Two-way Quantum Key Distribution at Telecom Wavelength

Transcription

1 Two-way Quantum Key Distribution at Telecom Wavelength Rupesh Kumar, Marco Lucamarini, Giovanni Di Giuseppe, Riccardo Natali, Giorgio Mancini, and Paolo Tombesi Dipartimento di Fisica, Università di Camerino, I Camerino, Italy (Dated: October 5, 2007) We report on the first quantum key distribution effected with a two-way deterministic protocol over a standard Telecom fiber. Despite the common belief of a prohibitive loss rate for such a scheme the results show its feasibility on distances of few tenths of kilometers. PACS numbers: a, Dd, Hk I. INTRODUCTION The basic purpose of any cryptographic setup is to let two users, traditionally called Alice and Bob, communicate in a secret way. A communication is deemed secret when any third unauthorized party (usually called Eve) is kept almost totally ignorant about it. Whereas it is highly impractical to achieve a perfect secrecy with only classical means, it has been shown [1 4] that quantum mechanics in conjunction with standard information theory [5] can dramatically simplify such a demanding task. The resulting discipline studying this issue is generally briefed under the name of Quantum Cryptography [6 8]. The secret communication mentioned above occurs in two steps: in the first, Alice and Bob resort to quantum mechanics (mainly quantum optics) to generate a common random key known only to them. This step is known as Quantum Key Distribution (QKD). In the second step Alice and Bob use the generated key to enable a secret classical communication, for example using the socalled perfect cipher, patented by Vernam in 1919 [9] and demonstrated secure by Shannon in 1949 [5]. So the QKD represents the only point of the whole communication in which quantum mechanics plays a role. All the known practical setups for QKD are realized with photons, which can travel for long distances without interacting too much with the surrounding environment, and can be easily generated, manipulated and detected. Nevertheless the way to exploit photons for a secret quantum communication is not at all unique, and many different experiments have been realized in this context during the last two decades. Among all the possible quantum setups for QKD, of particular interest are those conceived to plug into the existing optical-fibre network at the third Telecom window (wavelength around 1550 nm). In this paper we describe a fiber-based QKD in the third Telecom window performed, for the first time, with a bidirectional deterministic protocol, namely the LM05 [10, 11]. Although this protocol has been not yet proven unconditionally secure, it features a more than usual resistance against a wide class of individual at- Electronic address: rupeshkumar.ps@unicam.it Electronic address: marco.lucamarini@unicam.it tacks by the eavesdropper Eve, and performs better than standard one-way protocols [12] on short and middle distances as far as the rate of transmission is concerned [13]. Furthermore it allows for a communication in the Holevo limit [14] and, at least in principle, for a direct communication [15]. In Section II we review the LM05 protocol, pointing out the main differences with the most popular nondeterministic protocol for QKD, the BB84 [12]. In Section III we describe the details of our experimental setup and in Section IV we discuss the results. Section V contains some concluding remarks. II. THE PROTOCOL In LM05 (see Fig.1) Bob prepares a qubit in one of the four states 0, 1 (the Pauli Z eigenstates), +, (Pauli X eigenstates), and sends it to his counterpart Alice. With probability c Alice switches to Control Mode (CM) and uses the qubit to test the channel noise or, with probability 1 c, she switches to Encoding Mode (EM) and uses the qubit to encode a bit of information. The CM consists in a projective measurement of the qubit along a basis randomly chosen between Z and X, followed by the preparation of a new qubit in the same state as the outcome of the measurement. The EM is the modification of the qubit state according to one of the following transformations: the identity operation I, which leaves the qubit unchanged and encodes the logical 0, or iy Z X, which flips the qubit and encodes the logical 1. Alice can now send the qubit back to Bob who measures it in the same basis he prepared it; in case of an EM run this feature allows Bob to deterministically infer Alice s operation, without any need of a basis reconciliation procedure, typical of non-deterministic setups like BB84. Notice that it is not necessary to provide Bob with the knowledge of the modality chosen by Alice (EM or CM) in order to achieve the determinism of the protocol. In fact, Alice declares the CM and the EM runs after the end of the whole transmission. By comparing the data collected during the CM the users estimate the Quantum Bit Error Rates (QBERs) on the forward and backward channels; we call these two partial QBERs respectively q 1 and q 2. By comparing a part of the data collected dur-

2 2 PREPARATION 0 1 Z + X BOB MEASUREMENT AND DECODING = 0 = iy I 1 EVE E 1 E 2 ALICE 1 C C ENCODING = 0 = 1 iy I CONTROL or Z X tocols [16], the current partial implementation of LM05 represents a meaningful result, as it is directly connected to the final secure rate achievable with a complete implementation. To better illustrate this point we kept our setup for LM05 as close as possible to the setup for BB84 described in [22]. This allows to a certain extent a first experimental comparison between a deterministic protocol and a non-deterministic one in terms of secure rate. Eavesdropping and Privacy Amplification FIG. 1: Schematics of LM05 Protocol. Bob prepares the qubit with random bases and values and sends it to Alice. Alice encodes data on it with probability (1-c), or measures the qubit with probability c. In case of measurement she also prepares a new qubit in the same state resulting from her measurement. Finally Bob measures the qubit in the same basis used for its preparation and decodes the data. ing the EM the users estimate also a third, total, QBER Q AB. This quantity is not necessary for the security of the protocol but proves useful for estimating the mutual information between Alice and Bob. Actually only two out of the three QBERs are sufficient to guarantee the security of the protocol, for example q 1 and Q AB. As the backward path of the CM is quite difficult to realize in practice, this observation turns out to be important for any practical implementation of the LM05. We point out that the CM is a necessary procedure for any twoway quantum protocol. In fact there exists a number of attacks, like Trojan-horse [16], quantum man-in-themiddle [17] and double-cnot [17, 18] which can not be detected by Alice and Bob using only the EM runs. The LM05 protocol has already been tested at the wavelength of 800 nm using the photon polarization as a quantum carrier of the information [13, 19]. However this choice is not ideal when coping with optical fibers because birefringence makes the polarization change randomly. In the current implementation we use an encoding based on the relative phase between two pulses separated in time. In this way the channel noise seen by the two pulses is the same, and their relative phase remains stable in time. The only left noise is the one coming from a misalignment between Alice s and Bob s apparatuses. To eliminate this source of noise we adopted the mechanism of passive compensation, invented in [20] and employed for QKD in the so-called Plug-and-Play systems [21 25]. This technique fits in a very natural way with the EM of LM05, thus letting the implementation reported here. In the current work only the EM of the LM05 is experimentally realized. So, as a consequence of what said above, we can not claim the security of the scheme against a number of specific attacks, like for instance the Trojan-horse. However, beside the fact that the Trojanhorse attack is a serious threat for all the known pro- Several eavesdropping strategies against LM05 have been analyzed in [10, 13, 17]. In the present work we consider two specific strategies which allow a direct comparison with the theory developed for the BB84 protocol in [26] and exploited in [21] and [22], namely the Intercept-Resend attack (IR) and the Beam-Splitting attack (BS). IR is an example of a zero-loss eavesdropping, while BS is an example of a zero-qber eavesdropping. The most powerful eavesdropping should be given by the best combination of these two classes of attacks. In turn, the procedure of privacy amplification [27, 28] should remove from Eve s hands all the bits gained through any kind of attack. We note however that the theory developed here is not the most general possible. However it has already been adopted in the past for the BB84 [21, 22] and contains all the essential features of a more sophisticated analysis, as can be found in [29, 30]. Given an upper bound on the information tapped by Eve, it is generally true that the final amount of secure bits F W is given by: with: N W P F W = N W P S E W, (1) the number of bits composing the so-called raw key in the BB84 and LM05 protocols (W = BB84, W = LM05 respectively). In both protocols the raw key is composed by those qubits that: (i) did produce a single click in the receiver s detectors and that (ii) were not selected for testing the noise on the channel. Furthermore in BB84, the raw key qubits come from the ones which survived the basis reconciliation procedure [12], while in LM05 they come from those collected during the EM. the number of parities revealed during the procedure of error correction [32]. This number is the same for BB84 and LM05 because it only depends on the QBER of the communication channel and on the (classical) error correction procedure. S the security parameter defined in [27]. 2 S / ln2 represents the number of bits Eve knows in the final block distilled by Alice and Bob. We set S equal to 30, the same value used in [22].

3 3 E W un upper bound on the number of bits tapped by Eve by means of her quantum attack. This bound is a function of the QBER measured by the users, and can be equal to E BB84 or to E LM05, both defined later on. The theory of Quantum Cryptography is mainly concerned with the estimation of this last parameter E W. In what follows we show how to calculate it in the BB84 and LM05 protocol, for the two eavesdropping strategies IR and BS. Zero-loss attack (IR). IR represents one of the simplest attacks at Eve s disposal [26]. It consists in Eve blocking a qubit, measuring it in a random basis, registering the (classical) outcome, and forwarding to Bob the resultant qubit state. When Eve perchance measures in the same basis of Alice and Bob she creates no error and gets all the information; on the contrary, for different basis, she creates an error with probability 1/2 and gets no information. Hence, on the average, the probability for Eve to cause an error is p = 1/4. Moreover, whereas it would be natural to say that Eve acquires an average information of 1/2, in [26] is shown that an upper bound to Eve s maximum deterministic information amounts to 1/ 2. In order to ascertain the connection between the bits eavesdropped by Eve and the errors detected by the legitimate users it is useful introduce the following three random variables: k e t the total number of qubits intercepted by Eve, the total number of bits learned by Eve, the total number of errors detected by Alice and Bob. While k and e should be indirectly estimated by Alice and Bob, t is the only observable quantity to them [33]. It is natural to assume that for k attacked qubits the number of errors t follows a Binomial distribution B [k,1/4] (t), where the factor 1/4 is Eve s probability to create an error. All the same the random variable e follows a Binomial distribution B [k,1/ 2] (e). However, as said, the only measurable parameter is t. Hence it is necessary to invert the probability distributions so to express k and e as functions of t. To do that we linearize the random variables of interest by using the momenta of the distributions. We start from B [k,1/4] (t): E(t) = t = k/4 (2) V ar(t) = σ 2 t = 3k/16. (3) Eq. (2) can be inverted to give the estimator for k: E(k) = k = 4 t. (4) The variance of the estimator can be calculated as: V ar(k) = 16σ 2 t = 3 k = 12 t, (5) so that up to the second order momentum the random variable k can be written as: k = E(k) ± V ar(k) (6) = 4 t ± 12 t. (7) Analogously the momenta for the distribution B [k,1/ 2] (e) are: E(e) = ē = k/ 2 (8) V ar(e) = σē 2 = k 1 ( 1 1 ). (9) 2 2 By substituting Eq. (7) into Eqs. (8) and (9) we can obtain the expression for the random variable e as a function of t: where e = ē ± σē, (10) ē = 4 t/ 2 (11) ( ) ( 1 = 6 t + 4 t ) (12) 2 ( = ) t. (13) σ 2 ē Notice that in doing the substitution we have retained only the terms which give a contribute up to the second order to e. Specifically we neglected the term coming from the substitution of the variance of Eq. (7) into the variance of e given in Eq. (9). We can finally write the parameter E W pertaining to the IR attack in the BB84 protocol as: EBB84 IR = ē ± 5σ E = 4t ± 5 ( )t, (14) 2 where a confidence interval of 5 standard deviations is assumed [26]. Given a Normal distribution the probability that a value falls outside the region of 5 standard deviations is about It is natural to compare this value with the quantity 2 S / ln2 defined before, i.e. the number of bits Eve knows in the final block distilled by Alice and Bob. The IR attack against LM05 is very similar to the one against BB84. The only difference is that Eve has to measure both in the forward path and in the backward one in order to ascertain the value of Alice s encoding. This double measurement by Eve causes an error with the same probability as BB84, p = 1/4 [36]. Hence t still follows a Binomial distribution B [k,1/4] (t). However to calculate the information stolen by Eve in LM05 is necessary to distinguish between two error-reconciliation procedures available to Alice and Bob, that we call Direct Reconciliation (DR) and Reverse Reconciliation (RR) in analogy to what happens in the Quantum Cryptography with continuous variables [31]. The difference between

4 4 DR and RR depends on who between Alice and Bob correct the acquired data in order to reach the agreement with the other. In LM05 when Bob corrects his data to match the encoding by Alice we speak of DR; when Alice corrects her data to match Bob s results we speak of RR. Direct Reconciliation. The theory of [10] improved in [19] shows that in LM05 Eve can acquire full information (1 bit) with the IR, rather than the fraction 1/ 2 acquired in BB84 with the same attack. This implies that e follows a Binomial distribution B [k,1] (e), rather than the B [k,1/ 2] (e) pertaining to the BB84. Hence, indicating with primed quantities those referred to LM05, and with steps analogous to those of Eqs. (2) (9), we have: E (t) = t = k/4, E(k) = k = 4 t, V ar (t) = σ 2 t = 3k/16; V ar( k) = 12 t; E (e) = k, V ar (e) = 0. Notice that the zero variance for e comes from the distribution B [k,1] (e). Following the criterium of the 5 standard deviations used before and in [26] we arrive at the expression for the information eavesdropped with IR in the LM05 with a DR: E IR LM05 DR = 4t ± 5 12t. (15) Reverse Reconciliation. In LM05 Eve can not guess with certainty the Bob s outcome during the EM [10], [19]. This is due to the fact that the bases used by Alice and Bob are never revealed during the EM of LM05. All Eve can do is to guess Bob s bits with a certain probability. In case of IR this probability amounts to 75%. This is similar to what happens in BB84 when Eve measures along the so-called Breidbart basis [26]: Eve can not know with certainty the bit shared by Alice and Bob; she can only guess it with a probability of about 85%. This similarity allows us to repeat for LM05 the argument of Big Brother presented in [26] for BB84. The nett result is the substitution of a factor 1/2 instead of the factor 1/ 2 in the calculation leading to Eq. (14). After that the rate for LM05 with RR against IR turns out to be: E IR LM05 RR = E IR BB84 = ē ± 5σ E = 2t ± 5 4t. (16) Zero-QBER attack (BS). In the BS Eve uses a beamsplitter of transmissivity T = 1 R to deviate a fraction R of the main beam coming from Alice towards her detectors, which are supposed to be ideal (100% quantum efficiency, no dark counts). If Alice uses a perfect singlephoton source the single photon can only be detected either by Eve or by Bob. However in practice Alice uses an approximated single-photon source i.e. an attenuated laser beam. For this source the number of photon per pulse follows a Poissonian statistics. It is then possible that a single pulse contains more than one photon in the same quantum state, and that both Eve and Bob detect the same qubit. In this case Eve steals one bit of information without introducing any noise in Bob s measurement; however she introduces losses. Alice and Bob, from the knowledge of the loss rate, should be able to infer how much information has been stolen and remove it by means of Privacy Amplification. The approach for BS is very similar to the one adopted for IR. We first evaluate the probability of success for an Eve eavesdropping one bit of information when BB84 is adopted. Let us define as µ the average number of photons contained in each pulse prepared by Alice. With the above-mentioned BS Eve splits a fraction Rµ from the main beam towards her (ideal) detectors, so that the probability to successfully detect a photon is given by: P = 1 e Rµ Rµ. The above approximation holds when µ 1. Usually in the experiments µ = 0.1. It is reasonable to assume that R 1 because usually the attenuation rate measured by Alice and Bob is very close to the unity at 1550 nm. Hence Eve s probability to successfully detect a photon is about µ when µ is small enough. We also conservatively assume that Eve possesses a perfect quantum memory to store the bits until the moment in which the basis is revealed by Alice and Bob, so that every stored photon is detected by Eve in the right basis. This means that the number of acquired bits by Eve with BS in the BB84 is a Binomial distribution B [N,µ] (e), where N is the total number of qubits prepared by Alice. Hence we have E(e) = Nµ, V ar(e) = Nµ (1 µ). From these equations is simple to repeat the arguments adopted for IR in order to achieve the net secure rate pertaining to BS. Putting the two rates together (IR and BS) we obtain the final rate of a BB84 that is secure against the two considered attacks: ( ) 4t E BB84 = + Nµ ± 5 ( )t + Nµ (1 µ) 2 (17) ( ) 4p [ = + µ N ± 5 (4 + 2 ] 2)p + µ (1 µ) N. 2 (18) The second equation should be used when Alice and Bob estimate the QBER (indicated with p) rather than measuring the number of errors t. However in this case the formula should be slightly modified to account for the variance of the QBER s estimate. We stress that the above equations hold until the approximation for small µ holds. In analogy with BB84 one can calculate the amount of Privacy Amplification necessary to cope with BS in LM05. Being LM05 a two-way protocol the BS must be accomplished using two beam-splitters rather than one, positioned along the two paths of the communication channel. In this way Eve can happen to measure two photons, one from the forward path and one from the

5 5 backward one; then, by comparing her outcomes, Eve can ascertain the encoded information. Let R 1 and R 2 be the reflection coefficients of the two beam-splitters. After the first beam-splitter Eve has a probability of successful detection P 1 = 1 e R 1µ. The fraction of the beam transmitted through the first beam-splitter is T 1 µ = (1 R 1 )µ. Then the fraction of the beam deviated by the second beam-splitter is R 2 (1 R 1 )µ, and Eve s probability to detect a photon in the second path is: P 2 = 1 e R 2(1 R 1 )µ. A successful eavesdropping is given by two successful detection events in the same run: P BS12 = P 1 P 2 = ( 1 e R 1µ ) ( 1 e R 2(1 R 1 )µ ). (19) From this expression it is straightforward to check that the values R 1 = 1/2, R 2 1 maximize P BS12 for any µ [37]. This means that Eve s best strategy is to grab almost all the information from the backward path while splitting into equal parts the information from the forward path. Inserting the optimal values of R 1 and R 2 into Eq.(19) we have: P BS12 ( 1 e µ/2) 2 = P = 1 2e µ/2 + e µ. The number of acquired bits by Eve with BS in the LM05 is a Binomial distribution B [N,P ](e) so that: E(e) = NP V ar(e) = NP (1 P ). Repeating the arguments presented above and putting the results together with those pertaining to IR for direct and reverse reconciliation we obtain the secure rate of LM05 against the two attacks IR and BS: E DR LM05 = (4t + NP ) ± 5 12t + NP (1 P ) (20) = (4p + P ) N ± 5 [12p + P (1 P )] N; (21) E RR LM05 = (2t + NP ) ± 5 4t + NP (1 P ) (22) = (2p + P ) N ± 5 [4p + P (1 P )] N. (23) III. EXPERIMENTAL APPARATUS Optics. The schematics of the optical layout is depicted in Fig. 2. A 100 ps pulse from a 1550 nm DFB diode laser integrated in single-mode grade fibre is attenuated and then sent through an imbalanced Mach-Zender interferometer (MZ) realized with polarization-maintaining fibers. The attenuation stage is composed by a 20-dB FIG. 2: LM05 setup using integrated optics over optical fiber. Bob s station: 1- DFB-LD@1550nm, 2- Isolator, 3- Fixed attenuator, 4- Variable attenuator, 5- Polarization controller, 6- Circulator, 7- Polarization maintaining variable coupler, 8- PM fiber (10m), 9- Phase modulator, 10- Polarization combiner, 11- Filter@1550nm, 12- WDM coupler (@ nm), 13- DFB-LD@1310nm, 14- InGaAs APDs (id-quantique, id200). Alice s station: 1- WDM coupler (@ nm), 2- Filter@1550nm, 3-80/20 1x2 Coupler, 4- Polarization coupler, 5- Faraday mirror, 6- Variable optical delay line, 7- Phase modulator, 8- Fast InGaAs-PIN. In blu-color are draw Single-Mode fiber, and in red-color Polarization-Maintaining fiber. VA- variable attenuator. fixed attenuator plus a variable one, and allows to prepare the average photon number µ of the pulses. The presence of the attenuation before the MZ is a difference from the usual plug-and-play schemes. The reason for this is related to the two-way nature of LM05: it is Bob, rather than Alice, to prepare the initial pulse, and to finally measure it; so if the attenuator was after the MZ the beam would be attenuated twice, once per path. At the input of the MZ a 50/50 beam splitter (BS) splits the weak pulse in two, one traveling in the long arm and one in the short arm, thus creating a time-split qubit. In the short arm a phase modulator (PM) changes the relative phase between the two components (0 or π for the Z basis, π/2 or 3π/2 for the X basis), encoding the qubit in one of the four initial states of the protocol. Since the PM is polarization sensitive, a polarization controller (PC) is used to optimize the polarization of the input weak pulse. A polarization beam splitter/combiner (PBS) finally sums up the components at the output of MZ into a single-mode fibre. So, after PBS the qubit is composed by two weak pulses with orthogonal polarizations and separated in time by about 37 ns. Bob sends a so prepared qubit to Alice through a single mode fibre. Also a bright laser nm is injected in the channel through a wavelength division multiplexer (WDM) in order to synchronize the system. At Alice side, the bright pulse is extracted using a second WDM and directed towards a PIN detector that acts as a clock for Alice encoding operation. The qubit pulses go into

6 6 a Bethune and Risk interferometer [21]. It is composed by a PBS and a Faraday mirror whose combined effect is to adequately adjust the photons polarization before they enter the polarization sensitive PM, placed in a fiber loop. By choosing carefully the distances inside the interferometer is possible to make the two pulses coming from the PBS pass at the same time, in opposite direction, through the PM. In this way Alice can change at her will the relative phase between the two pulses coming from Bob simply by acting twice on the PM. A phase change of π encodes the binary value 1 while a phase change of zero encodes the value 0. Notice that a given relative phase value can be obtained as the difference of infinitely many pairs of global phase values. For instance, in order to encode a zero relative phase, Alice could encode a global phase ϕ 0 on both the first and the second pulse coming from Bob. After Alice s encoding the pulses are reflected back towards Bob. However their polarization is orthogonal to the one they had when entered Alice s site. This effect is due to the Faraday mirror, and enables the automatic compensation of noise typical of the plug-and-play setups [21, 23, 24]. The nett result is that the pulses trace back their steps in the reverse path until they arrive at Bob s site in a polarization state orthogonal to the initial one. Hence, Bob s PBS interchanges the paths and let him put on his PM a decoding phase shift, which depends on the basis used by Bob in preparing the initial qubit. This feature provides the determinism of the scheme. After passing for the second time through the MZ the pulses are eventually detected by two APD single-photon counters (id-quantique, id200). Electronics. An electronic layer is used for controlling and synchronizing the whole apparatus through a couple of remote computers located at Alice and Bob sites, and connected using two 20 MHz, 32-bit Digital I/O cards (DIO) by National Instruments (NI-6534). We slowed the cards down to a repetition rate of 2.5 MHz, with a 25% duty-cicle, to match the maximum rate acceptable by the detectors as external trigger. From the available 32 bits of Bob s DIO card, 16 have been devoted to the writing task, and 16 to the reading task. From the 16 writing bits 14 bits are converted to analog by a DAC, amplified by an Op-Amp, and used to drive Bob s phase modulator; 1 bit is used to trigger the two pulsed lasers, with a proper delay between them, and the DAC; the last bit, again properly delayed, is used to gate the Bob s detectors, and also to trigger the reading task during which the outputs of the detectors can be written into the first two lines of the reading bits. Note that the last mentioned delay, introduced to synchronize the reading part with the writing one, depends on the length of the fiber, and can be tuned by software in order to match the physical layout. Detector clicks are collected and stored in Bob s computer along with the information about the phase value used in the preparation/decoding of the qubit. A multi-threaded driver software allows the writing and reading tasks to occur at the same time without further delays. On each qubit Alice encodes data using a second NI DIO card in a simpler configuration. The phase modulator driver electronics are the same as that of Bob. Of course the main point here is to synchronize Alice and Bob s operations. This is achieved through the intense nm, on which Alice resets the internal clock of her card. She then refers to this clock for all the remanent operations. The bright pulse is prepared by Bob with a structure that we call a physical frame constitutes of a label header plus 4096 triggers for the quantum information encoding. Software. The tasks performed by the software are manyfold: it controls the electronics to prepare the physical frames together with their labels, and to acquire them at the end of transmission; it writes and reads information into a file inside Bob s computer, and further process them [38]. The acquisition process is conceived for a real-time generation of a quantum key. Specifically the system counts all the vacuum, single and double clicks of Bob s detectors [39], and puts this temporary information into the RAM of the DIO card. When the singles overcome the value 4096 the information is transferred for the classical post-processing. This information constitutes what we call the logical frame. In general a logical frame will be composed by a variable number of physical frames, depending on the losses of the channel. Furthermore the size of the logical frame is not precisely defined, because the software only requires that the number of singles is greater than The singles contained in the logical frames constitute the so called raw key. In the standard BB84 the raw key is subsequently sifted by the procedure of basis reconciliation. However, being LM05 a deterministic protocol, it does not require a basis-reconciliation procedure. Hence the raw key and the sifted key are, for us, essentially the same. The bits constituting the logical frame are packaged into blocks whose size is a power of 2; this enables a straightforward Error Correction (EC) via a modified version of the Cascade protocol [34], explained later. The packaged and corrected bits then undergo the procedure of Privacy Amplification (PA). Finally, when required, our software can use the quantum key just distilled to encrypt and send a message or an image between distant users via the Vernam cipher [9]. All the software is written in C and C++ for Windows OS. It is independent from other parts of the setup and can be exported to other platforms. The EC procedure is a simplified version of the Cascade protocol [34]. It is based on the interactive binary search of the error [26]. The bits come from the previous packaging step already grouped into a number that is a power of 2. This greatly simplifies the binary search, which is based on a bisection algorithm. We used groups of 4096 bits, a value often seen in the experiments. Our EC greatly exploits the adaptivity property of Cascade. At each block s correction the program reads a temporary QBER value and calculates the best way to partition the block in sub-blocks of smaller size. It then effects the

7 7 binary search and corrects the error, counting the total number of detected (and corrected) errors in the block. The temporary QBER of the n-th block is the one read from the (n 1)-th block. The first block has a fixed initial QBER of 15%. Simulations have been performed on blocks of bits to compare the performances of our EC protocol with the one described in [34]. In all the tested instances our protocol performed a faster correction at the same average distance from the Shannon limit. The user deputed to correct his bits under the indications of the other user can be either Alice or Bob (Direct or Reverse reconciliation respectively). In our experiment we chose that Alice tells Bob how to change his bits in order to correct errors. The PA procedure is performed by means of Toeplitz matrices as universal 2 hash functions. The program acquires the 4096-bit-long vector v c of corrected bits and the values of t and µ defined in Section II. It calculates the parameter F of Eq. (1) and prepares a pseudorandom Toeplitz matrix T of size 4096 F ; this step requires ( F 1) pseudo-random bits. Finally the multiplication of T times v c provides the users with the final sequence of bits, i.e. the quantum key. QBER [%] Km Km Km FIG. 3: Variation of the QBER with different mean photon number for three different fiber lengths (5.86, 11.22, km) connecting the two users. The values of µ are measured as described in the text. The theoretical curves are plotted according to the noise model given by eq. (31) with Q opt = , Q el = and p dark = IV. EXPERIMENTAL RESULTS accounts for the losses of the channel and of Alice s and Bob devices, and the first order expansion is given by: Our main result is the noise model of LM05, in its fiberbased implementation, depicted in Fig. 3. It contains the variation of the QBER Q AB as a function of the average number of photons µ sent out by Bob. The QBER is measured by counting the errors in the data acquired by Alice and Bob during the EM. µ is varied through the variable attenuator showed as component 4 in Fig. 2. Average photon number. Each value of µ is given by the ratio of the singles in a logical frame and the total number of triggers contributing to that frame. This ratio is measured in two different ways. The first, which can be considered a calibration of the setup, is done by taking the photons soon after Bob s interferometer, before they travel into the channel. In this way µ is given by µ = counts triggers 1, (24) Γ d where Γ d is the average quantum efficiency of Bob s APD detectors, assumed equal to the nominal value of 12%. Eq. (24) comes from the first order expansion of the complete expression for the signal p sign, measured by the ratio of single counts on triggers, given by: p sign = 1 e µγ d. (25) The dark counts are neglected in the above expression. The second consists in detecting photons after the whole round trip in the setup. So in this case we must add to the exponent in Eq. (25) a second factor, which µ = counts triggers 1 ; (26) Γ d Γ s Γ s is the transmittance of the channel between Alice and Bob after including a double passage in an optical fibre of transmittance Γ qc and in Alice s setup of transmittance Γ a, and a single passage in Bob s box, whose transmittance is Γ b : Γ s = Γ 2 a Γ 2 qc Γ b. (27) The transmittances have been measured from the attenuation of intense pulses. They amount to Γ a (3.98 db) and Γ b (4.09 db); on the contrary the value of Γ qc depends on the distance of the channel. [40]. The two estimates for µ lead to the same result within the experimental tolerance. Hence, after calibrating the system once, we adopted the easier second measurement for the in-course estimate of µ. Finally we point out that the double counts have been neglected from the estimate of µ, thus underestimating it by a factor of about For every setting of the variable attenuator we acquired about 10 blocks of sifted key, which form the groups of points reported in the figure. It can be noticed the spreading of the points in the horizontal direction when µ increases from lower to higher values, and in the vertical direction when the QBER increases. This is due to the Poissonian statistics followed by the experimental points, which show a variance increasing with the square root of the mean value of the sample.

8 8 Distance. The measurements are done after fixing three main distances between Alice and Bob: 5.86, and km. These distances are obtained in the following way: there is a real optical fibre of length L 0 = km connecting the users; the remaining distance is virtual, i.e. it is simulated by using the variable attenuator showed as component VA in Fig. 2. The idea, introduced in [35], is to vary the attenuation rate so to mimic the presence of more or less fibre connecting Alice and Bob, assuming a standard attenuation rate for the fibre which at 1550 nm is of γ 0.2 db/km. By varying the attenuation A we can ascertain the virtual distance L v using the following equation: A = 10 2γLv 10. (28) Notice the factor 2 which is peculiar of our two-way scheme. The natural way to measure the attenuation A is from the ratio of the counts before and after the action of the attenuator, according to the equation: µ = A µ. (29) From Eq. (28) and L 0 we can obtain the total distance, in kilometers, between Alice and Bob as: L tot = L 0 + L v. (30) QBER. The theoretical lines of the QBER versus µ are given by the following error model (we make explicit the dependance of the QBER on µ): where Q AB (µ) = min[q opt + Q el + Q dark (µ), 1 ], (31) 2 Q dark (µ) = p dark p sign (µ) + 2p dark. (32) Q opt is the noise related to the interference quality, and is almost independent of the distance when the distances are not too big; it amounts to Q el is the electronics noise, coming from the boards and the DIO cards; it is always independent of the distance and amounts to These two noises create the background noise in Fig. 3, which corresponding to a visibility of 98%. The count probability, p dark, in a time-window gate of 2.5 ns with the laser disabled amounts to in our setup, corresponding to a detector dark counts probability of and to due to stray counts and noise from the LD at 1330 nm [41]. Raw key and final key. Once all of the above quantities are known it is possible to give the expected raw key rate as reported in Fig. 4: R raw = νµγ d Γ s, (33) where ν is the repetition rate of the source. Notice that in the standard plug-and-play BB84 a factor 1/2 multiplies the above expression [7], because of the presence of the Key [cps] Raw Key Part. Ampl. Key F RR LM05 F DR LM L [Km] FIG. 4: The experimental rates of the LM05 apparatus. The quantities are given as function of the fiber length connecting the two users. The raw key is the collection of the events in which only one of Bob s detectors counted. The partially amplified key is the result of a privacy amplification process which only takes into account the parities P revealed during error correction and the security parameter S (see text for the parameters definitions). FLM05 DR and FLM05 RR are the theoretical rates pertaining to LM05 when Intercept-Resend and Beam-Splitter attacks are taken into account, in case of Direct Reconciliation and Reverse Reconciliation respectively (see text for details). basis reconciliation procedure. For LM05 this factor is 1, because of determinism. Remember that for the same reason the raw key is essentially the same string as the sifted key for us. In Fig. 4 we reported our key generation rates as a function of the distance between Alice and Bob. The data are obtained after fixing the variable attenuator showed as component 4 in Fig. 2 at the optimal value for every distance [42], and by changing the variable attenuator at the output of Bob s station, showed as component VA in Fig. 2, so to change the virtual distance between the users. The write and read procedures from the NI-6534 DIO card obliged us to work with bunches of bits (4096) prepared at a repetition rate of 250 khz separated by empty spaces of 20 ms, thus resulting in an average rate of 150 khz. With this average repetition rate we can generate our keys with the rates reported in Fig. 4. For a distance of 10 km the raw key generation rate is of about 250 bit/s. We also reported in Fig. 4 the rate of a partially amplified key, and the theoretical curves for the complete privacy amplified keys, both in Direct Reconciliation (DR) and in Reverse Reconciliation (RR). To generate the partially amplified key we only took into account the parameters P and S in Eq. (1). The theoretical fits of the other two curves are given by the rate of Eq. (33) multiplied by the factor related to privacy

9 9 amplification, given by Eq. (1), normalized to the total number of counts. Notice that the µ is chosen so to maximize the rate for each given distance. However it should be said that the optimal values of µ are never too distant from µ 1. The Figure shows that on 10 km at the repetition rate around 150 khz we can provide up to 40 bit/s in DR and 70 bit/s in RR on about 200 bit/s of raw key. We remember that the rate of the final key can be slightly but easily increased by including the CM in the apparatus (see Note [37]), while the raw key rate improvement is mainly a matter of telecommunication technology. We can attempt now a comparison with the BB84 reported in [22], which features an experimental setup and a privacy amplification model similar to ours. In [22] the trigger repetition rate is 1 MHz, the raw key generation rate is about 4400 bit/s and the final key generation rate is about 1500 bit/s for a 10 km fibre-link. Our trigger repetition rate is about 6.6 times smaller, while our raw key rate is about 22 times smaller. On one side this is due to the two-way connection between the users, which, roughly speaking, features about the double of lost qubits with respect to a one-way channel. On the other side this is related to the technical implementation of our setup, which can still be improved significantly. Our final key generation rate is about 37.5 times smaller in DR and 21 times smaller in RR than the correspondent rate of [22]. The ratios between the final key and the raw key generation rates are then about the same for the BB84 and the LM05 in RR. However it should be noted that, apart from some similarities, the experimental setup in [22] is optimized in several ways. Actually, if we put our experimental parameters in a simulation for the BB84 protocol we hardly obtain a positive final secure key rate over a distance of 10 km. This motivates a future research in the direction of implementing both the protocols in the same experimental setup for a more direct comparison. V. CONCLUSION We presented the complete implementation of the LM05 Encoding Mode at telecom wavelength, using integrated optical elements and the passive compensation technique usually adopted in the plug-and-play schemes for BB84. We successfully distilled secret keys after sifting, error correction and privacy amplification at rates comparable with a similar setup employed for BB84. The realization of the Control Mode will further enhance the security of the protocol, both ruling out Trojan-horselike attacks and restricting the potentialities of the zero- QBER attacks. It would require an active compensation of the channel noise similar to that currently adopted for the one-way BB84. Despite the in principle possibility of a direct quantum communication with LM05, the high loss rate of quantum communications, specially that registered at telecom wavelengths, still severely limits this interesting option. This work has been partly supported by the European Commission under the Integrated Project Qubit Applications QAP funded by the IST, Contract No We also acknowledges financial support from the Ministero della Istruzione, dell Università e della Ricerca Grants Nos. PRIN and FIRB- RBAU01L5AZ, and from CNISM Progetto Innesco [1] M. Ben-Or, M. Horodecki, D. W. Leung, D. Mayers, and J. Oppenheim, in Lect. Notes Comp. Sci., ed. J. Kilian (Springer, Berlin), v. 3378, p. 386 (2005). [2] H.-K. Lo and H. Chau, Science 283, 2050 (1999). [3] D. Mayers, in Lect. Notes Comp. Sci., ed. N. Koblitz (Springer, New York), v. 1109, p. 343 (1996). [4] P. W. Shor and J. Preskill. Phys. Rev. Lett. 85, 441 (2000). [5] C. E. Shannon, Bell Syst. Tech. J. 28, 656 (1949). [6] M. Dušek, N. Lütkenhaus, and M. Hendrych, Progr. Opt. 49, 381 (2006). [7] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden, Rev. Mod. Phys. 74, 145 (2002). [8] H.-K. Lo and N. Lütkenhaus, quant-ph/ [9] G. Vernam, US Patent 1,310,719 (1919). [10] M. Lucamarini and S. Mancini, Phys. Rev. Lett. 94, (2005). [11] M. Lucamarini and G. Di Giuseppe, Int. J. Quant. Inf. 3, 189 (2005). [12] C. H. Bennett and G. Brassard, IEEE Int. Conf. Comp. Syst. Sign. Proc., p. 175, Bangalore, India (1984). [13] M. Lucamarini, A. Cerè, G. Di Giuseppe, S. Mancini, D. Vitali, and P. Tombesi, Open Syst. Inf. Dyn. 14, 169 (2007). ArXiv: quant-ph/ [14] A. Cabello, Phys. Rev. Lett. 85, 5635 (2000). [15] A. Beige, B.-G. Englert, C. Kurtsiefer, and H. Weinfurter J. Phys. A 35, L407 (2002). [16] N. Gisin, S. Fasel, B. Kraus, H. Zbinden, and G. Ribordy, Phys. Rev. A 73, (2006). [17] M. Lucamarini, PhD thesis (2005). Available at [18] J. S. Shaari, M. Lucamarini, and M. R. B. Wahiddin, Phys. Lett. A 358, 85 (2006). [19] A. Cerè, M. Lucamarini, G. Di Giuseppe, and P. Tombesi, Phys. Rev. Lett. 96, (2006). [20] M. Martinelli, Opt. Commun. 72, (1989). [21] D. Bethune and W. Risk, IEEE J. Quant. Electr. 36, 340 (2000). [22] D. Bethune M. Navarro, and W. Risk, Appl. Opt. 41, 1640 (2002). [23] G. Ribordy, J.-D. Gautier, N. Gisin, O. Guinnard, and H. Zbinden, J. Mod. Opt. 47, 517 (2000). [24] G. Ribordy, J. D. Gautier, H. Zbinden, and N. Gisin, Appl. Opt. 37, 2272 (1998).

10 10 [25] H. Zbinden, J.-D. Gautier, N. Gisin, B. Huttner, A. Muller, and W. Tittel, Electr. Lett. 33, 586 (1997). [26] C. H. Bennett, F. Bessette, G. Brassard, L. Salvail, and J. Smolin, J. Cryptol. 5, 3 (1992). [27] C. H. Bennett, G. Brassard, C Crépeau, and U. M. Maurer, IEEE Trans. Inf. Th. 41, 1915 (1995). [28] C. H. Bennett, G. Brassard, and J.-M. Robert, Siam J. Comput. 17, 210 (1988). [29] N. Lütkenhaus, Phys. Rev. A 59, 3301 (1999). [30] N. Lütkenhaus, Phys. Rev. A 61, (2000). [31] F. Grosshans, G. Van Assche, J. Wenger, R. Brouri, N. J. Cerf, and P. Grangier, Nature 421, 238 (2003). [32] To be precise, one should encode the parities using a stream cipher like the One-Time Pad in order to decouple the procedures of Error Correction and Privacy Amplification completely [H.-K. Lo, quant-ph/ ]. [33] We note that due to the particular procedure adopted by Alice and Bob for error correction the measure of t does not carry any experimental error; in fact t is exactly the number of errors found during the EC procedure. The same argument will hold also for the average photon number µ, which is given by the number of detected photons divided by the number of collected triggers. [34] G. Brassard and L. Salvail. Lect. Notes Comput. Sci. 765, 410 (1994). [35] P. A. Hiskett, G. Bonfrate, G. S. Buller, and P. D. Townsend, J. Mod. Opt. 48, 1957 (2001). [36] This value is taken from the QBERs of the protocol: q 1 = q 2 = Q AB = 1/4. [37] Notice that if the loss rate would be monitored both at Alice s and Bob s site, as it happens in an LM05 endowed with CM, Eve is forced to set R 1 = R 2 in order to conceal her presence. In this case the optimal beam-splitters reflectivity would be 2/3, and Eve s attack would be far less dangerous than what analyzed in the present work. However, due to the lack of a CM in our current implementation, we conservatively assume the setting R 1 = 1/2, R 2 1. [38] Note that the write/read operation is currently the bottleneck of our apparatus as far as the speed of execution is concerned. [39] A vacuum count is when a trigger arrives but none of Bob s detectors fires. [40] Notice that Γ a is similar to Alice box s loss rate reported in [22]. [41] Notice that the noise contribution coming from Raileigh backscattering is absent in our setup, because the signal is attenuated since the beginning. [42] It turns out the value µ 1 is almost always optimal for the distances we considered.