vacuum state proposed in [14,21] proved to be secure. In other pp-like protocols [7,10,15,16,[41][42][43][44], whenever one can define a critical disturbance, Eve's attacks influence I AB with respect to I AE more than in our protocol. As shown in Fig. 4, for Eve's presence of up to 60% (X < 0.605) we have I AB > I AE and the transfer is secure for the considered attack. This Eve's presence corresponds to the disturbance of 30% (D = X/2) which is much higher than 11% and 12.7% of D (QBER) for four-and six-state BB84 protocol and also higher than 22.7% and 25% for the 3-and 4-dim protocols mentioned in Sec. 1.
Recently, two-way classical communication channel was used to boost the critical QBER of four-and six-state BB84 protocols to 26% and 30%, respectively [45]. Similar two-way classical communication channel can be used to boost our critical QBER significantly over 30%. This is the work in progress.
Taken together, the proposed protocol allows for much higher disturbance (QBER, Eve's presence), at which the mutual information between Alice and Eve reaches the mutual information between Alice and Bob, than other standard pp-like protocols. The price we have to pay for such an increased robustness of the protocol is a limited distance since the efficiency of Bob detecting both photons diminishes over four times the distance that a single photon would cover in a BB84 implementation. Hence, right now, the protocol is suitable for urban inter-institutional high-security networks.