Tripartite Quantum Key Distribution Implemented with Imperfect Sources

Abstract

Multipartite quantum key distribution (QKD) is a promising area of quantum networks that provides unconditional secret keys among multiple parties, enabling only legitimate users to decrypt the encrypted message. However, security proofs of existing multipartite QKD typically assume perfect state preparation devices of legitimate users and neglect the relative rotation of reference frames. These presumptions are, nevertheless, very difficult to meet in practice, and thus the security of current multipartite QKD implementations is not guaranteed. By combining the idea of a loss tolerant technique, introduced by Tamaki et al. (K. Tamaki et al., Phys. Rev. A, 90, 052314, 2014), and the concept of a reference frame-independent protocol, we propose a three-party QKD protocol that considers state preparation flaws and the slow drift of reference frames. Through a numerical simulation, the influence of misaliged reference frames on the protocol’s stability was examined by drifting reference frames through angles $\beta =\pi /5$, $\beta =\pi /6$ and $\beta =\pi /7$. In addition, the performance of the proposed protocol was examined for the encoding flaws set at $\delta =0.35$, $\delta =0.20$, and $\delta =0.10$. The results show that the protocol is robust against state preparation flaws, and is insignificantly impacted by misalignment of the reference frames because the achieved transmission distances and secret key rates are comparable to the perfect scenarios. This work dramatically contributes toward the realization of practical and secure multipartite QKD. The proposed protocol has direct applications in quantum communication network environments that involve unknown and slowly varying reference frames, web conferences, and online communications.

1. Introduction

Quantum key distribution (QKD) presents information-theoretically secure communication by employing quantum mechanical laws to reveal the presence of an eavesdropper [1]. For the past two decades, the majority of research has focused on the proposing of QKD protocols involving just two legitimate users, conventionally named Alice and Bob, who want to establish a secret shared key [2,3,4,5,6]. The rapid development in information processing technologies has led to the emergence of quantum networks [7,8,9] aimed at realizing quantum information tasks among multiple users. Quantum Cryptographic Conferencing (QCC) or multipartite QKD, which allows the distribution of information-theoretical secure keys among multiple remote users, is one of the most promising applications in quantum networks. Consequently, several QCC protocols have been proposed recently [10,11,12,13,14,15,16,17] using various quantum resources and techniques to prove the security of multipartite QKD. Despite these achievements, a large gap remains between the theoretical assumptions in security proofs of QCC protocols and actual implementation. For instance, challenges exist in relation to secret key rate, transmission distance, size, cost, imperfect physical devices, signal-to-noise ratio, and practical security [3,18,19]. Moreover, other challenges are associated with imperfections in communication channels, for instance, quantum data communications and networking, underwater communication, satellite communication, and fiber-optic communication [20,21,22,23,24]. A QCC protocol is ideally secure only when it employs perfect single-photon sources and detectors. Unfortunately, ideal devices are impractical to realize. Consequently, device imperfections may open up the possibility of security loopholes or side channel attacks by an eavesdropper, which can compromise the security of practical QCC. This brings about the need to design protocols that can be made secure against device imperfections, such as decoy-state QKD. Another bottleneck to large scale deployment of QCC is high channel loss and decoherence, which lead to a relatively low secret key rate. Therefore, in order to realize full-scale practical QCC for secure everyday communications, it is of utmost importance to develop efficient methods and models which address the aforementioned challenges. Except for this introduction, we organize this article as follows. Section 2 provides the literature review, while Section 3 outlines the operation of the proposed protocol. Section 4 evaluates the security bounds for the proposed protocol. In Section 5, we provide the key rate formula of the three-party RFI QKD based on the decoy-state theory. Section 6 provides a numerical simulation of the secret key rate based on fiber implementation and discusses the results. Lastly, Section 7 provides our conclusions.

2. Review of the Literature on QCC Protocols

Several QCC protocols have been proposed recently in efforts to close the gap between theory and practice. For instance, in order to address low key rate and transmission distance challenge, protocols inspired by the idea of twin-field QKD [25] have been proposed [12,14,26]. More precisely, the authors of [12] evaluated the security of a QCC by exploiting the multipartite entanglement of a W-class state; their protocol relied on single-photon interference in an untrusted node, following the idea of twin field QKD [27]. Based on the single photon interference of optical fields at the untrusted relay, their protocol is capable of surpassing the secret key capacity of bound for repeaterless QKD schemes. To address the problem of detector side-channel attacks, a device-independent (DI) QCC protocol has been proposed in which security is based on the violation of a Parity–CHSH inequality [28]. Unfortunately, the DI QCC requires loophole-free Parity–CHSH experiments, which means that it is not feasible with current technology. A more practical solution is measurement device-independent (MDI) QCC, which is inherently immune to all side-channel attacks targeting the measurement device and removes all detection-related security loopholes. Fu et al. [11] proposed an MDI protocol based on the postselection of the GHZ state. In this protocol, the measurement device is controlled by an untrusted third party, making it immune to all detector side-channel attacks. The primary basis of the protocol is that after a successful detection event occurs, a GHZ state is shared among multiple parties. Thus, multiple parties can distribute secret key bits among themselves via the post-selected entanglement states. Furthermore, Zhao et al. [14] presented a QCC network protocol by combining the ideas of phase-matching weak coherent pulses (WCPs) interference and post-selecting GHZ states. In addition, the protocol is measurement device-independent, thus rendering it immune to all detector side-channel attacks. While the results in the aforementioned QCC protocols constitute an essential step toward realization and guaranteeing the security of QCC systems, both analyses neglect the case of imperfect photon sources and misalignment in the reference frames. This means that the results cannot be directly applied to real-life QCC implementations.

A serious challenge in the practical implementation of QCC schemes is achieving a well-aligned reference frame between communicating parties. This task is complex because of unstable fiber communication links and imperfections in the measuring devices, which results in obscure and changing reference frames [29]. Laing et al., (2010) introduced a reference-frame independent (RFI) QKD protocol to solve this alignment problem [30]. Subsequently, several variants of their protocol have been proposed, both theoretically [31,32,33,34,35,36,37] and experimentally [38,39,40], to advance the merits of RFI QKD. Furthermore, security proofs of existing QCC protocols assume perfect state preparation. However, this assumption fails during practical implementations because of the natural deficiencies of photon sources. Tamaki et al., (2014) invented a loss-tolerant protocol that is immune against losses in the channel caused by state preparation flaws. The protocol employs only three states out of the four permissible states present in the BB84 protocol [41]. In addition, the protocol takes into consideration errors due to phase modulation by imperfect phase modulators (PM), and it has been analyzed recently in [42,43] in order to evaluate the security of QKD systems in the presence of information leakage from Alice’s phase modulator.

Therefore, inspired by the ideas of a loss-tolerant (LT) protocol and reference frame independence, we determine the security bounds in the presence of imperfect state preparation and misalignment in reference frames for a three-party QKD protocol. For this, we generalize the LT protocol to include typical imperfections in the sending devices. More precisely, in order to have the effect of information leakage from the phase modulation in the security analysis, we use the fact that signal states prepared by Alice can be written in terms of Pauli matrices. By doing this, the transmission rates of the matrices can be determined and in turn used to compute the different error rates used to calculate the objective quantity C, which is used to quantify the amount of information that has leaked to an eavesdropper. In particular, we determine the error rates by employing the security proof introduced by Koashi [44,45] based on the complementarity of conjugate observables. The effect of misalignment of reference frames is incorporated in the measurement results from the X and the Y bases by following the method introduced in [46]. In order to estimate the secret key rate of the three-party RFI QKD, we consider a biased basis choice decoy-state QKD protocol [39,47,48] with three intensity settings.

3. Operation of Proposed Reference-Frame Independent (RFI) Protocol

3.1. State Preparation

For each run i, Alice prepares a two-photon entangled state using a Spontaneous Parametric Down-Conversion source (SPDC). The SPDC process creates two identical photons, which are defined by [49,50]

$${(cosh\lambda )}^{-1}\sum _{n=0}^{\infty }{(tanh\lambda )}^n{e}^{in\chi }|n,n\rangle .$$

(1)

For a source modulated with an intensity $\mu$, which is equivalent to ${sinh}^2\lambda$, the above description simplifies to

$$\sum _{n=0}^{\infty }\sqrt{\frac{{\mu }^n}{{(1+\mu )}^{n+1}}}{e}^{in\chi }|n,n\rangle .$$

(2)

Alice randomly selects a basis $a_i\in \{X,Y,Z\}$ with probabilities $p_z$ and $p_c=1-p_z$, respectively. Here, the Z basis is chosen with probability $p_z>\frac{1}{2}$ and the complementary bases, $\{X,Y\}$ with probability $p_c=1-p_z$. Specifically, the proposed protocol employs time-bin encoding in the Z basis and phase encoding in the X and Y bases. The time-bin eigenstate $|0_Z\rangle$ or $|1_Z\rangle$ is chosen when Alice switches on her longer arm or shorter arm of the interferometer. In addition, the eigenstate $|0_Z\rangle$ or $|1_Z\rangle$ is assigned a bit values, $r_i=0$ or $r_i=1$, respectively. Alice applies phase modulation ${\theta }_A\in \{0,\pi \}$ and ${\theta }_A\in \{\frac{\pi }{2},\frac{3\pi }{2}\}$ when she selects the X and Y basis, respectively. Here the phase values ${\theta }_A\in \{0,\frac{\pi }{2}\}$ and ${\theta }_A\in \{\pi ,\frac{3\pi }{2}\}$ are assigned the bit values $r_i=0$ and $r_i=1$, respectively. Note that for each run i Alice switches on the same arm of the interferometer for each mode of entangled photons when using the Z basis or performs the same phase shift to both entangled photons when using the X basis, i.e., both photons are prepared in the same state. Thus, she keeps one bit value, $r_i$, corresponding to the prepared states. The two entangled photons are then delivered to Bob and Charlie via insecure quantum channels (see Figure 1).

In particular, the three-party RFI protocol follows the loss-tolerant technique presented by Tamaki et al. [41], where they conjecture that the six-state protocol can be implemented with four states, instead of the usual six in its original version. This technique takes into consideration the imperfections in the intensity and phase modulation of the photons [41]; thus, the actual states of each mode after Alice applies the phase shift can be expressed as

$$|{\varphi }_{j\beta }{\rangle }_{B\left(C\right)}=|\sqrt{\mu }{e}^{i\chi }{\rangle }_r{|\sqrt{\mu }{e}^{i(\chi +{\theta }_{B\left(C\right)}+\delta {\theta }_{B\left(C\right)}/\pi )}\rangle }_s$$

(3)

where $r\left(s\right)$ represents the reference (signal) states, $\mu ={sinh}^2\lambda$ corresponds to the intensity of pulses, and $\delta$ represents the deviation from desired encoding angle $\theta$ in the actual states; here, $\beta \in \{X,Y,Z\}$ and $j\in \{0,1\}$. Notably, each mode created with an SPDC source of intensity $\mu$ and a global phase $\chi$ represents the linear superposition of a photon number state $\left\{\right|n\rangle \}$, whereby $|\sqrt{\mu }{e}^{i\chi }\rangle ={\sum }_{n=0}^{\infty }\sqrt{\frac{{\mu }^n}{{(1+\mu )}^{n+1}}}{e}^{in\chi }|n\rangle$. Thus, the single-photon component corresponding to each mode in Equation (3) that Alice sends to Bob (Charlie) is

$$|{\varphi }_{j\beta }{\rangle }_{B\left(C\right)}=\frac{1}{\sqrt{2}}{\left(\right|1\rangle }_r{|0\rangle }_s+e^{i({\theta }_{B\left(C\right)}+\delta {\theta }_{B\left(C\right)}/\pi )}{|0\rangle }_r{|1\rangle }_s),$$

(4)

where $|0\rangle$ and $|1\rangle$ denote a vacuum state and a single photon state, respectively. Based on the above description, the states are defined as ${|1\rangle }_r{|0\rangle }_s=|0_Z\rangle$, ${|0\rangle }_r{|1\rangle }_s=|1_Z\rangle$, $|0_X\rangle =\frac{1}{\sqrt{2}}\left(\right|0_Z\rangle +|1_Z\rangle )$, $|1_X\rangle =\frac{1}{\sqrt{2}}\left(\right|0_Z\rangle -|1_Z\rangle )$, $|0_Y\rangle =\frac{1}{\sqrt{2}}\left(\right|0_Z\rangle +i|1_Z\rangle )$ and $|1_Y\rangle =\frac{1}{\sqrt{2}}\left(\right|0_Z\rangle -i|1_Z\rangle )$. Therefore, Equation (4) can equivalently be expressed as

$$e^{i\left(\frac{({\theta }_{B\left(C\right)}+\delta {\theta }_{B\left(C\right)}/\pi )}{2}\right)}[cos(\frac{{\theta }_{B\left(C\right)}}{2}+\frac{\delta }{2}\left)|0_X\rangle +isin\right(\frac{{\theta }_{B\left(C\right)}}{2}+\frac{\delta }{2}\left)|1_X\rangle \right].$$

(5)

Moreover, it is possible to obtain an expression that is similar to the above for the eigenstates $|0_Y\rangle$,$|1_Y\rangle$. When the overall phase factor in Equation (5) is ignored, the following expressions are obtained for the four states:

$$\begin{array}{cc}|{\varphi }_{0Z}\rangle \hfill & =cos\frac{{\delta }_1}{2}|0_Z\rangle +sin\frac{{\delta }_1}{2}|1_Z\rangle ,\hfill \end{array}$$

(6)

$$\begin{array}{cc}|{\varphi }_{1Z}\rangle \hfill & =sin\frac{{\delta }_2}{2}|0_Z\rangle +cos\frac{{\delta }_1}{2}|1_Z\rangle ,\hfill \end{array}$$

(7)

$$\begin{array}{cc}|{\varphi }_{0X}\rangle \hfill & =cos\left(\frac{{\delta }_3}{4}\right)|0_X\rangle +sin\left(\frac{{\delta }_3}{4}\right)|1_X\rangle ,\hfill \end{array}$$

(8)

$$\begin{array}{cc}|{\varphi }_{0Y}\rangle \hfill & =cos\left(\frac{\pi }{2}+\frac{{\delta }_4}{2}\right)|0_Y\rangle +isin\left(\frac{\pi }{2}+\frac{{\delta }_4}{2}\right)|1_Y\rangle .\hfill \end{array}$$

(9)

Note that for signal states belonging to the Z basis, due to the extinction ratio of the optical attenuator resulting in source flaws Alice prepares $|0_Z\rangle$ and $|1_Z\rangle$ with probabilities ${cos}^2({\delta }_1/2)$ and ${cos}^2({\delta }_2/2)$, respectively. The signal states from the three bases can be expressed in terms of an identity matrix and a Pauli matrix. Thus, they are represented using density matrix notation, as follows:

$${\rho }_{j\alpha }=|{\varphi }_{j\alpha }\rangle \langle {\varphi }_{j\alpha }|=\frac{1}{2}(𝟙+{\mathbf{n}}_X^{j\alpha }{\sigma }_x+{\mathbf{n}}_Y^{j\alpha }{\sigma }_y+{\mathbf{n}}_Z^{j\alpha }{\sigma }_z),$$

(10)

with ${\mathbf{n}}_{\alpha }^{j\alpha }$ denoting the coefficients of the Bloch vector of ${\rho }_{j\alpha }$, where $\alpha \in \{X,Y,Z\}$ and $j\in \{0,1\}$.

3.2. Measurement

After receiving the photons, Bob and Charlie perform measurements using the bases $b_i\in \{X,Y,Z\}$ and $c_i\in \{X,Y,Z\}$, respectively, with probabilities $p_z$ and $p_c$. Additionally, the measurements of Bob and Charlie are represented by a set of positive-operator valued measures (POVMs), $\{{\widehat{M}}_{0\beta },{\widehat{M}}_{1\beta },{\widehat{M}}_f\}$, where ${\widehat{M}}_{0,\beta }$$({\widehat{M}}_{1\beta })$ with $\beta \in \{X,Y,Z\}$ equates to obtaining the bit value of 0 (1) if Bob and Charlie choose basis $\beta$. ${\widehat{M}}_f$ represents an inconclusive event and is assumed to be the same for all the bases. They then choose uniform random bits $r_i^{\prime }\in \{0,1,\varnothing \}$ and $r_i^{″}\in \{0,1\varnothing \}$ to store their outcomes. Here, the symbol ∅ corresponds to an inconclusive result and is assumed the same for all bases. In this protocol, Alice, Bob, and Charlie share a common aligned measurement basis, $Z_A=Z_B$, $Z_A=Z_C$, while the other measurements bases, X and Y, are allowed to slowly vary by an arbitrary angle, $\beta$. Due to drift in reference frames, the measurement bases complementary to the Z basis are provided by

$$X_B=cos\beta X_A+sin\beta Y_A,X_C=cos\beta X_A+sin\beta Y_A,$$

$$Y_B=cos\beta Y_A-sin\beta X_A,Y_C=cos\beta Y_A-sin\beta X_A.$$

3.3. Sifting

The three legitimate parties publish their basis choices during sifting via the authenticated classical channel. A set is defined as $\mathcal{Z}:=\{i:a_i=b_i=c_i,r_i^{\prime }\ne Ø,r_i^{″}\ne Ø\}$. The first steps are repeated as long as $\left|\mathcal{Z}\right|<n$, where n corresponds to the number of bit strings required to form a raw key. The extracted raw key is obtained from instances where Alice’s states are prepared in the Z basis and Bob and Charlie used the Z direction to measure the qubits they received.

4. Security Analysis

After completing the required rounds to extract a raw key, the three legitimate parties possess bit strings that are partially correlated. Thus, the parameter estimation step follows this to compute the bit error rate (BER) measured on a key basis. The quantum bit error rate is expressed as

$$E_{Z_A{Z}_B{Z}_C}=\frac{Y_{0_Z;0_Z{1}_Z}^Z+Y_{0_Z;1_Z{1}_Z}^Z+Y_{1_Z;0_Z{1}_Z}^Z+Y_{1_Z;0_Z{0}_Z}^Z+Y_{1_Z;1_Z{0}_Z}^Z+Y_{0_Z;1_Z{0}_Z}^Z}{Y_{0_Z;0_Z{1}_Z}^Z+Y_{0_Z;1_Z{1}_Z}^Z+Y_{1_Z;0_Z{1}_Z}^Z+Y_{1_Z;0_Z{0}_Z}^Z+Y_{1_Z;1_Z{0}_Z}^Z+Y_{0_Z;1_Z{0}_Z}^Z+Y_{0_Z;0_Z{0}_Z}^Z+Y_{1_Z;1_Z{1}_Z}^Z}.$$

(11)

The notation $Y_{j_Z;k_Z{m}_Z}^Z$ represents the probability that Alice prepares the states $|{\varphi }_{jZ}\rangle$ and Bob and Charlie select the Z basis and obtain the bit values k and m when they measure their systems. The results obtained by measuring the complementary bases are employed to evaluate the information gained by Eve. To estimate the knowledge of Eve about the key, a depolarising channel is considered where $E_{ZZZ}\le 15.9\%$ [30]. As a result, the bound on Eve’s knowledge of the key is found, per [51], to be

$$I_E=(1-E_{Z_A{Z}_B{Z}_C})h\left(\frac{1+u_{\max }}{2}\right)-E_{Z_A{Z}_B{Z}_C}h\left(\frac{1+v\left(u_{\max }\right)}{2}\right)+E_{Z_A{Z}_B{Z}_C}{\log }_{2}7,$$

(12)

where

$$\begin{array}{c}\hfill u_{\max }=\min \left[\frac{1}{1-E_{Z_A{Z}_B{Z}_C}}\sqrt{C/4},1\right],\\ \hfill v\left(u_{\max }\right)=\sqrt{\frac{49}{19}\left[C/4-{(1-E_{Z_A{Z}_B{Z}_C})}^2{u}_{\max }^2\right]}/E_{Z_A{Z}_B{Z}_C}.\end{array}$$

(13)

The statistical quantity, C, is defined as follows:

$$\begin{array}{cc}C=\hfill & {\langle X_A{X}_B{X}_C\rangle }^2+{\langle X_A{Y}_B{X}_C\rangle }^2+{\langle X_A{X}_B{Y}_C\rangle }^2+{\langle Y_A{X}_B{X}_C\rangle }^2+{\langle Y_A{Y}_B{X}_C\rangle }^2\\ \hfill & +{\langle Y_A{X}_B{Y}_C\rangle }^2+{\langle Y_A{Y}_B{Y}_C\rangle }^2+{\langle X_A{Y}_B{Y}_C\rangle }^2.\hfill \end{array}$$

(14)

The term $\langle {\Gamma }_A{\Gamma }_B{\Gamma }_C\rangle$ where $\Gamma \in \{X,Y\}$ indicates an expectation value that Alice will prepare the two states according to basis ${\Gamma }_A$ and Bob and Charlie will perform measurements on bases ${\Gamma }_B$ and ${\Gamma }_C$ on the states they receive, respectively. Moreover, one can demonstrate that the statistical quantity C does not depend on the value of $\beta$ by substituting the relations $X_B$, $Y_B$ and $X_C$, $Y_C$ in Equation (14). In order to estimate C, the quantity $\beta$ is allowed to change slowly in sufficiently brief intervals, allowing the exchange of a secure key. Typically, a QKD experiment runs for a considerable length of time in order to acquire sufficient data to estimate the average values used to compute the parameter C in Equation (14). During this time, the drift of reference frames erodes the estimated correlations and reduces the value of C, thus compromising the security of the key generation protocol. Therefore, in order for the protocol to be secure, the communicating parties must collect enough signals to generate a key above the finite size effects in an interval that allows for minimal variation of $\beta$. If a longer key is required, the communication parties can terminate the protocol after collecting a certain number of signals and restart the protocol several times until a long enough key is acquired. In terms of error rates, the expression in Equation (14) can be expressed as

$$\begin{array}{cc}C\hfill & ={(1-2E_{X_A{X}_B{X}_C})}^2+{(1-2E_{X_A{X}_B{Y}_C})}^2+{(1-2E_{X_A{Y}_B{Y}_C})}^2+{(1-2E_{Y_A{X}_B{X}_C})}^2\hfill \\ \hfill & +{(1-2E_{Y_A{Y}_B{X}_C})}^2+{(1-2E_{X_A{Y}_B{X}_C})}^2+{(1-2E_{Y_A{X}_B{Y}_C})}^2+{(1-2E_{Y_A{Y}_B{Y}_C})}^2.\hfill \end{array}$$

(15)

The above error rates are evaluated by following the technique in [41], which is based on the complementarity principle introduced by Koashi [44,45]. For simplicity, the estimate of the phase error rate, $E_{X_A{X}_B{X}_C}$ and other parameters in Equation (15) are derived similarly. The term $E_{X_A{X}_B{X}_C}$ is evaluated based on a virtual protocol whereby Alice prepares an entangled state $|{\Psi }_Z\rangle =\frac{1}{\sqrt{2}}{\left(\right|0\rangle }_A|{\varphi }_{0Z}{\rangle }_{B\left(C\right)}+{|1\rangle }_{A\left(B\right)}|{\varphi }_{1Z}{\rangle }_{B\left(C\right)})$, where B and C represent systems sent to Bob and Charlie. The three parties then select the Z basis and measure their corresponding subsystems in the X basis (instead of the selected Z basis). Therefore, the error rate can be expressed as

$$E_{X_A{X}_B{X}_C}=\frac{Y_{0_X;0_X{1}_X}^{Z,\mathrm{vir}}+Y_{0_X;1_X{1}_X}^{Z,\mathrm{vir}}+Y_{1_X;0_X{1}_X}^{Z,\mathrm{vir}}+Y_{1_X;0_X{0}_X}^{Z,\mathrm{vir}}+Y_{1_X;1_X{0}_X}^{Z,\mathrm{vir}}+Y_{0_X;1_X{0}_X}^{Z,\mathrm{vir}}}{Y_{0_X;0_X{1}_X}^{Z,\mathrm{vir}}+Y_{0_X;1_X{1}_X}^{Z,\mathrm{vir}}+Y_{1_X;0_X{1}_X}^{Z,\mathrm{vir}}+Y_{1_X;0_X{0}_X}^{Z,\mathrm{vir}}+Y_{1_X;1_X{0}_X}^{Z,\mathrm{vir}}+Y_{0_X;1_X{0}_X}^{Z,\mathrm{vir}}+Y_{0_X;0_X{0}_X}^{Z,\mathrm{vir}}+Y_{1_X;1_X{1}_X}^{Z,\mathrm{vir}}},$$

(16)

where $Y_{j_X;k_X{m}_X}^{Z,\mathrm{vir}}$ represents the joint probability that Alice, Bob and Charlie measured $|j_X\rangle$, $|k_X\rangle$, and $|m_X\rangle$, respectively. In this hypothetical protocol, the state of the pulses received by Bob (Charlie) can be expressed as

$${\widehat{\sigma }}_{B\left(C\right);j_X}^{\mathrm{vir}}={\mathrm{Tr}}_A[\widehat{P}{\left(\right|j_X\rangle }_A)\otimes {𝟙}_{B\left(C\right)}\widehat{P}{\left(\right|{\Psi }_Z\rangle }_{AB\left(C\right)}\left)\right],$$

(17)

where $\widehat{P}\left(\right|x\rangle )=|x\rangle \langle x|$ is a projection operator for a specific pure state, $|x\rangle$. The resultant normalized state is ${\widehat{\tilde{\sigma }}}_{B\left(C\right);j_X}^{\mathrm{vir}}={\widehat{\sigma }}_{B\left(C\right);j_X}^{\mathrm{vir}}/\mathrm{Tr}({\widehat{\sigma }}_{B\left(C\right);j_X}^{\mathrm{vir}})$. Accordingly, the joint probability that the three parties respectively measure $|j_X\rangle$, $|k_X\rangle$, and $|m_X\rangle$ is provided by

$$\begin{array}{cc}\hfill Y_{j_X;k_X{m}_X}^{Z,\mathrm{vir}}& =p\left(j_X\right)\mathrm{Tr}({\widehat{D}}_{k_X}{\widehat{\tilde{\sigma }}}_{B;j_X}^{\mathrm{vir}})\mathrm{Tr}({\widehat{D}}_{m_X}{\widehat{\tilde{\sigma }}}_{C;j_X}^{\mathrm{vir}})\hfill \\ \hfill & =p\left(j_X\right)Y_{j_X;k_X}^{Z,\mathrm{vir}}{Y}_{j_X;m_X}^{Z,\mathrm{vir}},\hfill \end{array}$$

(18)

where ${\widehat{D}}_{k_X\left(m_X\right)}$ represents the operator which contains Eve’s operation and Bob (Charlie)’s POVM measurement and $p\left(j_X\right)$ represents the probability that Alice measures her subsystem in the X basis. Because the virtual state ${\widehat{\sigma }}_{B\left(C\right);j_X}^{\mathrm{vir}}$ can be expressed in terms of identity and Pauli operators as

$${\widehat{\sigma }}_{B\left(C\right);j_X}^{\mathrm{vir}}=\frac{1}{2}\left(𝟙,+,\sum _{s\left(t\right)=x,y,z},{\mathbf{n}}_{s\left(t\right)}^{j_X},{\widehat{\sigma }}_{s\left(t\right)}\right),$$

(19)

it follows that Equation (18) can be rewritten as

$$Y_{j_X;k_X{m}_X}^{Z,\mathrm{vir}}=p\left(j_X\right)\sum _{s=X,Y,Z}{\mathbf{n}}_s{q}_{k_X|s}\sum _{t=X,Y,Z}{\mathbf{n}}_t{q}_{m_X|t}.$$

(20)

Therefore, in order to obtain $Y_{j_X;k_X{m}_X}^{Z,\mathrm{vir}}$ it is sufficient to evaluate the transmission rate of Pauli operators, defined by

$$q_{k{\left(m\right)}_X|s\left(t\right)}=\mathrm{Tr}({\widehat{D}}_{k{\left(m\right)}_X}{\sigma }_{s\left(t\right)})/2,$$

(21)

where $s,t\in \{𝟙,X,Y,Z\}$ and the parameters ${\mathbf{n}}_s$ and ${\mathbf{n}}_t$ denote the coefficients of Pauli matrices. Note that the transmission rate of operators can be evaluated from the yield of signal states used in the actual protocol. In order to evaluate the yield of these states, the entanglement description where Alice prepares the entangled states is employed, as follows:

$$\begin{array}{cc}|{\Psi }_Z\rangle \hfill & =\frac{1}{\sqrt{2}}{\left(\right|0_Z\rangle }_A|{\varphi }_{0Z}{\rangle }_{B\left(C\right)}+|1_Z{\rangle }_A|{\varphi }_{1Z}{\rangle }_{B\left(C\right)}),\hfill \\ |{\Phi }_X\rangle \hfill & =|0_X{\rangle }_A{|{\varphi }_{0X}\rangle }_{B\left(C\right)},\hfill \\ |{\Phi }_Y\rangle \hfill & =|0_Y{\rangle }_A{|{\varphi }_{0Y}\rangle }_{B\left(C\right)}.\hfill \end{array}$$

(22)

Afterward, Alice measures her subsystems in the Z, X, and Y bases, respectively, to effectively emit the states $|{\varphi }_{j\beta }\rangle$ sent to Bob and Charlie. Using the same method previously described for the yield of virtual states, the expression for the yield of actual states is obtained as

$$\begin{array}{cc}\hfill Y_{j_{\alpha };k_{\beta }{m}_{\beta }}^{\omega }=p\left(j_{\alpha }\right)\mathrm{Tr}({\widehat{D}}_{k_{\beta }}{\rho }_{j\alpha })\mathrm{Tr}({\widehat{D}}_{m_{\beta }}{\rho }_{j\alpha })& =p\left(j_{\alpha }\right)\sum _{s=X,Y,Z}{\mathbf{n}}_s{q}_{k_{\beta }|s}\sum _{t=X,Y,Z}{\mathbf{n}}_t{q}_{m_{\beta }|t}\hfill \\ & =p\left(j_{\alpha }\right)Y_{j_{\alpha };k_{\beta }}^{\omega }{Y}_{j_{\alpha };m_{\beta }}^{\omega }\hfill \end{array}$$

(23)

with $p\left(j_{\alpha }\right)$ denoting the probability that Alice measures her subsystems as state $j_{\alpha }$. The state ${\rho }_{j\alpha }$ corresponds to one of the four states defined in Equation (6). The parameters $Y_{j_{\alpha };k_{\beta }}^{\omega }$ and $Y_{j_{\alpha };m_{\beta }}^{\omega }$ correspond to the yields of the states sent to Bob and Charlie, respectively. Now, based on the cases where Bob (Charlie) measured the states sent by Alice in the X basis, the transmission rate of Pauli operators is determined as follows

$${[Y_{0_Z;k_X\left(m_X\right)}^Z,Y_{1_Z;k_X\left(m_X\right)}^Z,Y_{0_X;k_X\left(m_X\right)}^X]}^T=\frac{1}{64}\mathbf{A}{[q_{k_X\left(m_X\right)|𝟙},q_{k_X\left(m_X\right)|x},q_{k_X\left(m_X\right)|z}]}^T$$

(24)

where

$$\mathbf{A}=\left[\begin{array}{ccc}1& sin{\delta }_1& cos{\delta }_1\\ 1& sin{\delta }_2& -cos{\delta }_2\\ 1& cos{\delta }_3& sin{\delta }_3\end{array}\right].$$

(25)

The same logic can be applied to determine the yield of the virtual states based on the transmission rate as

$${[Y_{0_X;k_X\left(m_X\right)}^{Z,\mathrm{vir}},Y_{1_X;k_X\left(m_X\right)}^{Z,\mathrm{vir}}]}^T=\frac{1}{48}\mathbf{B}{[q_{k_X\left(m_X\right)|𝟙},q_{k_X\left(m_X\right)|x},q_{k_X\left(m_X\right)|z}]}^T,$$

(26)

where

$$\mathbf{B}=\left[\begin{array}{ccc}\frac{1}{2}\left(1+sin\frac{{\delta }_1}{2}cos\frac{{\delta }_2}{2}\right)& 0& \frac{1}{2}\left(cos\left(\frac{{\delta }_1-{\delta }_2}{2}\right)+\frac{1}{2}\left(sin\frac{{\delta }_1}{2}+sin\frac{{\delta }_2}{2}\right)\right)\\ \frac{1}{2}\left(1-sin\frac{{\delta }_1}{2}cos\frac{{\delta }_2}{2}\right)& 0& \frac{1}{2}\left(cos\left(\frac{{\delta }_1-{\delta }_2}{2}\right)-\frac{1}{2}\left(sin\frac{{\delta }_1}{2}+sin\frac{{\delta }_2}{2}\right)\right).\end{array}\right].$$

(27)

Based on Equations (24) and (26), the yield of the virtual states sent to Bob and Charlie can be deduced. The results can then be used to obtain the virtual yield in Equation (18) and, as a result, obtain the expression for the error rate, $E_{X_A{X}_B{X}_C}$.

5. Estimation of Key Rate

Note that in the previous section, for simplicity of this analysis, it is assumed that Alice has a single-photon source. However, it must be emphasized that this analysis can be applied to the case where Alice uses an SPDC source that occasionally emits more than one photon in each mode. The signals produced by this source contain photons with a probability distribution provided by [49,52]

$$p\left(k\right|\gamma )=\frac{{\gamma }^k}{{(1+\gamma )}^{k+1}},$$

(28)

where k is the number of photons and $\gamma$ is the average intensity of the laser source. In this case, the decoy-state method is employed to estimate all of the quantities corresponding to the single-photon pulses needed to apply the loss tolerant method. In the decoy-state method, in order to mitigate against a possible photon-number splitting attack Alice prepares photons using the intensities $(\mu ,\nu ,\omega )$, where $\mu$ denotes the intensity of the signal states, $\nu$ represents decoy states, and $\omega$ denotes vacuum states [47]. These intensities are typically chosen according to $P_{\mu }>P_{\nu }>P_{\omega }$, whereby $P_{\mu },P_{\nu }$ and $P_{\omega }$ correspond to the probabilities for the signal, decoy and vacuum states, respectively. Therefore, the corresponding key generation rate for the proposed RFI QKD protocol is provided by [11,14,39]

$$r=Q_{Z_A{Z}_B{Z}_C}^{\mu ,1}(1-I_E^U)-f_{EC}{Q}_{Z_A{Z}_B{Z}_C}^{\mu }max\{h(E_{Z_A{Z}_B}^{\mu }),h(E_{Z_A{Z}_C}^{\mu })\},$$

(29)

where $Q_{Z_A{Z}_B{Z}_C}^{\mu ,1}$ is the gain of signals prepared using the Z basis and intensity $\mu$, and measured by Bob and Charlie in the Z basis. The term $Q_{Z_A{Z}_B{Z}_C}^{\mu ,1}$ denotes the gain of single-photon components. The parameters $E_{Z_A{Z}_B}^{\mu }$ ($E_{Z_A{Z}_C}^{\mu }$) correspond to the QBER between Alice and Bob (Charlie) for signals transmitted using intensity $\mu$ and measured in the Z basis. Here $h\left(x\right)=-x{\log }_2\left(x\right)-(1-x){\log }_2(1-x)$ represents the Shannon binary entropy. Moreover, the term $f_{EC}\ge 1$ denotes the error correction efficiency and $I_E^U$ denotes the upper bound on the knowledge gained by Eve about the key. The relevant parameters in Equation (29) are derived in Appendix A. The key rate formula in Equation (29) is a direct generalization of the bipartite scenario in Ref. [39] to the tripartite case. In addition, note that the key difference between the key rate formula for the three-party RFI QKD and the one in Refs. [11,14] lies in the method used to estimate Eve’s knowledge about the key.

6. Simulation Results

In this section, the performance of the proposed protocol on a fiber-based QKD system model is simulated. The following experimental parameters are used; the loss coefficient of the fiber is $0.2$ dB/km, Bob and Charlie’s detection efficiencies are $\eta =14.5\%$, and the dark count rate of a single-photon detector is $P_d=1.7\times {10}^{-6}$. It is assumed that the error correction efficiency is $f_{EC}=1.22$ and the expected photon number for signal states is set at $\mu =0.6$. The optimal probability, $p_z$, for the key basis is set at $0.95$, as per Ref. [48]. It is important to note that the performance of the three-party RFI protocol can, in principle, be simulated with a free-space channel link; however, this is left for further studies.

The curves in Figure 2a are obtained from Equation (29) using the values $\delta =0.35$, $\delta =0.20$, and $\delta =0.10$. These values correspond to a deviation of $20.{05}^{\circ }$, $11.{46}^{\circ }$, and $5.{73}^{\circ }$ from the desired phase encoding angles, respectively. The parameter $\delta$ is related to the extinction ratio of the phase modulators according to the definition ${|tan(\delta /2)|}^2={\eta }_{ex}$ [53]. The non-zero extinction ratio arises owing to imperfections present in phase modulators; in typical experiments, it is of order ${10}^{-3}$. Based on this extinction ratio, $\delta \approx$ 0.063; however, in this simulation, pessimistic values are opted for in order to estimate encoding imperfections and show the robustness of the proposed protocol against source flaws. The same parameters were chosen for the states prepared in the Z basis, which correspond to the 16 dB [${tan}^2\left(\frac{0.35}{2}\right)={10}^{-16/10}$], 20 dB [${tan}^2\left(\frac{0.20}{2}\right)={10}^{-20/10}$], and 26 dB [${tan}^2\left(\frac{0.10}{2}\right)={10}^{-16/10}$] extinction ratios of the practical optical attenuator, or the intensity modulator in a system with time-bin encoding. For comparison, a plot of the curve when $\delta =0$ is shown, which is analogous to the perfect encoding scenario. The maximum signal transmission distances between Alice and Bob(Charlie) are 266.9 km (with a secret key rate of $4.8\times {10}^{-15}\mathrm{bit}/\mathrm{pulse}$), 262.1 km (with a secret key rate of $4.9\times {10}^{-15}\mathrm{bit}/\mathrm{pulse}$), and 258.0 km (with a secret key rate of $3.6\times {10}^{-15}\mathrm{bit}/\mathrm{pulse}$) for the encoding source flaws $\delta =0.10$, $\delta =0.20$ and $\delta =0.35$, respectively.

Figure 2b illustrates the results for the simulation of the secret key rate, r, for the three-party RFI protocol as a function of the transmission distance where the degree of misalignment of reference frames is fixed at $\beta =0,\pi /5,\pi /6$, and $\pi /7$, respectively. Our primary goal was to investigate the impact of reference frame misalignment on the stability of the proposed protocol. The parameter $\beta$ corresponds to the drift of reference frames in the X and Y bases. A transmission distance of 301.4 km, 284.6 km, and 268.5 km is obtained for the relative rotation of reference frames at an angle of $\beta =\pi /7$, $\beta =\pi /6$, and $\beta =\pi /5$, respectively. In addition, in order to show how the proposed protocol fares against the other alternative multipartite QKD protocols, the simulation results of the secret key rate are provided as a function of the transmission distance in Figure 3 for a three-party RFI QKD with encoding source flaws $\delta =0.10$ and the three-party phase matching (PM) QCC protocol proposed in [14]. The results indicate that the three-party PM-QCC protocol outperforms our proposed three-party RFI protocol in terms of maximum attainable transmission distance and the achievable secret key rate. A maximum distance of 284 km (with a secret key rate of $4.4\times {10}^{-12}\mathrm{bit}/\mathrm{pulse}$) is obtained for the three-party PM-QCC protocol and maximum distance of 266 km (with a secret key rate of $4.8\times {10}^{-15}\mathrm{bit}/\mathrm{pulse}$) for the three-party RFI QKD.

Discussion of Results

The trend in the results portrayed by the curves in Figure 2a shows that as $\delta$ increases, which is associated with encoding source flaws, the achievable secret key rate and the maximum attainable transmission distance decrease. Furthermore, the simulation results show that despite increased encoding source flaws, i.e., an increase in the parameter $\delta$, the achievable key rates are comparable to those obtained via perfect encoding, where $\delta =0$. These results clearly demonstrate that the three-party RFI QKD is loss-tolerant to signal state preparation flaws. Furthermore, in Figure 2b it can be observed that the increase in the parameter $\beta$, associated with the relative rotation of reference frames, leads to a reduction in both the secret key rate and maximum attainable transmission distance. Additionally, it can be noted that regardless of the increase in the reference frame misalignment, the achieved key rates are comparable to a scenario without any misalignment in the reference frames (i.e., $\beta =0$). This is a clear indication that the three-party RFI QKD is robust against drift in reference frames, which makes it a suitable candidate for practical multipartite QKD. For further comparison, the key rate is simulated for a two-party RFI QKD protocol using similar parameters in Figure 2a,b. It is evident from both figures that the two-party RFI QKD protocol performs better than the three-party RFI QKD protocol based on the achievable secret key rate for different encoding source flaws, $\delta$, and misalignment degrees of $\beta$. However, it is noteworthy that despite this observation, the three-party RFI protocol is preferable in scenarios that involve secure communications involving three communicating parties, as a single run of the protocol produces a secret key for all the parties, which can then be used for communication among themselves. On the contrary, the two-party QKD protocol requires the three communicating parties to run the protocol three times to produce secret keys that can be used for secure communication amongst themselves.

Furthermore, the trend in results obtained in Figure 3 can be attributed to the fact that the three-party PM-QCC protocol neglects the imperfections in the signal state preparation devices and does not account for misalignment in the channels linking communicating parties to the measurement station. On the contrary, the three-party RFI protocol incorporates the encoding source flaws due to the extinction ratio of the phase modulators and the drift of the reference frames in the security analysis, reducing both the secret key rate and the transmission distance.

A limitation of this work is that the quantity C is computed from average values, and time is required to accumulate enough statistics to estimate these values. Therefore, it depends on whether the frame rotation is slower or faster than the time required to estimate the value of C. Consequently, it will be helpful to explore finite-key studies as a solution. However, according to the results presented above, the three-party RFI QKD is a realistic protocol that can be realized with current experimental technology without compromising the security of the QKD.

7. Conclusions

A tripartite quantum key distribution method that can tolerate imperfections in state preparation and be implemented without aligning reference frames between the legitimate communicating parties is presented. Notably, the performance of the proposed protocol is examined when the encoding flaws are set at $\delta =0.35$, $\delta =0.20$, and $\delta =0.10$, denoting a change of $20.{05}^{\circ }$, $11.{46}^{\circ }$, and $5.{73}^{\circ }$ from the desired phase encoding angle, respectively. The results significantly demonstrate that the achievable key rates compare to perfect encoding regardless of state preparation flaws. Moreover, the simulation shows the secret key rate for the proposed protocol in terms of transmission distance for various degrees of misalignment (i.e., $\beta =\pi /5,\pi /6$, and $\pi /7$) and investigates the impact on the statistical quantity C and protocol stability. The simulation results confirm that the proposed protocol is insignificantly affected by increased misalignment of reference frames, as the achievable distances in transmission remain similar to scenarios without misalignment of reference frames (i.e., $\beta =0$). Most significantly, this work finds applications in quantum communication network environments involving unknown and slowly varying reference frames, such as earth-to-satellite quantum communication networks, chip-to-chip communications in free space, and chips connected by fiber optics. Other applications include web conferences, online communications, and scenarios where multiple parties must communicate securely using secret keys. Lastly, using the formalism developed in [44,45] guarantees unconditional security, although this does not mean that the bounds developed in the proposed protocol are very tight; possible improvements might be achieved by considering two-way classical post-processing. However, in order to fulfill the objectives of this work, a restriction of the security bounds for the case when the secret key is extracted through one-way post-processing is undertaken. In the future, as an extension of the decoy state-based protocol, it will be worthwhile to consider other single-photon source techniques which are robust against photon number splitting attacks, such as the deterministic single-photon sources proposed in [54], to improve the performance of the three-party RFI protocol. Furthermore, in the future, it would be interesting to investigate the performance of the three-party RFI QKD through underwater channels under the influence of diverse factors such as signal attenuation and noise ratio, which has previously been considered in [22].