HTML
-
Our practical quantum secure direct communication scheme is based on the DL04 protocol using single photons12. The scheme is illustrated in detail in Fig. 1. The "main channel" and the "wiretap channel" are discrete memoryless channels; the main channel represents the channel between the sender and receiver, while the wiretap channel represents the channel between the legitimate users and the eavesdropper. The protocol contains the following four steps.
Fig. 1 Illustration of the PDL04-QSDC protocol.
The "main channel" and the "wiretap channel" are discrete memoryless channels. The main channel represents a channel between the sender and the legitimate receiver, while the wiretap channel represents a channel between the sender and the eavesdropper(1) Bob, a legitimate information receiver, prepares a sequence of qubits. Each qubit is randomly in one of the four states $\left| 0 \right\rangle$, $\left| 1 \right\rangle$, $\left| + \right\rangle$, and $\left| - \right\rangle$, where $\left| 0 \right\rangle$, $\left| 1 \right\rangle$ are the eigenstates of Pauli operator Z, and $\left| + \right\rangle$, $\left| - \right\rangle$ are the eigenstates of Pauli operator X. Then, he sends the sequence of states to the information sender Alice.
(2) After receiving the single photon sequence, Alice randomly chooses some of them and measures them randomly in the Z-basis or the X-basis. She publishes the positions, the measuring basis and measurement results of those single photons. Bob compares this information with his preparations of these states, estimates the bit-error rate of the Bob-to-Alice channel, and informs Alice through a broadcast channel. Thus, Alice can estimate the maximum secrecy capacity Cs of the Bob-to-Alice channel using the wiretap channel theory.
(3) Alice chooses a coding scheme for the remaining qubits. This coding scheme is based on the concatenation of LDPC codes that will be described in the discussion section. The following two unitary operations,
$$ I = \left| 0 \right\rangle \left\langle 0 \right| + \left| 1 \right\rangle \left\langle 1 \right|, Y = \left| 1 \right\rangle \left\langle 0 \right| - \left| 0 \right\rangle \left\langle 1 \right| $$ map '0' and '1', respectively; they are further used for constructing the code words. Then, she sends them back to Bob.
(4) Bob decodes Alice's message from his received signals after measuring the qubits in the same basis he prepared them. If the error rate is below the correcting capability of the LDPC code, the transmission is successful. Then, they start again from step (1) to send another part of the secret message until they complete the transmission of the whole message. If the error rate is larger than the correcting capability of the LDPC code, neither Bob nor Eve can obtain information. In this case, they terminate the process.
-
According to Wyner's wiretap channel theory3, the secrecy capacity is
$$ C_s = \mathop {\max }\limits_{\{ p\} } \left\{ {I(A:B) - I(A:E)} \right\} $$ (1) where p represents the probability of unitary operation I. I(A:B) and I(A:E) are the mutual information between Alice and Bob and between Alice and Eve, respectively. Moreover, I(A:E) represents the maximum information that an eavesdropper can obtain using the best strategy she can.
The state Bob prepared is a complete mixed state, $\rho = \left( {\left| 0 \right\rangle \left\langle 0 \right| + \left| 1 \right\rangle \left\langle 1 \right|} \right)/2$, because he prepares it with equal probabilities of the four states, $\left| 0 \right\rangle$, $\left| 1 \right\rangle$, $\left| + \right\rangle$, $\left| - \right\rangle$. We consider the case of collective attack, where the most general quantum operation that Eve may perform in the forward Bob-to-Alice channel consists of a joint operation on the qubit and some ancilla that belong to Eve,
$$ \rho ^{BE} = U\left( {\rho \otimes \left| \varepsilon \right\rangle \left\langle \varepsilon \right|} \right)U^ + $$ (2) where $\left| \varepsilon \right\rangle$ represents Eve's ancillary state and U is a unitary operation acting on the joint space of the ancilla and the qubit. Then, Eve resends the qubit to Alice and stores her ancilla until the qubit is sent back. Alice performs an operationIwith probability p or Y with probability 1−p. After operating by Alice, the state becomes
$$ \rho ^{ABE} = p \cdot \rho _0^{BE} + \left( {1 - p} \right) \cdot \rho _1^{BE} $$ (3) where $\rho _0^{BE} = I\rho ^{BE}I$ and $\rho _1^{BE} = Y\rho ^{BE}Y^ +$. To gain Alice's information, Eve must distinguish Alice's encoded qubit $\rho _0^{BE}$ from $\rho _1^{BE}$ by performing coherent measurements on any number of qubits and ancilla. The maximum mutual information between Alice and Eve is upper-bounded by:
$$ I(A:E) \le \chi = \, \mathop {{\max }}\limits_{\{ U\} } \left\{ S(\rho ^{ABE}) - p \cdot S(\rho _0^{BE})\right. \\ - \left.(1 - p) \cdot S(\rho _1^{BE}) \right\} $$ (4) where S(ρ) is the von Neumann entropy, and χ is the Holevo bound22. We obtain the maximum mutual information between Alice and Eve (the detailed derivation is given in supplementary information),
$$ I(A:E) \le h(\xi ) $$ (5) where ${\xi = ( {1 - \sqrt {( {1 - 2p} )^2 + ( {1 - 2e_x - 2e_z} )^2[ {1 - ( {1 - 2p} )^2} ]} } )/2}$, ex and ez are the bit-error rates in the X-basis and the Z-basis in the error-check, respectively, and h(x) = −x log2 x−(1-x) log2 (1-x) is the binary Shannon entropy.
Because of imperfect efficiency of the detectors and channel loss, Bob cannot receive all the qubits. Gottesman has proven the security of the Bennet-Brassard quantum-key-distribution protocol in the case in which the source and detector are under the limited control of an adversary23. Similarly, considering the detectors and channel loss, the maximum mutual information between Alice and Eve becomes
$$ I(A:E) \le Q^{{\rm Eve}} \cdot h(\xi ) $$ (6) where QEve is the maximum rate at which Eve can access the qubits. Highly attenuated lasers are used as an approximate single-photon source in our implementation; for a better treatment of such an approximate single photon source, one can use the decoy state methods24-26.
The main channel can be modeled as a cascaded channel, which consists of a binary symmetric channel and a binary erasure channel in series27. The mutual information between Alice and Bob is,
$$ I(A:B) = Q^{{\rm Bob}} \cdot \left[ {h\left( {p + e - 2pe} \right) - h(e)} \right] $$ (7) where QBob is the receipt rate at Bob's side and e is the bit-error rate between Alice and Bob. We can estimate the lower bound of the secrecy capacity,
$$ C_{s} = \mathop {{\max }}\limits_{\{ p\} } \left\{ {I(A:B) - I(A:E)} \right\}\\ = \mathop {{\max }}\limits_{\{ p\} } \left\{ {Q^{{\rm Bob}} \cdot \left[ {h\left( {p + e - 2pe} \right) - h(e)} \right] - Q^{{\rm Eve}} \cdot h(\xi )} \right\}\\ = Q^{{\rm Bob}} \cdot \left[ {1 - h(e)} \right] - Q^{{\rm Eve}} \cdot h\left( {e_x + e_z} \right)\\ = Q^{{\rm Bob}} \cdot \left[ {1 - h(e) - g \cdot h\left( {e_x + e_z} \right)} \right] $$ (8) where g represents the gap between QEve and QBob, depending on the back-channel loss and the efficiency of the detector.
For any wiretap channel, if the secrecy capacity is non-zero, i.e., if the legitimate receiver has a better channel than the eavesdropper, there exists some coding scheme that achieves perfect secrecy3. Not all coding schemes can guarantee the security; the security depends on the details of the coding.
-
We implemented the above scheme in a fiber system with phase coding28. The details of the experimental setup and methods are shown in the material and methods section, and the coding scheme is described in the discussion section. In our experiment, we initially set the distance at 1.5 km, which is a typical distance between buildings in a secure area. Figure 2 shows the error rates at Alice's and Bob's sites; the horizontal axis is labeled with the number of blocks processed. ex and ez are the error rates of measurements using the X-basis and Z-basis at Alice's site, respectively. We estimate the error rate block by block. Each block contains 1312 × 830 = 1, 088, 960 pulses, including a frame head for synchronization. Under normal working conditions, their values are ~0.8%. At Bob's site, of the pulses he sent to Alice previously, he receives 0.3% of them; namely for every 1000 pulses, 3 photons are counted when Bob measures the returned pulses. The error rate at Bob's site is lower than that at Alice's site due to the intrinsic robustness of the retrace-structure of light, usually ~0.6%. Here, the mean photon number is 0.1. The inherent loss of the quantum channel is 14.5 dB, including the efficiency of the superconducting nanowire single-photon detectors, ~70%, and the optical elements, ~13 dB. Because the mean photon number is 0.1 and the channel loss of 1.5 km fiber is 0.6 dB, the total loss of the system is 25.1 dB. Shown in Fig. 3, the mutual information I(A:B) and I(A:E) versus the loss of the system are two straight lines. The area between these two lines is the information-theoretic secure area; i.e., for a coding scheme with an information rate within these areas, it is possible to guarantee the security reliably. In our experiment, the error rates are initially set at values as above, namely e is 0.6% and ex and ez are 0.8%. Then, the secrecy capacity is estimated as 0.00184 for loss at 25.1 dB. For the number N in the pseudo-random sequence, we set N = 830, after optimization. Together with the chosen error correcting code, our coding scheme gives a transmission rate 0.00096 when the bit error rate is chosen as 10−6. Additionally, $I(A:E) = g \cdot Q^{{\rm Bob}} \cdot h\left( {e_x + e_z} \right) = 9.1 \times 10^{ - 4}$, where the loss of the back channel, including the efficiency of the detector and channel loss, is ~4.1 dB, so that g = 2.57. This yields a secure information rate of 50 bps, which is well within the secure area in Fig. 3.
Fig. 2 System stability with different message blocks.
ex and ez are the error rates of measurements using the X-basis and Z-basis, respectively, at Alice's site. e is the error rate at Bob's site. We estimate the error rate block by block; each block contains 1312 × 830 pulses. The mean number of photons is 0.1. The inherent loss of a quantum channel is 14.5 dB, which includes the efficiency of the detector, ~70%, and the optical elements, ~13 dB. The total loss of the system is 25.1 dB at a distance of 1.5 kmFig. 3 The solid line represents the mutual information between Alice and Bob, the capacity of the main channel that transmission rate cannot exceed, by the noisy-channel coding theorem.
The dotted line is the mutual information between Alice and Eve, the maximum information that an eavesdropper can obtain. The error rates are set at values as above, namely e is 0.6% and ex and ez are 0.8%. Symbols represent experimental results. We set the length of the pseudo-random sequence as 830. Together with the chosen LDPC code, our coding scheme yields a transmission rate of 0.00096 when the bit-error rate is under 10−6. Because the rate is greater than the mutual information between Alice and Eve, both the security and reliability of the information transmission are assured
Practical DL04-QSDC (PDL04 QSDC) protocol
Security analysis
Experimental results
-
It is well-known that in quantum communication, photon loss is very high due to inefficient photon sources, high channel loss and low detector efficiency. To guarantee the reliability and security of transmission for QSDC, we designed a coding scheme based on the concatenation of LDPC codes, with preprocessing based on the universal hashing families (UHF)29.
Fig. 4
Illustration of the coding scheme. A message m together with a local random bits r and public random seed s are processed by the reverse universal hashing families UHF−1 to vector u, and then u is changed by LDPC code into v, which is mapped to codeword c and is then sent to the receiver's site. Because loss and error, receiver Bob receives a degraded codeword, and then he demaps, decodes and obtains the message after performing universal hashing families UHFDetails of our coding scheme are illustrated in Fig. 4. For each message block m of length Nm, the sender, namely Alice, generates a local sequence of random bits, denoted r, of length Nr. Then, she maps (m, r) to a vector u of length Nu = Nr + Nm, by the inverse of an appropriately chosen UHF, determined by a public random seed s. Information theoretic security can be guaranteed if the ratio of the length of the random bits to the length of the code word is higher than the mutual information between Alice and Eve30. In information theory, the noisy-channel coding theorem establishes reliable communication for any given degree of noise contamination of a communication channel31. To ensure the reliability of the information, Alice encodes the vector u to v of length Nv using the generator matrix of a specified LDPC code. Then, she maps each coded bit to a sequence of length N to obtain a transmitted sequence, namely a code word of length Nc that is transmitted over the quantum channel. According to the noisy-channel coding theorem31, the ratio of the length of the vector u to the length of the code word cannot be higher than the channel capacity. We deduce that the information rate,
$$ R = \frac{{N_m}}{{N_c}} = \frac{{N_u}}{{N_c}} - \frac{{N_r}}{{N_c}} \le I(A:B) - I(A:E) \le C_s $$ (9) After receiving the modulated pulses from Alice, the legitimate receiver Bob makes measurements in the same basis as he prepared them. Though only a fraction of photons in a pseudo-random sequence can reach Bob's site, he can still readout the coded bit by looking at the log-likelihood ratios of each coded bit calculated from the received sequence, and he decodes the LDPC code with an iterative propagation-decoding algorithm with the log-likelihood ratios. Then, Alice announces the public random seed s, so that Bob can obtain the secure message by the certain UHF with the seed.
For our system, we consider a (1408, 1024) quasi-cyclic (QC)-LDPC code of block length Nv = 1408, which is a standardized LDPC code of the Consultative Committee for Space Data Systems (CCSDS) for use in near-earth and deep-space applications32. The last 128 coded bits in the obtained code word of this LDPC code are punctured to achieve better error-correction performance. Thus, the actual block length of punctured LDPC code word is reduced to 1280 and the actual code rate is 0.8. Then, each coded bit in the punctured LDPC code word is mapped into a pseudo-random sequence of length 830 to obtain a transmitted sequence of length Nc = 1280 × 830 = 1, 062, 400 such that our coding scheme has a transmission rate of 0.00096. During decoding, the log-likelihood ratio of each coded bit of LDPC code is first calculated based on its corresponding pseudo-random sequence. Then, an effective iterative propagation-decoding algorithm, the scaling Min-Sum decoding algorithm33, is used to decode this LDPC code. The maximum number of iterations and scaling factor of the scaling Min-Sum decoding algorithm are set to 65 and 0.75, respectively. This shows that the decoding bit-error rate is ~10−6 in our code scheme.