Decoy-pulse protocol for frequency-coded quantum key distribution

We propose a decoy-pulse protocol for frequency-coded implementation of B92 quantum key distribution protocol. A direct extension of decoy-pulse method to frequency-coding scheme results in security loss as an eavesdropper can distinguish between signal and decoy pulses by measuring the carrier photon number without affecting other statistics. We overcome this problem by optimizing the ratio of carrier photon number of decoy-to-signal pulse to be as close to unity as possible. In our method the switching between signal and decoy pulses is achieved by changing the amplitude of RF signal as opposed to modulating the intensity of optical signal thus reducing system cost. Our simulation results show a key generation rate of 1.5×10-4/pulse for link lengths up to 70 km. Finally, we discuss the optimum value of average photon number of signal pulse for a given key rate while also optimizing the carrier ratio.


I. INTRODUCTION
P HOTONIC technology has become the ubiquitous choice for implementing quantum key distribution (QKD) protocols as it provides low-loss, long-distance transmission, and operation in C-band (1550nm). Ideally, QKD implementation requires a light source that emits single-photon pulses. However, due to non-availability of commercial single-photon sources (SPSs), a majority of QKD experiments use faint laser pulse source (FLPS) in place of SPSs. The photon emission from a FLPS follows a Poisson distribution with an average photon number μ/pulse. A FLPS emits multi-photon pulse with a non-zero probability 1 − exp(−μ). It has been shown that secure key rate slows down considerably if channel loss is greater than multi-photon emission probability; however security of key bits is not compromised. To overcome this problem, Hwang proposed the idea of using decoy-pulses to place an upper bound on the single-photon transmittance and hence the number of secure key bits in the sifted bit string [1]. In a decoy-pulse method, Alice transmits decoy pulses interleaved with signal pulses, the location of which is known only to her. As Eve cannot distinguish between signal and decoy pulses, she is forced to use the same attack against both types of pulses. At the end of key transmission, Alice estimates quantum bit error rate (QBER) due to signal and decoy pulses and aborts the protocol if the yield of decoy pulses is abnormally high. In this paper, we extend decoy-pulse method to frequencycoded setups. In a frequency-coded setup, key bits are transmitted as sidebands relative to an optical carrier. An electrooptic phase modulator generates optical sidebands by modulating an optical carrier of frequency ω 0 by a microwave signal of frequency Ω and phase φ: where we have neglected terms of higher order under the assumption of low modulation index (m 1). The average photon number of the carrier and sidebands after phase modulation is μJ 2 0 and μJ 2 1 respectively. A lossless modulator conserves the total number of photons from input to output. Hence a straight forward extension of decoy pulse method to frequency-coded setup is not possible as any change in the average photon number of sidebands reflects in the carrier. Eve can distinguish between signal and decoy pulses by monitoring the optical power in carrier thus defeating the purpose of using decoy pulses. We suggest methods to overcome this problem by optimizing the carrier ratio of decoy-to-signal pulses.
The rest of the paper is organized as follows. In Section II, we describe briefly the elements of frequency-coding setup for B92 protocol. In Section III, we describe our decoy-pulse method for frequency-coding setup. We discuss the notion of carrier optimization, its effect on QBER and key rate and the effect of source fluctuation on the key length in Section IV. Finally, we conclude by summarizing our results.
II. FREQUENCY-CODED SCHEME Fig. 1 shows elements of frequency-coded scheme to implement B92 QKD protocol. In this scheme, key bits are transmitted as phase of sidebands relative to an optical carrier [2]. Alice modulates the optical carrier of frequency ω 0 and average photon number/pulse μ L by a microwave signal of frequency Ω and phase φ A to generate: where m is the modulation index and we have neglected terms of higher order under the assumption m 1. She transmits the modulated signal (2) to Bob who in turn modulates (2) with a microwave signal of frequency Ω and phase φ B . Bob's detector registers a photon if Alice and Bob's phases are identical. Alice and Bob retain those slots in which Bob detects photons to form a sifted bit string and discard the rest. They then apply error correction and privacy amplification to generate a final bit string. From (2) we see that the average photon number of carrier and sidebands after modulation are given by μ 0 = μ L J 2 0 (m) and μ ±1 = μ L J 2 1 (m) respectively [3]. However, due to propagation inside a fiber and other optical losses, μ L at the receiver L km from the transmitter is where α tot = 2α mod +2α mux + α e + α f L represents link loss (See Table I). At the output of Bob's detector we have where The QBER of the frequency-coded setup is given by where P noise and P sig are noise and signal probabilities respectively. P noise includes contributions from the detector dark count, out of band noise due to insufficient carrier suppression, and cross-talk noise due to synchronization channel [3]. P sig is given by where μ ±1 is given in (4b).

A. Description of protocol
We consider a two decoy-state protocol with vacuum as one of the decoy states [4]. The vacuum pulse is used to estimate dark count rate (DCR) of the detector and background noise [5]. To implement the protocol, Alice interleaves decoy pulses along with signal pulses, the exact locations of which is known only to her [1]. After bit transmission using a QKD protocol, say B92, Alice estimates the yield of decoy pulses.
If the yield of decoy pulses is abnormally higher than that of signal pulses she abandons bit transmission and informs Bob. The QKD protocol can be implemented using polarization, phase, or frequency-coding schemes. In this paper, we restrict ourselves to frequency-coding scheme.
We denote the average number of photon/pulse of signal and decoy states by μ and ν respectively. Alice chooses μ, ν and the number of signal (N μ ) and decoy pulses (N ν ) be transmitted to Bob. Since decoy pulses do not contribute to the final key, it is essential to maximize N μ . We achieve this by choosing μ < ν and N μ > N ν while keeping the product μN μ approximately equal to νN ν .

B. Key generation rate
The expression for secure key generation rate for an implementation of QKD protocol that uses FLPS is given by [6]: where q = N S μ /N is the ratio of number of signal pulses when both Alice and Bob's basis are identical to the total number of pulses transmitted by Alice [5]. In (7), E μ and Q μ are QBER and gain of multi-photon signal pulse respectively; e 1 and Q 1 are the QBER and gain of the single-photon pulse respectively; f (x) is the bi-directional error correction rate [7]; and H 2 (x) is the binary entropy function for x. The key generation rate R is non-zero provided single-photon transmittance is higher than multi-photon transmittance as can be seen from (7).
The parameters E μ and Q μ are measured experimentally by transmitting multi-photon pulses. Although we could theoretically estimate e 1 and Q 1 using (4b) and (6), in practice we use the following formulae to estimate the quantities : where where Y 0 is the sum of DCR of the detector and background noise [5]. The value of the parameters used in simulation are listed in Table II.

C. Optimization of carrier ratio
At the transmitter, average number of photons in carrier and sidebands are given by where μ L is the input average photon number, m x is the modulation index of the phase modulator with x = s, d denoting signal and decoy pulses respectively. We define carrier ratio CR as the ratio of decoy-to-signal pulse carrier photon number: Since a lossless phase modulator conserves total number of photons, any change in μ 1 produces a detectable change in μ 0 which in turn affects carrier ratio. Eve can now distinguish between signal and decoy states by measuring the carrier photon number without affecting other statistics. Hence, a direct extension of decoy-pulse protocol to frequency-coding scheme in which Alice switches between signal and decoy pulses results in loss of security. We overcome this loophole by optimizing CR to be as close to unity as possible. We do this by choosing appropriate values of m s and m d for a given μ L such that CR≈ 1 while ν > μ. Fig. 2 shows carrier ratio and QBER as a function of input average photon number μ L for μ = 0.4 and ν = 1. We see from Fig. 2 that for μ L slightly above 6, CR is closer to unity and QBER < 0.25. Since maximum allowable QBER for B92 protocol is 0.25, we require μ L > 6 to optimize CR as well as to keep QBER < 0.25.

D. Improvement in key rate using decoy states
The key generation rate experiences an improvement when using decoy-state method. We performed numerical simulations to obtain key generation rate with and without decoy states. Fig. 3 shows the results. We find that the key generation rate exhibits an improvement by a factor of 100 approximately with decoy state. The maximum secure transmission distance also increases significantly in case of decoy-state.

E. Effect of source fluctuation
Alice generates both the decoy and signal pulses at any instant i by attenuating a common father pulse. The fluctuation of the final output pulse from Alice's side comprises of father pulse fluctuation and device (attenuator) parameter fluctuation [8]. Thus the actual intensity of the ith outgoing pulse is given by: where δ i is the intensity fluctuation in the ith father pulse,and id (or is ) are the device parameter fluctuation in the ith decoy (or signal) pulse respectively. We observe from Fig. 4 that the key length decreases slightly with the father pulse intensity variation. However, the device parameter fluctuation degrades the key length severely. Thus device parameters need to be much stable to avoid significant degradation in key length.

F. Optimal secure key length
The choice of m s and m d for a given μ L leads to optimization of CR but affects secure key generation rate. The optimum values of secure key rate and key length corresponding to optimum values of m s and m d are given in Table III. As described earlier, we keep μ L > 6.
We see from Fig. 5 that as the carrier ratio increases beyond 0.6 the key length also increases. When carrier ratio < 0.6 then μ ≮ ν and also either μ or ν or both are greater than 1 so that region is not acceptable for operation. One can obtain suitable CR by varying m d for a given value of μ L and m s . Fig. 6 shows the evolution of key length L (= NR) with increasing μ L as well as μ. We have estimated the usable range of input average photon number μ L and average photon   number in signal sideband μ to obtain maximum key length along with carrier ratio optimization. We see from Fig. 6 that to obtain higher key length μ must be greater than 0.3 and μ L must be less than 12. We find that the key length does not change appreciably for 6 < μ L < 12. Hence for carrier ratio optimization and higher key length we choose 0.3 < μ < 0.5 and 6 < μ L < 12.
We have obtained the lower bound on key rate to be 1.5315×10 −4 /pulse and thus a final key length of 16kbit from simulations. These simulations also indicate that the maximum   Table II). link length for secure transmission is about 70km. Thus, our method is promising for long distance communication.

IV. CONCLUSION
We have numerically studied a two decoy-pulse protocol suitable for frequency-coded quantum key distribution. A direct extension of decoy-pulse method to frequency-coding scheme leads to security loophole as it allows an eavesdropper to distinguish between signal and decoy pulses by monitoring carrier power. Thus, the very objective of using decoy-pulses seems to be lost. We overcome this problem by optimizing the ratio of carrier photon number of decoy-to-signal pulses to be as close to unity as possible. We achieve this by switching the amplitude of signal and decoy pulses in the RF domain which reduces overall system cost. Our simulations reveal that the key length improves by a factor of 100 approximately using decoy states. We analyze the effect of fluctuations of source on key length. we find that the device parameter fluctuation undermine the key length drastically as compared to father pulse intensity fluctuation. We also study optimum values of μ and μ L to obtain an optimum CR and key rate for fixed ν. Our simulation shows key generation rate of ≈ 1.5 × 10 −4 /pulse at link lengths up to 70km thus indicating that our method can be used for long distance secure communication.