Hoi-kwong Lo - Academia.edu

Papers by Hoi-kwong Lo

A brief introduction of quantum cryptography for engineers

arXiv (Cornell University), Feb 5, 2010

Optical and Digital Image Processing-WILEY-VCH Verlag GmbH & Co, KGaA Weinheim. The Rights for this material are held by Wiley-VCH. Any commercial printing, electronic copying, and posting on internet/intranet sites other than arXiv and its mirror sites etc. is illegal and will be prosecuted.

Security of high speed quantum key distribution with finite detector dead time

Quantum Inf. Comput., 2014

The security of a high speed quantum key distribution system with finite detector dead time τ is analyzed. When the transmission rate becomes higher than the maximum count rate of the individual detectors (1/τ), security issues affect the scheme for sifting bits. Analytical calculations and numerical simulations of the Bennett-Brassard BB84 protocol are performed. We study Rogers et al.'s scheme (further information is available in [D. J. Rogers, J. C. Bienfang, A. Nakassis, H. Xu, and C. W. Clark, New J. Phys. 9, 319 (2007)]) in the presence of an active eavesdropper Eve who has the power to perform an intercept-resend attack. It is shown that Rogers et al.'s scheme is no longer guaranteed to be secure. More specifically, Eve can induce a basis-dependent detection efficiency at the receiver's end. Modified key sifting schemes that are basis-independent and thus secure in the presence of dead time and an active eavesdropper are then introduced. We analyze and compare the...

Security of quantum key distribution using weak coherent states with nonrandom phases

Quantum Information and Computation, 2007

We prove the security of the Bennett-Brassard (BB84) quantum key distribution protocol in the case where the key information is encoded in the relative phase of a coherent-state reference pulse and a weak coherent-state signal pulse, as in some practical implementations of the protocol. In contrast to previous work, our proof applies even if the eavesdropper knows the phase of the reference pulse, provided that this phase is not modulated by the source, and even if the reference pulse is bright. The proof also applies to the case where the key is encoded in the photon polarization of a weak coherent-state pulse with a known phase, but only if the phases of the four BB84 signal states are judiciously chosen. The achievable key generation rate scales quadratically with the transmission in the channel, just as for BB84 with phase-randomized weak coherent-state signals (when decoy states are not used). For the case where the phase of the reference pulse is strongly modulated by the sour...

Security proof of quantum key distribution with detection efficiency mismatch

Quantum Information and Computation, 2009

In theory, quantum key distribution (QKD) offers unconditional security based on the laws of physics. However, as demonstrated in recent quantum hacking theory and experimental papers, detection efficiency loophole can be fatal to the security of practical QKD systems. Here, we describe the physical origin of detection efficiency mismatch in various domains including spatial, spectral, and time domains and in various experimental set-ups. More importantly, we prove the unconditional security of QKD even with detection efficiency mismatch. We explicitly show how the key generation rate is characterized by the maximal detection efficiency ratio between the two detectors. Furthermore, we prove that by randomly switching the bit assignments of the detectors, the effect of detection efficiency mismatch can be completely eliminated.

Time-shift attack in practical quantum cryptosystems

Quantum Information and Computation, 2007

Recently, a new type of attack, which exploits the efficiency mismatch of two single photon detectors (SPD) in a quantum key distribution (QKD) system, has been proposed. In this paper, we propose another "time-shift" attack that exploits the same imperfection. In our attack, Eve shifts the arrival time of either the signal pulse or the synchronization pulse or both between Alice and Bob. In particular, in a QKD system where Bob employs time-multiplexing technique to detect both bit "0" and bit "1" with the same SPD, Eve, in some circumstances, could acquire full information on the final key without introducing any error. In addition, we prove that if Alice and Bob are unaware of our attack, the final key they share is insecure. We emphasize that our attack is simple and feasible with current technology. Finally, we discuss some counter measures against our and earlier attacks.

Secure quantum key distribution with realistic devices

Reviews of Modern Physics, 2020

In principle, quantum key distribution (QKD) offers information-theoretic security based on the laws of physics. In practice, however, the imperfections of realistic devices might introduce deviations from the idealized models used in security analyses. Can quantum code-breakers successfully hack real systems by exploiting the side channels? Can quantum code-makers design innovative countermeasures to foil quantum code-breakers? This article reviews theoretical and experimental progress in the practical security aspects of quantum code-making and quantum code-breaking. After numerous attempts, researchers now thoroughly understand and are able to manage the practical imperfections. Recent advances, such as the measurement-device-independent protocol, have closed the critical side channels in the physical implementations, paving the way for secure QKD with realistic devices.

Practical challenges in quantum key distribution

npj Quantum Information, 2016

Quantum key distribution (QKD) promises unconditional security in data communication and is currently being deployed in commercial applications. Nonetheless, before QKD can be widely adopted, it faces a number of important challenges such as secret key rate, distance, size, cost and practical security. Here, we survey those key challenges and the approaches that are currently being taken to address them.

Experimental quantum key distribution with source flaws

Physical Review A, 2015

Decoy-state quantum key distribution (QKD) is a standard technique in current quantum cryptographic implementations. Unfortunately, existing experiments have two important drawbacks: the state preparation is assumed to be perfect without errors and the employed security proofs do not fully consider the finite-key effects for general attacks. These two drawbacks mean that existing experiments are not guaranteed to be proven to be secure in practice. Here, we perform an experiment that for the first time shows secure QKD with imperfect state preparations over long distances and achieves rigorous finite-key security bounds for decoy-state QKD against coherent attacks in the universally composable framework. We quantify the source flaws experimentally and demonstrate a QKD implementation that is tolerant to channel loss despite the source flaws. Our implementation considers more real-world problems than most previous experiments and our theory can be applied to general discrete-variable QKD systems. These features constitute a step towards secure QKD with imperfect devices.

Effect of source tampering in the security of quantum cryptography

Physical Review A, 2015

The security of source has become an increasingly important issue in quantum cryptography. Based on the framework of measurement-device-independent quantum-key-distribution (MDI-QKD), the source becomes the only region exploitable by a potential eavesdropper (Eve). Phase randomization is a cornerstone assumption in most discrete-variable (DV-) quantum communication protocols (e.g., QKD, quantum coin tossing, weak coherent state blind quantum computing, and so on), and the violation of such an assumption is thus fatal to the security of those protocols. In this paper, we show a simple quantum hacking strategy, with commercial and homemade pulsed lasers, by Eve that allows her to actively tamper with the source and violate such an assumption, without leaving a trace afterwards. Furthermore, our attack may also be valid for continuous-variable (CV-) QKD, which is another main class of QKD protocol, since, excepting the phase random assumption, other parameters (e.g., intensity) could also be changed, which directly determine the security of CV-QKD.

Practical aspects of measurement-device-independent quantum key distribution

New Journal of Physics, 2013

A novel protocol, measurement-device-independent quantum key distribution (MDI-QKD), removes all attacks from the detection system, the most vulnerable part in QKD implementations. In this paper, we present an analysis for practical aspects of MDI-QKD. To evaluate its performance, we study various error sources by developing a general system model. We find that MDI-QKD is highly practical and thus can be easily implemented with standard optical devices. Moreover, we present a simple analytical method with only two (general) decoy states for the finite decoy-state analysis. This method can be used directly by experimentalists to demonstrate MDI-QKD. By combining the system model with the finite decoy-state method, we present a general framework for the optimal choice of the intensities of the signal and decoy states. Furthermore, we consider a common situation, namely asymmetric MDI-QKD, in which the two quantum channels have different transmittances. We investigate its properties and discuss how to optimize its performance. Our work is of interest not only to experiments demonstrating MDI-QKD but also to other non-QKD experiments involving quantum interference.

Secure quantum key distribution

Nature Photonics, 2014

Secure communication plays a crucial role in the Internet Age. Quantum mechanics may revolutionise cryptography as we know it today. In this Review Article, we introduce the motivation and the current state of the art of research in quantum cryptography. In particular, we discuss the present security model together with its assumptions, strengths and weaknesses. After a brief introduction to recent experimental progress and challenges, we survey the latest developments in quantum hacking and countermeasures against it.

With the rise of the Internet, the importance of cryptography is growing every day. Each time we make an on-line purchase with our credit cards, or we conduct financial transactions using Internet banking, we should be concerned with secure communication. Unfortunately, the security of conventional cryptography is often based on computational assumptions. For instance, the security of the RSA scheme [1], the most widely used public-key encryption scheme, is based on the presumed hardness of factoring. Consequently, conventional cryptography is vulnerable to unanticipated advances in hardware and algorithms, as well as to quantum code-breaking such as Shor's efficient algorithm [2] for factoring. Government and trade secrets are kept for decades. An eavesdropper, Eve, may simply save communications sent in 2014 and wait for technological advances. If she is able to factorise large integers in say 2100, she could retroactively break the security of data sent in 2014. In contrast, quantum key distribution (QKD), the best-known application of quantum cryptography, promises to achieve the Holy Grail of cryptography: unconditional security in communication. By unconditional security or, more precisely,-security, as it will be explained shortly (see section discussing the security model of QKD), Eve is not restricted by computational assumptions but she is only limited by the laws of physics. QKD is a remarkable solution to long-term security since, in principle, it offers security for eternity. Unlike conventional cryptography, which allows Eve to store a classical transcript of communications, in QKD, once a quantum transmission is done, there is no classical transcript for Eve to store. See Box 1 for background information on secure communication and QKD.

Box 1 | Secure communication and QKD.

Secure Communication: Suppose a sender, Alice, would like to send a secret message to a receiver, Bob, through an open communication channel. Encryption is needed. If they share a common string of secret bits, called a key, Alice can use her key to transform a plain-text into a cipher-text, which is unintelligible to Eve. In contrast, Bob, with his key, can decrypt the cipher-text and recover the plain-text. In cryptography, the security of a crypto-system should rely solely on the secrecy of the key. The question is: how to distribute a key securely? In conventional cryptography, this is often done by trusted couriers. Unfortunately, in classical physics, couriers may be bribed or compromised without the users noticing it. This motivates the development of quantum key distribution (QKD).

Quantum Key Distribution: The best-known QKD protocol (BB84) was published by Bennett and Brassard in 1984 [3]. Alice sends Bob a sequence of photons prepared in different polarisation states, which are chosen at random from two conjugate bases. For each photon, Bob selects randomly one of the two conjugate bases and performs a measurement. He records the outcome of his measurement and the basis choice. Through an authenticated channel, Alice and Bob broadcast their measurement bases. They discard all polarisation data sent and received in different bases and use the remaining data to generate a sifted key. To test for tampering they compute the quantum bit error rate (QBER) of a randomly selected subset of data and verify that the QBER is below a certain threshold value. By applying classical post-processing protocols such as error correction and privacy amplification, they generate a secure key. This key can be used to make the communication unconditionally secure by using a one-time-pad protocol [4].

Experimental Demonstration of Polarization Encoding Measurement-Device-Independent Quantum Key Distribution

Physical Review Letters, 2014

We demonstrate the first implementation of polarization encoding measurement-device-independent quantum key distribution (MDI-QKD), which is immune to all detector side-channel attacks. Active phase randomization of each individual pulse is implemented to protect against attacks on imperfect sources. By optimizing the parameters in the decoy state protocol, we show that it is feasible to implement polarization encoding MDI-QKD over large optical fiber distances. A 1600-bit secure key is generated between two parties separated by 10 km of telecom fibers. Our work suggests the possibility of building a MDI-QKD network, in which complicated and expensive detection system is placed in a central node and users connected to it can perform confidential communication by preparing polarization qubits with compact and low-cost equipment. Since MDI-QKD is highly compatible with the quantum network, our work brings the realization of quantum internet one step closer.

Quantum Key Distribution Based on Arbitrarily Weak Distillable Entangled States

Physical Review Letters, 2006

States with private correlations but little or no distillable entanglement were recently reported. Here, we consider the secure distribution of such states, i.e., the situation when an adversary gives two parties such states and they have to verify privacy. We present a protocol which enables the parties to extract from such untrusted states an arbitrarily long and secure key, even though the amount of distillable entanglement of the untrusted states can be arbitrarily small.

Phase-remapping attack in practical quantum-key-distribution systems

Physical Review A, 2007

Quantum key distribution (QKD) can be used to generate secret keys between two distant parties. Even though QKD has been proven unconditionally secure against eavesdroppers with unlimited computation power, practical implementations of QKD may contain loopholes that may lead to the generated secret keys being compromised. In this paper, we propose a phase-remapping attack targeting two practical bidirectional QKD systems (the "plug & play" system and the Sagnac system). We showed that if the users of the systems are unaware of our attack, the final key shared between them can be compromised in some situations. Specifically, we showed that, in the case of the Bennett-Brassard 1984 (BB84) protocol with ideal single-photon sources, when the quantum bit error rate (QBER) is between 14.6% and 20%, our attack renders the final key insecure, whereas the same range of QBER values has been proved secure if the two users are unaware of our attack; also, we demonstrated three situations with realistic devices where positive key rates are obtained without the consideration of Trojan horse attacks but in fact no key can be distilled. We remark that our attack is feasible with only current technology. Therefore, it is very important to be aware of our attack in order to ensure absolute security. In finding our attack, we minimize the QBER over individual measurements described by a general POVM, which has some similarity with the standard quantum state discrimination problem.

Decoy-state quantum key distribution with two-way classical postprocessing

Physical Review A, 2006

Decoy states have recently been proposed as a useful method for substantially improving the performance of quantum key distribution protocols when a coherent state source is used. Previously, data post-processing schemes based on one-way classical communications were considered for use with decoy states. In this paper, we develop two data post-processing schemes for the decoy-state method using two-way classical communications. Our numerical simulation (using parameters from a specific QKD experiment as an example) results show that our scheme is able to extend the maximal secure distance from 142km (using only one-way classical communications with decoy states) to 181km. The second scheme is able to achieve a 10% greater key generation rate in the whole regime of distances.

Performance of two quantum-key-distribution protocols

Physical Review A, 2006

We compare the performance of Bennett-Brassard 1984 (BB84) and Scarani-Acin-Ribordy-Gisin 2004 (SARG04) protocols, the latter of which was proposed by V. Scarani et al. [Phys. Rev. Lett. 92, 057901 (2004)]. Specifically, in this paper, we investigate the SARG04 protocol with two-way classical communications and the SARG04 protocol with decoy states. In the first part of the paper, we show that the SARG04 scheme with two-way communications can tolerate a higher bit error rate (19.4% for a one-photon source and 6.56% for a two-photon source) than the SARG04 one with one-way communications (10.95% for a one-photon source and 2.71% for a two-photon source). Also, the upper bounds on the bit error rate for the SARG04 protocol with two-way communications are computed in a closed form by considering an individual attack based on a general measurement. In the second part of the paper, we propose employing the idea of decoy states in the SARG04 scheme to obtain unconditional security even when realistic devices are used. We compare the performance of the SARG04 protocol with decoy states and the BB84 one with decoy states. We find that the optimal mean-photon number for the SARG04 scheme is higher than that of the BB84 one when the bit error rate is small. Also, we observe that the SARG04 protocol does not achieve a longer secure distance and a higher key generation rate than the BB84 one, assuming a typical experimental parameter set.

Phase encoding schemes for measurement-device-independent quantum key distribution with basis-dependent flaw

Physical Review A, 2012

In this paper, we study the unconditional security of the so-called measurement-device-independent quantum key distribution (MDIQKD) with the basis-dependent flaw in the context of phase encoding schemes. We propose two schemes for the phase encoding: The first one employs a phase locking technique with the use of non-phase-randomized coherent pulses, and the second one uses conversion of standard Bennett-Brassard 1984 (BB84) phase encoding pulses into polarization modes. We prove the unconditional security of these schemes and we also simulate the key generation rate based on simple device models that accommodate imperfections. Our simulation results show the feasibility of these schemes with current technologies and highlight the importance of the state preparation with good fidelity between the density matrices in the two bases. Since the basis-dependent flaw is a problem not only for MDIQKD but also for standard quantum key distribution (QKD), our work highlights the importance of an accurate signal source in practical QKD systems.

Polarization insensitive phase modulator for quantum cryptosystems

Optics Express, 2006

We present a design for a quantum key distribution (QKD) system in a Sagnac loop configuration, employing a novel phase modulation scheme based on frequency shift, and demonstrate stable BB84 QKD operation with high interference visibility and low quantum bit error rate (QBER). The phase modulation is achieved by sending two light pulses with a fixed time delay (or a fixed optical path delay) through a frequency shift element and by modulating the amount of frequency shift. The relative phase between two light pulses upon leaving the frequency-shift element is determined by both the time delay (or the optical path delay) and the frequency shift, and can therefore be controlled by varying the amount of frequency shift. To demonstrate its operation, we used an acousto-optic modulator (AOM) as the frequency-shift element, and vary the driving frequency of the AOM to encode phase information. The interference visibility for a 40km and a 10km fiber loop is 96% and 99%, respectively, at single photon level. We ran BB84 protocol in a 40-km Sagnac loop setup continuously for one hour and the measured QBER remained within the 2%∼5% range. A further advantage of our scheme is that both phase and amplitude modulation can be achieved simultaneously by frequency and amplitude modulation of the AOM's driving signal, allowing our QKD system the capability of implementing other protocols, such as the decoy-state QKD and the continuous-variable QKD. We also briefly discuss a new type of eavesdropping strategy ("phase-remapping" attack) in bidirectional QKD system.

Finite-key analysis for measurement-device-independent quantum key distribution

Nature Communications, 2014

Quantum key distribution promises unconditionally secure communications. However, as practical devices tend to deviate from their specifications, the security of some practical systems is no longer valid. In particular, an adversary can exploit imperfect detectors to learn a large part of the secret key, even though the security proof claims otherwise. Recently, a practical approach, measurement-device-independent quantum key distribution, has been proposed to solve this problem. However, so far its security has only been fully proven under the assumption that the legitimate users of the system have unlimited resources. Here we fill this gap and provide a rigorous security proof against general attacks in the finite-key regime. This is obtained by applying large deviation theory, specifically the Chernoff bound, to perform parameter estimation. For the first time we demonstrate the feasibility of long-distance implementations of measurement-device-independent quantum key distribution within a reasonable time frame of signal transmission.

Two-Way Quantum Communication Channels

International Journal of Quantum Information, 2006

We consider communication between two parties using a bipartite quantum operation, which constitutes the most general quantum mechanical model of two-party communication. We primarily focus on the simultaneous forward and backward communication of classical messages. For the case in which the two parties share unlimited prior entanglement, we give inner and outer bounds on the achievable rate region that generalize classical results due to Shannon. In particular, using a protocol of Bennett, Harrow, Leung, and Smolin, we give a one-shot expression in terms of the Holevo information for the entanglement-assisted one-way capacity of a two-way quantum channel. As applications, we rederive two known additivity results for one-way channel capacities: the entanglement-assisted capacity of a general one-way channel, and the unassisted capacity of an entanglement-breaking one-way channel.

Research paper thumbnail of A brief introduction of quantum cryptography for engineers

arXiv (Cornell University), Feb 5, 2010

Optical and Digital Image Processing-WILEY-VCH Verlag GmbH & Co, KGaA Weinheim. The Rights for th... more Optical and Digital Image Processing-WILEY-VCH Verlag GmbH & Co, KGaA Weinheim. The Rights for this material are held by Wiley-VCH. Any commercial printing, electronic copying, and posting on internet/intranet sites other than arXiv and its mirror sites etc. is illegal and will be prosecuted.

Research paper thumbnail of Security of high speed quantum key distribution with finite detector dead time

Quantum Inf. Comput., 2014

The security of a high speed quantum key distribution system with finite detector dead time τ is ... more The security of a high speed quantum key distribution system with finite detector dead time τ is analyzed. When the transmission rate becomes higher than the maximum count rate of the individual detectors (1/τ), security issues affect the scheme for sifting bits. Analytical calculations and numerical simulations of the Bennett-Brassard BB84 protocol are performed. We study Rogers et al.'s scheme (further information is available in [D. J. Rogers, J. C. Bienfang, A. Nakassis, H. Xu, and C. W. Clark, New J. Phys. 9, 319 (2007)]) in the presence of an active eavesdropper Eve who has the power to perform an intercept-resend attack. It is shown that Rogers et al.'s scheme is no longer guaranteed to be secure. More specifically, Eve can induce a basis-dependent detection efficiency at the receiver's end. Modified key sifting schemes that are basis-independent and thus secure in the presence of dead time and an active eavesdropper are then introduced. We analyze and compare the...

Research paper thumbnail of Security of quantum key distribution using weak coherent states with nonrandom phases

Quantum Information and Computation, 2007

We prove the security of the Bennett-Brassard (BB84) quantum key distribution protocol in the cas... more We prove the security of the Bennett-Brassard (BB84) quantum key distribution protocol in the case where the key information is encoded in the relative phase of a coherent-state reference pulse and a weak coherent-state signal pulse, as in some practical implementations of the protocol. In contrast to previous work, our proof applies even if the eavesdropper knows the phase of the reference pulse, provided that this phase is not modulated by the source, and even if the reference pulse is bright. The proof also applies to the case where the key is encoded in the photon polarization of a weak coherent-state pulse with a known phase, but only if the phases of the four BB84 signal states are judiciously chosen. The achievable key generation rate scales quadratically with the transmission in the channel, just as for BB84 with phase-randomized weak coherent-state signals (when decoy states are not used). For the case where the phase of the reference pulse is strongly modulated by the sour...

Research paper thumbnail of Security proof of quantum key distribution with detection efficiency mismatch

Quantum Information and Computation, 2009

In theory, quantum key distribution (QKD) offers unconditional security based on the laws of phys... more In theory, quantum key distribution (QKD) offers unconditional security based on the laws of physics. However, as demonstrated in recent quantum hacking theory and experimental papers, detection efficiency loophole can be fatal to the security of practical QKD systems. Here, we describe the physical origin of detection efficiency mismatch in various domains including spatial, spectral, and time domains and in various experimental set-ups. More importantly, we prove the unconditional security of QKD even with detection efficiency mismatch. We explicitly show how the key generation rate is characterized by the maximal detection efficiency ratio between the two detectors. Furthermore, we prove that by randomly switching the bit assignments of the detectors, the effect of detection efficiency mismatch can be completely eliminated.

Research paper thumbnail of Time-shift attack in practical quantum cryptosystems

Quantum Information and Computation, 2007

Recently, a new type of attack, which exploits the efficiency mismatch of two single photon detec... more Recently, a new type of attack, which exploits the efficiency mismatch of two single photon detectors (SPD) in a quantum key distribution (QKD) system, has been proposed. In this paper, we propose another ``time-shift'' attack that exploits the same imperfection. In our attack, Eve shifts the arrival time of either the signal pulse or the synchronization pulse or both between Alice and Bob. In particular, in a QKD system where Bob employs time-multiplexing technique to detect both bit "0'' and bit "1'' with the same SPD, Eve, in some circumstances, could acquire full information on the final key without introducing any error. In addition, we prove that if Alice and Bob are unaware of our attack, the final key they share is insecure. We emphasize that our attack is simple and feasible with current technology. Finally, we discuss some counter measures against our and earlier attacks.

Secure quantum key distribution with realistic devices

Reviews of Modern Physics, 2020

In principle, quantum key distribution (QKD) offers information-theoretic security based on the laws of physics. In practice, however, the imperfections of realistic devices might introduce deviations from the idealized models used in security analyses. Can quantum code-breakers successfully hack real systems by exploiting the side channels? Can quantum code-makers design innovative countermeasures to foil quantum code-breakers? This article reviews theoretical and experimental progress in the practical security aspects of quantum code-making and quantum code-breaking. After numerous attempts, researchers now thoroughly understand and are able to manage the practical imperfections. Recent advances, such as the measurement-device-independent protocol, have closed the critical side channels in the physical implementations, paving the way for secure QKD with realistic devices.

Practical challenges in quantum key distribution

npj Quantum Information, 2016

Quantum key distribution (QKD) promises unconditional security in data communication and is currently being deployed in commercial applications. Nonetheless, before QKD can be widely adopted, it faces a number of important challenges such as secret key rate, distance, size, cost and practical security. Here, we survey those key challenges and the approaches that are currently being taken to address them.

Experimental quantum key distribution with source flaws

Physical Review A, 2015

Decoy-state quantum key distribution (QKD) is a standard technique in current quantum cryptographic implementations. Unfortunately, existing experiments have two important drawbacks: the state preparation is assumed to be perfect without errors and the employed security proofs do not fully consider the finite-key effects for general attacks. These two drawbacks mean that existing experiments are not guaranteed to be proven to be secure in practice. Here, we perform an experiment that for the first time shows secure QKD with imperfect state preparations over long distances and achieves rigorous finite-key security bounds for decoy-state QKD against coherent attacks in the universally composable framework. We quantify the source flaws experimentally and demonstrate a QKD implementation that is tolerant to channel loss despite the source flaws. Our implementation considers more real-world problems than most previous experiments and our theory can be applied to general discrete-variable QKD systems. These features constitute a step towards secure QKD with imperfect devices.

Effect of source tampering in the security of quantum cryptography

Physical Review A, 2015

The security of source has become an increasingly important issue in quantum cryptography. Based on the framework of measurement-device-independent quantum-key-distribution (MDI-QKD), the source becomes the only region exploitable by a potential eavesdropper (Eve). Phase randomization is a cornerstone assumption in most discrete-variable (DV-) quantum communication protocols (e.g., QKD, quantum coin tossing, weak coherent state blind quantum computing, and so on), and the violation of such an assumption is thus fatal to the security of those protocols. In this paper, we show a simple quantum hacking strategy, with commercial and homemade pulsed lasers, by Eve that allows her to actively tamper with the source and violate such an assumption, without leaving a trace afterwards. Furthermore, our attack may also be valid for continuous-variable (CV-) QKD, which is another main class of QKD protocol, since, excepting the phase random assumption, other parameters (e.g., intensity) could also be changed, which directly determine the security of CV-QKD.

Practical aspects of measurement-device-independent quantum key distribution

New Journal of Physics, 2013

A novel protocol, measurement-device-independent quantum key distribution (MDI-QKD), removes all attacks from the detection system, the most vulnerable part in QKD implementations. In this paper, we present an analysis for practical aspects of MDI-QKD. To evaluate its performance, we study various error sources by developing a general system model. We find that MDI-QKD is highly practical and thus can be easily implemented with standard optical devices. Moreover, we present a simple analytical method with only two (general) decoy states for the finite decoy-state analysis. This method can be used directly by experimentalists to demonstrate MDI-QKD. By combining the system model with the finite decoy-state method, we present a general framework for the optimal choice of the intensities of the signal and decoy states. Furthermore, we consider a common situation, namely asymmetric MDI-QKD, in which the two quantum channels have different transmittances. We investigate its properties and discuss how to optimize its performance. Our work is of interest not only to experiments demonstrating MDI-QKD but also to other non-QKD experiments involving quantum interference.

Secure quantum key distribution

Nature Photonics, 2014

Secure communication plays a crucial role in the Internet Age. Quantum mechanics may revolutionise cryptography as we know it today. In this Review Article, we introduce the motivation and the current state of the art of research in quantum cryptography. In particular, we discuss the present security model together with its assumptions, strengths and weaknesses. After a brief introduction to recent experimental progress and challenges, we survey the latest developments in quantum hacking and countermeasures against it.

With the rise of the Internet, the importance of cryptography is growing every day. Each time we make an on-line purchase with our credit cards, or we conduct financial transactions using Internet banking, we should be concerned with secure communication. Unfortunately, the security of conventional cryptography is often based on computational assumptions. For instance, the security of the RSA scheme [1], the most widely used public-key encryption scheme, is based on the presumed hardness of factoring. Consequently, conventional cryptography is vulnerable to unanticipated advances in hardware and algorithms, as well as to quantum code-breaking such as Shor's efficient algorithm [2] for factoring. Government and trade secrets are kept for decades. An eavesdropper, Eve, may simply save communications sent in 2014 and wait for technological advances. If she is able to factorise large integers in say 2100, she could retroactively break the security of data sent in 2014. In contrast, quantum key distribution (QKD), the best-known application of quantum cryptography, promises to achieve the Holy Grail of cryptography: unconditional security in communication. By unconditional security or, more precisely,-security, as it will be explained shortly (see section discussing the security model of QKD), Eve is not restricted by computational assumptions but she is only limited by the laws of physics. QKD is a remarkable solution to long-term security since, in principle, it offers security for eternity. Unlike conventional cryptography, which allows Eve to store a classical transcript of communications, in QKD, once a quantum transmission is done, there is no classical transcript for Eve to store. See Box 1 for background information on secure communication and QKD.

Box 1 | Secure communication and QKD.

Secure Communication: Suppose a sender, Alice, would like to send a secret message to a receiver, Bob, through an open communication channel. Encryption is needed. If they share a common string of secret bits, called a key, Alice can use her key to transform a plain-text into a cipher-text, which is unintelligible to Eve. In contrast, Bob, with his key, can decrypt the cipher-text and recover the plain-text. In cryptography, the security of a crypto-system should rely solely on the secrecy of the key. The question is: how to distribute a key securely? In conventional cryptography, this is often done by trusted couriers. Unfortunately, in classical physics, couriers may be bribed or compromised without the users noticing it. This motivates the development of quantum key distribution (QKD).

Quantum Key Distribution: The best-known QKD protocol (BB84) was published by Bennett and Brassard in 1984 [3]. Alice sends Bob a sequence of photons prepared in different polarisation states, which are chosen at random from two conjugate bases. For each photon, Bob selects randomly one of the two conjugate bases and performs a measurement. He records the outcome of his measurement and the basis choice. Through an authenticated channel, Alice and Bob broadcast their measurement bases. They discard all polarisation data sent and received in different bases and use the remaining data to generate a sifted key. To test for tampering they compute the quantum bit error rate (QBER) of a randomly selected subset of data and verify that the QBER is below a certain threshold value. By applying classical post-processing protocols such as error correction and privacy amplification, they generate a secure key. This key can be used to make the communication unconditionally secure by using a one-time-pad protocol [4].

Experimental Demonstration of Polarization Encoding Measurement-Device-Independent Quantum Key Distribution

Physical Review Letters, 2014

We demonstrate the first implementation of polarization encoding measurement-device-independent quantum key distribution (MDI-QKD), which is immune to all detector side-channel attacks. Active phase randomization of each individual pulse is implemented to protect against attacks on imperfect sources. By optimizing the parameters in the decoy state protocol, we show that it is feasible to implement polarization encoding MDI-QKD over large optical fiber distances. A 1600-bit secure key is generated between two parties separated by 10 km of telecom fibers. Our work suggests the possibility of building an MDI-QKD network, in which a complicated and expensive detection system is placed in a central node and users connected to it can perform confidential communication by preparing polarization qubits with compact and low-cost equipment. Since MDI-QKD is highly compatible with the quantum network, our work brings the realization of quantum internet one step closer.

Quantum Key Distribution Based on Arbitrarily Weak Distillable Entangled States

Physical Review Letters, 2006

States with private correlations but little or no distillable entanglement were recently reported. Here, we consider the secure distribution of such states, i.e., the situation when an adversary gives two parties such states and they have to verify privacy. We present a protocol which enables the parties to extract from such untrusted states an arbitrarily long and secure key, even though the amount of distillable entanglement of the untrusted states can be arbitrarily small.

Phase-remapping attack in practical quantum-key-distribution systems

Physical Review A, 2007

Quantum key distribution (QKD) can be used to generate secret keys between two distant parties. Even though QKD has been proven unconditionally secure against eavesdroppers with unlimited computation power, practical implementations of QKD may contain loopholes that may lead to the generated secret keys being compromised. In this paper, we propose a phase-remapping attack targeting two practical bidirectional QKD systems (the "plug & play" system and the Sagnac system). We showed that if the users of the systems are unaware of our attack, the final key shared between them can be compromised in some situations. Specifically, we showed that, in the case of the Bennett-Brassard 1984 (BB84) protocol with ideal single-photon sources, when the quantum bit error rate (QBER) is between 14.6% and 20%, our attack renders the final key insecure, whereas the same range of QBER values has been proved secure if the two users are unaware of our attack; also, we demonstrated three situations with realistic devices where positive key rates are obtained without the consideration of Trojan horse attacks but in fact no key can be distilled. We remark that our attack is feasible with only current technology. Therefore, it is very important to be aware of our attack in order to ensure absolute security. In finding our attack, we minimize the QBER over individual measurements described by a general POVM, which has some similarity with the standard quantum state discrimination problem.

Decoy-state quantum key distribution with two-way classical postprocessing

Physical Review A, 2006

Decoy states have recently been proposed as a useful method for substantially improving the performance of quantum key distribution protocols when a coherent state source is used. Previously, data post-processing schemes based on one-way classical communications were considered for use with decoy states. In this paper, we develop two data post-processing schemes for the decoy-state method using two-way classical communications. Our numerical simulation (using parameters from a specific QKD experiment as an example) results show that our scheme is able to extend the maximal secure distance from 142 km (using only one-way classical communications with decoy states) to 181 km. The second scheme is able to achieve a 10% greater key generation rate in the whole regime of distances.

Performance of two quantum-key-distribution protocols

Physical Review A, 2006

We compare the performance of Bennett-Brassard 1984 (BB84) and Scarani-Acin-Ribordy-Gisin 2004 (SARG04) protocols, the latter of which was proposed by V. Scarani et al. [Phys. Rev. Lett. 92, 057901 (2004)]. Specifically, in this paper, we investigate the SARG04 protocol with two-way classical communications and the SARG04 protocol with decoy states. In the first part of the paper, we show that the SARG04 scheme with two-way communications can tolerate a higher bit error rate (19.4% for a one-photon source and 6.56% for a two-photon source) than the SARG04 one with one-way communications (10.95% for a one-photon source and 2.71% for a two-photon source). Also, the upper bounds on the bit error rate for the SARG04 protocol with two-way communications are computed in a closed form by considering an individual attack based on a general measurement. In the second part of the paper, we propose employing the idea of decoy states in the SARG04 scheme to obtain unconditional security even when realistic devices are used. We compare the performance of the SARG04 protocol with decoy states and the BB84 one with decoy states. We find that the optimal mean-photon number for the SARG04 scheme is higher than that of the BB84 one when the bit error rate is small. Also, we observe that the SARG04 protocol does not achieve a longer secure distance and a higher key generation rate than the BB84 one, assuming a typical experimental parameter set.

Phase encoding schemes for measurement-device-independent quantum key distribution with basis-dependent flaw

Physical Review A, 2012

In this paper, we study the unconditional security of the so-called measurement-device-independent quantum key distribution (MDIQKD) with the basis-dependent flaw in the context of phase encoding schemes. We propose two schemes for the phase encoding: The first one employs a phase locking technique with the use of non-phase-randomized coherent pulses, and the second one uses conversion of standard Bennett-Brassard 1984 (BB84) phase encoding pulses into polarization modes. We prove the unconditional security of these schemes and we also simulate the key generation rate based on simple device models that accommodate imperfections. Our simulation results show the feasibility of these schemes with current technologies and highlight the importance of the state preparation with good fidelity between the density matrices in the two bases. Since the basis-dependent flaw is a problem not only for MDIQKD but also for standard quantum key distribution (QKD), our work highlights the importance of an accurate signal source in practical QKD systems.

Polarization insensitive phase modulator for quantum cryptosystems

Optics Express, 2006

We present a design for a quantum key distribution (QKD) system in a Sagnac loop configuration, employing a novel phase modulation scheme based on frequency shift, and demonstrate stable BB84 QKD operation with high interference visibility and low quantum bit error rate (QBER). The phase modulation is achieved by sending two light pulses with a fixed time delay (or a fixed optical path delay) through a frequency shift element and by modulating the amount of frequency shift. The relative phase between two light pulses upon leaving the frequency-shift element is determined by both the time delay (or the optical path delay) and the frequency shift, and can therefore be controlled by varying the amount of frequency shift. To demonstrate its operation, we used an acousto-optic modulator (AOM) as the frequency-shift element, and vary the driving frequency of the AOM to encode phase information. The interference visibility for a 40 km and a 10 km fiber loop is 96% and 99%, respectively, at single photon level. We ran BB84 protocol in a 40-km Sagnac loop setup continuously for one hour and the measured QBER remained within the 2%∼5% range. A further advantage of our scheme is that both phase and amplitude modulation can be achieved simultaneously by frequency and amplitude modulation of the AOM's driving signal, allowing our QKD system the capability of implementing other protocols, such as the decoy-state QKD and the continuous-variable QKD. We also briefly discuss a new type of eavesdropping strategy ("phase-remapping" attack) in bidirectional QKD systems.

Finite-key analysis for measurement-device-independent quantum key distribution

Nature Communications, 2014

Quantum key distribution promises unconditionally secure communications. However, as practical devices tend to deviate from their specifications, the security of some practical systems is no longer valid. In particular, an adversary can exploit imperfect detectors to learn a large part of the secret key, even though the security proof claims otherwise. Recently, a practical approach, measurement-device-independent quantum key distribution, has been proposed to solve this problem. However, so far its security has only been fully proven under the assumption that the legitimate users of the system have unlimited resources. Here we fill this gap and provide a rigorous security proof against general attacks in the finite-key regime. This is obtained by applying large deviation theory, specifically the Chernoff bound, to perform parameter estimation. For the first time we demonstrate the feasibility of long-distance implementations of measurement-device-independent quantum key distribution within a reasonable time frame of signal transmission.

Two-Way Quantum Communication Channels

International Journal of Quantum Information, 2006

We consider communication between two parties using a bipartite quantum operation, which constitutes the most general quantum mechanical model of two-party communication. We primarily focus on the simultaneous forward and backward communication of classical messages. For the case in which the two parties share unlimited prior entanglement, we give inner and outer bounds on the achievable rate region that generalize classical results due to Shannon. In particular, using a protocol of Bennett, Harrow, Leung, and Smolin, we give a one-shot expression in terms of the Holevo information for the entanglement-assisted one-way capacity of a two-way quantum channel. As applications, we rederive two known additivity results for one-way channel capacities: the entanglement-assisted capacity of a general one-way channel, and the unassisted capacity of an entanglement-breaking one-way channel.