Measurement-device-independent quantum key distribution over untrustful metropolitan network

Quantum cryptography holds the promise to establish an information-theoretically secure global network. All field tests of metropolitan-scale quantum networks to date are based on trusted relays. The security critically relies on the accountability of the trusted relays, which will break down if the relay is dishonest or compromised. Here, we construct a measurement-device-independent quantum key distribution (MDIQKD) network in a star topology over a 200 square kilometers metropolitan area, which is secure against untrustful relays and against all detection attacks. In the field test, our system continuously runs through one week with a secure key rate ten times larger than previous result. Our results demonstrate that the MDIQKD network, combining the best of both worlds --- security and practicality, constitutes an appealing solution to secure metropolitan communications.

through one week with a secure key rate ten times larger than previous result 9 .Our results demonstrate that the MDIQKD network, combining the best of both worlds -security and practicality, constitutes an appealing solution to secure metropolitan communications.
Quantum key distribution (QKD) 1, 2 can in principle offer information-theoretical security between two remote parties, guaranteed by the fundamental laws of quantum mechanics.The last three decades have witnessed tremendous advances in both theoretical developments and successful experimental demonstrations of various quantum cryptographic systems.Moreover, QKD networks of various topologies have emerged and extended to more users in larger domains [4][5][6][7]10 .
To increase the scalability of these networks, the architectures often adopt the idea of sharing, and thus star-type network is preferable for sharing the most expensive resource -single photon detectors 10 , as shown in Fig. 1(a).With such a topological structure, it is straightforward to directly add more users with low hardware requirement.
From the security point of view, the existing star-type networks have to assume the central relays to be trustful, which is a critical shortcoming.Once the relay is dishonest, the security of the whole network is down.Furthermore, an honest relay with imperfect devices still suffers from various attacks that exploit the loopholes caused by the gap between the idealized devices assumed in the security proof and the realistic ones 11 .Indeed, single photon detectors can be difficult for legitimate users to characterize precisely but easy for technology-advanced eavesdroppers to exploit a certain imperfection to attack 12,13 .It is important to note that in all previous network implementations, trustful relays are utilized, which constitutes the weakest point of security.
Remarkably, the MDIQKD protocol 8 , inspired by the time-reversed entanglement-based QKD protocol [14][15][16] , can close all the detection loopholes.Besides, MDIQKD is intrinsically suitable for a star-type network architecture with measurement devices placed at the central relay, as depicted in Fig. 1(b).Since its security doesn't rely on any assumption on measurement, MDIQKD network even allows the eavesdroppers to have a full control of the relay without compromising the security.Therefore, the MDIQKD networks are able to solve the security loophole existing in the conventional star-like QKD networks and almost all existing quantum networks.
Up till now, many efforts have been devoted to proof-of-principle experimental demonstrations of the MDIQKD protocol [17][18][19][20][21] .Further experiments, accounting for long distance, high loss and field test, have also been reported 9,22,23 .Nevertheless, these are all limited to point-to-point configurations.A network implementation, yet to be developed, is crucial for enabling and extending practical applications of MDIQKD.
Here, we experimentally demonstrate a three-user, four-node MDIQKD network within the city of Hefei, China.The network deployment is shown in Fig. 2(a), which includes an untrusted relay, R, and three users, U1, U2, and U3, located in four different places.The deployed fiber lengths (channel losses) between the three users and the relay are 17 km (5.1 dB), 25 km (9.2 dB), and 30 km (8.1 dB), respectively.We employ an 8-by-4 mechanical optical switch to route the three users to the relay by auto-control command, with a low connection loss around 1 dB per channel.The outputs of the switch are connected to a fiber beam splitter (BS) for Bell state measurement (BSM).Within the star-type topology, any user pair (U1 − U2, U1 − U3, U3 − U2) can get access to the BSM setup to run MDIQKD, which works as a quantum telephone exchange.
We emphasize that the MDIQKD network is not a straightforward upgrade of the previous point-to-point system 18,22 .There are significant new technical challenges in the network implementation.The first one is reference frame calibration.Due to the polarization and phase fluctuation 17,18 , the reference frame needs to be calibrated timely.In the previous point-to-point experiments 18,22 , we utilized an additional fiber link between the two users and one phase-stabilization laser (PSL) for this purpose.To scale up for networking applications, the demand of fiber links increases quadratically with the user number.Besides, each new user needs an additional PSL with its wavelength locked to the signal laser.
We use a scalable and efficient structure of phase stabilization suitable for phase calibration.
As shown in Fig. 3(a), a pulsed PSL is placed in the relay and passes through a reference asymmetrical Mach-Zehnder interferometer (AMZI) with a delay of 6.5 ns.It is divided by BS and then sent to the three users through three additional fibers, respectively.After the user's AMZI, two commercial power meters record the two output interference intensities.Their measurement ratio provides a feedback signal to compensate the phase shift of AMZI by the phase shifter inside each user's AMZI.In this arrangement, the required fiber resources increase only linearly with the user number, which is a significant reduction compared to that in point-to-point structure.In addition, only one PSL, placed in the relay and shared by all the users, is needed.
The other critical challenge is to maintain the indistinguishability of all the users' lasers.For a point-to-point system, a high-speed feedback system 22 was developed for this purpose where the two lasers are calibrated and locked via a feedback loop.Whereas, in the network, any two users will be switched upon their requests.Once switched, the two lasers must be calibrated immediately to guarantee their timing, spectrum and polarization mode are indistinguishable.Furthermore, the optical switch will change the lasers' arriving time and polarization when it is connected.
In our network, we randomly switch any two users to the relay BSM per two hours, i.e.
we need to recalibrate all the lasers' modes per two hours.For the timing synchronization and polarization stabilization, we adopt the feedback system in our previous system 22 (see Methods).
For the wavelength calibration, in the point-to-point system, we previously utilized an optical spectrum analyzer (OSA) to calibrate and feedback the wavelength.Here, we measure the Hong-Ou-Mandel (HOM) interference with the BSM setup and utilize the visibility of the HOM dip as the feedback signal.When the time and polarization are calibrated, the HOM visibility depends on the wavelength difference of the two lasers.And then we adjust the wavelength by tuning the temperature of the input signal lasers.As shown in the inset of Fig. 3(b), by scanning the wavelength, we can observe a clear HOM dip.Using this method, we can take advantage of the existing BSM equipments, without the need of other instruments sush as the OSA.Furthermore, as the HOM dip can reflect the overall interference condition, it is also an efficient way to calibrate all the interference parameters, including the wavelength difference.
In our experiment, we optimize the system parameters 24 , including the decoy-state parameter and basis choice setting 25 , to increase the secure key rate.This optimization is based on the system parameters of the MDIQKD network with a high-quality transmitter system and a high-efficiency detection system.The MDIQKD transmitter at the user side and the BSM setup in the relay are illustrated in Fig. 2(b).Each user has the same configuration, adopting a signal laser internally modulated at 75 MHz, with a central wavelength of 1550.12 nm and a pulse width of 2.5 ns.With decoy-state optimization, the laser pulse intensities of vacuum state, weak decoy state and signal state are 0, ν = 0.1 and µ = 0.33, respectively, and their probabilities are 16%, 58% and 26%, respectively.Each user employs the time-bin phase-encoding scheme 26 , in which only the raw data in the Z basis are used for final key generation and those in the X basis are used for phase error estimation.All the signal state is encoded in the Z basis.For the weak decoy state, 63% is encoded in the X basis and the rest 37% in the Z basis.We utilize an AMZI, three AMs (AM2∼AM4) and one PM to encode qubits.The modulators, AM2, AM3 and PM, are used to encode basis, and AM4 is used to normalize the two bases' average photon numbers.The signal laser pulses are attenuated to single-photon level by an EVOA.
After passing through the deployed fiber routed to the relay by an optical switch, the laser pulses are interfered in the BSM setup.Before the BSM, we insert two DWDMs with 0.7 dB loss to block the background light.The BSM is then implemented with an interference BS and two SNSPDs 27 operated at 2.1K with system detection efficiencies of 64% and 66% and the dark count rate of 100 Hz.The inner insertion loss of the BS is 1.4 dB.The partial BSM post-selects |ψ − Bell state, when the two detectors in the two output arms of the BS have a coincidence detection at two alternative time bins.We set an efficient time window of 1.7 ns to achieve a good interference.
With the BSM results announced by the untrusted relay, the two users run the basis sift by post selecting the raw data when they choose the same basis.Then the two users categorize the data according to vacuum, decoy and signal state labels and evaluate the gains and bit error rates in each case.All the data from the Z basis, consisting of nine cases, will be used for secure key extraction.The secure key rate formula is given by 8 where 0, ν, µ denote the vacuum, decoy and signal states, respectively.Q ab and E ab are the overall gain and error rate when two users send states a and b with a, b ∈ {0, ν, µ, }.The gain and phase error rate of the single-photon components, Q ab 11 and e ab 11 , can be estimated by the decoy-state method with a proper fluctuation analysis 28  for evaluation.The detailed key rate calculation is shown in Supplemental Material.
We run the post-processing for each valid data session of 1 to 2 hours between different user pairs.In the analysis, we fix the failure probability to be 10 We remark that the results we have achieved are at least ten times higher than the previous state-of-the-art field test.
In conclusion, we have demonstrated the first MDIQKD network which is secure against un-trustful replays and all detection attacks, and also resource efficient in real world implementation.
The multi-user HOM interference technology developed in the experiment can find applications in multi-party entanglement swapping based quantum communication 29 and a quantum computing cloud.In quantum computing cloud, the users only need to prepare quantum states and share the expensive quantum computing devices.Furthermore, with the decoy state source, such topological setup can also be extended to the blinding quantum computing 30 , where the computing station can be untrusted.

Methods
Fully-automated feedback system.The time calibration system mainly includes synchronization laser (SynL, 1570 nm) pulses to synchronize the whole system, and programmable delay chip to adjust the time delay of SynL pulses.The polarization stabilization system in each arm of the interference BS in the BSM handles the polarization misalignment of the laser pulse connected to BSM by the optical switch.It mainly includes an EPC, a PBS, a SNSPD in the reflection port of this PBS, and a polarization-maintained interference BS in the transmission port.
For the wavelength calibration, we implement the HOM interference and calculate the coincidence value of HOM dip, rather than measure the wavelength difference directly by an OSA.The coincidence value of HOM dip is calculated by (N c N tot )/(N 1 N 2 ), where N c , N tot , N 1 and N 2 represent the coincidence count of two BSM detectors, the total pulse count sent by the laser source, the detection count of BSM detector 1 and 2, respectively, over a certain run time and within a certain time window.By scanning the temperature which increases linearly with the wavelength of our laser (0.8 pm per 0.01 degree centigrade), we can obtain the optimized wavelength.To implement HOM dip measurement, the two users send their strong laser pulses without any decoy or qubit modulation.Besides, it's preferable for the intensity of the laser pulses arriving at the BSM setup to be close to each other.This is because the coincidence value represents the indispensability considering all the modes.To obtain the wavelength difference more precisely, the coincidence value should be less influenced by the other aspects.To fulfill this purpose, the EVOA in the user's side is utilized to adjust the output intensity in this wavelength calibration procedure.
For the phase stabilization, we adopt a pulsed PSL (1550.12nm) with 2.5 ns pulse width placed in the relay.It passes through an AMZI with 6.5 ns time difference of two paths.Then, a BS divides the pulsed laser into three parts, with each output port connecting to one user.Combined with the synchronization laser pulses by WDM, The PSL pulses are transmitted through an additional fiber links and received by the corresponding user.Separated by another WDM, the PSL pulses passes through the user's AMZI, and are monitored by two commercial power meters in the two interference output.The intensity ratio provides a feedback signal to calibrate two AMZIs' phase reference frame by the phase shifter inside each user's AMZI.This arrangement has two advantages in both the scalable structure and the low commercial cost.Firstly, this new structure is preferred for extension, with only one PSL placed in the relay and shared by all the users.In contrast, the structure of phase stabilization system suitable for point-to-point implementation 22 needs one more feedback laser source when one user joins in the network, and all the feedback laser wavelengths should be locked to the signal laser, which increases the technical complexity.
Secondly, we adopt the commercial power meter rather than the gated single-photon detector.On one hand, the power meter is much cheaper, especially preferred by users.On the other hand, the single-photon detector requires a gate signal with time calibrated according to fiber length shift.
However, the power meter requires no extra controlling signal and thence no calibration to it.The users' setup and the relay's BSM setup are shown in the inset.In the user's side, we utilize an internally modulated signal laser, and modulate the decoy intensity according to vacuum+weak decoy scheme by an AM.Then we adopt a circulator, an asymmetrical Mach-Zehnder interferometer (AMZI), three amplitude modulators (AMs) and one phase modulator (PM) to encode qubits.

* Acknowledgments
The idle ports of circulators and beam splitters for the AMZI are exploited for phase synchronization and feedback, which are represented in the dash line.After attenuated by an electrical variable optical attenuator (EVOA), the signal laser pulses are sent via the deployed fiber to the relay comprised by an interference BS and two superconducting nanowire single-photon detectors (SNSPDs).Before the BSM, we adopt a dense wavelength division multiplexor (DWDM) in each input of the BS to block the stray light in the fiber, and insert an electric polarization controller (EPC) and a polarization beam splitter (PBS) for polarization alignment.
. H(e) = −e log 2 (e) − (1 − e) log 2 (1 − e) is the binary Shannon entropy function.The parameter f is the error correction efficiency and we use f = 1.2

Figure 1 :
Figure 1: (a) Schematic of conventional QKD network with detectors as the shared resources

Figure 2 :
Figure 2: Birds-eye view of the MDIQKD network topology.User U1 is placed in an admin-

Figure 3 : 16 Figure 4 :
Figure 3: (a) The structure of phase-feedback scheme.A PSL placed in the relay passes through The authors would like to thank J. Fan, X. Xie, Z. Cao and M. Jiang for enlightening discussions, as well as D. Yang and W. Sun for experimental assistance.This work has been supported by the National Fundamental Research Program (under Grant No. 2011CB921300 and 2013CB336800), the National Natural Science Foundation of China, the Chinese Academy of Science, and the Shandong Institute of Quantum Science & Technology Co., Ltd.