1. Introduction
Quantum key distribution (QKD) presents information-theoretically secure communication by employing quantum mechanical laws to reveal the presence of an eavesdropper [
1]. For the past two decades, the majority of research has focused on the proposing of QKD protocols involving just two legitimate users, conventionally named Alice and Bob, who want to establish a secret shared key [
2,
3,
4,
5,
6]. The rapid development in information processing technologies has led to the emergence of quantum networks [
7,
8,
9] aimed at realizing quantum information tasks among multiple users. Quantum Cryptographic Conferencing (QCC) or multipartite QKD, which allows the distribution of information-theoretical secure keys among multiple remote users, is one of the most promising applications in quantum networks. Consequently, several QCC protocols have been proposed recently [
10,
11,
12,
13,
14,
15,
16,
17] using various quantum resources and techniques to prove the security of multipartite QKD. Despite these achievements, a large gap remains between the theoretical assumptions in security proofs of QCC protocols and actual implementation. For instance, challenges exist in relation to secret key rate, transmission distance, size, cost, imperfect physical devices, signal-to-noise ratio, and practical security [
3,
18,
19]. Moreover, other challenges are associated with imperfections in communication channels, for instance, quantum data communications and networking, underwater communication, satellite communication, and fiber-optic communication [
20,
21,
22,
23,
24]. A QCC protocol is ideally secure only when it employs perfect single-photon sources and detectors. Unfortunately, ideal devices are impractical to realize. Consequently, device imperfections may open up the possibility of security loopholes or side channel attacks by an eavesdropper, which can compromise the security of practical QCC. This brings about the need to design protocols that can be made secure against device imperfections, such as decoy-state QKD. Another bottleneck to large scale deployment of QCC is high channel loss and decoherence, which lead to a relatively low secret key rate. Therefore, in order to realize full-scale practical QCC for secure everyday communications, it is of utmost importance to develop efficient methods and models which address the aforementioned challenges. Except for this introduction, we organize this article as follows.
Section 2 provides the literature review, while
Section 3 outlines the operation of the proposed protocol.
Section 4 evaluates the security bounds for the proposed protocol. In
Section 5, we provide the key rate formula of the three-party RFI QKD based on the decoy-state theory.
Section 6 provides a numerical simulation of the secret key rate based on fiber implementation and discusses the results. Lastly,
Section 7 provides our conclusions.
2. Review of the Literature on QCC Protocols
Several QCC protocols have been proposed recently in efforts to close the gap between theory and practice. For instance, in order to address low key rate and transmission distance challenge, protocols inspired by the idea of twin-field QKD [
25] have been proposed [
12,
14,
26]. More precisely, the authors of [
12] evaluated the security of a QCC by exploiting the multipartite entanglement of a W-class state; their protocol relied on single-photon interference in an untrusted node, following the idea of twin field QKD [
27]. Based on the single photon interference of optical fields at the untrusted relay, their protocol is capable of surpassing the secret key capacity of bound for repeaterless QKD schemes. To address the problem of detector side-channel attacks, a device-independent (DI) QCC protocol has been proposed in which security is based on the violation of a Parity–CHSH inequality [
28]. Unfortunately, the DI QCC requires loophole-free Parity–CHSH experiments, which means that it is not feasible with current technology. A more practical solution is measurement device-independent (MDI) QCC, which is inherently immune to all side-channel attacks targeting the measurement device and removes all detection-related security loopholes. Fu et al. [
11] proposed an MDI protocol based on the postselection of the GHZ state. In this protocol, the measurement device is controlled by an untrusted third party, making it immune to all detector side-channel attacks. The primary basis of the protocol is that after a successful detection event occurs, a GHZ state is shared among multiple parties. Thus, multiple parties can distribute secret key bits among themselves via the post-selected entanglement states. Furthermore, Zhao et al. [
14] presented a QCC network protocol by combining the ideas of phase-matching weak coherent pulses (WCPs) interference and post-selecting GHZ states. In addition, the protocol is measurement device-independent, thus rendering it immune to all detector side-channel attacks. While the results in the aforementioned QCC protocols constitute an essential step toward realization and guaranteeing the security of QCC systems, both analyses neglect the case of imperfect photon sources and misalignment in the reference frames. This means that the results cannot be directly applied to real-life QCC implementations.
A serious challenge in the practical implementation of QCC schemes is achieving a well-aligned reference frame between communicating parties. This task is complex because of unstable fiber communication links and imperfections in the measuring devices, which results in obscure and changing reference frames [
29]. Laing et al., (2010) introduced a reference-frame independent (RFI) QKD protocol to solve this alignment problem [
30]. Subsequently, several variants of their protocol have been proposed, both theoretically [
31,
32,
33,
34,
35,
36,
37] and experimentally [
38,
39,
40], to advance the merits of RFI QKD. Furthermore, security proofs of existing QCC protocols assume perfect state preparation. However, this assumption fails during practical implementations because of the natural deficiencies of photon sources. Tamaki et al., (2014) invented a loss-tolerant protocol that is immune against losses in the channel caused by state preparation flaws. The protocol employs only three states out of the four permissible states present in the BB84 protocol [
41]. In addition, the protocol takes into consideration errors due to phase modulation by imperfect phase modulators (PM), and it has been analyzed recently in [
42,
43] in order to evaluate the security of QKD systems in the presence of information leakage from Alice’s phase modulator.
Therefore, inspired by the ideas of a loss-tolerant (LT) protocol and reference frame independence, we determine the security bounds in the presence of imperfect state preparation and misalignment in reference frames for a three-party QKD protocol. For this, we generalize the LT protocol to include typical imperfections in the sending devices. More precisely, in order to have the effect of information leakage from the phase modulation in the security analysis, we use the fact that signal states prepared by Alice can be written in terms of Pauli matrices. By doing this, the transmission rates of the matrices can be determined and in turn used to compute the different error rates used to calculate the objective quantity
C, which is used to quantify the amount of information that has leaked to an eavesdropper. In particular, we determine the error rates by employing the security proof introduced by Koashi [
44,
45] based on the complementarity of conjugate observables. The effect of misalignment of reference frames is incorporated in the measurement results from the
X and the
Y bases by following the method introduced in [
46]. In order to estimate the secret key rate of the three-party RFI QKD, we consider a biased basis choice decoy-state QKD protocol [
39,
47,
48] with three intensity settings.
4. Security Analysis
After completing the required rounds to extract a raw key, the three legitimate parties possess bit strings that are partially correlated. Thus, the parameter estimation step follows this to compute the bit error rate (BER) measured on a key basis. The quantum bit error rate is expressed as
The notation
represents the probability that Alice prepares the states
and Bob and Charlie select the
Z basis and obtain the bit values
k and
m when they measure their systems. The results obtained by measuring the complementary bases are employed to evaluate the information gained by Eve. To estimate the knowledge of Eve about the key, a depolarising channel is considered where
[
30]. As a result, the bound on Eve’s knowledge of the key is found, per [
51], to be
where
The statistical quantity,
C, is defined as follows:
The term
where
indicates an expectation value that Alice will prepare the two states according to basis
and Bob and Charlie will perform measurements on bases
and
on the states they receive, respectively. Moreover, one can demonstrate that the statistical quantity
C does not depend on the value of
by substituting the relations
,
and
,
in Equation (
14). In order to estimate
C, the quantity
is allowed to change slowly in sufficiently brief intervals, allowing the exchange of a secure key. Typically, a QKD experiment runs for a considerable length of time in order to acquire sufficient data to estimate the average values used to compute the parameter
C in Equation (
14). During this time, the drift of reference frames erodes the estimated correlations and reduces the value of
C, thus compromising the security of the key generation protocol. Therefore, in order for the protocol to be secure, the communicating parties must collect enough signals to generate a key above the finite size effects in an interval that allows for minimal variation of
. If a longer key is required, the communication parties can terminate the protocol after collecting a certain number of signals and restart the protocol several times until a long enough key is acquired. In terms of error rates, the expression in Equation (
14) can be expressed as
The above error rates are evaluated by following the technique in [
41], which is based on the complementarity principle introduced by Koashi [
44,
45]. For simplicity, the estimate of the phase error rate,
and other parameters in Equation (
15) are derived similarly. The term
is evaluated based on a virtual protocol whereby Alice prepares an entangled state
, where
B and
C represent systems sent to Bob and Charlie. The three parties then select the
Z basis and measure their corresponding subsystems in the
X basis (instead of the selected
Z basis). Therefore, the error rate can be expressed as
where
represents the joint probability that Alice, Bob and Charlie measured
,
, and
, respectively. In this hypothetical protocol, the state of the pulses received by Bob (Charlie) can be expressed as
where
is a projection operator for a specific pure state,
. The resultant normalized state is
. Accordingly, the joint probability that the three parties respectively measure
,
, and
is provided by
where
represents the operator which contains Eve’s operation and Bob (Charlie)’s POVM measurement and
represents the probability that Alice measures her subsystem in the
X basis. Because the virtual state
can be expressed in terms of identity and Pauli operators as
it follows that Equation (
18) can be rewritten as
Therefore, in order to obtain
it is sufficient to evaluate the transmission rate of Pauli operators, defined by
where
and the parameters
and
denote the coefficients of Pauli matrices. Note that the transmission rate of operators can be evaluated from the yield of signal states used in the actual protocol. In order to evaluate the yield of these states, the entanglement description where Alice prepares the entangled states is employed, as follows:
Afterward, Alice measures her subsystems in the
Z,
X, and
Y bases, respectively, to effectively emit the states
sent to Bob and Charlie. Using the same method previously described for the yield of virtual states, the expression for the yield of actual states is obtained as
with
denoting the probability that Alice measures her subsystems as state
. The state
corresponds to one of the four states defined in Equation (
6). The parameters
and
correspond to the yields of the states sent to Bob and Charlie, respectively. Now, based on the cases where Bob (Charlie) measured the states sent by Alice in the
X basis, the transmission rate of Pauli operators is determined as follows
where
The same logic can be applied to determine the yield of the virtual states based on the transmission rate as
where
Based on Equations (
24) and (
26), the yield of the virtual states sent to Bob and Charlie can be deduced. The results can then be used to obtain the virtual yield in Equation (
18) and, as a result, obtain the expression for the error rate,
.
5. Estimation of Key Rate
Note that in the previous section, for simplicity of this analysis, it is assumed that Alice has a single-photon source. However, it must be emphasized that this analysis can be applied to the case where Alice uses an SPDC source that occasionally emits more than one photon in each mode. The signals produced by this source contain photons with a probability distribution provided by [
49,
52]
where
k is the number of photons and
is the average intensity of the laser source. In this case, the decoy-state method is employed to estimate all of the quantities corresponding to the single-photon pulses needed to apply the loss tolerant method. In the decoy-state method, in order to mitigate against a possible photon-number splitting attack Alice prepares photons using the intensities
, where
denotes the intensity of the signal states,
represents decoy states, and
denotes vacuum states [
47]. These intensities are typically chosen according to
, whereby
and
correspond to the probabilities for the signal, decoy and vacuum states, respectively. Therefore, the corresponding key generation rate for the proposed RFI QKD protocol is provided by [
11,
14,
39]
where
is the gain of signals prepared using the
Z basis and intensity
, and measured by Bob and Charlie in the
Z basis. The term
denotes the gain of single-photon components. The parameters
(
) correspond to the QBER between Alice and Bob (Charlie) for signals transmitted using intensity
and measured in the
Z basis. Here
represents the Shannon binary entropy. Moreover, the term
denotes the error correction efficiency and
denotes the upper bound on the knowledge gained by Eve about the key. The relevant parameters in Equation (
29) are derived in
Appendix A. The key rate formula in Equation (
29) is a direct generalization of the bipartite scenario in Ref. [
39] to the tripartite case. In addition, note that the key difference between the key rate formula for the three-party RFI QKD and the one in Refs. [
11,
14] lies in the method used to estimate Eve’s knowledge about the key.
6. Simulation Results
In this section, the performance of the proposed protocol on a fiber-based QKD system model is simulated. The following experimental parameters are used; the loss coefficient of the fiber is
dB/km, Bob and Charlie’s detection efficiencies are
, and the dark count rate of a single-photon detector is
. It is assumed that the error correction efficiency is
and the expected photon number for signal states is set at
. The optimal probability,
, for the key basis is set at
, as per Ref. [
48]. It is important to note that the performance of the three-party RFI protocol can, in principle, be simulated with a free-space channel link; however, this is left for further studies.
The curves in
Figure 2a are obtained from Equation (
29) using the values
,
, and
. These values correspond to a deviation of
,
, and
from the desired phase encoding angles, respectively. The parameter
is related to the extinction ratio of the phase modulators according to the definition
[
53]. The non-zero extinction ratio arises owing to imperfections present in phase modulators; in typical experiments, it is of order
. Based on this extinction ratio,
0.063; however, in this simulation, pessimistic values are opted for in order to estimate encoding imperfections and show the robustness of the proposed protocol against source flaws. The same parameters were chosen for the states prepared in the
Z basis, which correspond to the 16 dB [
], 20 dB [
], and 26 dB [
] extinction ratios of the practical optical attenuator, or the intensity modulator in a system with time-bin encoding. For comparison, a plot of the curve when
is shown, which is analogous to the perfect encoding scenario. The maximum signal transmission distances between Alice and Bob(Charlie) are 266.9 km (with a secret key rate of
), 262.1 km (with a secret key rate of
), and 258.0 km (with a secret key rate of
) for the encoding source flaws
,
and
, respectively.
Figure 2b illustrates the results for the simulation of the secret key rate,
r, for the three-party RFI protocol as a function of the transmission distance where the degree of misalignment of reference frames is fixed at
, and
, respectively. Our primary goal was to investigate the impact of reference frame misalignment on the stability of the proposed protocol. The parameter
corresponds to the drift of reference frames in the
X and
Y bases. A transmission distance of 301.4 km, 284.6 km, and 268.5 km is obtained for the relative rotation of reference frames at an angle of
,
, and
, respectively. In addition, in order to show how the proposed protocol fares against the other alternative multipartite QKD protocols, the simulation results of the secret key rate are provided as a function of the transmission distance in
Figure 3 for a three-party RFI QKD with encoding source flaws
and the three-party phase matching (PM) QCC protocol proposed in [
14]. The results indicate that the three-party PM-QCC protocol outperforms our proposed three-party RFI protocol in terms of maximum attainable transmission distance and the achievable secret key rate. A maximum distance of 284 km (with a secret key rate of
) is obtained for the three-party PM-QCC protocol and maximum distance of 266 km (with a secret key rate of
) for the three-party RFI QKD.
Discussion of Results
The trend in the results portrayed by the curves in
Figure 2a shows that as
increases, which is associated with encoding source flaws, the achievable secret key rate and the maximum attainable transmission distance decrease. Furthermore, the simulation results show that despite increased encoding source flaws, i.e., an increase in the parameter
, the achievable key rates are comparable to those obtained via perfect encoding, where
. These results clearly demonstrate that the three-party RFI QKD is loss-tolerant to signal state preparation flaws. Furthermore, in
Figure 2b it can be observed that the increase in the parameter
, associated with the relative rotation of reference frames, leads to a reduction in both the secret key rate and maximum attainable transmission distance. Additionally, it can be noted that regardless of the increase in the reference frame misalignment, the achieved key rates are comparable to a scenario without any misalignment in the reference frames (i.e.,
). This is a clear indication that the three-party RFI QKD is robust against drift in reference frames, which makes it a suitable candidate for practical multipartite QKD. For further comparison, the key rate is simulated for a two-party RFI QKD protocol using similar parameters in
Figure 2a,b. It is evident from both figures that the two-party RFI QKD protocol performs better than the three-party RFI QKD protocol based on the achievable secret key rate for different encoding source flaws,
, and misalignment degrees of
. However, it is noteworthy that despite this observation, the three-party RFI protocol is preferable in scenarios that involve secure communications involving three communicating parties, as a single run of the protocol produces a secret key for all the parties, which can then be used for communication among themselves. On the contrary, the two-party QKD protocol requires the three communicating parties to run the protocol three times to produce secret keys that can be used for secure communication amongst themselves.
Furthermore, the trend in results obtained in
Figure 3 can be attributed to the fact that the three-party PM-QCC protocol neglects the imperfections in the signal state preparation devices and does not account for misalignment in the channels linking communicating parties to the measurement station. On the contrary, the three-party RFI protocol incorporates the encoding source flaws due to the extinction ratio of the phase modulators and the drift of the reference frames in the security analysis, reducing both the secret key rate and the transmission distance.
A limitation of this work is that the quantity C is computed from average values, and time is required to accumulate enough statistics to estimate these values. Therefore, it depends on whether the frame rotation is slower or faster than the time required to estimate the value of C. Consequently, it will be helpful to explore finite-key studies as a solution. However, according to the results presented above, the three-party RFI QKD is a realistic protocol that can be realized with current experimental technology without compromising the security of the QKD.
7. Conclusions
A tripartite quantum key distribution method that can tolerate imperfections in state preparation and be implemented without aligning reference frames between the legitimate communicating parties is presented. Notably, the performance of the proposed protocol is examined when the encoding flaws are set at
,
, and
, denoting a change of
,
, and
from the desired phase encoding angle, respectively. The results significantly demonstrate that the achievable key rates compare to perfect encoding regardless of state preparation flaws. Moreover, the simulation shows the secret key rate for the proposed protocol in terms of transmission distance for various degrees of misalignment (i.e.,
, and
) and investigates the impact on the statistical quantity
C and protocol stability. The simulation results confirm that the proposed protocol is insignificantly affected by increased misalignment of reference frames, as the achievable distances in transmission remain similar to scenarios without misalignment of reference frames (i.e.,
). Most significantly, this work finds applications in quantum communication network environments involving unknown and slowly varying reference frames, such as earth-to-satellite quantum communication networks, chip-to-chip communications in free space, and chips connected by fiber optics. Other applications include web conferences, online communications, and scenarios where multiple parties must communicate securely using secret keys. Lastly, using the formalism developed in [
44,
45] guarantees unconditional security, although this does not mean that the bounds developed in the proposed protocol are very tight; possible improvements might be achieved by considering two-way classical post-processing. However, in order to fulfill the objectives of this work, a restriction of the security bounds for the case when the secret key is extracted through one-way post-processing is undertaken. In the future, as an extension of the decoy state-based protocol, it will be worthwhile to consider other single-photon source techniques which are robust against photon number splitting attacks, such as the deterministic single-photon sources proposed in [
54], to improve the performance of the three-party RFI protocol. Furthermore, in the future, it would be interesting to investigate the performance of the three-party RFI QKD through underwater channels under the influence of diverse factors such as signal attenuation and noise ratio, which has previously been considered in [
22].