Continuous-variable quantum cryptography with an untrusted relay: Detailed security analysis of the symmetric configuration

We consider the continuous-variable protocol of Pirandola et al. [arXiv:1312.4104] where the secret key is established by the measurement of an untrusted relay. In this network protocol, two authorized parties are connected to an untrusted relay by insecure quantum links. Secret correlations are generated by a continuous-variable Bell detection performed on incoming coherent states. In the present work we provide a detailed study of the symmetric configuration, where the relay is midway between the parties. We analyze symmetric eavesdropping strategies against the quantum links explicitly showing that, at fixed transmissivity and thermal noise, two-mode coherent attacks are optimal, manifestly outperforming one-mode collective attacks based on independent entangling cloners. Such an advantage is shown both in terms of security threshold and secret-key rate.

Figure 1

(a) Relay-based protocol performed in the symmetric configuration with the untrusted relay perfectly in the middle between the parties. Alice and Bob prepare coherent states with Gaussianly modulated amplitudes, $\alpha$ and $\beta$, respectively. The relay performs a continuous-variable Bell measurement with complex outcome $\gamma :=(q_{-}+i{p}_{+})/\sqrt{2}$, which is publicly broadcast. From the knowledge of $\gamma$ each party can infer the variable of the other party. (b) Entanglement-based representation of the protocol under two-mode Gaussian attack. Using two beam splitters with transmissivity $\tau$, Eve injects to ancillary modes, $E_1$ and $E_2$, prepared in a two-mode Gaussian state with zero mean and CM in the symmetric normal form of Eq. (2). See text for details.

Figure 2

Correlation plan for a symmetric Gaussian attack. Given $\tau$ and $\omega$ (here set to 2), the attack is fully specified by the two correlation parameters $(g,g^{\prime })$, whose accessible values are represented by the nonwhite area. In particular, the inner darker region represents the set of separable attacks (${\sigma }_{E_1{E}_2}$ separable), while the two outer and lighter regions represent entangled attacks (${\sigma }_{E_1{E}_2}$ entangled). The numbered points represent the specific attacks described in Sec. 4.

Figure 3

Secret-key rate $R$ (bits) versus thermal noise $\omega$ for the various symmetric attacks (1)–(6) classified in Sec. 4 and displayed in Fig. 2. Link transmissivity is set to $\tau =0.9$. Note that the negative EPR attack (6) is the optimal attack minimizing the rate of the protocol.

Figure 4

Security threshold ($R=0$) expressed as maximum tolerable thermal noise $\omega$ versus link transmissivity $\tau$. We compare the various symmetric attacks (1)–(6) classified in Sec. 4 and displayed in Fig. 2. The negative EPR attack (6) is the optimal corresponding to the lowest security threshold. Also note the peculiar inversion of the threshold for the positive EPR attack (5), for which the rate is positive for values of thermal noise above the threshold.

Figure 5

Untrusted relay with inefficient detectors. Two additional beam splitters, with transmissivities $(\eta ,{\eta }^{\prime })$ are placed in front of the ideal detectors. One output from each beam splitter is sent to the detectors for measurements. The other outputs are sent to Eve's quantum memory.

Figure 6

The key rate $R$ (bits) is plotted versus thermal noise $\omega$ for $\mu =10$ (SNU) (top panel) and $\mu =70$ (bottom panel). Other parameters are $\tau =0.9$, $\beta =0.95$, and $\eta ={\eta }^{\prime }=0.98$. We compare two eavesdropping strategies: the collective one-mode entangling cloner attack $g^{\prime }=g=0$ (dotted black line) and the two-mode “negative EPR” attack $g=-g^{\prime }=-\sqrt{{\omega }^2-1}$ (continuous black line). We see that the key rate of the two-mode attack is always lower than that of the one-mode attack. For comparison, we have also plotted the performances in the case of ideal reconciliation ($\beta =1$), ideal detectors ($\eta ={\eta }^{\prime }=1$), and large modulation ($\mu \gg 1$). These ideal performances are represented by the red curves, dotted for the one-mode attack and continuous for the two-mode attack.

Figure 7

We plot the security threshold $\omega =\omega \left(\tau \right)$ for $\mu =10$ (top panel) and $\mu =70$ (bottom panel). Other parameters are $\beta =0.95$ and $\eta ={\eta }^{\prime }=0.98$. We compare the two-mode negative EPR attack (continuous black lines) and the one-mode entangling cloner attack (dotted black lines). Red curves refer to the ideal case $\beta =\eta ={\eta }^{\prime }=1$ and $\mu \gg 1$.

Figure 8

This figure shows the security thresholds as $\omega =\omega \left(d\right)$, where $d$ is the distance in km, assuming the loss rate of $0.2$ dB/km. As in previous figures we compare the two-mode negative EPR attack (solid lines) with the one-mode entangling-cloner attack (dotted lines). In the top panel, the red curves refer to the ideal conditions $\beta =\eta ={\eta }^{\prime }=1$ and $\mu \gg 1$. The black curves refer to the nonideal case $\beta =0.95$, $\eta ={\eta }^{\prime }=0.98$, and $\mu =70$ (SNU). The bottom panel shows the degradation of the performance as we increase the modulation from $\mu =70$ (black curves) to $\mu =1000$ (green curves), for $\beta =0.95$, $\eta ={\eta }^{\prime }=0.98$.