An entanglement-based quantum network based on symmetric dispersive optics quantum key distribution

An entanglement-based quantum network based on symmetric dispersive optics quantum key distribution Xu Liu, Xin Yao, Rong Xue, Heqing Wang, Hao Li, Zhen Wang, Lixing You, Xue Feng, Fang Liu, Kaiyu Cui, Yidong Huang and Wei Zhang * Beijing National Research Center for Information Science and Technology (BNRist), Beijing Innovation Center for Future Chips, Electronic Engineering Department, Tsinghua University, Beijing 100084, China

connected QKD network was proposed and demonstrated experimentally based on a broadband quantum light source 32 . Each two users can be connected based on the combination of two specific correlated wavelength channels from the polarization-entangled quantum light source based on spontaneous parametric down conversion (SPDC). It can be expected that a minimum of N(N-1) wavelength channels are required to fully connect N users in this architecture. Hence, it depletes the resource of quantum light source bandwidth rapidly as the network scale increases, limiting the user number of the network it can support.
Here we propose a highly efficient entanglement-based QKD network architecture, in which more than 100 users can be fully connected based on one quantum light source. The illustration of the QKD network is shown in Fig. 1. Figure 1(a) shows the sketch of the network architecture. The entangled photon pairs are generated from the quantum light source located in the center. The entangled signal and idler photons are frequencyconjugate over a wide spectrum, which are divided into different channels by wavelength division multiplexing. Each pair of these correlated wavelength channels are multiplexed into a single fiber and further shared by many end users constituting a subnet of QKD. In each subnet, the entangled photon pairs are distributed randomly to the end users by a 1N passive beam splitter. By this way, any two users in the subnet have coincidence events due to the inherent correlation properties of the entangled photon pair and the random routing by the passive beam splitter, which can be used for generating cryptographic keys between them.
Hence, each subnet is a fully connected QKD network. Furthermore, as shown in Fig. 1(a), the connections between these subnets can be realized by a trusted node, which acts as a user in every subnet marked in the dotted box. For two users in two different subnets, they both establish cryptographic keys with the trusted node by QKD. Then, the trusted node can perform a bitwise exclusive OR operation between the two keys and sends the new key via a classical channel to one of the users. Eventually, the user can decode the other one's original key by another bitwise exclusive OR operation, by which the two users share the same cryptographic keys. The logical topology structure of this architecture is shown in Fig. 1(b). It can be seen that this architecture realizes a fully connected QKD network with high efficiency. Firstly, the broadband characteristics of quantum light source is utilized sufficiently by wavelength division multiplexing to support many subnets. Secondly, if the user number of each subnet is not too small, most photon pairs would be distributed to two different users randomly, which is a simple but high efficient way to realize fully connected network. The subnet number is determined by the bandwidth of the quantum light source. On the other hand, the quality of the coincidence events between two users in a subnet would reduce if the user number in the subnet increases, which limits the scale of the subnet. In the following experimental demonstration, by a quantum light source based on spontaneous four wave mixing (SFWM) in a piece of silicon waveguide, a QKD network with 16 subnets and 8 users in each subnet could be realized eventually. corner shows that the generated entangled signal and idler photons are frequency-conjugate over a wide spectrum, which are divided into different channels by wavelength division multiplexing. Each pair of these correlated wavelength channels is multiplexed into a single fiber and shared by multiple users by a 1N passive beam splitter constituting a subnet of QKD. The end users in the subnet are fully connected due to the inherent correlation of the entangled photon pairs and the random routing by the passive beam splitter. The connections between subnets can be realized by a trusted node, which acts as a user marked in the dotted box in each subnet. (b) The logical topology structure of the network. Every subnet is a fully connected mesh QKD network, and provides a user to the trusted node located in the center, which connects all the subnets. (c) The sketches of the original DO-QKD and the symmetric DO-QKD. The symmetric DO-QKD is first proposed here to fully adapt the QKD network applications. Comparing with these two schemes, it can be seen that both normal and abnormal dispersion components are introduced in each user in the symmetric DO-QKD. Since all the users have the same configurations, the nonlocal dispersion cancellation can be fulfilled between any two users in the network, which is responsible for the security test and key generation.
Obviously, the quality of coincidence events between two users in a subnet would reduce rapidly if the user number increases. To utilize the resource of coincidence events more efficiently, we introduce the dispersive optics QKD (DO-QKD) based on energy-time entanglement into the architecture. In the entanglement-based DO-QKD, signal and idler photons are sent to two users. Normal and anomalous dispersion components are introduced at the two sides to carry out the security test which is guaranteed by the nonlocal dispersion cancellation effect 33 of entangled photon pairs, which has been proven to be secure against collective attacks 34,35 . Recently, we have shown that it can be realized in long distance optical fiber link by a telecom band quantum light source based on spontaneous four wave mixing 36 . An attractive property of the entanglement-based DO-QKD is that high dimensional time encoding can be utilized in this scheme, which supports multi-bit key generation per coincidence. Hence, it would highly improve the utilization efficiency of coincidence events between two users in a subnet. However, as shown in Fig. 1 (c), the two users in previous entanglement-based DO-QKD schemes have different setups that one has normal dispersion component and the other has abnormal dispersion component. It cannot be introduced directly to the proposed architecture that realizes fully connected QKD network by 1N beam splitters. Therefore, we introduce the "symmetric DO-QKD" into the network architecture as shown in Fig.1 (c), which is first proposed here to fully adapt the applications of network architecture. It is named as "symmetric DO-QKD", since all the users have the same configurations. In this modified symmetric scheme, the two users have both normal and abnormal dispersion components. The paths with two different dispersion modules in the two users are treated as the measurement bases. There are two bases between the two users and both of them experience the effect of nonlocal dispersion cancellation. They are used for security test and key generation, respectively, which should be predefined between any two users according to nonlocal dispersion cancellation requirement.

Results
Experimental system. To demonstrate how many users can be supported by the proposed fully connected entanglement-based QKD network architecture, the experimental system is established as shown in Fig. 2. The energy-time entangled photon pairs are generated in a broad telecom band through the SFWM effect in a piece of silicon waveguide under continuous wave (CW) pumping. An array waveguide grating (AWG) is used to filter the output photons. In the experimental system, the wide spectrum of the signal and idler photons are divided into 32 different wavelength channels. Further, the photons of these correlated wavelength channels, which satisfy the energy conservation condition of SFWM, are multiplexed together by a dense wavelength division multiplexing (DWDM) component and then distributed randomly to 8 users by a passive 18 Planar Lightwave Circuit Splitter (PLCS), which constitutes 16 subnets. In each subnet, any two users can be fully connected for generating cryptographic keys based on the symmetric DO-QKD scheme. In each end user, the photons are split into two paths by a fiber coupler and detected by superconducting nanowire single photon detectors (SNSPDs), respectively. The fiber polarization controllers (FPCs) before the SNSPDs are used to maximize the detection efficiencies. A normal dispersion component and an abnormal dispersion component based on fiber Bragg gratings are introduced in the two paths, respectively. Hence, all the end users have the same setups and can be fully connected for security test and cryptographic key generation.
Entanglement distribution. High-quality entanglement distribution is crucial in this QKD network architecture, which was tested in the experimental system shown in Fig. 2. Firstly, we tested broadband characteristics of the quantum light source. The AWG used in the experiment covers the International Telecommunication Union (ITU) channels of C21-C60. To fully utilize the filtering channels of the AWG, the mono-color pump light of the quantum light source is set at 1545.32 nm which is the central wavelength of C40. We selected C44~C59 as the signal channels, and C21~C36 as the idler channels. In the measurement, SNSPDs (with FPCs) were connected to the output fiber of the AWG for specific ITU channels. Fig. 3 shows the performances of the wavelength division in the system and corresponding coincidence results. The single photon count rates of these channels were measured under a specific pumping level which was fixed in the following experiments. The results are shown in Fig. 3(a). It can be seen that the photon count rates of all the channels are close owing to the broadband characteristics of the photon pair generation by SFWM in the silicon waveguide. Further, we measured the coincidence counts of each pair of signal and idler correlated channels after the wavelength division of AWG as shown in Fig. 3(b). For clarity, the coincidence peak positions of different signal and idler channel combinations were realigned with a fixed time delay of 1600ps. The results in Fig. 3 (b) shows that all the correlated wavelength channels have good coincidence. Each pair of the correlated wavelength channels can be used to constitute a subnet. Therefore, 16 subnets could be supported by the quantum light source in the experimental system. In the experiment system, the signal and idler photons with a specific pair of correlated wavelength channels are multiplexed and further distributed together to eight end users of a subnet by a 18 PLCS. By this way, each two users in the subnet have coincidence events of entangled photon pairs, which is the base to realize the fully connected QKD network. To show the performance of the entanglement distribution between the end users, all the coincidence events of 28 user combinations in a typical subnet supported by entangled photon pairs with channels of C31 and C49 are measured. In the measurement, the photons sent to an end user were detected by a SNSPD directly and the coincidence counts of all the user combinations in the subnet are calculated in the same way with that of Fig. 3 (b). The quality of these coincidences can be indicated by their coincidence to accidental coincidence ratio (CAR). The experiment results are shown in Fig. 3 (c), in which the two figures indicate the measured coincidence rates and the corresponding CARs between each two end users, respectively. These results show that any two users in the quantum network have photon pairs which support the proposed quantum network architecture, even though the distribution by the 18 PLCS reduces the coincidence rates to several tens of counts per second. While, all the CARs are higher than 100, indicating that such a high quality entanglement distribution could support high performance QKD.  Fig. 4 (a), the performance of raw key generation between these two users can be optimized by adjusting the parameters of the time encoding (See Supplementary Materials for details). Eventually, a raw key rate of 80.9 bits per second (bps) can be achieved with a quantum bit error rate lower than 5%, under an optimized encoding strategy supporting 4 bits of raw key generation per coincidence event. On the other hand, the secure information that two users could extract per coincidence can be calculated as well according to the experimental results shown in Fig. 4(a), by which the secure key rate between the two users after privacy amplification can be estimated to 63.7 bps (See Supplementary Materials for details of the analysis). Further, we measured the QKD performances of all the user combinations in the subnet. The results are shown in Fig. 4 (b), in which the yellow and blue columns indicate the generation rates of raw keys and secure keys between each two end users, respectively. Their difference is due to the costs of error correction and privacy amplification. It can be seen that any two users can generate secure keys, showing the property of fully-connected QKD network.

Discussion
We have successfully realized the demonstration of the high dimensional entanglement-based wavelength division multiplexing QKD network, which has the potential to scale up the number of users in a quantum communication network. As shown in Fig.1(a), if each subnet provides a user to establish a trusted node, secure key generation between the users in different subnets can be realized. Hence, this experiment system realizes a fully-connected QKD network with 112 end users, which is supported by only one quantum light source. It includes 16 subnets, and each subnet has 7 end users and one user for the trusted node. This network architecture takes full advantage of the broadband characteristics of the quantum light source by wavelength division multiplexing. The entangled photon pairs are distributed randomly to all end users in subnets by the PLCSs to establish their fully connected topological structures. What's more, the high dimensional encoding is introduced into the network through the symmetric DO-QKD scheme to improve the utilization efficiency of the coincidence events, which are precious resources for QKD. It can be expected that the scale of this network could be further extended by improving the bandwidth and brightness of the quantum light source.
It is worth noting that the motivation of this experiment is on applications of local networks requiring fullconnection. Hence, the lengths of fibers between the source and the end users are short. The geographical scale of this network architecture could be extended by introducing long distance fiber transmissions, with proper compensations for the fiber dispersions and fine clock distribution for time synchronization.

High dimensional time encoding in key generation
In the proposed QKD network architecture, the photon pairs would be distributed randomly to the users by a 1N beam splitters in each subnet. It can be expected that the coincidence events between two users would reduce rapidly as the number of users (N) increases. These coincidence events are precious resources for key generation between the two users. Hence, how to use the resources of these coincidence events with high efficiency is crucial in this network.
In this work, we used symmetric DO-QKD scheme to generate keys between two users in a subnet, which is based on the coincidence events of the energy-time entangled photon pairs shared by them. Utilizing the temporal correlation between the single photon detection events recorded by the two users, it is a convenient way to generate keys by time encoding. In this work, we used a three level format to take the time encoding and bin sifting 1 , by which one coincidence events could generate multiple bits of raw keys. It would be significantly beneficial for enhancing the key generation rate, especially in the applications of QKD networks with 1N beam splitters. Supplementary Figure 1 shows the format of the high dimensional time encoding between the two users in a subnet. In this format, a time frame consists of M (M=2^D) consecutive time slots and a slot includes I time bins with a width of  .
Several steps are required to take the time encoding in the symmetric DO-QKD by the format shown in Supplementary Figure 1. Firstly, the two users should synchronize their clocks to ensure that the time frames, slots and bins at the two sides are matched. Then, Alice and Bob tag their single photon events with the index numbers of the frame, slot and bin. In the bin sifting process, the two users communicate the frame numbers of their single photon events and keep the events with the same frame numbers. It means that in these time frames both of the two users record single photon events. Then, for each kept frame, the two users check the time bin numbers of their single photon events, and only keep the events with the same bin number. The single photon events with the same frame and bin numbers at the two sides are looked as the coincidence events of entangled photon pairs. Eventually, the raw keys are generated by the slot numbers of the coincidence events in the selected frames at the two sides. Therefore,

Optimization in bin sifting
Based on the measured single photon detection events, any two users in the network can generate raw keys according to the above high dimensional encoding bin sifting method. In order to obtain a good performance It can be seen that for different time bin numbers in a slot I, the raw key generation rates rise with increasing time bin width monotonously. The QBER decreases with the increasing bin width  and then reach its minimum when  is small. It is because that such a small leads to a small slot width, which is too narrow to cover the coincidence peak (The main contributions of the width of the coincidence peak include the laser pulse duration, and timing jitters of single photon detectors and TCSPC). In these cases, it is possible that the two photons in a pair may be detected at the same frames but adjacent slots. If they are detected at two time bins with the same index but in two different slots, their records would be kept in the bin sifting process, but cause errors in raw keys. Hence, the bin widths for a minimum QBER exist for all bin numbers I. And it would locate at smaller bin widths if the time bin number in a slot I is larger. On the other hand, the QBER rises monotonously with increasing  after its minimumIt is because that lager  means the wider frame width, which leads to the increase of the errors due to accidental coincidences. When the time bin width  is wide enough, this effect would determine the errors in raw keys.
Considering the raw key generation and post-data processing process of the symmetric DO-QKD, the parameters of the time encoding format should be optimized for a high raw key generation rate with low QBER. In this work, we optimize them by maximizing the raw key generation rate under the requirement of QBER ≤ 5%. According to Supplementary Figure 3 As for the systems with different time encoding dimension D, we did the same optimization process and the results are shown in Supplementary Figure 4. It can be seen that the case of D=4 has the best performance. If D is smaller than 4, the key generation rate is not fully enhanced by the high dimensional time encoding. On the other hand, if the dimension increases to D=5, a smaller time bin width  is required to guarantee QBER ≤ 5%, which would highly reduce the coincidence rate and leads to a smaller raw key generation rate.
Eventually, a raw key rate of 80.9 bits per second (bps) can be achieved under QBER≤ 5%, under an optimized format supporting 4 bits of raw key generation per coincidence event. In the experiment, these optimized parameters of time encoding format were applied on all the symmetric DO-QKDs in the network.

Security test
The security test of the symmetric DO-QKD used in this work is similar with that in original DO-QKD 2 . In symmetric DO-QKD, both normal and anomalous dispersion components are introduced in each user to carry out the security test which is guaranteed by the nonlocal dispersion cancellation effect 3 . For the typical intercept-resend attack, the eavesdropper (Eve) cannot make the fake photons the same as the original photons both in the time and frequency domains, which can be used to test the eavesdropping.
As shown in Fig. 4(a) in the main manuscript, the coincidence counts between two users in a subnet were measured in four possible basis combinations. The single photon count rates of SNSPDs under the four corresponding bases (K1, K2, S1, S2) were 8.6 kHz, 7.9 kHz, 10.1 kHz, and 8.5 kHz, respectively. Based on these single photon events detected under the S bases and K bases, the joint measurements of time-frequency covariance matrix (TFCM) can be carried out. It is used to evaluate the Shannon information between the two users and the maximum accessible information of Eve, which are responsible for the system security. The secure information that could extract per coincidence 4,5 is expressed as: where  is the reconciliation efficiency, ( ; ) I A B is the Shannon information between two users of the network, ( ; ) A E  is the Holevo information denoting Eve's maximum accessible information. To evaluate I  , the security analysis of DO-QKD follows the well-established proofs for protocols of the Gaussian continuous-variable quantum key distribution, which is based on the optimality of Eve's Gaussian collective attack for a given TFCM [5][6][7] . According to the experimental data shown in Fig. 4(a), the corresponding TFCM can be calculated. By further decomposing the TFCM, an upper bound on the Holevo information of ( ; ) A E  was obtained, which is 0.3669 bpc (bit per coincidence) indicating the impact of the excess channel noise.
It has been shown that in the optimized time encoding format, the symmetric DO-QKD between these two users has a raw key generation rate of 80.9 bps with QBER of 4.69% under the optimized parameters of the time encoding format. Then, based on the acquired raw keys with a low QBER, the secret keys were extracted after error correction and privacy amplification. The secret key rate could be estimated using Eq. (1). The analysis of Fig. 4(a) has shown that Eve's Holevo information ( ; ) A E  is 0.3669 bpc, which is estimated by the calculated TFCM. The Shannon information between Alice and Bob I (A; B) can be estimated in a similar way, which is 3.6348 bpc in this experimental system. As a result, the secret key capacity I  is 2.9 bpc according to Eq. (1), leading to a secret key rate of 63.78 bps. The security test and secure key rate estimation of all the symmetric DO-QKDs in a subnet was executed in the same way like this. The results are shown in Fig. 4 (b) in the main manuscript.

Coincidence counts between any users in a subnet
The raw keys are generated based on the measured coincidence events of the two users under matched measurement bases. Supplementary Figure 5 shows It can be seen that any two users in the subnet have a coincidence peak with good quality, in which the CARs are all higher than 100. Based on the measured coincidence events, any two users in the subnet can generate raw keys based on the proposed symmetric DO-QKD scheme. The results of Fig. 4(b) in the main manuscript were obtained based on these measurement results of coincidence.