Quantum Key Distribution Using Qudits Each Encoding One Bit Of Raw Key

All known qudit-based prepare-and-measure quantum key distribution (PM-QKD) schemes are more error resilient than their qubit-based counterparts. Their high error resiliency comes partly from the careful encoding of multiple bits of signals used to generate the raw key in each transmitted qudit so that the same eavesdropping attempt causes a higher bit error rate (BER) in the raw key. Here I show that highly error-tolerant PM-QKD schemes can be constructed simply by encoding one bit of classical information in each transmitted qudit in the form $(|i\rangle\pm|j\rangle)/\sqrt{2}$, where $|i\rangle$'s form an orthonormal basis of the $2^n$-dimensional Hilbert space. Moreover, I prove that these schemes can tolerate up to the theoretical maximum of 50\% BER for $n\ge 2$ provided that the raw key is generated under a certain technical condition, making them the most error-tolerant PM-QKD schemes involving the transmission of unentangled finite-dimensional qudits to date. This shows the potential of processing quantum information using lower-dimensional quantum signals encoded in a higher-dimensional quantum state.

Introduction -Quantum key distribution (QKD) allows two cooperative players, Alice and Bob, to share a secret key whose security is guaranteed by the laws of quantum mechanics. Since the discovery of the first QKD scheme by Bennett and Brassard [1], researchers have been studying different aspects of QKD. New QKD protocols that are either more practical, efficient or error tolerant have been proposed. Actual QKD experiments for some of the protocols have been carried out. Unconditionally security proofs, including those covering realistic settings like the use of imperfect sources and detectors, for many of these protocols have been found. (See, for example, the review article in Ref. [2] for an overview.) One line of research is to investigate the use of qudits rather than qubits as quantum information carriers in QKD. In particular, Chau proved the unconditional security of a prepare-and-measure quantum key distribution (PM-QKD) scheme (called Chau05) using 2 n -dimensional quantum particles as information carriers each encoding n bits of the raw key [3]. Although his scheme has a very low key rate and is hard to implement using current technology, it can tolerate a bit error rate (BER) of up to 50% in the limit of n → +∞ [4]. This demonstrates the superior error-tolerant capability of qudit-based PM-QKD scheme as the best qubit-based PM-QKD scheme known to date can only tolerate up to about 27.4% BER [5]. Recently, Sasaki et al. proposed a radically different qudit-based PM-QKD scheme known as the round-robin differential-phase-shift (RRDPS) protocol in which Alice encodes multiple bits s i 's in each of the N -dimensional qudit state as so that Bob's measurement can only reveal one of the (s i − s j )'s of his choice [6]. This is a conceptually important scheme for it demonstrates that the security of QKD needs not link to the Heisenberg uncertainty principle [7]. In terms of performance, the RRDPS protocol can also tolerate up to 50% BER in the N → +∞ limit. Besides, if the BER of the raw key is low, the key rate of the RRDPS protocol is much higher than that of Chau05. Several proof-of-principle experiments for the RRDPS protocol have been conducted [8][9][10].
Here I report a family of qudit-based PM-QKD schemes whose security comes from a new principle. In these schemes, Alice and Bob randomly and independently prepare and measure qubit-like states each in the form (|i ± |j )/ √ 2 in a 2 n -dimensional Hilbert space for n ≥ 2 so that only one bit of the raw key is encoded and transmitted in the phase of each qudit state. (Here |i 's form an orthonormal basis of the 2 n -dimensional Hilbert space.) The security originates from the fact that the eavesdropper Eve has a hard time to read out a sizable portion of the raw key without being caught because she does not know the preparation basis of each qudit at the time when the quantum state is passing through the insecure channel under her control. By identifying |i as the single photon state in the ith optical pulse, these schemes have the additional attractive feature that the prepared states, which are essentially qubit states in diagonal basis, can be easily created and measured using a standard optical interferometer with variable path length. (Interestingly, the experimental techniques used to prepare quantum states in Expression (1) in Refs. [8][9][10] can be adapted to prepare the states (|i ± |j )/ √ 2.) Using an aggressive entanglement distillation procedure involving local operation and two-way classical communications (LOCC2) originally reported in Ref. [5], I prove that Alice and Bob could share a provably secure secret key whenever the BER is less than 50% provided that the raw key obeys the technical condition to be stated in Eq. (2) later in the text, making it the first family of PM-QKD schemes that saturates the theoretical maximum limit of the tolerable BER using unentangled finite-dimensional quantum information carriers. This opens up the study of processing quantum information through the use of lower-dimensional quantum states embedded in a higher-dimensional Hilbert space or transferred through a higher-dimensional quantum channel.
The schemes -Let me denote the finite field of N ≡ 2 n elements by GF (N ) and consider the following family of schemes.
The family of PM-QKD schemes: 1. Alice randomly picks i = j ∈ GF (N ). She secretly prepares a state in the form (|i ±|j )/ √ 2 and sends it to Bob through an insecure quantum channel.
2. Bob randomly picks i ′ = j ′ ∈ GF (N ) and measures the state along |i ′ ±|j ′ . He keeps his measurement outcome private.
3. By announcing the pairs (i, j) and (i ′ , j ′ ) through an unjammable classical channel, Alice and Bob establish a bit of raw key from those states with (i, j) = (i ′ , j ′ ). (They adopt the convention that [|i + (−1) s |j ]/ √ 2 encodes the bit s.) They discard the measurement outcomes of those states with (i, j) = (i ′ , j ′ ). They repeat steps 1-3 until they have a long enough raw key. 4. They estimate the BER of the raw key e b , namely, the fraction of mismatched bits in their shared raw bit string, by comparing (and then discarding) a small random sample of the raw key. Using both accepted and rejected measurement outcomes in step 3, they calculate the conditional probability e c that a state is prepared and measured as (|i ± |j )/ √ 2 given that it is prepared as (|i ± |j )/ √ 2 and measured as [|(1−a)i+aj ±|(a+1)j −ai ]/ √ 2 for some i, j, a ∈ GF (N ). (Note that all arithmetic in the state-ket of a qudit is performed in the finite field GF (N ) from now on.) They continue only if 5. Alice and Bob apply the following LOCC2 classical post-processing procedure to the remaining raw key adapted from Ref. [5]. The values of the parameters k and r used in this procedure will be discussed in Methods.
(a) Alice and Bob randomly group their corresponding bits in their remaining raw key in pairs. They reveal the parity of each corresponding pair and keep the first bit in those corresponding pairs whose parities agree. They repeat this process k times.
(b) Alice and Bob randomly group their corresponding bits in their remaining raw key in sets each containing r bits. They replace each set by the parity of the r bits in the set.
(c) Alice and Bob obtain their final secret key by applying the Shor-Preskill privacy amplification procedure [5,11] to these bits using a Calderbank-Shor-Steane code that could correct up to, say, 1% quantum error.
Note that for the case of N = 4, the above scheme takes a rather simple form. Alice and Bob keep those states that are prepared and measured in diagonal basis of the same Hilbert subspace H ij ≡ span(|i , |j ) for some i = j ∈ GF (4). In addition, e c equals the length of the raw key divided by the total number of qudits that are prepared in the subspace H ij and measured in either H ij or H ab subspaces, where i, j, a, b are the four distinct elements of GF (4).
The unconditional security proof -Now I show the unconditional security [12,13] of this family of PM-QKD schemes for N ≥ 4 by proving the unconditional security of the following associated family of entanglementdistillation-based quantum key distribution (ED-QKD) protocols using the Shor-Preskill-type argument [11].
The associated family of ED-QKD protocols: 1. Alice prepares the state ℓ∈GF (2) |ℓ, ℓ / √ 2. She randomly picks λ, β ∈ GF (N ) with λ = 0 and applies the linear transformation for all a ∈ GF (N ) to the second qudit. She keeps the first qudit and sends the second qudit to Bob through an insecure quantum channel.
4. Alice and Bob perform the following entanglement purification procedure adapted from Ref. [5].
(a) They randomly group their corresponding qubits in tetrads where each tetrad consists of two pairs shared by them. Alice applies the unitary operation |ψ κ , ψ ℓ → |ψ κ , ψ κ+ℓ to her share of the particles in the tetrad, where |ψ κ ≡ [|0 + (−1) κ |1 ]/ √ 2; and Bob does the same to his corresponding particles in the tetrad. Alice and Bob keep their second qubit pair if the measurement results of their first qubit pair in the diagonal basis B × ≡ {ψ 0 , ψ 1 } agree. They repeat this process k times.
(b) They randomly group their remaining qubits in sets each with r shared qubit pairs. They separately apply the [r, 1, r] majority-vote error correction code for the rectilinear basis to their share of the qubits in each set.
(c) They apply a Calderbank-Shor-Steane code that could correct up to 1% quantum error to the remaining shared quantum state to distill out almost perfect |Ψ 00 EPR pairs. Finally, by measuring each qubit of these states along the diagonal basis B × Alice and Bob obtain their secret key.
Clearly |Ψ aℓ = (I ⊗ X a Z ℓ )|Ψ 00 where for all λ = 0, β, a, b ∈ GF (N ) and ℓ, κ ∈ GF (2). Up to an irrelevant global phase, the R.H.S. of Eq. (7) equals |Ψ b+λ −1 a,κ ′ . Here κ ′ = κ if ℓ = 0 or N (λb + β) = N (λ(b + 1) + β); and κ ′ = κ + 1 otherwise. Hence, the sequences of probabilities of measurement outcome along B conditioned on different λ = λ ′ and β = β ′ in step 2 of the ED-QKD protocol transform from one to another by permutation. In addition, all operations in step 4 except the final measurement in the diagonal basis permute elements in B up to an irrelevant phase. Therefore, Alice (Bob) may push the final measurement in B × in step 4c forward in time to immediately after step 1 (2) [5,15]. By renaming λ = j − i and β = i, I get L λβ |0 = |i and L λβ |1 = |j . Consequently, this ED-QKD protocol is reduced to the PM-QKD scheme. Furthermore, the Shor-Preskill argument implies that the unconditional security of the above PM-QKD scheme follows that of the ED-QKD protocol [11].
I now proceed to analyze the security of the ED-QKD protocol. Clearly, the probabilities e aℓ 's obeys a∈GF (N ),ℓ∈GF (2) e aℓ = 1. Since λ and β are randomly chosen for each transmitted qudit and are unknown to Eve during the transmission, Eq. (7) implies that e a0 + e a1 = e b0 + e b1 (8) for all non-zero a, b ∈ GF (N ). So, if Eq. (5) is satisfied, e 00 > 1/2 is the greatest element among the e aℓ 's. Furthermore, by comparing the definitions of e b , e c in step 4 of the PM-QKD schemes with the definitions of e aℓ 's in step 3 of the ED-QKD protocols, I find the following correspondences: e c = e 00 + e 10 + e 01 + e 11 (10) and 1 − e c = (e 10 + e 11 )(N − 2).
Thus, Eq. (5) implies Eq. (2). The probabilities that the joint measurement outcomes for those remaining shared qubits just before step 4 of the ED-QKD protocol can be written as the elements of the 2 × 2 error matrix e 00 e 01 e 10 e 11 .
By treating each pair of shared qudits as shared qubit pair, then p I , p x , p y and p z can be regarded as the probabilities that Bob's share of the qubit pair has suffered I, σ x σ y and σ z errors, respectively. Note that in the above ED-QKD protocol, step 4 is analogous to a similar procedure in Ref. [5] with the roles of X-and Z-errors being swapped. That is to say, step 4a is a variation of the BXOR test [16,17] that reduces the Z-error of the resultant qubit pairs; whereas step 4b reduces the X-error. Applying Proposition 1 in Ref. [5] with the roles of X-and Z-errors exchanged, the corresponding error matrix for the shared qubits immediately after step 4a equals where Since e 00 > 1/2, so is p I . Hence from Proposition 2 in Ref. [5] (again with X-and Z-errors exchanged), the quantum error rate of the shared qubits can be reduced to less than 1% after step 4b and therefore almost perfect |Ψ 00 's can be distilled in step 4c if the r in step 4b equals 0.005/(p kEP y + p kEP z ) and 2r(1/2 − p kEP x − p kEP y ) 2 ≫ 1. Such an r exists if (B+D) 2 ≫ 400C(A+C). Since p I > 1/2, p I − p z > p x − p y . Thus, r exists by picking a sufficiently large k as long as (Incidentally, the same condition has been proven in Ref. [5] for the special case of p x = p y = p z .) From Eqs. (9) and (12)  Besides, f → 0 as e 11 = 0, e b → 1/2 and e c → 1. Therefore, e max = 1/2; and this can be attained when Eve feeds every particle sent by Alice through a completely dephasing channel before giving it to Bob.
By the standard composability definition of security for QKD [12,13], the family of ED-QKD protocols for N ≥ 4 can, therefore, produce a shared secret key whenever the BER is less then 50%.
To conclude, using the above family of PM-QKD schemes, Alice and Bob can establish a secure key when-ever the BER of the raw key is less than 50% provided that N ≥ 4 and the accepted data rate e c obeys Eq. (2). Since it is impossible to recover any encoded classical message after sending through a binary symmetric channel with crossover probability 1/2, this family of PM-QKD schemes shows that the most error-tolerant QKD scheme (as measured by its tolerable BER) can be constructed by sending 4-dimensional qubit-like qudits each containing a single bit of classical information encoded in its phase. (The most error-tolerant scheme of this type using 4-dimensional qudits before this study was Chau05, which can distill a secret key up to 35.6% BER.) The security of this family of schemes comes partly from the ability to deduce the X-error rate through a clever use of the accepted data rate e c in step 4. This opens up new possibilities for doing quantum information processing through carefully designed algorithms that sends lower-dimensional quantum states through a higher-dimensional channel.
Outlook -So far, the analysis is restricted to the case of ideal source and detectors in the arbitrarily long raw key length limit. One still needs to investigate of the security and performance of this family of schemes for realistic source (say, by decoy state method [18][19][20]) and detector (say, by measurement-device-independent techniques [21,22]) in the finite-key-length setting [23][24][25][26] using one-way or two-way classical post-processing. They will be reported elsewhere.