Experimental Quantum Key Distribution Secure Against Malicious Devices

Wei Li, Víctor Zapatero, Hao Tan, Kejin Wei, Hao Min, Wei-Yue Liu, Xiao Jiang, Sheng-Kai Liao, Cheng-Zhi Peng, Marcos Curty, Feihu Xu, and Jian-Wei Pan

Phys. Rev. Applied 15, 034081 – Published 29 March 2021

Abstract

The fabrication of quantum key distribution (QKD) systems typically involves several parties, thus providing Eve with multiple opportunities to meddle with the devices. As a consequence, conventional hardware and/or software hacking attacks pose natural threats to the security of practical QKD. Fortunately, if the number of corrupted devices is limited, the security can be restored by using redundant apparatuses. Here, we report on the demonstration of a secure QKD setup with optical devices and classical postprocessing units possibly controlled by an eavesdropper. We implement a 1.25 GHz chip-based measurement-device-independent QKD system secure against malicious devices on both the measurement and the users’ sides. The secret key rate reaches 137 bps over a 24 dB channel loss. Our setup, benefiting from a high clock rate, miniaturized transmitters, and a cost-effective structure, provides a promising solution for widespread applications requiring uncompromising communication security.

Received 19 August 2020
Revised 3 December 2020
Accepted 25 February 2021

DOI:https://doi.org/10.1103/PhysRevApplied.15.034081

Physics Subject Headings (PhySH)

Optical quantum information processing Optoelectronics Quantum communication Quantum cryptography Quantum optics

Communication networks Photodiodes

Optical interferometry

Atomic, Molecular & OpticalQuantum Information, Science & Technology

Authors & Affiliations

Wei Li^1,2,3,§, Víctor Zapatero^4,§, Hao Tan^1,2,3, Kejin Wei^1,2,3, Hao Min^1,2,3, Wei-Yue Liu^1,2,3, Xiao Jiang^1,2,3, Sheng-Kai Liao^1,2,3, Cheng-Zhi Peng ^1,2,3,5, Marcos Curty ^4,*, Feihu Xu ^1,2,3,6,†, and Jian-Wei Pan^1,2,3,‡

¹Hefei National Laboratory for Physical Sciences at the Microscale and Department of Modern Physics, University of Science and Technology of China, Hefei 230026, China
²Shanghai Branch, CAS Center for Excellence in Quantum Information and Quantum Physics, University of Science and Technology of China, Shanghai 201315, China
³Shanghai Research Center for Quantum Sciences, Shanghai 201315, China
⁴Escuela de Ingeniería de Telecomunicación, Department of Signal Theory and Communications, University of Vigo, Vigo E-36310, Spain
⁵QuantumCTek Co., Ltd, Hefei, Anhui 230088, China
⁶Key Laboratory of Space Active Opto-electronics Technology, Shanghai Institute of Technical Physics, Chinese Academy of Sciences, Shanghai 200083, China

^*mcurty@com.uvigo.es
^†feihuxu@ustc.edu.cn
^‡pan@ustc.edu.cn
^§These authors contributed equally to this work.

Article Text (Subscription Required)

Click to Expand

References (Subscription Required)

Click to Expand

Issue

Vol. 15, Iss. 3 — March 2021

Subject Areas

Reuse & Permissions

Access Options

Author publication services for translation and copyediting assistance advertisement

Images

Figure 1
Schematic of the setup implementing the protocol presented in the text. While Alice holds two QKD modules, ${{QKD}_{A_{j}}}_{j = 1}^{2}$ , and four CP units, ${{CP}_{A_{l}}}_{l = 1}^{4}$ , Bob holds a single module, ${QKD}_{B}$ , and a single unit, ${CP}_{B}$ , for simplicity. Each pair of modules, $({QKD}_{A_{j}}, {QKD}_{B})$ with $j = 1, 2$ , is used to implement a MDI-QKD link using Charles’ central node. The two pairs of keys generated by these links are postprocessed by the CP units. Precisely, on Alice’s side, the postprocessing is performed in a multiparty setting using all four units ${{CP}_{A_{l}}}_{l = 1}^{4}$ , while, for simplicity, a standard single-party postprocessing is applied on Bob’s side. In this scenario, the protocol presented in the text is secure if one of Alice’s QKD modules and/or one of Alice’s CP units are corrupted at most. The quantum channels are marked with dashed blue arrows, while every other arrow in the figure is solid and represents a classical channel. All of Alice’s units are connected to each other by links that are assumed to be physically shielded and to connect only the desired units. Thus, further encryption and authentication is not required for them. The same applies to the links that connect a QKD module to a CP unit inside each lab, through which the raw key material and some protocol information is sent to the units for the postprocessing. The classical links connecting a ${CP}_{A_{l}}$ with ${CP}_{B}$ are authenticated (solid purple arrows). Finally, the central node (Charles) is untrusted and thus no assumptions are made about the classical links between this node and the QKD modules.
Reuse & Permissions
Figure 2
(a) Depiction of the experimental MDI-QKD setup described in the text. (b) Schematic of the Si chip. It integrates an intensity modulator (IM), a polarization modulator (POL), and a variable optical attenuator (VOA). See Sec. 3 for a detailed description of the different elements.
Reuse & Permissions
Figure 3
Simulation (lines) and experimental result (solid black triangle) of the secret key rate as a function of the channel loss. The achieved experimental secret key rate for a total emulated channel loss of 24 dB is $1.1 \times 10^{- 7}$ bits/pulse. The solid line corresponds to a simulation of the secret key rate in the setting with dishonest devices described by the experiment. The dashed line corresponds to the standard setting where the parties assume that all their devices are honest. The secret key rate in this latter scenario roughly doubles that with dishonest devices. This is so because of the need to discard the key generated by the potentially malicious QKD pair via PA when dishonest devices are considered. Moreover, this approximate factor 2 shows that the extra authentication cost required in the experiment due to the use of redundant devices is negligible.
Reuse & Permissions
Figure 4
(a) Encryption and decryption with the shared secret key. Alice encrypts a $300 \times 300$ pixels grayscale image of a panda, $m$ , with her final key, $S_{A}$ , and the one-time pad encryption scheme. Bob decrypts the image correctly using his final key $S_{B} = S_{A}$ . (b) Illustration of Eve’s failed attempt to decrypt the encrypted picture. Despite Eve’s significant knowledge about the sifted key, $Z_{A}$ , due to both her possible intervention in the quantum channel and the information revealed by the corrupted devices—assumed to be ${QKD}_{A_{1}}$ and ${CP}_{A_{1}}$ for illustration purposes here—her attempt to decrypt the intercepted picture using $S_{E}$ (defined in the text) yields a white noise output, fully uncorrelated to the actual picture. However, if, as in standard QKD, only one QKD module and one CP unit are used, Eve’s attempt is successful unless both of them are honest.
Reuse & Permissions

Physical Review Applied