Continuous variable measurement device independent quantum conferencing with postselection

Abstract

A continuous variable (CV), measurement device independent (MDI) quantum key distribution (QKD) protocol is analyzed, enabling three parties to connect for quantum conferencing. We utilise a generalised Bell detection at an untrusted relay and a postselection procedure, in which distant parties reconcile on the signs of the displacements of the quadratures of their prepared coherent states. We derive the rate of the protocol under a collective pure-loss attack, demonstrating improved rate-distance performance compared to the equivalent non-post-selected protocol. In the symmetric configuration in which all the parties lie the same distance from the relay, we find a positive key rate over 6 km. Such postselection techniques can be used to improve the rate of multi-party quantum conferencing protocols at longer distances at the cost of reduced performance at shorter distances.

Introduction

Quantum Key Distribution (QKD) promises provably secure communication¹ based on fundamental physical principles. Relying on the inability to clone arbitrary quantum states² and by utilising non-orthogonal states or entanglement³, two distant parties are able to agree symmetric cryptographic keys, secure against any attack possible within the laws of quantum mechanics. The technology has rapidly matured, advancing from the first proposed protocols based on transmission of discrete single qubit states^4,5 and proof of principle of experiments to practical deployments over long distances^6–8 and networks and network protocols enabling multiple users to communicate securely across metropolitan sized areas and beyond^9–11.

However, whilst QKD offers ultimate security against channel attacks, its practical implementation remains challenging. Many approaches require trusted experimental devices and detectors and therefore suffer from the possibility of so-called side-channel attacks against such devices. Fully Device-Independent approaches to QKD are possible, which entirely eliminate such attacks^12–14 but these are practically limited by low rates and poor distance scaling. Instead Measurement Device Independent (MDI) QKD^15,16 provides a middle ground, offering higher rates¹⁷ and various practical implementations^18–20, by relaxing the assumptions on the protocol to having distant parties send states to a central detector relay which may be controlled by an Eavesdropper (Eve). Malicious behaviour by Eve may be detected by the parties in the reconciliation and parameter estimation stage of the protocol.

Moreover, point-to-point quantum communications are known to be inherently distance limited by the PLOB bound²¹ expressed by the formula $\mathcal{C}=-{log}_2(1-\eta )$ with the transmissivity $\eta$ decaying exponentially with distance. Continuous variable (CV) QKD protocols are able to reach rates approaching the PLOB bound, outperforming discrete state protocols; furthermore their experimental implementation is more straightforward^1,22. Naively, there was thought to be a 3db (corresponding to $\eta =\frac{1}{2}$) loss-limit on CV QKD, however this has since been exceeded with reverse reconciliation, twin-field QKD^23–26 and postselection techniques. Postselection techniques rely on the fact that even beyond 3db loss there are regions in parameter space in which the rate remains positive²⁷. By announcing the absolute values of the quadratures of their prepared coherent states the two end parties are able to select only these regions, reconciling the signs of their quadratures into a key with a positive rate even beyond 3db loss. Such post selection techniques have been implemented experimentally²⁸ and have recently been exploited in the MDI setting to extend the maximum distance of two-party CV MDI QKD²⁹. Other similar postselection techniques are also possible and have recently been utilised in^30,31 for discrete modulation CV QKD protocols to improve their distance scaling and tolerance to excess noise.

Whilst such postselection techniques have been shown to improve the distance scaling for typical QKD protocols with two end users; it is also frequently desirable, particularly within a network setting, for multiple users to be able to establish a common secret key. Quantum conferencing³² enables the secure distribution of such keys from a single QKD protocol rather than via the composition of multiple bipartite protocols. Such protocols rely on establishing multipartite entangled states between the users such as GHZ states³³ in the discrete variable case. Quantum conferencing has attracted a great deal of interest and a variety of protocols have been proposed, including MDI protocols with discrete variables³⁴, twin field protocols^35–37, consideration of the effect of finite sized keys³⁸ and recently a continuous variable MDI protocol³⁹.

In this work, we provide the first demonstration that the same post selection techniques typically applied to two party QKD can also be utilised to increase the effective range at which CV MDI quantum conferencing can occur. We utilise the same generalised Bell detection from the CV MDI quantum conferencing protocol introduced in³⁹ to establish multipartite correlations between the user’s variables and a similar postselection procedure to that used in²⁹ to extend the effective range of the protocol. Whilst we are restricted by the need to perform numerical integration in large number of dimensions to consider only three parties and pure loss attacks, the protocol presented here is in principle readily extended to N users and entangling cloner attacks.

The structure of the paper is as follows: in “Protocol and detector” we introduce the protocol and explain the structure of the detector; “Rate” explains how the rate of the protocol is calculated; “Results” provides results and “Conclusion” is for conclusions.

Protocol and detector

In this paper, we consider the case of three users undertaking quantum conferencing. The three parties: Alice, Bob and Charlie individually prepare Gaussian modulated coherent states. Each party individually has access to an independent zero-mean Gaussian distribution with standard deviations ${\sigma }_A,{\sigma }_B,{\sigma }_C$ respectively. Each party then draws two independent values from their respective distributions for the value of the q and p quadratures of their coherent state. They encode the absolute values in the variables ${\mathbb{Q}}_i$ and ${\mathbb{P}}_i$ respectively and the signs in ${\kappa }_i$ and ${\kappa }_i^{\prime }$. Thus they prepare coherent states of the form:

$$\begin{array}{c}\hfill |{\alpha }_i⟩=|\frac{1}{2}({\kappa }_i{\mathbb{Q}}_i+{\kappa }_i^{\prime }{\mathbb{P}}_i)⟩\mathrm{for}i=A,B,C.\end{array}$$ 1

Each state is sent through a lossy channel to the detector which may be attacked by an eavesdropper (Eve). This is modelled as a beamsplitter attack in which Eve inserts a beamsplitter into each channel, storing the outputs in a quantum memory. In a pure loss attack, Eve does not actively inject any state at the beamsplitter and thus each coherent state is instead mixed with the vacuum state $|0⟩$.

The structure of the detector is illustrated in Fig. 1 and was devised in³⁹ to perform a generalised Bell detection on the incoming coherent states. It is comprised of a cascade of beamsplitters, each having transmissivity $T_i=\frac{i}{i+1}$. In the case of three parties, which we consider, this corresponds to $T_1=1/2$ and $T_2=2/3$. The beamsplitters are followed by two q  (p) homodyne detections and a final homodyne detection in the p  (q) quadrature and the results of all the measurements are publicly broadcast. Operated correctly, in the entanglement based representation¹ the detector has the effect of projecting the Alice-Bob-Charlie state into a symmetric state with GHZ-like correlations between each parties state³⁹. The two possible configurations are switched between randomly and are announced during the basis reconciliation stage of the protocol. If the first configuration (two q and one p detection) was selected, the parties will attempt to reconcile their values of ${\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime }$ into a secure key. Conversely, if the second configuration is utilised, the parties will attempt to reconcile their values of ${\kappa }_A,{\kappa }_B,{\kappa }_C$. At this point each party reveals their values of ${\mathbb{Q}}_i$ and ${\mathbb{P}}_i$, and publicly broadcasts them to every other user. Using their knowledge of ${\mathbb{Q}}_i$ and ${\mathbb{P}}_i$, the parties can perform postselection, only retaining instances of the protocol where their mutual information exceeds Eve’s Holevo information. Figure 2 depicts the protocol being performed under the pure loss attack assumed throughout this paper.

Figure 1.

Structure of the detector, demonstrating the two possible orientations. Input modes are mixed by two beamsplitters with transmissivities $T_1=\frac{1}{2}$ and $T_2=\frac{2}{3}$. In the first configuration (pictured left) the states undergo two q homodyne detections and one p homodyne detection. The parties will attempt reconciliation between ${\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime }$. In the second orientation (pictured right) the states undergo two p homodyne detections and one q homodyne detection. In this case the parties attempt reconciliation on ${\kappa }_A,{\kappa }_B,{\kappa }_C$.

Figure 2.

Operation of the detector under a collective pure loss attack. Eve attacks each of the incoming channels by inserting beamsplitters with transmissivities ${\tau }_A,{\tau }_B,{\tau }_C$, which combine the incoming signals with vacuum states $|0⟩$. Eve stores her output modes in a quantum memory (QM). The remaining modes are mixed in the cascade of beamsplitters and then undergo homodyne detection. The results of the homodyne detections ${\gamma }_{q_1},{\gamma }_{q_2},{\gamma }_p$ are publicly announced. Alice, Bob and Charlie also publicly announce the absolute values of the quadratures of their prepared coherent states ${\mathbb{Q}}_A,{\mathbb{Q}}_B,{\mathbb{Q}}_C,{\mathbb{P}}_A,{\mathbb{P}}_B,{\mathbb{P}}_C$. In this configuration the parties attempt to reconcile their values of ${\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime }$.

Rate

We first sketch the method used to determine the rate. At the end of the protocol the parties perform pairwise reconciliation between ${\kappa }_A,{\kappa }_B,{\kappa }_C$ or ${\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime }$ depending on the orientation of the detector. In the asymptotic limit of a large number of uses the rate of the protocol is given by:

$$\begin{array}{c}\hfill R_{\mathit{ij}}=I_{\mathit{ij}}-\chi \end{array}$$ 2

where $I_{\mathit{ij}}$ is the binary mutual information between the sign variables ${\kappa }_i$ and ${\kappa }_j$ or ${\kappa }_i^{\prime }$ and ${\kappa }_j^{\prime }$. $\chi$ is the Holevo information. The mutual information can be found by utilising Bayes’ Theorem and the distribution of measurement outcomes as detailed in “Mutual information”. The Holevo information is calculated by carefully considering Eve’s state at the end of the protocol as explained in “Holevo bound”. Additionally, since we ultimately wish to perform postselection to increase the performance of the protocol we work with single-point versions of the above quantities ${\tilde{I}}_{\mathit{ij}}$ and $\tilde{\chi }$ which are the values conditioned upon the quadratures and measurement outcome. To this end we start by considering the initial covariance matrix of the Alice–Bob–Charlie–Eve system, which is given by:

$$\begin{array}{c}\hfill {\mathbf{V}}_{\mathit{ABCE}}={\mathbf{I}}_A\oplus {\mathbf{I}}_B\oplus {\mathbf{I}}_C\oplus {\mathbf{V}}_E\end{array}$$ 3

where $\mathbf{I}$ is the two-by-two identity matrix and for a pure loss attack ${\mathbf{V}}_E=\mathbf{I}\oplus \mathbf{I}\oplus \mathbf{I}$. The mean value of the Alice–Bob–Charlie system is:

$$\begin{array}{c}\hfill {\overline{\mathbf{x}}}_{\mathit{ABC}}={({\kappa }_A{\mathbb{Q}}_A,{\kappa }_A^{\prime }{\mathbb{P}}_A,{\kappa }_B{\mathbb{Q}}_B,{\kappa }_B^{\prime }{\mathbb{P}}_B,{\kappa }_C{\mathbb{Q}}_C,{\kappa }_C^{\prime }{\mathbb{P}}_C)}^T.\end{array}$$ 4

The mean value of Eve’s system is zero. After propagation through the detector’s array of beamsplitters and the homodyne detections, the distribution of measurement outcomes is given by:

$$\begin{array}{c}\hfill p({\gamma }_p|{\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime },{\mathbb{P}}_A,{\mathbb{P}}_B,{\mathbb{P}}_C)=\frac{1}{\sqrt{2\pi v_p}}\exp (\frac{-{({\gamma }_p-\overline{p})}^2}{2})\end{array}$$ 5

where

$$\begin{array}{cc}\hfill \overline{p}=\sqrt{T_1{T}_2{\tau }_A}{\kappa }_A^{\prime }{\mathbb{P}}_A+\sqrt{(1-T_1)T_2{\tau }_B}{\kappa }_B^{\prime }{\mathbb{P}}_B& +\sqrt{(1-T_2){\tau }_C}{\kappa }_C^{\prime }{\mathbb{P}}_C.\hfill \end{array}$$ 6

We have implicitly removed the conditioning on the modulus and absolute value of the q quadratures from the notation as there is no dependence upon them. Similarly for the opposite detector configuration:

$$\begin{array}{c}\hfill p({\gamma }_q|{\kappa }_A,{\kappa }_B,{\kappa }_C,{\mathbb{Q}}_A,{\mathbb{Q}}_B,{\mathbb{Q}}_C)=\frac{1}{\sqrt{2\pi v_q}}\exp (\frac{-{({\gamma }_q-\overline{q})}^2}{2})\end{array}$$ 7

where

$$\begin{array}{c}\hfill \overline{q}=\sqrt{T_1{T}_2{\tau }_A}{\kappa }_A{\mathbb{Q}}_A+\sqrt{(1-T_1)T_2{\tau }_B}{\kappa }_B{\mathbb{Q}}_B+\sqrt{(1-T_2){\tau }_C}{\kappa }_C{\mathbb{Q}}_C.\end{array}$$ 8

Finally, we have implicitly assumed throughout that the homodyne detectors have perfect efficiency.

Mutual information

We first introduce the following compact notation ${\mathit{\kappa }}^{\mathbf{\prime }}=({\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime })$; $\mathbb{P}=({\mathbb{P}}_A,{\mathbb{P}}_B,{\mathbb{P}}_C)$, ${\mathit{\kappa }}_{\backslash A}^{\prime }=({\kappa }_B^{\prime },{\kappa }_C^{\prime })$ which simplifies the following expressions. Let us recall the definition of the single point mutual information between the two binary variables ${\kappa }_i^{\prime }$ and ${\kappa }_j^{\prime }$. This is clearly just the mutual information conditioned on the announced variables ${\gamma }_p$ and $\mathbb{P}$:

$$\begin{array}{c}\hfill {\tilde{I}}_{\mathit{ij}}=H_{{\kappa }_i^{\prime }|\mathbb{P},{\gamma }_p}-\sum _{{\kappa }_j^{\prime }}p({\kappa }_j^{\prime }|\mathbb{P},{\gamma }_p)H_{{\kappa }_i^{\prime }|{\kappa }_j^{\prime }\mathbb{P},{\gamma }_p}\end{array}$$ 9

where H is the binary entropy so that:

$$\begin{array}{c}\hfill H_{{\kappa }_i^{\prime }|\mathbb{P},{\gamma }_p}=-p({\kappa }_i^{\prime }|\mathbb{P},{\gamma }_p){log}_2(p({\kappa }_i^{\prime }|\mathbb{P},{\gamma }_p))-(1-p({\kappa }_i^{\prime }|\mathbb{P},{\gamma }_p)){log}_2(1-p({\kappa }_i^{\prime }|\mathbb{P},{\gamma }_p))\end{array}$$ 10

and

$$\begin{array}{c}\hfill H_{{\kappa }_i^{\prime }|{\kappa }_j^{\prime },\mathbb{P},{\gamma }_p}=-p({\kappa }_i^{\prime }|{\kappa }_j^{\prime },\mathbb{P},{\gamma }_p){log}_2(p({\kappa }_i^{\prime }|{\kappa }_j^{\prime },\mathbb{P},{\gamma }_p))-(1-p({\kappa }_i^{\prime }|{\kappa }_j^{\prime },\mathbb{P},{\gamma }_p)){log}_2(1-p({\kappa }_i^{\prime }|{\kappa }_j^{\prime },\mathbb{P},{\gamma }_p)).\end{array}$$ 11

From the symmetry of the detector we have $I_{\mathit{AB}}=I_{\mathit{AC}}=I_{\mathit{BC}}$ and for simplicity we consider only $I_{\mathit{AB}}$ from this point onwards. Using Eq. (5) and Bayes’ theorem we first calculate the probability of positive and negative values for ${\kappa }_A^{\prime }$ conditioned on ${\kappa }_B^{\prime }$,${\kappa }_C^{\prime }$, the magnitudes of the p quadratures $\mathbb{P}$ and the measurement outcome ${\gamma }_p$:

$$\begin{array}{c}\hfill p({\kappa }_A^{\prime }|{\mathit{\kappa }}_{\backslash A}^{\prime },\mathbb{P},{\gamma }_p)=\frac{p({\gamma }_p|{\mathit{\kappa }}^{\prime },\mathbb{P})p({\kappa }_A^{\prime }|{\mathit{\kappa }}_{\backslash A}^{\prime },\mathbb{P})}{p({\gamma }_p|{\mathit{\kappa }}_{\backslash A}^{\prime },\mathbb{P})}\end{array}$$ 12

Noting that,

$$\begin{array}{c}\hfill p({\gamma }_p|{\mathit{\kappa }}_{\backslash A}^{\prime },\mathbb{P})=\sum _{{\kappa }_A^{\prime }}p({\gamma }_p|{\mathit{\kappa }}^{\prime },\mathbb{P})p({\kappa }_A^{\prime }|{\mathit{\kappa }}_{\backslash A}^{\prime },\mathbb{P})\end{array}$$ 13

and $p({\kappa }_A^{\prime }|{\mathit{\kappa }}_{\backslash A}^{\prime },\mathbb{P})=1/2$ we reach:

$$\begin{array}{c}\hfill p({\kappa }_A^{\prime }|{\mathit{\kappa }}_{\backslash A}^{\prime },\mathbb{P},{\gamma }_p)=\frac{p({\gamma }_p|{\mathit{\kappa }}^{\prime },\mathbb{P})}{{\sum }_{{\kappa }_A^{\prime }}p({\gamma }_p|{\mathit{\kappa }}^{\prime },\mathbb{P})}.\end{array}$$ 14

We may then remove the conditioning on ${\kappa }_C^{\prime }$ to find $p({\kappa }_A^{\prime }|{\kappa }_B^{\prime },\mathbb{P},{\gamma }_p)$ for the second term in the single point mutual information.

$$\begin{array}{c}\hfill p({\kappa }_A^{\prime }|{\kappa }_B^{\prime },\mathbb{P},{\gamma }_p)=\sum _{{\kappa }_C^{\prime }}p({\kappa }_A^{\prime }|{\mathit{\kappa }}_{\backslash A}^{\prime },\mathbb{P}{\gamma }_p)p({\mathit{\kappa }}_{\backslash b}^{\prime }|{\kappa }_B^{\prime },\mathbb{P}),\end{array}$$ 15

so that we may write

$$\begin{array}{c}\hfill p({\kappa }_A^{\prime }|{\kappa }_B^{\prime },\mathbb{P})=\frac{{\sum }_{{\kappa }_C^{\prime }}p({\gamma }_p|{\mathit{\kappa }}^{\prime },\mathbb{P})}{{\sum }_{{\kappa }_A^{\prime }{\kappa }_C^{\prime }}p({\gamma }_p|\mathit{\kappa }{,}^{\prime }\mathbb{P})}.\end{array}$$ 16

Similarly to further remove the dependence from ${\kappa }_B^{\prime }$:

$$\begin{array}{c}\hfill p({\kappa }_A^{\prime }|\mathbb{P},{\gamma }_p)=\frac{{\sum }_{{\kappa }_B^{\prime }{\kappa }_C^{\prime }}p({\gamma }_p|{\mathit{\kappa }}^{\prime },\mathbb{P})}{{\sum }_{{\kappa }_A^{\prime }{\kappa }_B^{\prime }{\kappa }_C^{\prime }}p({\gamma }_p|{\mathit{\kappa }}^{\prime },\mathbb{P})}.\end{array}$$ 17

By the same approach we can also find $p({\kappa }_B^{\prime }|\mathbb{P},{\gamma }_p)$, enabling the sum in Eq. (9) to be taken. Finally in order to take the integral over the single point mutual information we require the probability of all the variables

$$\begin{array}{c}\hfill p({\gamma }_p,\mathbb{P})=\sum _{{\mathit{\kappa }}^{\mathbf{\prime }}}p({\gamma }_p|{\mathit{\kappa }}^{\mathbf{\prime }}\mathbb{P})p({\kappa }_A^{\prime }{\mathbb{P}}_A)p({\kappa }_B^{\prime }{\mathbb{P}}_B)p({\kappa }_C^{\prime }{\mathbb{P}}_C).\end{array}$$ 18

Holevo bound

At the end of the protocol Eve is left with the state ${\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p}$ which is her total state conditioned on the announced absolute values of the p quadratures $\mathbb{P}$ and the measurement outcome ${\gamma }_p$. This state is a convex combination of pure Gaussian states corresponding to given values of ${\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime }$ and hence Eve’s total state may be written:

$$\begin{array}{c}\hfill {\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p}=\sum _{{\mathit{\kappa }}^{\mathbf{\prime }}}p({\mathit{\kappa }}^{\mathbf{\prime }}|\mathbb{P},{\gamma }_p){\widehat{\rho }}_{\mathfrak{E}|{\mathit{\kappa }}^{\mathbf{\prime }},\mathbb{P},{\gamma }_p}.\end{array}$$ 19

It is important to note that whilst the conditional states, ${\widehat{\rho }}_{\mathfrak{E}|{\mathit{\kappa }}^{\mathbf{\prime }},\mathbb{P},{\gamma }_p}$, are pure and Gaussian the total state, ${\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p}$ is not, which complicates our analysis. Nonetheless, assuming that Eve performs a collective attack on the protocol the relevant quantity to calculate is the Holevo information $\chi$. We can again write this as a single point quantity in the following way.

$$\begin{array}{c}\hfill \tilde{\chi }(\mathfrak{E}:{\kappa }_i^{\prime }|\mathbb{P},{\gamma }_p)=S({\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p})-S({\widehat{\rho }}_{\mathfrak{E}|{\kappa }_i^{\prime },\mathbb{P},{\gamma }_p})\end{array}$$ 20

where $\tilde{\chi }(\mathfrak{E}:{\kappa }_i^{\prime }|\mathbb{P},{\gamma }_p)$ is the single point Holevo information and S is the von Neumann entropy which we recall is calculated from the eigenvalues $\{{\lambda }_i\}$ of a density matrix $\widehat{\rho }$ by:

$$\begin{array}{c}\hfill S(\widehat{\rho })=-\sum _i{\lambda }_i{log}_2({\lambda }_i).\end{array}$$ 21

First let us write the conditional states ${\widehat{\rho }}_{\mathfrak{E}|{\mathit{\kappa }}^{\mathbf{\prime }}\mathbb{P}{\gamma }_p}$ as:

$$\begin{array}{c}\hfill {\widehat{\rho }}_{\mathfrak{E}|{\mathit{\kappa }}^{\mathbf{\prime }}\mathbb{P}{\gamma }_p}=|{\mathfrak{E}}_{{\kappa }_A^{\prime }{\kappa }_B^{\prime }{\kappa }_C^{\prime }}^{\mathbb{P},{\gamma }_p}⟩⟨{\mathfrak{E}}_{{\kappa }_A^{\prime }{\kappa }_B^{\prime }{\kappa }_C^{\prime }}^{\mathbb{P},{\gamma }_p}|\end{array}$$ 22

We consider the matrix of overlaps O of this state for all the combinations of ${\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime }$.

$$\begin{array}{cc}\hfill O=& \left(\begin{array}{cccccccc}1& C& B& BC& A& AC& AB& ABC\\ C& 1& BC& B& AC& A& ABC& AB\\ B& BC& 1& C& AB& ABC& A& AC\\ BC& B& C& 1& ABC& AB& AC& A\\ A& AC& AB& ABC& 1& C& B& BC\\ AC& A& ABC& AB& C& 1& BC& B\\ AB& ABC& A& AC& B& BC& 1& C\\ ABC& AB& AC& A& BC& B& C& 1\end{array}\right)\begin{array}{ccc}(-1& -1& -1)\\ (-1& -1& 1)\\ (-1& 1& -1)\\ (-1& 1& 1)\\ (1& -1& -1)\\ (1& -1& 1)\\ (1& 1-& 1)\\ (1& 1& 1)\end{array}\hfill \end{array}$$ 23

The values in the far column denote the row values of ${\kappa }_A^{\prime },{\kappa }_B^{\prime },{\kappa }_C^{\prime }$. The columns may be similarly labelled. O is clearly separable as:

$$\begin{array}{c}\hfill O=\left(\begin{array}{cc}1& A\\ A& 1\end{array}\right)\otimes \left(\begin{array}{cc}1& B\\ B& 1\end{array}\right)\otimes \left(\begin{array}{cc}1& C\\ C& 1\end{array}\right)\end{array}$$ 24

which implies:

$$\begin{array}{c}\hfill |{\mathfrak{E}}_{{\kappa }_A^{\prime }{\kappa }_B^{\prime }{\kappa }_C^{\prime }}^{\mathbb{P},{\gamma }_p}⟩=|{{\mathfrak{E}}^{\prime }}_{{\kappa }_A^{\prime }}^{\mathbb{P},{\gamma }_p}⟩\otimes |{\mathfrak{E}}_{{\kappa }_B^{\prime }}^{\mathbb{P},{\gamma }_p}⟩\otimes |{{\mathfrak{E}}^{\prime }}_{{\kappa }_C^{\prime }}^{\mathbb{P},{\gamma }_p}⟩.\end{array}$$ 25

Each of these states lies in a two-dimensional Hilbert space. Using x to index the parties A, B, C we may expand the states as:

$$\begin{array}{c}\hfill |{\mathfrak{E}}_{{\kappa }_i=-1}^{\mathbb{P},{\gamma }_p}⟩=c_0|{\mathrm{\Phi }}_0^{(x)}⟩+c_1|{\mathrm{\Phi }}_1^{(x)}⟩\end{array}$$ 26

$$\begin{array}{c}\hfill |{\mathfrak{E}}_{{\kappa }_i=1}^{\mathbb{P},{\gamma }_p}⟩=c_0|{\mathrm{\Phi }}_0^{(x)}⟩-c_1|{\mathrm{\Phi }}_1^{(x)}⟩\end{array}$$ 27

and find the following relation for the coefficients:

$$\begin{array}{c}\hfill |c_0^{(x)}{|}^2=\frac{1}{2}(1+X)\end{array}$$ 28

$$\begin{array}{c}\hfill |c_1^{(x)}{|}^2=\frac{1}{2}(1-X)\end{array}$$ 29

where X labels the corresponding values A, B, C from Eq. (23). For two Gaussian states with the same covariance matrix $\mathbf{V}$ and mean values ${\overline{\mathbf{x}}}_1$ and ${\overline{\mathbf{x}}}_2$ the following relation holds⁴⁰:

$$\begin{array}{c}\hfill \mathrm{Tr}({\widehat{\rho }}_1{\widehat{\rho }}_2)=\exp (-\frac{1}{4}({\overline{\mathbf{x}}}_1-{\overline{\mathbf{x}}}_2){\mathbf{V}}^{-1}({\overline{\mathbf{x}}}_1-{\overline{\mathbf{x}}}_2))\end{array}$$ 30

which we use to calculate

$$\begin{array}{c}\hfill A=⟨{\mathfrak{E}}_{{\kappa }_A=-1}^{\mathbb{P},{\gamma }_p}|{\mathfrak{E}}_{{\kappa }_A=1}^{\mathbb{P},{\gamma }_p}⟩,\end{array}$$ 31

$$\begin{array}{c}\hfill B=⟨{\mathfrak{E}}_{{\kappa }_B=-1}^{\mathbb{P},{\gamma }_p}|{\mathfrak{E}}_{{\kappa }_B=1}^{\mathbb{P},{\gamma }_p}⟩,\end{array}$$ 32

$$\begin{array}{c}\hfill C=⟨{\mathfrak{E}}_{{\kappa }_C=-1}^{\mathbb{P},{\gamma }_p}|{\mathfrak{E}}_{{\kappa }_C=1}^{\mathbb{P},{\gamma }_p}⟩.\end{array}$$ 33

We are now able to give ${\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p}$ in the $\{|{\mathrm{\Phi }}_0^{(A)}⟩,|{\mathrm{\Phi }}_1^{(A)}⟩\}\otimes \{|{\mathrm{\Phi }}_0^{(B)}⟩,|{\mathrm{\Phi }}_1^{(B)}⟩\}\otimes \{|{\mathrm{\Phi }}_0^{(C)}⟩,|{\mathrm{\Phi }}_1^{(C)}⟩\}$ basis. Describing the row position with the binary string (i, j, k) and similarly the column position with $(i^{\prime },j^{\prime },k^{\prime })$ each component of the density matrix can be calculated by:

$$\begin{array}{c}\hfill {({\widehat{\rho }}_{\mathfrak{E}|\mathbb{P}{\gamma }_p})}_{(ijk)(i^{\prime }{j}^{\prime }{k}^{\prime })}=\sum _{{\mathit{\kappa }}^{\mathbf{\prime }}}p({\mathit{\kappa }}^{\mathbf{\prime }}|\mathbb{P},{\gamma }_p)⟨{\mathrm{\Phi }}_i^{(A)}|{\mathfrak{E}}_{{\kappa }_A}^{\mathbb{P},{\gamma }_p}⟩⟨{\mathfrak{E}}_{{\kappa }_A}^{\mathbb{P},{\gamma }_p}|{\mathrm{\Phi }}_{i^{\prime }}^{(A)}⟩⟨{\mathrm{\Phi }}_j^{(B)}|{\mathfrak{E}}_{{\kappa }_B}^{\mathbb{P},{\gamma }_p}⟩⟨{\mathfrak{E}}_{{\kappa }_B}^{\mathbb{P},{\gamma }_p}|{\mathrm{\Phi }}_{j^{\prime }}^{(2)}⟩⟨{\mathrm{\Phi }}_k^{(C)}|{\mathfrak{E}}_{{\kappa }_C^{\prime }}^{\mathbb{P},{\gamma }_p}⟩⟨{\mathfrak{E}}_{{\kappa }_C^{\prime }}^{\mathbb{P},{\gamma }_p}|{\mathrm{\Phi }}_{k^{\prime }}^{(C)}⟩.\end{array}$$ 34

By calculating the following inner products:

$$\begin{array}{c}\hfill ⟨{\mathrm{\Phi }}_0^{(x)}|{\mathfrak{E}}_{{\kappa }_x=-1}^{\mathbb{P},{\gamma }_p}⟩=c_0^{(x)}\end{array}$$ 35

$$\begin{array}{c}\hfill ⟨{\mathrm{\Phi }}_0^{(i)}|{\mathfrak{E}}_{{\kappa }_x=1}^{\mathbb{P},{\gamma }_p}⟩=c_0^{(x)}\end{array}$$ 36

$$\begin{array}{c}\hfill ⟨{\mathrm{\Phi }}_1^{(i)}|{\mathfrak{E}}_{{\kappa }_x=-1}^{\mathbb{P},{\gamma }_p}⟩=c_1^{(x)}\end{array}$$ 37

$$\begin{array}{c}\hfill ⟨{\mathrm{\Phi }}_1^{(i)}|{\mathfrak{E}}_{{\kappa }_x=1}^{\mathbb{P},{\gamma }_p}⟩=-c_1^{(x)}\end{array}$$ 38

we can therefore immediately find the diagonal components of the density matrix:

$$\begin{array}{c}\hfill {({\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p})}_{(ijk)(ijk)}=|c_i^{(A)}{|}^2|c_j^{(B)}{|}^2{|c_k^{(C)}|}^2.\end{array}$$ 39

The off diagonal terms are given by:

$$\begin{array}{c}\hfill {({\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p})}_{(ijk)(i^{\prime }{j}^{\prime }{k}^{\prime })}=c_i^{(A)}(c_{i^{\prime }}^{(A)}{)}^{\ast }{c}_j^{(B)}(c_{j^{\prime }}^{(B)}{)}^{\ast }{c}_k^{(C)}(c_{k^{\prime }}^{(C)}{)}^{\ast }\mathrm{\Lambda }(i,j,k,i^{\prime },j^{\prime },k^{\prime })\end{array}$$ 40

where $\mathrm{\Lambda }(i,j,k,i^{\prime },j^{\prime },k^{\prime })$ is given by

$$\begin{array}{c}\hfill \mathrm{\Lambda }(i,j,k,i^{\prime },j^{\prime },k^{\prime })=\sum _{{\mathit{\kappa }}^{\mathbf{\prime }}}{(-1)}^{f({\kappa }_A^{\prime })|i-i^{\prime }|+f({\kappa }_B^{\prime })|j-j^{\prime }|+f({\kappa }_C^{\prime })|k-k^{\prime }|}p({\mathit{\kappa }}^{\mathbf{\prime }}|\mathbb{P},{\gamma }_p)\end{array}$$ 41

where f is a function such that $f({\kappa }_i=-1)=0$ and $f({\kappa }_i=1)=1$. We therefore have all the components of ${\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p}$ from which we may numerically find the eigenvalues and compute the first term in the Holevo bound (Eve’s conditional output state following the protocol ${\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p}$ has dimension $2^N$. Therefore for $N\ge 3$, including the tri-partite case considered in this paper, the eigenvalues of this state cannot be given in closed form. Therefore the entropy of the state and consequently the single point Holevo information $\tilde{\chi }$ can only be evaluated numerically for given values of the protocol’s parameters. This greatly complicates numerical integration in Eq. (47) as no explicit expression for the single point rate can be given. It is for this reason that our analysis is limited to pure loss attacks and three users, even though the analysis is readily extended to an arbitrary number of users and entangling cloner attacks.). For the second term in the Holevo bound we need Eve’s state conditioned on ${\kappa }_A$. If ${\kappa }_A^{\prime }=-1$:

$$\begin{array}{c}\hfill {\widehat{\rho }}_{\mathfrak{E}|{\kappa }_A^{\prime }=-1,\mathbb{P}}=|{\mathfrak{E}}_{{\kappa }_A^{\prime }=-1}^{\mathbb{P},{\gamma }_p}⟩⟨{\mathfrak{E}}_{{\kappa }_A^{\prime }=-1}^{\mathbb{P},{\gamma }_p}|\otimes (\sum _{{\kappa }_B^{\prime }{\kappa }_C^{\prime }}p({\kappa }_B^{\prime },{\kappa }_C^{\prime }|{\kappa }_A^{\prime }=-1,\mathbb{P},{\gamma }_p)|{\mathfrak{E}}_{{\kappa }_B^{\prime }{\kappa }_C^{\prime }|{\kappa }_A^{\prime }=-1}^{\mathbb{P},{\gamma }_p}⟩⟨{\mathfrak{E}}_{{\kappa }_B^{\prime }{\kappa }_C^{\prime }|{\kappa }_A^{\prime }=-1}^{\mathbb{P},{\gamma }_p}|);\end{array}$$ 42

if ${\kappa }_A^{\prime }=1$:

$$\begin{array}{c}\hfill {\widehat{\rho }}_{\mathfrak{E}|{\kappa }_A^{\prime }=1,\mathbb{P}}=|{\mathfrak{E}}_{{\kappa }_A^{\prime }=1}^{\mathbb{P},{\gamma }_p}⟩⟨{\mathfrak{E}}_{{\kappa }_A^{\prime }=1}^{\mathbb{P},{\gamma }_p}|\otimes (\sum _{{\kappa }_B^{\prime }{\kappa }_C^{\prime }}p({\kappa }_B^{\prime },{\kappa }_C^{\prime }|{\kappa }_A^{\prime }=1,\mathbb{P},{\gamma }_p)|{\mathfrak{E}}_{{\kappa }_B^{\prime }{\kappa }_C^{\prime }|{\kappa }_A^{\prime }=1}^{\mathbb{P},{\gamma }_p}⟩⟨{\mathfrak{E}}_{{\kappa }_B^{\prime }{\kappa }_C^{\prime }|{\kappa }_A^{\prime }=1}^{\mathbb{P},{\gamma }_p}|).\end{array}$$ 43

The same method explained above may be used to determine components of these density matrices in the $\{|{\mathrm{\Phi }}_0^{(B)}⟩,|{\mathrm{\Phi }}_1^{(B)}⟩\}\otimes \{|{\mathrm{\Phi }}_0^{(C)}⟩,|{\mathrm{\Phi }}_1^{(C)}⟩\}$ basis. The eigenvalues may then be used to calculate the second term in the Holevo bound.

Postselection

We now demonstrate how the single point quantities may be used to calculate the postselected rate $R_{\mathit{PS}}$. The mutual information $I_{\mathit{AB}}$ may be found by integrating the single point mutual information ${\tilde{I}}_{\mathit{AB}}$

$$\begin{array}{c}\hfill I_{\mathit{AB}}=\int p(\mathbb{P},{\gamma }_p){\tilde{I}}_{\mathit{AB}}(\mathbb{P},{\gamma }_p)d\mathbb{P}d{\gamma }_p\end{array}$$ 44

Similarly we do the same for the Holevo information:

$$\begin{array}{c}\hfill \chi =\int p(\mathbb{P},{\gamma }_p)\tilde{\chi }(\mathbb{P},{\gamma }_p)d\mathbb{P}d{\gamma }_p\end{array}$$ 45

By defining the single point rate as $\tilde{R}={\tilde{I}}_{\mathit{AB}}-\tilde{\chi }$. Thus the overall rate becomes:

$$\begin{array}{c}\hfill R=\int p(\mathbb{P},{\gamma }_p)\tilde{R}(\mathbb{P},{\gamma }_p)d\mathbb{P}d{\gamma }_p.\end{array}$$ 46

The postselection ensures the parties only use instances of the protocol where the single point rate is positive. Hence the postselected rate $R_{\mathit{PS}}$ becomes:

$$\begin{array}{cc}\hfill R_{\mathit{PS}}& =\int p(\mathbb{P},{\gamma }_p)\max [\tilde{R}(\mathbb{P},{\gamma }_p),0]d\mathbb{P}d{\gamma }_p\hfill \end{array}$$ 47

$$\begin{array}{cc}& ={\int }_{\mathrm{\Gamma }}p(\mathbb{P},{\gamma }_p)\tilde{R}(\mathbb{P},{\gamma }_p)d\mathbb{P}d{\gamma }_p\hfill \end{array}$$ 48

where $\mathrm{\Gamma }$ denotes the region in which the single point rate is positive.

Results

We now present the numerical results for the post-selected rate of the protocol. By utilising the relation $\tau ={10}^{-\gamma d}$ and setting $\gamma =0.02/\mathrm{km}$ (equivalent to 0.2 db/km), which corresponds to state of the art fibre optics, the rate of the protocol is expressed in terms of distances (d) of the parties from the detector. In particular, we consider the symmetric configuration in which each of the parties is located the same distance from the detector. Other asymmetric configurations can be considered within the same framework, by mapping the distance of the user furthest away into the transmissivity of each incoming channel. Thus the results presented here represent the worst case scenario for any other asymmetric configuration of the parties.

Figure 3 shows the rate-distance performance of the protocol in the asymptotic limit, assuming that a pure-loss attack is undertaken by Eve. We work with perfect detector efficiency and with the variance of each prepared quadrature ${\sigma }_A={\sigma }_B={\sigma }_B=1$ . We note that in general it may be possible to optimise the performance of the protocol over these parameters. Our results demonstrate that a positive rate can be maintained over a greater distance than in the corresponding 3-party case (shown for comparison in Fig. 3, albeit at the cost of lower rates at short distances). In particular the new protocol outperforms the equivalent protocol without postselection for distances greater than $\sim 1\mathrm{km}$.

Figure 3.

Post-selected rate of the protocol for the symmetric party configuration. Rate plotted with perfect detector efficiency and the variance in all prepared quadratures satisfy ${\sigma }_A={\sigma }_B={\sigma }_C=1$. The rate of the equivalent 3-party protocol from³⁹ with optimised parameters, under a pure loss attack from is shown for comparison (red dashed line).

Conclusion

We have demonstrated a 3-party CV-MDI-QKD protocol that combines a generalised Bell detection with a postselection regime based on performing reconciliation on the signs of prepared quadratures of coherent states. We show that improved rate-distance performance is possible compared to the equivalent 3-party protocol without postselection, allowing a rate in excess of ${10}^{-4}$ bits per use at greater than $3\mathrm{km}$ and a positive rate for distances of up to $\sim 6\mathrm{km}$. Our protocol also outperforms the equivalent protocol without postselection for distances greater than $\sim 1\mathrm{km}$. Moreover since these protocols have exactly the same structure in terms of state preparation and the detector relay, it is possible to use one such relay to perform either protocol, choosing whichever will give the higher rate. That is, if the users are able to establish their distances from the detector, they choose whether or not to announce the absolute values of their quadratures and undertake postselection depending on whether or not this will produce a better rate. Whilst ${\sigma }_A,{\sigma }_B,{\sigma }_C$ are preset so any optimisation over these parameters must consider both protocols simultaneously it is still possible to retain the advantages of higher rate at shorter distances from the non-postselected protocol in addition to the improved long distance performance from our protocol.

The need to undertake a high-dimensional numerical integral given in Eq. (47), for a function that cannot be given in closed form (Eve’s conditional output state following the protocol ${\widehat{\rho }}_{\mathfrak{E}|\mathbb{P},{\gamma }_p}$ has dimension $2^N$. Therefore for $N\ge 3$, including the tri-partite case considered in this paper, the eigenvalues of this state cannot be given in closed form. Therefore the entropy of the state and consequently the single point Holevo information $\tilde{\chi }$ can only be evaluated numerically for given values of the protocol’s parameters. This greatly complicates numerical integration in Eq. (47) as no explicit expression for the single point rate can be given. It is for this reason that our analysis is limited to pure loss attacks and three users, even though the analysis is readily extended to an arbitrary number of users and entangling cloner attacks.) to compute the post-selected key rate, limits our analysis to the 3-party case and pure-loss attacks. Nonetheless it may be possible to extend the study to the general N party case, maintaining the same structure of detector as in³⁹ and considering entangling cloner attacks. Thus, our new protocol demonstrates that secure, multi-party conferencing can be achieved over improved distances, while retaining the security advantages of an MDI QKD protocol.

Author contributions

A.I.F. performed the analysis of the rate of the protocol, collected the numerical results and wrote the manuscript. S.P. devised the protocol and supervised the project. Both authors reviewed the manuscript and contributed to improving it.

Data availability

The datasets used and analysed during the current study are available from the corresponding author on reasonable request.

Competing interests

The authors declare no competing interests.