^{*}

Edited by: Derek Abbott, University of Adelaide, Australia

Reviewed by: Christopher Portmann, ETH Zurich, Switzerland; David Simon, Stonehill College, USA; Xiongfeng Ma, Tsinghua University, China

*Correspondence: Hatim Salih

This article was submitted to Optics and Photonics, a section of the journal Frontiers in Physics

This is an open-access article distributed under the terms of the Creative Commons Attribution License (CC BY). The use, distribution or reproduction in other forums is permitted, provided the original author(s) or licensor are credited and that the original publication in this journal is cited, in accordance with accepted academic practice. No use, distribution or reproduction is permitted which does not comply with these terms.

The phenomenon of quantum erasure has long intrigued physicists, but has surprisingly found limited practical application. Here, we propose a protocol for quantum key distribution (QKD) based on quantum erasure, promising inherent security against detector attacks. We particularly demonstrate its security against a powerful detector-blinding attack.

Ideas at the root of quantum erasure were already at play in the famous Bohr-Einstein dialogue in the 1920's. In one such debate, Einstein envisaged a scenario where one could seemingly observe interference fringes in a double-slit experiment, as well as learn which-path information for individual photons [

In 1982 Scully and Druhl [

While the original quantum erasure proposals have not been implemented, other more practical ones have. For instance, Walborn et al. [

Despite its fundamental significance, quantum erasure has for one reason or another struggled for practical application. One notable exception is Zhao et al. recently employing a frequency eraser to entangle, for the first time, different-color photons [

Quantum key distribution (QKD) on the other hand enables two remote parties to share a random string of zeros and ones. Given such a string, provably secure communication can be established [

We now describe our erasure-based protocol for QKD. The goal here for “Alice” and “Bob,” the customary communicating parties in such tasks, is to securely share a random string of zeros and ones. We start by explaining a simplified two-state version of the protocol before proceeding to give the complete four-state protocol. After sending her photon from the top left, Alice encodes the bit value “0” by doing nothing, and encodes the bit value “1” by turning on switchable polarization rotators _{A1} and _{A2}, applying rotations _{B1} and _{B2}, applying rotations

_{A1} and _{A2}. Bob encodes bit value “1” by doing nothing, and encodes bit value “0” by applying switchable polarization rotators _{B1} and _{B2}. Which-path information destroys interference, while the erasure of which-path information restores interference. As explained in the text, for Alice sending in her photon from the top left, _{1} clicking uniquely corresponds to Alice and Bob agreeing in their bit choices, and for Alice sending in her photon from the bottom left, _{2} clicking uniquely corresponds to Alice and Bob agreeing in their bit choices.

More precisely, Alice starts by sending in a photon, using single-photon source _{1}, in the state |

For the case of Alice choosing the bit value “0,” sending _{2} clicks with certainty because of destructive interference at _{1}. But if Bob applies his rotations, choosing the bit value “0,” then which-path information is introduced in the form of entanglement in _{1} and _{2} are equally likely to click.

For the case of Alice choosing the bit value “1,” sending _{2} clicks with certainty because of destructive interference at _{1}. But if Bob does nothing, choosing the bit value “1,” we get no interference: _{1} and _{2} are equally likely to click. Importantly, whenever _{1} clicks, Alice and Bob have agreed in their bit choices. Alice publicly instructs Bob to keep the corresponding bits, which form our sifted key. Table

0 | 0 | _{1} or _{2} |

0 | 1 | _{2} |

1 | 0 | _{2} |

1 | 1 | _{1} or _{2} |

_{1} clicking uniquely corresponds to Alice and Bob making the same bit choices

This simplified two-state version is vulnerable to a simple Eve attack. She can make the exact measurement as Bob using two polarization rotators, a 50–50 beamsplitter, and two detectors. For Eve not applying her rotations, whenever her equivalent of Bob's _{1} clicks, she knows Alice has sent her entangled state; Eve sends the entangled state. If Eve's other detector clicks, she sends nothing. The case of Eve applying her rotations is analogous. This way Eve can obtain the full key.

We are ready to give our quantum erasure cryptography protocol, using four states. Alice now sends her photon either from the top using _{1}, or from the bottom using _{2}, with equal probability. After Bob makes his measurement, Alice announces publicly which photons were sent from the top and which from the bottom. For photons sent from the top, as before, bits corresponding to _{1} clicking are kept while the rest are thrown away. For photons sent from the bottom, bits corresponding to _{2} clicking are kept while the rest are thrown away. More precisely, the protocol proceeds as follows:

With probability 1/4 Alice sends Bob one of four possible states:

Bob encodes bit value “0” by making the measurement corresponding to applying his polarization rotators, and encodes bit value “1” by making the measurement corresponding to not applying his polarization rotators.

Alice announces whether she initially sent her photon from the the top using _{1} or from the bottom using _{2}.

Bob announces which of his two detectors clicked for each photon.

For photons sent from the top using _{1}, bits corresponding to _{1} clicking are kept. For photons sent from the bottom using _{2}, bits corresponding to _{2} clicking are kept instead. Those bits that are kept form the sifted key. The rest are thrown away.

Alice randomly chooses a sample from the sifted key. Alice and Bob publicly announce corresponding bits. If error rate exceeds some threshold they then abort protocol and start over.

Alice and Bob perform error correction and privacy amplification to obtain the final secure key.

During peer-review of the present paper a one-qubit protocol [

We discuss two attacks by Eve. First an intercept-resend attack, then a powerful detector-blinding attack. Consider Eve employing an intercept-resend strategy where, just like Bob, she brings the two paths together, randomly choosing to either apply identical rotations to Bob's or not apply any before her beam-splitter and two detectors which are also identical to Bob's. Take the case of Eve not applying her rotations and her lower detector clicking. The detector could have equally been triggered by an unentangled state or by an entangled one. But one of the two unentangled states, which allow interference to take place, can be ruled out. Therefore, by assuming that Alice has sent the other entangled state, in this case the one corresponding to Alice sending in her photon from the top and not applying her rotations, Eve is correct with probability 1/2. She sends this state to Bob. The case of Eve not applying her rotations and her upper detector clicking is analogous; she sends to Bob Alice's other unentangled state, that is the one corresponding to Alice sending in her photon from the bottom and not applying her rotations. For the case of Eve applying her rotations, if her lower detector clicks she sends Alice's entangled state corresponding to Alice sending in her photon from the top and applying her rotations. And if Eve's upper detector clicks she sends Alice's entangled state corresponding to Alice sending in her photon from the bottom and applying her rotations.

Let's now work out the probability of Bob's detector _{1} incorrectly clicking for the case of Alice sending in her photon from the top. Eve sends the wrong state with probability 1/2. Based on Alice and Bob's bit choices, there is a 1/2 chance that the state incident on Bob's beam-splitter should be the unentangled state, corresponding to Alice and Bob not agreeing on their bit choices, leading to destructive interference at Bob's _{1}. The probability of Eve incorrectly triggering _{1} is therefore 1/2 × 1/2 × 1/2 = 1/8. The probability of Eve correctly triggering _{1} in this case is 1/4, corresponding to Alice and Bob agreeing on their bit choices. (1/8 due to Eve sending correct state plus 1/8 due to Eve sending wrong state.) By symmetry, The probability of Eve incorrectly triggering _{2} for the case of Alice sending in her photon from the bottom is also 1/2 × 1/2 × 1/2 = 1/8. The probability of Eve correctly triggering _{2} in this case is 1/4, corresponding to Alice and Bob agreeing on their bit choices. (1/8 due to Eve sending correct state plus 1/8 due to Eve sending wrong state.) Given this attack, the error rate in the sifted key, called the quantum bit error rate or QBER, is 1/8 ÷ 3/8 = 1/3.

We now show that our protocol is secure against this intercept-resend attack. Starting with the sifted key, the classical algorithms of error correction and privacy amplification can be used to generate a secure key—as long as Bob has more information than Eve [

While for Bennett and Brassard's BB84 QKD protocol [

We have mentioned that Alice and Bob can make use of two out of the three photons that are to be thrown away on average, to check for an attack by Eve. When Alice and Bob make opposite bit choices, which means interference should take place, Bob measures polarization in the +45, −45 basis. He should always measure +45. (Bob can make this measurement by replacing each of his detectors by a 45° polarization rotator, which leads to a polarizing beam-splitter, which in turn leads to two detectors.) For Eve's intercept-resend attack above, Eve sends the wrong state half the time on average. This means Bob would measure −45 polarization with 25% probability, alerting him to Eve's attack.

Let us now look at Eve's detector-blinding attack inspired by Lydersen et al. [_{1}(_{2}) for the case of Alice sending her photon from top(bottom). If on the other hand Bob chooses bit value “1,” which corresponds to him not applying his rotations, roughly half of Eve's signal would go to one detector while the other half would go to the other detector. The intensity of Eve's pulse is chosen such that half the intensity is below the threshold for triggering either detector. No detector clicks. But Eve sends the wrong state to Bob roughly half the time on average. In this case, if Alice and Bob choose the same bit no detector clicks for the same reason. If, however, Alice and Bob choose different bits, which is half the time on average, the probability of Eve incorrectly triggering _{1}(_{2}) for the case of Alice sending in her photon from the top(bottom) is 1/2 × 1/2 × 1/2 = 1/8. The probability of Eve correctly triggering _{1}(_{1}) on the other hand is 1/2 × 1/2 = 1/4. The QBER is therefore 1/8÷(1/4+1/8) = 1/3. As before, for their sample of the sifted key, if estimated QBER < 33.3%, and estimated

What about attacks whose aim is to learn which of Bob's detectors clicked? Because for each photon Bob publicly announces which detector clicked, if any, such attacks by Eve are not relevant. In fact, no bit-value information is encoded in the photon incident on Bob's beam-splitter. Bob's beam-splitter and two detectors, it seems, might as well be handed to Eve—as long as the module containing his two polarization rotators is kept secure. A general proof of the security of our protocol is planned for a separate paper.

In summary, we have proposed an erasure-based protocol for quantum key distribution that promises inherent security against side-channel detector attacks, analyzing its security against Eve's intercept-resend attack as well as her more powerful detector-blinding attack.

The author confirms being the sole contributor of this work and approved it for publication.

The author declares that the research was conducted in the absence of any commercial or financial relationships that could be construed as a potential conflict of interest.

The author thanks M. Al-Amri, Sam L. Braunstein, and Zeng-Hong Li for valuable discussions in 2013, and more recently Roger Colbeck and Tim Spiller. Qubet Research is a start-up in quantum communication.